diff --git a/packages/akamai/1.0.0/changelog.yml b/packages/akamai/1.0.0/changelog.yml deleted file mode 100755 index d3b67a0c62..0000000000 --- a/packages/akamai/1.0.0/changelog.yml +++ /dev/null @@ -1,31 +0,0 @@ -# newer versions go on top -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.2.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2778 -- version: "0.1.3" - changes: - - description: Fix typo in config template for ignoring host enrichment - type: bugfix - link: https://github.com/elastic/integrations/pull/3092 -- version: "0.1.2" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.1.1" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2369 -- version: "0.1.0" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/1643 diff --git a/packages/akamai/1.0.0/data_stream/siem/agent/stream/httpjson.yml.hbs b/packages/akamai/1.0.0/data_stream/siem/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 4efc3cf8ea..0000000000 --- a/packages/akamai/1.0.0/data_stream/siem/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,80 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "GET" -request.url: "{{api_host}}/siem/v1/configs/{{config_ids}}" -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -request.transforms: - - set: - target: url.params.from - value: "[[.cursor.last_execution_datetime]]" - default: '[[ (now (parseDuration "-{{initial_interval}}")).Unix ]]' - - set: - target: url.params.to - value: '[[ (now (parseDuration "-1m")).Unix ]]' - - set: - target: header.XTimestamp - value: '[[ formatDate (now) "20060102T15:04:05-0700" ]]' - - set: - target: header.XSignatureBase - value: '[[ sprintf "EG1-HMAC-SHA256 client_token=%s;access_token=%s;timestamp=%s;nonce=%s;" "{{client_token}}" "{{access_token}}" (.header.Get "XTimestamp") uuid ]]' - - set: - target: header.XSignatureKey - value: '[[ hmacBase64 "sha256" "{{client_secret}}" (.header.Get "XTimestamp") ]]' - - set: - target: header.XSignature - value: '[[ hmacBase64 "sha256" (.header.Get "XSignatureKey") "GET\t" .url.Scheme "\t" .url.Host "\t" .url.Path "?" 
.url.RawQuery "\t\t\t" (.header.Get "XSignatureBase") ]]' - - set: - target: header.Authorization - value: '[[ sprintf "%ssignature=%s" (.header.Get "XSignatureBase") (.header.Get "XSignature") ]]' - - delete: - target: header.XSignature - - delete: - target: header.XSignatureKey - - delete: - target: header.XSignatureBase - - delete: - target: header.XTimestamp - -response.decode_as: application/x-ndjson - -response.pagination: - - set: - target: url.params.offset - value: '[[ .last_event.offset ]]' - fail_on_template_error: true - - delete: - target: url.params.from - - delete: - target: url.params.to - -cursor: - last_execution_datetime: - value: '[[ (now (parseDuration "-1m")).Unix ]]' - -{{#if tags.length}} -tags: -{{else if preserve_original_event}} -tags: -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/akamai/1.0.0/data_stream/siem/elasticsearch/ingest_pipeline/default.yml b/packages/akamai/1.0.0/data_stream/siem/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 004f5fcf3f..0000000000 --- a/packages/akamai/1.0.0/data_stream/siem/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,423 +0,0 @@ ---- -description: Pipeline for parsing Akamai logs -processors: -- set: - field: ecs.version - value: '8.2.0' -- rename: - field: message - target_field: event.original -- json: - field: event.original - target_field: json -- drop: - if: 'ctx?.json?.offset != null' -- set: - field: observer.vendor - value: akamai -- set: - field: observer.type - value: proxy -- date: - field: json.httpMessage.start - formats: - - UNIX - timezone: UTC - target_field: "@timestamp" -- set: - field: "event.start" - copy_from: "@timestamp" -- rename: - field: json.httpMessage.status - target_field: http.response.status_code - ignore_missing: true -- convert: - field: http.response.status_code - type: long - ignore_missing: true -- rename: - field: json.httpMessage.bytes - target_field: http.response.bytes - ignore_missing: true -- convert: - field: http.response.bytes - type: long - ignore_missing: true -- rename: - field: json.httpMessage.requestId - target_field: http.request.id - ignore_missing: true -- set: - field: event.id - copy_from: http.request.id - ignore_empty_value: true -- fingerprint: - fields: - - http.request.id - target_field: "_id" - ignore_missing: true -- rename: - field: json.httpMessage.method - target_field: http.request.method - ignore_missing: true -- rename: - field: json.httpMessage.host - target_field: url.domain - ignore_missing: true -- urldecode: - field: json.httpMessage.path - target_field: url.path - ignore_missing: true -- urldecode: - field: json.httpMessage.query - target_field: url.query - ignore_missing: true -- rename: - field: json.httpMessage.port - target_field: url.port - ignore_missing: true -- convert: - field: url.port - type: long - ignore_missing: true -- urldecode: - field: json.httpMessage.responseHeaders - target_field: _tmp.response.headers - ignore_missing: true -- kv: - field: _tmp.response.headers - target_field: akamai.siem.response.headers - field_split: '\r\n' - value_split: ': ' - ignore_missing: true -- 
urldecode: - field: json.httpMessage.requestHeaders - target_field: _tmp.request.headers - ignore_missing: true -- kv: - field: _tmp.request.headers - target_field: akamai.siem.request.headers - field_split: '\r\n' - value_split: ': ' - ignore_missing: true -- script: - lang: painless - description: This script builds the `url.full` field out of the available `url.*` parts. - source: | - def full = ""; - if(ctx.url.scheme != null && ctx.url.scheme != "") { - full += ctx.url.scheme+"://"; - } - if(ctx.url.domain != null && ctx.url.domain != "") { - full += ctx.url.domain; - } - if(ctx.json.httpMessage.path != null && ctx.json.httpMessage.path != "") { - full += ctx.json.httpMessage.path; - } - if(ctx.json.httpMessage.query != null && ctx.json.httpMessage.query != "") { - full += "?"+ctx.json.httpMessage.query; - } - if(full != "") { - ctx.url.full = full - } -- dissect: - field: json.httpMessage.protocol - pattern: "%{network.protocol}/%{http.version}" - ignore_failure: true -- lowercase: - field: network.protocol - ignore_missing: true -- set: - field: network.transport - value: tcp - if: ctx?.network?.protocol != null && ctx?.network?.protocol == 'http' -- dissect: - field: json.httpMessage.tls - pattern: "%{tls.version_protocol}v%{tls.version}" - ignore_failure: true - ignore_missing: true -- lowercase: - field: tls.version_protocol - ignore_missing: true -- rename: - field: json.attackData.clientIP - target_field: source.address - ignore_missing: true -- convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - ignore_failure: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true -- rename: - field: json.geo.country - target_field: source.geo.country_iso_code - ignore_missing: true - if: ctx?.source?.geo?.country_iso_code == null -- set: - field: source.geo.region_iso_code - value: "{{json.geo.country}}-{{json.geo.regionCode}}" - ignore_empty_value: true - if: ctx?.source?.geo?.region_iso_code == 
null -- rename: - field: json.geo.city - target_field: source.geo.city_name - ignore_missing: true - if: ctx?.source?.geo?.city_name == null -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- convert: - field: json.geo.asn - target_field: source.as.number - type: long - ignore_missing: true - if: ctx?.source?.as?.number == null -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -## Attack Data -- urldecode: - field: json.attackData.ruleActions - target_field: json.attackData.ruleActions - ignore_missing: true -- split: - field: json.attackData.ruleActions - target_field: json.attackData.ruleActions - separator: ';' - preserve_trailing: true -- urldecode: - field: json.attackData.ruleData - target_field: json.attackData.ruleData - ignore_missing: true -- split: - field: json.attackData.ruleData - target_field: json.attackData.ruleData - separator: ';' - preserve_trailing: true -- urldecode: - field: json.attackData.ruleMessages - target_field: json.attackData.ruleMessages - ignore_missing: true -- split: - field: json.attackData.ruleMessages - target_field: json.attackData.ruleMessages - separator: ';' - preserve_trailing: true -- urldecode: - field: json.attackData.ruleSelectors - target_field: json.attackData.ruleSelectors - ignore_missing: true -- split: - field: json.attackData.ruleSelectors - target_field: json.attackData.ruleSelectors - separator: ';' - preserve_trailing: true -- urldecode: - field: json.attackData.ruleTags - target_field: json.attackData.ruleTags - ignore_missing: true -- split: - field: json.attackData.ruleTags - target_field: json.attackData.ruleTags - separator: ';' - preserve_trailing: true -- urldecode: - field: json.attackData.ruleVersions - target_field: 
json.attackData.ruleVersions - ignore_missing: true -- split: - field: json.attackData.ruleVersions - target_field: json.attackData.ruleVersions - separator: ';' - preserve_trailing: true -- urldecode: - field: json.attackData.rules - target_field: json.attackData.rules - ignore_missing: true -- split: - field: json.attackData.rules - target_field: json.attackData.rules - separator: ';' - preserve_trailing: true -- script: - lang: painless - description: Base64 Decode the json.attackData.rule* fields - source: | - ArrayList items = new ArrayList(["rules", "ruleActions", "ruleData", "ruleMessages", "ruleTags", "ruleSelectors", "ruleVersions"]); - ArrayList rules_array = new ArrayList(); - for (def i = 0; i < ctx.json.attackData.rules.length; i++) { - HashMap map = new HashMap(); - for (def j = 0; j < items.length; j++) { - String key = items[j]; - if (i < ctx.json.attackData[key].length ) { - String value = ctx.json.attackData[key][i].replace(" ", "").decodeBase64(); - map.put(key, value); - } - } - rules_array.add(map); - } - ctx.akamai.siem.rules = rules_array; -- rename: - field: json.attackData.configId - target_field: akamai.siem.config_id - ignore_missing: true -- rename: - field: json.attackData.policyId - target_field: akamai.siem.policy_id - ignore_missing: true -- rename: - field: json.attackData.policyId - target_field: akamai.siem.policy_id - ignore_missing: true -- rename: - field: json.attackData.slowPostAction - target_field: akamai.siem.slow_post_action - ignore_missing: true -- convert: - field: json.attackData.slowPostRate - target_field: akamai.siem.slow_post_rate - type: long - ignore_missing: true -- rename: - field: json.attackData.clientReputation - target_field: akamai.siem.client_reputation - ignore_missing: true -- rename: - field: json.attackData.clientReputation - target_field: akamai.siem.client_reputation - ignore_missing: true -## Bot Data -- convert: - field: json.botData.botScore - target_field: akamai.siem.bot.score - type: long - 
ignore_missing: true -- convert: - field: json.botData.responseSegment - target_field: akamai.siem.bot.response_segment - type: long - ignore_missing: true -## Client Data -- rename: - field: json.clientData.appBundleId - target_field: akamai.siem.client_data.app_bundle_id - ignore_missing: true -- rename: - field: json.clientData.appVersion - target_field: akamai.siem.client_data.app_version - ignore_missing: true -- convert: - field: json.clientData.telemetryType - target_field: akamai.siem.client_data.telemetry_type - type: long - ignore_missing: true -- rename: - field: json.clientData.sdkVersion - target_field: akamai.siem.client_data.sdk_version - ignore_missing: true -## User Risk Data -- rename: - field: json.userRiskData.uuid - target_field: akamai.siem.user_risk.uuid - ignore_missing: true -- convert: - field: json.userRiskData.status - target_field: akamai.siem.user_risk.status - type: long - ignore_missing: true -- convert: - field: json.userRiskData.score - target_field: akamai.siem.user_risk.score - type: long - ignore_missing: true -- convert: - field: json.userRiskData.allow - target_field: akamai.siem.user_risk.allow - type: long - ignore_missing: true -- kv: - field: json.userRiskData.risk - target_field: akamai.siem.user_risk.risk - field_split: '\|' - value_split: ':' - ignore_missing: true -- kv: - field: json.userRiskData.trust - target_field: akamai.siem.user_risk.trust - field_split: '\|' - value_split: ':' - ignore_missing: true -- kv: - field: json.userRiskData.general - target_field: akamai.siem.user_risk.general - field_split: '\|' - value_split: ':' - ignore_missing: true -## -- append: - field: related.ip - value: "{{source.ip}}" - allow_duplicates: false -- set: - field: client - copy_from: source -- set: - field: event.category - value: network -- set: - field: event.kind - value: event -- remove: - field: - - json - - _tmp - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || 
!(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/akamai/1.0.0/data_stream/siem/fields/agent.yml b/packages/akamai/1.0.0/data_stream/siem/fields/agent.yml deleted file mode 100755 index 4d9a6f7b36..0000000000 --- a/packages/akamai/1.0.0/data_stream/siem/fields/agent.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/akamai/1.0.0/data_stream/siem/fields/base-fields.yml b/packages/akamai/1.0.0/data_stream/siem/fields/base-fields.yml deleted file mode 100755 index 90bd5c6753..0000000000 --- a/packages/akamai/1.0.0/data_stream/siem/fields/base-fields.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: akamai -- name: event.dataset - type: constant_keyword - description: Event dataset - value: akamai.siem -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/akamai/1.0.0/data_stream/siem/fields/beats.yml b/packages/akamai/1.0.0/data_stream/siem/fields/beats.yml deleted file mode 100755 index cb44bb2944..0000000000 --- a/packages/akamai/1.0.0/data_stream/siem/fields/beats.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: input.type - type: keyword - description: Type of Filebeat input. -- name: log.flags - type: keyword - description: Flags for the log file. -- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/akamai/1.0.0/data_stream/siem/fields/ecs.yml b/packages/akamai/1.0.0/data_stream/siem/fields/ecs.yml deleted file mode 100755 index 61cbacbed0..0000000000 --- a/packages/akamai/1.0.0/data_stream/siem/fields/ecs.yml +++ /dev/null 
@@ -1,264 +0,0 @@ -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: client.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: client.as.organization.name - type: keyword -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: client.geo.location - type: geo_point -- description: Region name. - name: client.geo.region_name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: client.address - type: keyword -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: Port of the client. - name: client.port - type: long -- description: |- - ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. 
- name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: Password of the request. 
- name: url.password - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: Username of the request. - name: url.username - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: |- - A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. - The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. - name: http.request.id - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword diff --git a/packages/akamai/1.0.0/data_stream/siem/fields/fields.yml b/packages/akamai/1.0.0/data_stream/siem/fields/fields.yml deleted file mode 100755 index faa4f435cb..0000000000 --- a/packages/akamai/1.0.0/data_stream/siem/fields/fields.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: akamai.siem - type: group - release: beta - default_field: false - description: > - Fields for Akamai SIEM Logs - - fields: - - name: response.headers - type: flattened - description: > - HTTP response headers - - - name: request.headers - type: flattened - description: > - HTTP Request headers - - - name: rules - type: nested - description: > - Rules triggered by this request - - - name: config_id - type: keyword - description: > - ID of the Security Configuration applied to the request. - - - name: policy_id - type: keyword - description: > - ID of the Firewall policy applied to the request. - - - name: slow_post_action - type: keyword - description: > - Action taken if a Slow POST attack is detected: W for Warn or A for deny (abort). - - - name: slow_post_rate - type: long - description: > - Recorded rate of a detected Slow POST attack. - - - name: client_reputation - type: keyword - description: > - Client IP scores for Client Reputation. - - - name: bot.score - type: long - description: > - Score assigned to the request by Botman Manager. - - - name: bot.response_segment - type: long - description: > - Numeric response segment indicator. Segments are used to group and categorize bot scores. - - - name: client_data.app_bundle_id - type: keyword - description: > - Unique identifier of the app bundle. An app bundle contains both the software itself and the accompanying configuration information. - - - name: client_data.app_version - type: keyword - description: > - Version number of the app. - - - name: client_data.telemetry_type - type: long - description: > - Specifies the telemetry type in use. - - - name: client_data.sdk_version - type: keyword - description: > - SDK version - - - name: user_risk.uuid - type: keyword - description: > - Unique identifier of the user whose risk data is being provided. 
- - - name: user_risk.status - type: long - description: "Status code indicating any errors that might have occurred when calculating the risk score. \n" - - name: user_risk.score - type: long - description: > - Calculated risk scores. Scores range from 0 (no risk) to 100 (the highest possible risk). - - - name: user_risk.risk - type: flattened - description: > - Indicators that increased the calculated risk score. For example, the value udfp represents the risk of the device fingerprint based on the user's behavioral profile. - - - name: user_risk.trust - type: flattened - description: > - Indicators that were trusted. For example, the value ugp indicates that the user’s country or area is trusted. - - - name: user_risk.general - type: flattened - description: > - Indicators of general behavior observed for relevant attributes. For example, duc_1h represents the number of users recorded on a specific device in the past hour. - - - name: user_risk.allow - type: long - description: >- - Indicates whether the user is on the allow list. A 0 indicates that the user was not on the list; a 1 indicates that the user was on the list. diff --git a/packages/akamai/1.0.0/data_stream/siem/manifest.yml b/packages/akamai/1.0.0/data_stream/siem/manifest.yml deleted file mode 100755 index 9d00eada89..0000000000 --- a/packages/akamai/1.0.0/data_stream/siem/manifest.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -type: logs -title: Akamai SIEM Logs -release: experimental -streams: - - input: httpjson - vars: - - name: api_host - type: text - title: API Host - description: API Hostname in the form of http(s)://akzz-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.luna.akamaiapis.net without path - multi: false - required: true - show_user: true - default: https://akzz-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.luna.akamaiapis.net - - name: client_token - type: text - title: Client Token - description: Client token provided by "Credentials" ui - multi: false - required: true - show_user: true - - name: client_secret - type: password - title: Client Secret - description: Client secret provided by "Credentials" ui - multi: false - required: true - show_user: true - - name: access_token - type: password - title: Access Token - description: Access token provided by "Authorizations" ui - multi: false - required: true - show_user: true - - name: config_ids - type: text - title: Zone ID - multi: false - required: true - show_user: true - description: Unique identifier for each security configuration. To report on more than one configuration, separate integer identifiers with semicolons. ex. 12892;29182;82912 - - name: http_client_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: true - default: 60s - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - description: Interval at which the logs will be pulled. The value must be between 2m and 1h. - default: 1h - - name: initial_interval - type: text - title: Initial Interval - multi: false - required: true - show_user: true - default: 24h - description: Initial interval to poll for events. Default is 24 hours. 
- - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@: - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - akamai-siem - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n" - template_path: httpjson.yml.hbs - title: Akamai SIEM logs - description: Collect Akamai logs via the SIEM API diff --git a/packages/akamai/1.0.0/data_stream/siem/sample_event.json b/packages/akamai/1.0.0/data_stream/siem/sample_event.json deleted file mode 100755 index 3a25038b37..0000000000 --- a/packages/akamai/1.0.0/data_stream/siem/sample_event.json +++ /dev/null 
@@ -1,188 +0,0 @@ -{ - "@timestamp": "2016-08-11T13:45:33.026Z", - "agent": { - "ephemeral_id": "713a6a71-c1f5-4984-9283-20611786e6d3", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "akamai": { - "siem": { - "bot": { - "response_segment": 3, - "score": 100 - }, - "client_data": { - "app_bundle_id": "com.mydomain.myapp", - "app_version": "1.23", - "sdk_version": "4.7.1", - "telemetry_type": 2 - }, - "config_id": "6724", - "policy_id": "scoe_5426", - "request": { - "headers": { - "Accept": "text/html,application/xhtml xml", - "User-Agent": "BOT/0.1 (BOT for JCE)" - } - }, - "response": { - "headers": { - "Content-Type": "text/html", - "Mime-Version": "1.0", - "Server": "AkamaiGHost" - } - }, - "rules": [ - { - "ruleActions": "ALERT", - "ruleData": "alert(", - "ruleMessages": "Cross-site Scripting (XSS) Attack", - "ruleSelectors": "ARGS:a", - "ruleTags": "WEB_ATTACK/XSS", - "rules": "950004" - }, - { - "ruleActions": "DENY", - "ruleData": "curl", - "ruleMessages": "Request Indicates an automated program explored the site", - "ruleSelectors": "REQUEST_HEADERS:User-Agent", - "ruleTags": "AUTOMATION/MISC", - "rules": "990011" - } - ], - "user_risk": { - "allow": 0, - "general": { - "duc_1d": "30", - "duc_1h": "10" - }, - "risk": { - "udfp": "1325gdg4g4343g/M", - "unp": "74256/H" - }, - "score": 75, - "status": 0, - "trust": { - "ugp": "US" - }, - "uuid": "964d54b7-0821-413a-a4d6-8131770ec8d5" - } - } - }, - "client": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156" - }, - "data_stream": { - "dataset": "akamai.siem", - "namespace": "ep", - 
"type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2021-12-24T00:19:04.410Z", - "dataset": "akamai.siem", - "id": "2ab418ac8515f33", - "ingested": "2021-12-24T00:19:05Z", - "kind": "event", - "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-
a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", - "start": "2016-08-11T13:45:33.026Z" - }, - "host": { - "name": "docker-fleet-agent" - }, - "http": { - "request": { - "id": "2ab418ac8515f33", - "method": "POST" - }, - "response": { - "bytes": 34523, - "status_code": 301 - }, - "version": "2" - }, - "input": { - "type": "httpjson" - }, - "network": { - "protocol": "http", - "transport": "tcp" - }, - "observer": { - "type": "proxy", - "vendor": "akamai" - }, - "related": { - "ip": [ - "89.160.20.156" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156" - }, - "tags": [ - "akamai-siem", - "forwarded", - "preserve_original_event" - ], - "tls": { - "version": "1.2", - "version_protocol": "tls" - }, - "url": { - "domain": "www.example.com", - "full": "www.example.com/examples/1/?a%3D..%2F..%2F..%2Fetc%2Fpasswd", - "path": "/examples/1/", - "port": 80, - "query": "a=../../../etc/passwd" - } -} \ No newline at end of file diff --git a/packages/akamai/1.0.0/docs/README.md b/packages/akamai/1.0.0/docs/README.md deleted file mode 100755 index 8943c6993a..0000000000 --- a/packages/akamai/1.0.0/docs/README.md +++ /dev/null 
@@ -1,326 +0,0 @@ -# Akamai Integration - -The Akamai integration collects events from the Akamai API, specifically reading from the [Akamai SIEM API](https://techdocs.akamai.com/siem-integration/reference/api). - -## Logs - -### SIEM - -The Security Information and Event Management API allows you to capture security events generated on the ​Akamai​ platform in your SIEM application. - -Use this API to get security event data generated on the ​Akamai​ platform and correlate it with data from other sources in your SIEM solution. Capture security event data incrementally, or replay missed security events from the past 12 hours. You can store, query, and analyze the data delivered through this API on your end, then go back and adjust your Akamai security settings. If you’re coding your own SIEM connector, it needs to adhere to these specifications in order to pull in security events from Akamai Security Events Collector (ASEC) and process them properly. - -See https://techdocs.akamai.com/siem-integration/reference/api-get-started to setup your Akamai account and obtain your credentials - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| akamai.siem.bot.response_segment | Numeric response segment indicator. Segments are used to group and categorize bot scores. | long | -| akamai.siem.bot.score | Score assigned to the request by Botman Manager. | long | -| akamai.siem.client_data.app_bundle_id | Unique identifier of the app bundle. An app bundle contains both the software itself and the accompanying configuration information. | keyword | -| akamai.siem.client_data.app_version | Version number of the app. | keyword | -| akamai.siem.client_data.sdk_version | SDK version | keyword | -| akamai.siem.client_data.telemetry_type | Specifies the telemetry type in use. | long | -| akamai.siem.client_reputation | Client IP scores for Client Reputation. 
| keyword | -| akamai.siem.config_id | ID of the Security Configuration applied to the request. | keyword | -| akamai.siem.policy_id | ID of the Firewall policy applied to the request. | keyword | -| akamai.siem.request.headers | HTTP Request headers | flattened | -| akamai.siem.response.headers | HTTP response headers | flattened | -| akamai.siem.rules | Rules triggered by this request | nested | -| akamai.siem.slow_post_action | Action taken if a Slow POST attack is detected: W for Warn or A for deny (abort). | keyword | -| akamai.siem.slow_post_rate | Recorded rate of a detected Slow POST attack. | long | -| akamai.siem.user_risk.allow | Indicates whether the user is on the allow list. A 0 indicates that the user was not on the list; a 1 indicates that the user was on the list. | long | -| akamai.siem.user_risk.general | Indicators of general behavior observed for relevant attributes. For example, duc_1h represents the number of users recorded on a specific device in the past hour. | flattened | -| akamai.siem.user_risk.risk | Indicators that increased the calculated risk score. For example, the value udfp represents the risk of the device fingerprint based on the user's behavioral profile. | flattened | -| akamai.siem.user_risk.score | Calculated risk scores. Scores range from 0 (no risk) to 100 (the highest possible risk). | long | -| akamai.siem.user_risk.status | Status code indicating any errors that might have occurred when calculating the risk score. | long | -| akamai.siem.user_risk.trust | Indicators that were trusted. For example, the value ugp indicates that the user’s country or area is trusted. | flattened | -| akamai.siem.user_risk.uuid | Unique identifier of the user whose risk data is being provided. | keyword | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. 
Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.id | A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. | keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| tls.cipher | String indicating the cipher used during the current connection. | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.username | Username of the request. 
| keyword | - - -An example event for `siem` looks as following: - -```json -{ - "@timestamp": "2016-08-11T13:45:33.026Z", - "agent": { - "ephemeral_id": "713a6a71-c1f5-4984-9283-20611786e6d3", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "akamai": { - "siem": { - "bot": { - "response_segment": 3, - "score": 100 - }, - "client_data": { - "app_bundle_id": "com.mydomain.myapp", - "app_version": "1.23", - "sdk_version": "4.7.1", - "telemetry_type": 2 - }, - "config_id": "6724", - "policy_id": "scoe_5426", - "request": { - "headers": { - "Accept": "text/html,application/xhtml xml", - "User-Agent": "BOT/0.1 (BOT for JCE)" - } - }, - "response": { - "headers": { - "Content-Type": "text/html", - "Mime-Version": "1.0", - "Server": "AkamaiGHost" - } - }, - "rules": [ - { - "ruleActions": "ALERT", - "ruleData": "alert(", - "ruleMessages": "Cross-site Scripting (XSS) Attack", - "ruleSelectors": "ARGS:a", - "ruleTags": "WEB_ATTACK/XSS", - "rules": "950004" - }, - { - "ruleActions": "DENY", - "ruleData": "curl", - "ruleMessages": "Request Indicates an automated program explored the site", - "ruleSelectors": "REQUEST_HEADERS:User-Agent", - "ruleTags": "AUTOMATION/MISC", - "rules": "990011" - } - ], - "user_risk": { - "allow": 0, - "general": { - "duc_1d": "30", - "duc_1h": "10" - }, - "risk": { - "udfp": "1325gdg4g4343g/M", - "unp": "74256/H" - }, - "score": 75, - "status": 0, - "trust": { - "ugp": "US" - }, - "uuid": "964d54b7-0821-413a-a4d6-8131770ec8d5" - } - } - }, - "client": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156" - }, - "data_stream": { 
- "dataset": "akamai.siem", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2021-12-24T00:19:04.410Z", - "dataset": "akamai.siem", - "id": "2ab418ac8515f33", - "ingested": "2021-12-24T00:19:05Z", - "kind": "event", - "original": "{\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"6724\",\"policyId\":\"scoe_5426\",\"ruleActions\":\"QUxFUlQ;REVOWQ==\",\"ruleData\":\"YWxlcnQo;Y3VybA==\",\"ruleMessages\":\"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=\",\"ruleSelectors\":\"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=\",\"ruleTags\":\"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND\",\"ruleVersions\":\";\",\"rules\":\"OTUwMDA0;OTkwMDEx\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"format\":\"json\",\"geo\":{\"asn\":\"12271\",\"city\":\"NEWYORK\",\"continent\":\"NA\",\"country\":\"US\",\"regionCode\":\"NY\"},\"httpMessage\":{\"bytes\":\"34523\",\"host\":\"www.example.com\",\"method\":\"POST\",\"path\":\"/examples/1/\",\"port\":\"80\",\"protocol\":\"http/2\",\"query\":\"a%3D..%2F..%2F..%2Fetc%2Fpasswd\",\"requestHeaders\":\"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml\",\"requestId\":\"2ab418ac8515f33\",\"responseHeaders\":\"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml\",\"start\":\"1470923133.026\",\"status\":\"301\",\"tls\":\"TLSv1.2\"},\"type\":\"akamai_siem\",\"userRiskData\":{\"allow\":\"0\",\"general\":\"duc_1h:10|duc_1d:30\",\"risk\":\"udfp:1325gdg4g4343g/M|unp:74256/H\",\"score\":\"75\",\"status\":\"0\",
\"trust\":\"ugp:US\",\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\"},\"version\":\"1.0\"}", - "start": "2016-08-11T13:45:33.026Z" - }, - "host": { - "name": "docker-fleet-agent" - }, - "http": { - "request": { - "id": "2ab418ac8515f33", - "method": "POST" - }, - "response": { - "bytes": 34523, - "status_code": 301 - }, - "version": "2" - }, - "input": { - "type": "httpjson" - }, - "network": { - "protocol": "http", - "transport": "tcp" - }, - "observer": { - "type": "proxy", - "vendor": "akamai" - }, - "related": { - "ip": [ - "89.160.20.156" - ] - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156" - }, - "tags": [ - "akamai-siem", - "forwarded", - "preserve_original_event" - ], - "tls": { - "version": "1.2", - "version_protocol": "tls" - }, - "url": { - "domain": "www.example.com", - "full": "www.example.com/examples/1/?a%3D..%2F..%2F..%2Fetc%2Fpasswd", - "path": "/examples/1/", - "port": 80, - "query": "a=../../../etc/passwd" - } -} -``` \ No newline at end of file diff --git a/packages/akamai/1.0.0/img/akamai_logo.svg b/packages/akamai/1.0.0/img/akamai_logo.svg deleted file mode 100755 index 78cf6ad7e3..0000000000 --- a/packages/akamai/1.0.0/img/akamai_logo.svg +++ /dev/null @@ -1,151 +0,0 @@ - - - -image/svg+xml \ No newline at end of file diff --git a/packages/akamai/1.0.0/manifest.yml b/packages/akamai/1.0.0/manifest.yml deleted file mode 100755 index 0f83a79779..0000000000 --- a/packages/akamai/1.0.0/manifest.yml +++ /dev/null 
@@ -1,26 +0,0 @@
-name: akamai
-title: Akamai
-version: 1.0.0
-release: ga
-description: Akamai Integration
-type: integration
-format_version: 1.0.0
-license: basic
-categories: [security, network, web, cloud]
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/akamai_logo.svg
- title: Akamai
- size: 409×167
- type: image/svg+xml
-policy_templates:
- - name: akamai
- title: Akamai logs
- description: Collect SIEM logs from Akamai
- inputs:
- - type: httpjson
- title: "Collect Akamai SIEM logs via API"
- description: "Collecting SIEM logs from Akamai via API"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/auth0/1.0.0/changelog.yml b/packages/auth0/1.0.0/changelog.yml
deleted file mode 100755
index efcc0a7517..0000000000
--- a/packages/auth0/1.0.0/changelog.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-# newer versions go on top
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: "0.1.4"
- changes:
- - description: Update Readme
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3065
-- version: "0.1.3"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.1.2"
- changes:
- - description: Fix documentation bug
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2761
-- version: "0.1.1"
- changes:
- - description: Update Auth0 logo image
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2749
-- version: "0.1.0"
- changes:
- - description: Initial commit
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2152
diff --git a/packages/auth0/1.0.0/data_stream/logs/agent/stream/http_endpoint.yml.hbs b/packages/auth0/1.0.0/data_stream/logs/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 1203728f14..0000000000
--- a/packages/auth0/1.0.0/data_stream/logs/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,41 +0,0 @@
-type: http_endpoint
-enabled: true
-prefix: json
-
-{{#if listen_address}}
-listen_address: {{listen_address}}
-{{/if}}
-{{#if listen_port}}
-listen_port: {{listen_port}}
-{{/if}}
-{{#if url}}
-url: {{url}}
-{{/if}}
-
-{{#if secret_value}}
-secret.header: Authorization
-secret.value: "{{secret_value}}"
-{{/if}}
-
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-
-{{#if preserve_original_event}}
-preserve_original_event: true
-{{/if}}
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/auth0/1.0.0/data_stream/logs/elasticsearch/ingest_pipeline/default.yml b/packages/auth0/1.0.0/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index af1e5a307a..0000000000
--- a/packages/auth0/1.0.0/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,1105 +0,0 @@ ---- -description: Pipeline for processing Auth0 log stream events -processors: -- set: - field: ecs.version - value: '1.12.0' -- set: - field: auth0.logs.data - copy_from: json.data -- date: - field: auth0.logs.data.date - formats: - - ISO8601 -- set: - field: log.level - value: info -- set: - field: log.level - value: error - if: ctx?.auth0?.logs?.data?.details?.error != null -- set: - field: source.ip - copy_from: auth0.logs.data.ip - if: ctx?.auth0?.logs?.data?.ip != null -# IP Geolocation Lookup -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: 'ctx.source?.geo == null && ctx?.source?.ip != null' -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: ctx?.source?.ip != null -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- set: - field: network.type - value: ipv6 - if: 'ctx.source?.ip != null && ctx.source?.ip.contains(":")' -- set: - field: network.type - value: ipv4 - if: 'ctx.network?.type == null && ctx.source?.ip != null' -- set: - field: user.name - copy_from: auth0.logs.data.user_name - if: 'ctx?.auth0?.logs?.data?.user_name != null' -- set: - field: user.id - copy_from: auth0.logs.data.user_id - if: 'ctx?.auth0?.logs?.data?.user_id != null' -- user_agent: - field: auth0.logs.data.user_agent - ignore_missing: true -- set: - field: event.id - copy_from: auth0.logs.data.log_id - if: 'ctx?.auth0?.logs?.data?.log_id != null' -## -# Event kind, code and action -## -- set: - field: event.kind - value: event -- append: - field: event.category - value: authentication -- script: - lang: painless - description: Sets event type, category and action based on type - if: ctx?.auth0?.logs?.data?.type != null - params: 
- actions: - f: - classification: "Login - Failure" - value: "Failed login" - type: - - info - action: failed-login - fc: - classification: "Login - Failure" - value: "Failed connector login" - type: - - info - action: failed-connector-login - fco: - classification: "Login - Failure" - value: "Origin is not in the application's Allowed Origins list" - type: - - info - action: origin-not-allowed - fcoa: - classification: "Login - Failure" - value: "Failed cross-origin authentication" - type: - - info - action: failed-cross-origin-authentication - fens: - classification: "Login - Failure" - value: "Failed native social login" - type: - - info - action: failed-native-social-login - fp: - classification: "Login - Failure" - value: "Incorrect password" - type: - - info - action: incorrect-password - fu: - classification: "Login - Failure" - value: "Invalid email or username" - type: - - info - - indicator - category: - - threat - action: invalid-username-or-email - w: - classification: "Login - Notification" - value: "Warnings during login" - type: - - info - - indicator - category: - - threat - action: warnings-during-login - s: - classification: "Login - Success" - value: "Successful login" - type: - - info - - start - category: - - session - action: successful-login - scoa: - classification: "Login - Success" - value: "Successful cross-origin authentication" - type: - - info - - start - category: - - session - action: successful-cross-origin-authentication - sens: - classification: "Login - Success" - value: "Successful native social login" - type: - - info - - start - category: - - session - action: successful-native-social-login - flo: - classification: "Logout - Failure" - value: "User logout failed" - type: - - info - category: - - session - action: user-logout-failed - slo: - classification: "Logout - Success" - value: "User successfully logged out" - type: - - info - - end - category: - - session - action: user-logout-successful - fs: - classification: "Signup 
- Failure" - value: "User signup failed" - type: - - info - - creation - - user - category: - - iam - action: user-signup-failed - fsa: - classification: "Silent Authentication - Failure" - value: "Failed silent authentication" - type: - - info - - indicator - category: - - threat - action: failed-silent-authentication - ssa: - classification: "Silent Authentication - Success" - value: "Successful silent authentication" - type: - - info - action: successful-silent-authentication - feacft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Authorization Code for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-auth-code-for-access-token - feccft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Access Token for a Client Credentials Grant" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-access-token-for-client-cred-grant - fede: - classification: "Token Exchange - Failure" - value: "Failed exchange of Device Code for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-device-code-for-access-token - feoobft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Password and OOB Challenge for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-password-oob-challenge-for-access-token - feotpft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Password and OTP Challenge for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-password-otp-challenge-for-access-token - fepft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Password for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: 
failed-exchange-password-for-access-token - fepotpft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Passwordless OTP for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-passwordless-otp-for-access-token - fercft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Password and MFA Recovery code for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-password-mfa-recovery-code-for-access-token - ferrt: - classification: "Token Exchange - Failure" - value: "Failed exchange of Rotating Refresh Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-rotating-refresh-token - fertft: - classification: "Token Exchange - Failure" - value: "Failed exchange of Refresh Token for Access Token" - type: - - info - - protocol - - error - category: - - network - - web - action: failed-exchange-refresh-token-for-access-token - seacft: - classification: "Token Exchange - Success" - value: "Successful exchange of Authorization Code for Access Token" - type: - - info - - protocol - - access - category: - - network - - web - action: success-exchange-auth-code-for-access-token - seccft: - classification: "Token Exchange - Success" - value: "Successful exchange of Access Token for a Client Credentials Grant" - type: - - info - - protocol - - access - category: - - network - - web - action: success-exchange-access-token-for-client-cred-grant - sede: - classification: "Token Exchange - Success" - value: "Successful exchange of Device Code for Access Token" - type: - - info - - protocol - - access - category: - - network - - web - action: success-exchange-device-code-for-access-token - seoobft: - classification: "Token Exchange - Success" - value: "Successful exchange of Password and OOB Challenge for Access Token" - type: - - info - - protocol - - access - category: - - 
network - - web - action: success-exchange-password-oob-challange-for-access-token - seotpft: - classification: "Token Exchange - Success" - value: "Successful exchange of Password and OTP Challenge for Access Token" - type: - - info - - protocol - - access - category: - - network - - web - action: success-exchange-password-otp-challenge-for-access-token - sepft: - classification: "Token Exchange - Success" - value: "Successful exchange of Password for Access Token" - type: - - info - - protocol - - access - category: - - network - - web - action: success-exchange-password-for-access-token - sercft: - classification: "Token Exchange - Success" - value: "Successful exchange of Password and MFA Recovery code for Access Token" - type: - - info - - protocol - - access - category: - - network - - web - action: success-exchange-mfa-recovery-code-for-access-token - sertft: - classification: "Token Exchange - Success" - value: "Successful exchange of Refresh Token for Access Token" - type: - - info - - protocol - - access - category: - - network - - web - action: success-exchange-refresh-token-for-access-token - fapi: - classification: "Management API - Failure" - value: "Failed Management API operation" - type: - - info - - error - category: - - web - action: failed-mgmt-api-operation - sapi: - classification: "Management API - Success" - value: "Successful Management API operation" - type: - - info - - access - - change - category: - - web - - iam - action: success-mgmt-api-op - mgmt_api_read: - classification: "Management API - Success" - value: "API GET operation returning secrets completed successfully" - type: - - info - - access - category: - - web - - iam - action: success-mgmt-api-op-secrets-returned - admin_update_launch: - classification: "System - Notification" - value: "Auth0 Update Launched" - type: - - change - category: - - configuration - action: auth0-update-launched - api_limit: - classification: "System - Notification" - value: "The maximum number of 
requests to the Authentication or Management APIs in given time has reached" - type: - - info - - access - category: - - network - action: max-requests-reached - coff: - classification: "System - Notification" - value: "AD/LDAP Connector is offline" - type: - - error - - connection - category: - - network - - web - action: ad-ldap-connector-offline - con: - classification: "System - Notification" - value: "AD/LDAP Connector is online and working" - type: - - info - - connection - category: - - network - action: ad-ldap-connector-online - depnote: - classification: "System - Notification" - value: "Deprecation Notice" - type: - - info - action: deprecation-notice - fcpro: - classification: "System - Notification" - value: "Failed to provision a AD/LDAP connector" - type: - - info - - connection - - error - category: - - network - action: failed-ad-ldap-provision - fui: - classification: "System - Notification" - value: "Failed to import users" - type: - - info - - user - - error - category: - - iam - - web - action: failed-to-import-users - limit_delegation: - classification: "System - Notification" - value: "Rate limit exceeded to /delegation endpoint" - type: - - info - - access - category: - - network - action: rate-limit-exceeded-to-delegation-endpoint - limit_mu: - classification: "System - Notification" - value: "An IP address is blocked with 100 failed login attempts using different usernames" - type: - - indicator - - info - category: - - threat - - intrusion_detection - action: hundred-failed-logins-ip-address-blocked - limit_wc: - classification: "System - Notification" - value: "An IP address is blocked with 10 failed login attempts into a single account from the same IP address" - type: - - indicator - - info - category: - - threat - - intrusion_detection - action: ten-failed-logins-ip-address-blocked - sys_os_update_start: - classification: "System - Notification" - value: "Auth0 OS Update Started" - type: - - change - - start - - installation - 
category: - - configuration - - package - action: auth0-os-update-started - sys_os_update_end: - classification: "System - Notification" - value: "Auth0 OS Update Ended" - type: - - change - - end - - installation - category: - - configuration - - package - action: auth0-os-update-ended - sys_update_start: - classification: "System - Notification" - value: "Auth0 Update Started" - type: - - change - - start - - installation - category: - - configuration - - package - action: auth0-update-started - sys_update_end: - classification: "System - Notification" - value: "Auth0 Update Ended" - type: - - change - - end - - installation - category: - - configuration - - package - action: auth0-update-ended - fce: - classification: "User/Behavioral - Failure" - value: "Failed to change user email" - type: - - change - - user - category: - - iam - action: failed-to-change-user-email - fcp: - classification: "User/Behavioral - Failure" - value: "Failed to change password" - type: - - change - - user - category: - - iam - action: failed-to-change-password - fcpn: - classification: "User/Behavioral - Failure" - value: "Failed to change phone number" - type: - - change - - user - category: - - iam - action: failed-to-change-phone-number - fcpr: - classification: "User/Behavioral - Failure" - value: "Failed change password request" - type: - - change - - user - category: - - iam - action: failed-change-password-request - fcu: - classification: "User/Behavioral - Failure" - value: "Failed to change username" - type: - - change - - user - category: - - iam - action: failed-to-change-username - fd: - classification: "User/Behavioral - Failure" - value: "Failed to generate delegation token" - type: - - info - - user - category: - - iam - action: failed-to-generate-delegation-token - fdeaz: - classification: "User/Behavioral - Failure" - value: "Device authorization request failed" - type: - - info - - user - category: - - iam - action: failed-device-authorization-request - fdecc: - 
classification: "User/Behavioral - Failure" - value: "User did not confirm device" - type: - - info - action: user-device-not-confirmed - fdu: - classification: "User/Behavioral - Failure" - value: "Failed user deletion" - type: - - deletion - - user - category: - - iam - action: failed-user-deletion - fn: - classification: "User/Behavioral - Failure" - value: "Failed to send email notification" - type: - - info - action: failed-to-send-email-notification - fv: - classification: "User/Behavioral - Failure" - value: "Failed to send verification email" - type: - - info - action: failed-to-send-verification-email - fvr: - classification: "User/Behavioral - Failure" - value: "Failed to process verification email request" - type: - - info - action: failed-to-process-verification-email - cs: - classification: "User/Behavioral - Notification" - value: "Passwordless login code has been sent" - type: - - info - action: passwordless-login-code-sent - du: - classification: "User/Behavioral - Notification" - value: "User has been deleted" - type: - - info - - user - - deletion - category: - - iam - action: user-deleted - gd_enrollment_complete: - classification: "User/Behavioral - Notification" - value: "A first time MFA user has successfully enrolled using one of the factors" - type: - - info - - change - - end - category: - - iam - - session - action: mfa-enrollment-completed - gd_start_enroll: - classification: "User/Behavioral - Notification" - value: "Multi-factor authentication enroll has started" - type: - - info - - change - - start - category: - - iam - - session - action: mfa-enrollment-started - gd_unenroll: - classification: "User/Behavioral - Notification" - value: "Device used for second factor authentication has been unenrolled" - type: - - info - - deletion - category: - - iam - action: mfa-device-unenrolled - gd_update_device_account: - classification: "User/Behavioral - Notification" - value: "Device used for second factor authentication has been updated" - 
type: - - info - - change - category: - - iam - action: mfa-device-updated - ublkdu: - classification: "User/Behavioral - Notification" - value: "User block setup by anomaly detection has been released" - type: - - info - action: user-login-block-released - sce: - classification: "User/Behavioral - Success" - value: "Successfully changed user email" - type: - - info - - change - - user - category: - - iam - action: user-email-changed-successfully - scp: - classification: "User/Behavioral - Success" - value: "Successfully changed password" - type: - - info - - change - - user - category: - - iam - action: user-password-changed-successfully - scpn: - classification: "User/Behavioral - Success" - value: "Successfully changed phone number" - type: - - info - - change - - user - category: - - iam - action: user-phone-number-changed-successfully - scpr: - classification: "User/Behavioral - Success" - value: "Successful change password request" - type: - - info - - change - - user - category: - - iam - action: user-password-change-request-successful - scu: - classification: "User/Behavioral - Success" - value: "Successfully changed username" - type: - - info - - change - - user - category: - - iam - action: username-changed-successfully - sdu: - classification: "User/Behavioral - Success" - value: "User successfully deleted" - type: - - info - - deletion - category: - - iam - action: user-deleted-successfully - srrt: - classification: "User/Behavioral - Success" - value: "Successfully revoked a Refresh Token" - type: - - info - - deletion - category: - - iam - action: revoked-refresh-token-successfully - sui: - classification: "User/Behavioral - Success" - value: "Successfully imported users" - type: - - info - - user - category: - - iam - action: imported-users-successfully - sv: - classification: "User/Behavioral - Success" - value: "Sent verification email" - type: - - info - - user - category: - - iam - action: sent-verification-email - svr: - classification: 
"User/Behavioral - Success" - value: "Successfully processed verification email request" - type: - - info - - user - category: - - iam - action: email-verification-processed-successfully - fcph: - classification: "Other" - value: "Failed Post Change Password Hook" - type: - - change - - user - category: - - iam - action: failed-post-change-password-hook - fdeac: - classification: "Other" - value: "Failed to activate device" - type: - - info - action: failed-to-activate-device - fi: - classification: "Other" - value: "Failed to accept a user invitation. This could happen if the user accepts an invitation using a different email address than provided in the invitation, or due to a system failure while provisioning the invitation." - type: - - info - action: failed-to-accept-user-invitation - gd_auth_failed: - classification: "Other" - value: "Multi-factor authentication failed. This could happen due to a wrong code entered for SMS/Voice/Email/TOTP factors, or a system failure." - type: - - info - action: mfa-authentication-failed-wrong-code - gd_auth_rejected: - classification: "Other" - value: "A user rejected a Multi-factor authentication request via push-notification." - type: - - info - action: user-rejected-mfa-request - gd_auth_succeed: - classification: "Other" - value: "Multi-factor authentication success." - type: - - info - action: mfa-authentication-succeeded - gd_otp_rate_limit_exceed: - classification: "Other" - value: "A user, during enrollment or authentication, enters an incorrect code more than the maximum allowed number of times. Ex: A user enrolling in SMS enters the 6-digit code wrong more than 10 times in a row." - type: - - info - - indicator - category: - - threat - action: user-entered-too-many-incorrect-codes - gd_recovery_failed: - classification: "Other" - value: "A user enters a wrong recovery code when attempting to authenticate." 
- type: - - info - action: user-entered-wrong-recovery-code - gd_recovery_rate_limit_exceed: - classification: "Other" - value: "A user enters a wrong recovery code too many times." - type: - - info - - indicator - category: - - threat - action: user-entered-too-many-wrong-codes - gd_recovery_succeed: - classification: "Other" - value: "A user successfully authenticates with a recovery code" - type: - - info - action: recovery-succeeded - gd_send_pn: - classification: "Other" - value: "Push notification for MFA sent successfully sent." - type: - - info - action: push-notification-sent - gd_send_sms: - classification: "Other" - value: "SMS for MFA successfully sent." - type: - - info - action: sms-sent - gd_send_sms_failure: - classification: "Other" - value: "Attempt to send SMS for MFA failed." - type: - - info - action: failed-to-send-sms - gd_send_voice: - classification: "Other" - value: "Voice call for MFA successfully made." - type: - - info - action: voice-call-made - gd_send_voice_failure: - classification: "Other" - value: "Attempt to make Voice call for MFA failed." - type: - - info - action: voice-call-failure - gd_start_auth: - classification: "Other" - value: "Second factor authentication event started for MFA." - type: - - info - action: 2fa-auth-event-started - gd_tenant_update: - classification: "Other" - value: "Guardian tenant update" - type: - - info - action: guardian-tenant-update - limit_sul: - classification: "Other" - value: "A user is temporarily prevented from logging in because more than 20 logins per minute occurred from the same IP address" - type: - - info - - indicator - category: - - threat - action: user-blocked-too-many-failed-logins-from-same-ip - mfar: - classification: "Other" - value: "A user has been prompted for multi-factor authentication (MFA). When using Adaptive MFA, Auth0 includes details about the risk assessment." 
- type: - - info - action: user-prompted-for-mfa - pla: - classification: "Other" - value: "This log is generated before a login and helps in monitoring the behavior of bot detection without having to enable it." - type: - - info - action: pre-login-assessment - pwd_leak: - classification: "Other" - value: "Someone behind the IP address attempted to login with a leaked password." - type: - - info - category: - - intrusion_detection - action: login-with-breached-password - scph: - classification: "Other" - value: "Success Post Change Password Hook" - type: - - info - action: success-post-change-password-hook - sd: - classification: "Other" - value: "Success delegation" - type: - - info - action: success-delegation - si: - classification: "Other" - value: "Successfully accepted a user invitation" - type: - - info - action: successfully-accepted-user-invitation - ss: - classification: "Other" - value: "Success Signup" - type: - - info - action: success-signup - source: |- - def eventType = ctx.auth0.logs.data.type; - def actions = params.get('actions'); - def actionData = actions.get(eventType); - if (actionData == null) { - ctx.event.action = 'unknown-' + eventType; - ctx.event.type = ['info']; - return; - } - // overwrite type abbreviation with actual value - def eventTypeVal = actionData.get('value'); - if (eventTypeVal != null) { - ctx.auth0.logs.data.type = eventTypeVal; - } - // event.type - def actionType = actionData.get('type'); - if (actionType != null) { - ctx.event.type = new ArrayList(actionType); - } - // event.category - def actionCategory = actionData.get('category'); - if (actionCategory != null) { - for (def c : actionCategory) { - ctx.event.category.add(c); - } - } - // event.action - def action = actionData.get('action'); - if (action != null) { - ctx.event.action = action; - } - // auth0 event category / classification group - def classification = actionData.get('classification'); - if (classification != null) { - 
ctx.auth0.logs.data.classification = classification; - } - // event.outcome - if (classification.toLowerCase().contains("success")) { - ctx.event.outcome = "success"; - } else if (classification.toLowerCase().contains("failure")) { - ctx.event.outcome = "failure"; - } else { - ctx.event.outcome = "unknown"; - } -- date: - if: ctx?.auth0?.logs?.data?.details?.initiatedAt != null - field: auth0.logs.data.details.initiatedAt - target_field: auth0.logs.data.login.initiatedAt - formats: - - UNIX_MS -- date: - if: ctx?.auth0?.logs?.data?.details?.completedAt != null - field: auth0.logs.data.details.completedAt - target_field: auth0.logs.data.login.completedAt - formats: - - UNIX_MS -- convert: - if: ctx?.auth0?.logs?.data?.details?.elapsedTime != null - field: auth0.logs.data.details.elapsedTime - target_field: auth0.logs.data.login.elapsedTime - type: long - ignore_missing: true -- convert: - if: "ctx.auth0.logs.data.type == 'Successful login'" - field: auth0.logs.data.details.stats.loginsCount - target_field: auth0.logs.data.login.stats.loginsCount - type: long - ignore_missing: true -## -# Clean up -## -- remove: - field: - - json - - auth0.logs.data.ip - - auth0.logs.data.user_name - - auth0.logs.data.user_id - - auth0.logs.data.user_agent - - auth0.logs.data.log_id - ignore_missing: true -- remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. 
- source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/auth0/1.0.0/data_stream/logs/fields/agent.yml b/packages/auth0/1.0.0/data_stream/logs/fields/agent.yml deleted file mode 100755 index b4f84cf84a..0000000000 --- a/packages/auth0/1.0.0/data_stream/logs/fields/agent.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: input.type - type: keyword - description: Input type. diff --git a/packages/auth0/1.0.0/data_stream/logs/fields/base-fields.yml b/packages/auth0/1.0.0/data_stream/logs/fields/base-fields.yml deleted file mode 100755 index bc27cfd1c1..0000000000 --- a/packages/auth0/1.0.0/data_stream/logs/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event timestamp. - value: auth0 -- name: event.dataset - type: constant_keyword - description: Event timestamp. - value: auth0.logs 
diff --git a/packages/auth0/1.0.0/data_stream/logs/fields/ecs.yml b/packages/auth0/1.0.0/data_stream/logs/fields/ecs.yml
deleted file mode 100755
index b2d6d71186..0000000000
--- a/packages/auth0/1.0.0/data_stream/logs/fields/ecs.yml
+++ /dev/null
@@ -1,298 +0,0 @@
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: destination.user.domain
- type: keyword
-- description: Unique identifier of the user.
- name: destination.user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.user.name
- type: keyword
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Identification code for this event, if one exists.
- Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
- name: event.code
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- Source of the event.
- Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
- name: event.provider
- type: keyword
-- description: |-
- Sequence number of the event.
- The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
- name: event.sequence
- type: long
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: Directory where the file is located. It should include the drive letter, when appropriate.
- name: file.directory
- type: keyword
-- description: |-
- File extension, excluding the leading dot.
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: file.extension
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: file.name
- type: keyword
-- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- multi_fields:
- - name: text
- type: match_only_text
- name: file.path
- type: keyword
-- description: |-
- Name of the host.
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
- name: host.name
- type: keyword
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: |-
- Array of process arguments, starting with the absolute path to the executable.
- May be filtered to protect sensitive information.
- name: process.args
- type: keyword
-- description: |-
- Length of the process.args array.
- This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
- name: process.args_count
- type: long
-- description: |-
- Full command line that started the process, including the absolute path to the executable, and all arguments.
- Some arguments may be filtered to protect sensitive information.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.command_line
- type: wildcard
-- description: |-
- Unique identifier for the process.
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
- Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
- name: process.entity_id
- type: keyword
-- description: Absolute path to the process executable.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.executable
- type: keyword
-- description: |-
- Process name.
- Sometimes called program name or similar.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.name
- type: keyword
-- description: Process id.
- name: process.pid
- type: long
-- description: |-
- Process title.
- The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
- multi_fields:
- - name: text
- type: match_only_text
- name: process.title
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: source.user.domain
- type: keyword
-- description: Unique identifier of the user.
- name: source.user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.user.name
- type: keyword
-- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
-- description: Unique identifier of the user.
- name: user.id
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
- name: network.type
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
-- description: |-
- User-defined description of a location, at the level of granularity they care about.
- Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
- Not typically used in automated geolocation.
- name: source.geo.name
- type: keyword
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: Name of the user agent.
- name: user_agent.name
- type: keyword
-- description: Name of the device.
- name: user_agent.device.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: Version of the user agent.
- name: user_agent.version
- type: keyword
-- description: OS family (such as redhat, debian, freebsd, windows).
- name: user_agent.os.family
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.full
- type: keyword
-- description: Operating system kernel version as a raw string.
- name: user_agent.os.kernel
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.name
- type: keyword
-- description: Operating system platform (such centos, ubuntu, windows).
- name: user_agent.os.platform
- type: keyword
-- description: |-
- Use the `os.type` field to categorize the operating system into one of the broad commercial families.
- One of these following values should be used (lowercase): linux, macos, unix, windows.
- If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
- name: user_agent.os.type
- type: keyword
-- description: Operating system version as a raw string.
- name: user_agent.os.version
- type: keyword
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
diff --git a/packages/auth0/1.0.0/data_stream/logs/fields/fields.yml b/packages/auth0/1.0.0/data_stream/logs/fields/fields.yml
deleted file mode 100755
index fc2da86b51..0000000000
--- a/packages/auth0/1.0.0/data_stream/logs/fields/fields.yml
+++ /dev/null
@@ -1,126 +0,0 @@
-- name: auth0
- type: group
- description: Fields for Auth0 events.
- fields:
- - name: logs
- type: group
- description: Fields for Auth0 log events.
- fields:
- - name: log_id
- type: keyword
- description: Unique log event identifier
- - name: data
- type: group
- description: log stream event data
- fields:
- - name: log_id
- type: keyword
- description: Unique log event identifier
- - name: date
- type: date
- description: Date when the event occurred in ISO 8601 format.
- - name: type
- type: keyword
- description: Type of event.
- - name: description
- type: text
- description: Description of this event.
- - name: connection
- type: keyword
- description: Name of the connection the event relates to.
- - name: connection_id
- type: keyword
- description: ID of the connection the event relates to.
- - name: client_id
- type: keyword
- description: ID of the client (application).
- - name: client_name
- type: keyword
- description: Name of the client (application).
- - name: ip
- type: ip
- description: IP address of the log event source.
- - name: hostname
- type: keyword
- description: Hostname the event applies to.
- - name: user_id
- type: keyword
- description: ID of the user involved in the event.
- - name: user_name
- type: keyword
- description: Name of the user involved in the event.
- - name: audience
- type: keyword
- description: API audience the event applies to.
- - name: scope
- type: keyword
- description: Scope permissions applied to the event.
- - name: strategy
- type: keyword
- description: Name of the strategy involved in the event.
- - name: strategy_type
- type: keyword
- description: Type of strategy involved in the event.
- - name: log_id
- type: keyword
- description: Unique ID of the event.
- - name: is_mobile
- type: boolean
- description: Whether the client was a mobile device (true) or desktop/laptop/server (false).
- - name: classification
- type: keyword
- description: Log stream filters
- - name: details
- type: flattened
- description: Additional useful details about this event (values here depend upon event type).
- - name: login
- type: group
- description: Filtered fields for login type
- fields:
- - name: initiatedAt
- type: date
- description: Time at which the operation was initiated
- - name: completedAt
- type: date
- description: Time at which the operation was completed
- - name: elapsedTime
- type: long
- description: Number of milliseconds the operation took to complete.
- - name: stats
- type: group
- description: login stats
- fields:
- - name: loginsCount
- type: long
- description: Total number of logins performed by the user
- - name: user_agent
- type: text
- description: User agent string from the client device that caused the event.
- - name: location_info
- type: group
- description: Information about the location that triggered this event based on the IP.
- fields:
- - name: country_code
- type: keyword
- description: Two-letter [Alpha-2 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code
- - name: country_code3
- type: keyword
- description: Three-letter [Alpha-3 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code
- - name: country_name
- type: keyword
- description: Full country name in English.
- - name: city_name
- type: keyword
- description: Full city name in English.
- - name: latitude
- type: keyword
- description: Global latitude (horizontal) position.
- - name: longitude
- type: keyword
- description: Global longitude (vertical) position.
- - name: time_zone
- type: keyword
- description: Time zone name as found in the [tz database](https://www.iana.org/time-zones).
- - name: continent_code
- type: keyword
- description: Continent the country is located within. Can be AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania) or SA (South America).
diff --git a/packages/auth0/1.0.0/data_stream/logs/manifest.yml b/packages/auth0/1.0.0/data_stream/logs/manifest.yml
deleted file mode 100755
index 0e7b6a206d..0000000000
--- a/packages/auth0/1.0.0/data_stream/logs/manifest.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-title: "Auth0 logs via Webhooks"
-type: logs
-streams:
- - input: http_endpoint
- title: Auth0 log events
- description: Receives log events from Auth0
- template_path: http_endpoint.yml.hbs
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: Bind address for the listener. Use 0.0.0.0 to listen on all interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: listen_port
- type: integer
- title: Listen Port
- multi: false
- required: true
- show_user: true
- default: 8383
- - name: url
- type: text
- title: Webhook path
- description: URL path where the webhook will accept requests.
- multi: false
- required: true
- show_user: false
- default: /auth0/logs
- - name: secret_value
- type: text
- description: Authorization token
- multi: false
- required: false
- show_user: true
- - name: ssl
- type: yaml
- title: TLS
- description: Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
- multi: false
- required: false
- show_user: false
- default: |
- enabled: false
- certificate: "/etc/pki/client/cert.pem"
- key: "/etc/pki/client/cert.key"
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - auth0-logstream
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/auth0/1.0.0/data_stream/logs/sample_event.json b/packages/auth0/1.0.0/data_stream/logs/sample_event.json
deleted file mode 100755
index 02d4e4c023..0000000000
--- a/packages/auth0/1.0.0/data_stream/logs/sample_event.json
+++ /dev/null
@@ -1,156 +0,0 @@
-{
- "@timestamp": "2021-11-03T03:25:28.923Z",
- "agent": {
- "ephemeral_id": "3c2232a0-df0e-48e0-8440-96d5500ce25c",
- "hostname": "docker-fleet-agent",
- "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.16.2"
- },
- "auth0": {
- "logs": {
- "data": {
- "classification": "Login - Success",
- "client_id": "aI61p8I8aFjmYRliLWgvM9ev97kCCNDB",
- "client_name": "Default App",
- "connection": "Username-Password-Authentication",
- "connection_id": "con_1a5wCUmAs6VOU17n",
- "date": "2021-11-03T03:25:28.923Z",
- "details": {
- "completedAt": 1635909928922,
- "elapsedTime": 1110091,
- "initiatedAt": 1635908818831,
- "prompts": [
- {
- "completedAt": 1635909903693,
- "connection": "Username-Password-Authentication",
- "connection_id": "con_1a5wCUmAs6VOU17n",
- "identity": "6182002f34f4dd006b05b5c7",
- "name": "prompt-authenticate",
- "stats": {
- "loginsCount": 1
- },
- "strategy": "auth0"
- },
- {
- "completedAt": 1635909903745,
- "elapsedTime": 1084902,
- "flow": "universal-login",
- "initiatedAt": 1635908818843,
- "name": "login",
- "timers": {
- "rules": 5
- },
- "user_id": "auth0|6182002f34f4dd006b05b5c7",
- "user_name": "neo@test.com"
- },
- {
- "completedAt": 1635909928352,
- "elapsedTime": 23378,
- "flow": "consent",
- "grantInfo": {
- "audience": "https://dev-yoj8axza.au.auth0.com/userinfo",
- "id": "618201284369c9b4f9cd6d52",
- "scope": "openid profile"
- },
- "initiatedAt": 1635909904974,
- "name": "consent"
- }
- ],
- "session_id": "1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc",
- "stats": {
- "loginsCount": 1
- }
- },
- "hostname": "dev-yoj8axza.au.auth0.com",
- "login": {
- "completedAt": "2021-11-03T03:25:28.922Z",
- "elapsedTime": 1110091,
- "initiatedAt": "2021-11-03T03:06:58.831Z",
- "stats": {
- "loginsCount": 1
- }
- },
- "strategy": "auth0",
- "strategy_type": "database",
- "type": "Successful login"
- }
- }
- },
- "data_stream": {
- "dataset": "auth0.logs",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "1.12.0"
- },
- "elastic_agent": {
- "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859",
- "snapshot": false,
- "version": "7.16.2"
- },
- "event": {
- "action": "successful-login",
- "agent_id_status": "verified",
- "category": [
- "authentication",
- "session"
- ],
- "dataset": "auth0.logs",
- "id": "90020211103032530111223343147286033102509916061341581378",
- "ingested": "2022-01-20T05:57:05Z",
- "kind": "event",
- "original": "{\"data\":{\"client_id\":\"aI61p8I8aFjmYRliLWgvM9ev97kCCNDB\",\"client_name\":\"Default App\",\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"date\":\"2021-11-03T03:25:28.923Z\",\"details\":{\"completedAt\":1635909928922,\"elapsedTime\":1110091,\"initiatedAt\":1635908818831,\"prompts\":[{\"completedAt\":1635909903693,\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"elapsedTime\":null,\"identity\":\"6182002f34f4dd006b05b5c7\",\"name\":\"prompt-authenticate\",\"stats\":{\"loginsCount\":1},\"strategy\":\"auth0\"},{\"completedAt\":1635909903745,\"elapsedTime\":1084902,\"flow\":\"universal-login\",\"initiatedAt\":1635908818843,\"name\":\"login\",\"timers\":{\"rules\":5},\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},{\"completedAt\":1635909928352,\"elapsedTime\":23378,\"flow\":\"consent\",\"grantInfo\":{\"audience\":\"https://dev-yoj8axza.au.auth0.com/userinfo\",\"expiration\":null,\"id\":\"618201284369c9b4f9cd6d52\",\"scope\":\"openid profile\"},\"initiatedAt\":1635909904974,\"name\":\"consent\"}],\"session_id\":\"1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc\",\"stats\":{\"loginsCount\":1}},\"hostname\":\"dev-yoj8axza.au.auth0.com\",\"ip\":\"81.2.69.143\",\"log_id\":\"90020211103032530111223343147286033102509916061341581378\",\"strategy\":\"auth0\",\"strategy_type\":\"database\",\"type\":\"s\",\"user_agent\":\"Mozilla/5.0 (X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0\",\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},\"log_id\":\"90020211103032530111223343147286033102509916061341581378\"}",
- "outcome": "success",
- "type": [
- "info",
- "start"
- ]
- },
- "input": {
- "type": "http_endpoint"
- },
- "log": {
- "level": "info"
- },
- "network": {
- "type": "ipv4"
- },
- "source": {
- "geo": {
- "city_name": "London",
- "continent_name": "Europe",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "location": {
- "lat": 51.5142,
- "lon": -0.0931
- },
- "region_iso_code": "GB-ENG",
- "region_name": "England"
- },
- "ip": "81.2.69.143"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "auth0-logstream"
- ],
- "user": {
- "id": "auth0|6182002f34f4dd006b05b5c7",
- "name": "neo@test.com"
- },
- "user_agent": {
- "device": {
- "name": "Other"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0",
- "os": {
- "name": "Ubuntu"
- },
- "version": "93.0."
- }
-}
\ No newline at end of file
diff --git a/packages/auth0/1.0.0/docs/README.md b/packages/auth0/1.0.0/docs/README.md
deleted file mode 100755
index a40c20f6ac..0000000000
--- a/packages/auth0/1.0.0/docs/README.md
+++ /dev/null
@@ -1,330 +0,0 @@
-# Auth0 Log Streams Integration
-
-Auth0 offers integrations that push log events via log streams to Elasticsearch. The [Auth0 Log Streams](https://auth0.com/docs/customize/log-streams) integration package creates a HTTP listener that accepts incoming log events and ingests them into Elasticsearch. This allows you to search, observe and visualize the Auth0 log events through Elasticsearch.
-
-The agent running this integration must be able to accept requests from the Internet in order for Auth0 to be able connect. Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
-
-For more information, see Auth0's webpage on [integration to Elastic Security](https://marketplace.auth0.com/integrations/elastic-security).
-
-## Compatability
-
-The package collects log events sent via log stream webhooks.
-
-## Configuration
-
-### Enabling the integration in Elastic
-
-1. In Kibana go to **Management > Integrations**
-2. In "Search for integrations" search bar type **Auth0**
-3. Click on "Auth0" integration from the search results.
-4. Click on **Add Auth0** button to add Auth0 integration.
-
-### Configure the Auth0 integration
-
-1. Enter values for "Listen Address", "Listen Port" and "Webhook path" to form the endpoint URL. Make note of the **Endpoint URL** `https://{AGENT_ADDRESS}:8383/auth0/logs`.
-2. Enter value for "Secret value". This must match the "Authorization Token" value entered when configuring the "Custom Webhook" from Auth0 cloud.
-3. Enter values for "TLS". Auth0 requires that the webhook accept requests over HTTPS. So you must either configure the integration with a valid TLS certificate or use a reverse proxy in front of the integration.
-
-### Creating the stream in Auth0
-
-1. From the Auth0 management console, navigate to **Logs > Streams** and click **+ Create Stream**.
-2. Choose **Custom Webhook**.
-3.
Name the new **Event Stream** appropriately (e.g. Elastic) and click **Create**.
-4. In **Payload URL**, paste the **Endpoint URL** collected during Step 1 of **Configure the Auth0 integration** section.
-5. In **Authorization Token**, paste the **Authorization Token**. This must match the value entered in Step 2 of **Configure the Auth0 integration** section.
-6. In **Content Type**, choose **application/json**.
-7. In **Content Format**, choose **JSON Lines**.
-8. **Click Save**.
-
-## Log Events
-
-Enable to collect Auth0 log events for all the applications configured for the chosen log stream.
-
-## Logs
-
-### Log Stream Events
-
-The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log events are available in the `auth0.logs` field group.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| auth0.logs.data.audience | API audience the event applies to. | keyword |
-| auth0.logs.data.classification | Log stream filters | keyword |
-| auth0.logs.data.client_id | ID of the client (application). | keyword |
-| auth0.logs.data.client_name | Name of the client (application). | keyword |
-| auth0.logs.data.connection | Name of the connection the event relates to. | keyword |
-| auth0.logs.data.connection_id | ID of the connection the event relates to. | keyword |
-| auth0.logs.data.date | Date when the event occurred in ISO 8601 format. | date |
-| auth0.logs.data.description | Description of this event. | text |
-| auth0.logs.data.details | Additional useful details about this event (values here depend upon event type). | flattened |
-| auth0.logs.data.hostname | Hostname the event applies to. | keyword |
-| auth0.logs.data.ip | IP address of the log event source. | ip |
-| auth0.logs.data.is_mobile | Whether the client was a mobile device (true) or desktop/laptop/server (false). | boolean |
-| auth0.logs.data.location_info.city_name | Full city name in English.
| keyword |
-| auth0.logs.data.location_info.continent_code | Continent the country is located within. Can be AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania) or SA (South America). | keyword |
-| auth0.logs.data.location_info.country_code | Two-letter [Alpha-2 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code | keyword |
-| auth0.logs.data.location_info.country_code3 | Three-letter [Alpha-3 ISO 3166-1](https://www.iso.org/iso-3166-country-codes.html) country code | keyword |
-| auth0.logs.data.location_info.country_name | Full country name in English. | keyword |
-| auth0.logs.data.location_info.latitude | Global latitude (horizontal) position. | keyword |
-| auth0.logs.data.location_info.longitude | Global longitude (vertical) position. | keyword |
-| auth0.logs.data.location_info.time_zone | Time zone name as found in the [tz database](https://www.iana.org/time-zones). | keyword |
-| auth0.logs.data.log_id | Unique ID of the event. | keyword |
-| auth0.logs.data.login.completedAt | Time at which the operation was completed | date |
-| auth0.logs.data.login.elapsedTime | Number of milliseconds the operation took to complete. | long |
-| auth0.logs.data.login.initiatedAt | Time at which the operation was initiated | date |
-| auth0.logs.data.login.stats.loginsCount | Total number of logins performed by the user | long |
-| auth0.logs.data.scope | Scope permissions applied to the event. | keyword |
-| auth0.logs.data.strategy | Name of the strategy involved in the event. | keyword |
-| auth0.logs.data.strategy_type | Type of strategy involved in the event. | keyword |
-| auth0.logs.data.type | Type of event. | keyword |
-| auth0.logs.data.user_agent | User agent string from the client device that caused the event. | text |
-| auth0.logs.data.user_id | ID of the user involved in the event. | keyword |
-| auth0.logs.data.user_name | Name of the user involved in the event.
| keyword |
-| auth0.logs.log_id | Unique log event identifier | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| destination.user.id | Unique identifier of the user. | keyword |
-| destination.user.name | Short name or login of the user. | keyword |
-| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
| keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event timestamp. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event timestamp. | constant_keyword |
-| event.original | Raw text message of entire event.
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
-| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
-| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| input.type | Input type. | keyword |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
-| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
-| process.args_count | Length of the process.args array.
This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.pid | Process id. | long |
-| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
-| process.title.text | Multi-field of `process.title`. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
| keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. | keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| source.user.id | Unique identifier of the user. | keyword |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`.
| match_only_text |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| user_agent.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent.
| keyword |
-
-
-An example event for `logs` looks as following:
-
-```json
-{
- "@timestamp": "2021-11-03T03:25:28.923Z",
- "agent": {
- "ephemeral_id": "3c2232a0-df0e-48e0-8440-96d5500ce25c",
- "hostname": "docker-fleet-agent",
- "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.16.2"
- },
- "auth0": {
- "logs": {
- "data": {
- "classification": "Login - Success",
- "client_id": "aI61p8I8aFjmYRliLWgvM9ev97kCCNDB",
- "client_name": "Default App",
- "connection": "Username-Password-Authentication",
- "connection_id": "con_1a5wCUmAs6VOU17n",
- "date": "2021-11-03T03:25:28.923Z",
- "details": {
- "completedAt": 1635909928922,
- "elapsedTime": 1110091,
- "initiatedAt": 1635908818831,
- "prompts": [
- {
- "completedAt": 1635909903693,
- "connection": "Username-Password-Authentication",
- "connection_id": "con_1a5wCUmAs6VOU17n",
- "identity": "6182002f34f4dd006b05b5c7",
- "name": "prompt-authenticate",
- "stats": {
- "loginsCount": 1
- },
- "strategy": "auth0"
- },
- {
- "completedAt": 1635909903745,
- "elapsedTime": 1084902,
- "flow": "universal-login",
- "initiatedAt": 1635908818843,
- "name": "login",
- "timers": {
- "rules": 5
- },
- "user_id": "auth0|6182002f34f4dd006b05b5c7",
- "user_name": "neo@test.com"
- },
- {
- "completedAt": 1635909928352,
- "elapsedTime": 23378,
- "flow": "consent",
- "grantInfo": {
- "audience": "https://dev-yoj8axza.au.auth0.com/userinfo",
- "id": "618201284369c9b4f9cd6d52",
- "scope": "openid profile"
- },
- "initiatedAt": 1635909904974,
- "name": "consent"
- }
- ],
- "session_id": "1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc",
- "stats": {
- "loginsCount": 1
- }
- },
- "hostname": "dev-yoj8axza.au.auth0.com",
- "login": {
- "completedAt": "2021-11-03T03:25:28.922Z",
- "elapsedTime": 1110091,
- "initiatedAt": "2021-11-03T03:06:58.831Z",
- "stats": {
- "loginsCount": 1
- }
- },
- "strategy": "auth0",
- "strategy_type": "database",
- "type": "Successful login"
- }
- }
- },
-
"data_stream": {
- "dataset": "auth0.logs",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "1.12.0"
- },
- "elastic_agent": {
- "id": "38ed1ea2-8c9a-4d5a-81ee-826cead96859",
- "snapshot": false,
- "version": "7.16.2"
- },
- "event": {
- "action": "successful-login",
- "agent_id_status": "verified",
- "category": [
- "authentication",
- "session"
- ],
- "dataset": "auth0.logs",
- "id": "90020211103032530111223343147286033102509916061341581378",
- "ingested": "2022-01-20T05:57:05Z",
- "kind": "event",
- "original": "{\"data\":{\"client_id\":\"aI61p8I8aFjmYRliLWgvM9ev97kCCNDB\",\"client_name\":\"Default App\",\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"date\":\"2021-11-03T03:25:28.923Z\",\"details\":{\"completedAt\":1635909928922,\"elapsedTime\":1110091,\"initiatedAt\":1635908818831,\"prompts\":[{\"completedAt\":1635909903693,\"connection\":\"Username-Password-Authentication\",\"connection_id\":\"con_1a5wCUmAs6VOU17n\",\"elapsedTime\":null,\"identity\":\"6182002f34f4dd006b05b5c7\",\"name\":\"prompt-authenticate\",\"stats\":{\"loginsCount\":1},\"strategy\":\"auth0\"},{\"completedAt\":1635909903745,\"elapsedTime\":1084902,\"flow\":\"universal-login\",\"initiatedAt\":1635908818843,\"name\":\"login\",\"timers\":{\"rules\":5},\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},{\"completedAt\":1635909928352,\"elapsedTime\":23378,\"flow\":\"consent\",\"grantInfo\":{\"audience\":\"https://dev-yoj8axza.au.auth0.com/userinfo\",\"expiration\":null,\"id\":\"618201284369c9b4f9cd6d52\",\"scope\":\"openid profile\"},\"initiatedAt\":1635909904974,\"name\":\"consent\"}],\"session_id\":\"1TAd-7tsPYzxWudzqfHYXN0e6q1D0GSc\",\"stats\":{\"loginsCount\":1}},\"hostname\":\"dev-yoj8axza.au.auth0.com\",\"ip\":\"81.2.69.143\",\"log_id\":\"90020211103032530111223343147286033102509916061341581378\",\"strategy\":\"auth0\",\"strategy_type\":\"database\",\"type\":\"s\",\"user_agent\":\"Mozilla/5.0
(X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0\",\"user_id\":\"auth0|6182002f34f4dd006b05b5c7\",\"user_name\":\"neo@test.com\"},\"log_id\":\"90020211103032530111223343147286033102509916061341581378\"}",
- "outcome": "success",
- "type": [
- "info",
- "start"
- ]
- },
- "input": {
- "type": "http_endpoint"
- },
- "log": {
- "level": "info"
- },
- "network": {
- "type": "ipv4"
- },
- "source": {
- "geo": {
- "city_name": "London",
- "continent_name": "Europe",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "location": {
- "lat": 51.5142,
- "lon": -0.0931
- },
- "region_iso_code": "GB-ENG",
- "region_name": "England"
- },
- "ip": "81.2.69.143"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "auth0-logstream"
- ],
- "user": {
- "id": "auth0|6182002f34f4dd006b05b5c7",
- "name": "neo@test.com"
- },
- "user_agent": {
- "device": {
- "name": "Other"
- },
- "name": "Firefox",
- "original": "Mozilla/5.0 (X11;Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0",
- "os": {
- "name": "Ubuntu"
- },
- "version": "93.0."
- }
-}
-```
diff --git a/packages/auth0/1.0.0/img/auth0-logo.svg b/packages/auth0/1.0.0/img/auth0-logo.svg
deleted file mode 100755
index e0f2aa1d36..0000000000
--- a/packages/auth0/1.0.0/img/auth0-logo.svg
+++ /dev/null
@@ -1,60 +0,0 @@ - - - - - - - - - - - - - - - - - - - - -
diff --git a/packages/auth0/1.0.0/img/auth0-screenshot.png b/packages/auth0/1.0.0/img/auth0-screenshot.png
deleted file mode 100755
index 72b880f161..0000000000
Binary files a/packages/auth0/1.0.0/img/auth0-screenshot.png and /dev/null differ
diff --git a/packages/auth0/1.0.0/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json b/packages/auth0/1.0.0/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json
deleted file mode 100755
index 86e7ba2c55..0000000000
--- a/packages/auth0/1.0.0/kibana/dashboard/auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf.json
+++ /dev/null
@@ -1,132 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c9215ac0-57f7-4fbb-af81-9f5bb365a238\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c9215ac0-57f7-4fbb-af81-9f5bb365a238\":{\"columnOrder\":[\"ad18389f-67bd-47ae-bd5e-7a0a8a74ef31\",\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\"],\"columns\":{\"ad18389f-67bd-47ae-bd5e-7a0a8a74ef31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ad18389f-67bd-47ae-bd5e-7a0a8a74ef31\"],\"layerId\":\"c9215ac0-57f7-4fbb-af81-9f5bb365a238\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"becf928d-1e95-4cf0-a37f-e4eb735dcc27\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"1a13814d-17bf-42cf-8ef9-2dc599fb6766\",\"w\":15,\"x\":0,\"y\":0},\"panelIndex\":\"1a13814d-17bf-42cf-8ef9-2dc599fb6766\",\"title\":\"Auth0 Log Stream Event 
Types\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35\":{\"columnOrder\":[\"234dec72-0dd2-42cb-b486-059fa3e0a077\",\"9fb2da13-fb8b-4041-b60e-0840068dc570\"],\"columns\":{\"234dec72-0dd2-42cb-b486-059fa3e0a077\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"9fb2da13-fb8b-4041-b60e-0840068dc570\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique count of event.type\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"9fb2da13-fb8b-4041-b60e-0840068dc570\"],\"layerId\":\"1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"234dec72-0dd2-42cb-b486-059fa3e0a077\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"6089a77e-3c96-4414-9932-eda55ced3d07\",\"w\":14,\"x\":15,\"y\":0},\"panelIndex\":\"6089a77e-3c96-4414-9932-eda55ced3d07\",\"title\":\"Rate of events\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - Failure\"}}}],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"\",\"type\":\"metric\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"5124c723-8890-477e-aad5-bc4fd529bd46\",\"w\":9,\"x\":29,\"y\":0},\"panelIndex\":\"5124c723-8890-477e-aad5-bc4fd529bd46\",\"title\":\"Number of Failed 
Logins\",\"type\":\"visualization\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Signup - Success\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Signup - Success\"}}}],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"\",\"type\":\"metric\",\"uiState\":{}}},\"gridData\":{\"h\":10,\"i\":\"cb337534-d263-480b-b6a3-80cc4f14d73b\",\"w\":10,\"x\":38,\"y\":0},\"panelIndex\":\"cb337534-d263-480b-b6a3-80cc4f14d73b\",\"title\":\"Number of Successful 
Signups\",\"type\":\"visualization\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e7270679-c5d0-496a-9fd2-7409b402bdb0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e7270679-c5d0-496a-9fd2-7409b402bdb0\":{\"columnOrder\":[\"60724141-ecf4-4f42-b263-d12cd64fe1a3\",\"14ed1312-1743-452e-89e9-52018d6db787\"],\"columns\":{\"14ed1312-1743-452e-89e9-52018d6db787\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"60724141-ecf4-4f42-b263-d12cd64fe1a3\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Success\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - 
Success\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"14ed1312-1743-452e-89e9-52018d6db787\"],\"layerId\":\"e7270679-c5d0-496a-9fd2-7409b402bdb0\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"60724141-ecf4-4f42-b263-d12cd64fe1a3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"d00429d4-502f-41d8-8a2b-7300859930ea\",\"w\":15,\"x\":0,\"y\":10},\"panelIndex\":\"d00429d4-502f-41d8-8a2b-7300859930ea\",\"title\":\"Rate of Successful 
Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4fc38bcd-1242-43bb-a213-0c6fe6e7a26e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4fc38bcd-1242-43bb-a213-0c6fe6e7a26e\":{\"columnOrder\":[\"56478895-2ad9-4541-9b3c-debffe3de81d\",\"d8ee79e4-d617-4809-9065-217bcd1f628c\"],\"columns\":{\"56478895-2ad9-4541-9b3c-debffe3de81d\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d8ee79e4-d617-4809-9065-217bcd1f628c\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - 
Failure\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"d8ee79e4-d617-4809-9065-217bcd1f628c\"],\"layerId\":\"4fc38bcd-1242-43bb-a213-0c6fe6e7a26e\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"56478895-2ad9-4541-9b3c-debffe3de81d\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8\",\"w\":14,\"x\":15,\"y\":10},\"panelIndex\":\"c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8\",\"title\":\"Rate of Failed Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"d6323397-e8a4-4869-ad2b-d48ee5b5a70a\",\"w\":19,\"x\":29,\"y\":10},\"panelIndex\":\"d6323397-e8a4-4869-ad2b-d48ee5b5a70a\",\"panelRefName\":\"panel_d6323397-e8a4-4869-ad2b-d48ee5b5a70a\",\"type\":\"visualization\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":11,\"i\":\"253f1007-1537-4012-a663-48bccf233f4c\",\"w\":48,\"x\":0,\"y\":22},\"panelIndex\":\"253f1007-1537-4012-a663-48bccf233f4c\",\"panelRefName\":\"panel_253f1007-1537-4012-a663-48bccf233f4c\",\"type\":\"search\",\"version\":\"7.15.1\"}]", - "timeRestore": false, - "title": "Auth0", - "version": 1 - }, - "coreMigrationVersion": "7.15.1", - "id": "auth0-29fb7200-4062-11ec-b18d-ef6bf98b26bf", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "logs-*", - "name": "1a13814d-17bf-42cf-8ef9-2dc599fb6766:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"1a13814d-17bf-42cf-8ef9-2dc599fb6766:indexpattern-datasource-layer-c9215ac0-57f7-4fbb-af81-9f5bb365a238",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "1a13814d-17bf-42cf-8ef9-2dc599fb6766:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6089a77e-3c96-4414-9932-eda55ced3d07:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6089a77e-3c96-4414-9932-eda55ced3d07:indexpattern-datasource-layer-1f92a60a-ed7e-42e4-b03c-4a3fb37e1a35",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "6089a77e-3c96-4414-9932-eda55ced3d07:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "5124c723-8890-477e-aad5-bc4fd529bd46:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "cb337534-d263-480b-b6a3-80cc4f14d73b:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d00429d4-502f-41d8-8a2b-7300859930ea:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d00429d4-502f-41d8-8a2b-7300859930ea:indexpattern-datasource-layer-e7270679-c5d0-496a-9fd2-7409b402bdb0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- 
"name": "d00429d4-502f-41d8-8a2b-7300859930ea:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d00429d4-502f-41d8-8a2b-7300859930ea:filter-index-pattern-1",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:indexpattern-datasource-layer-4fc38bcd-1242-43bb-a213-0c6fe6e7a26e",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:filter-index-pattern-0",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c1a1b718-c5f1-4029-9fda-0cd7ed38b3a8:filter-index-pattern-1",
- "type": "index-pattern"
- },
- {
- "id": "auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9",
- "name": "d6323397-e8a4-4869-ad2b-d48ee5b5a70a:panel_d6323397-e8a4-4869-ad2b-d48ee5b5a70a",
- "type": "visualization"
- },
- {
- "id": "auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf",
- "name": "253f1007-1537-4012-a663-48bccf233f4c:panel_253f1007-1537-4012-a663-48bccf233f4c",
- "type": "search"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/auth0/1.0.0/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json b/packages/auth0/1.0.0/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json
deleted file mode 100755
index 3d37f68df5..0000000000
--- a/packages/auth0/1.0.0/kibana/search/auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "columns": [
- "auth0.logs.data.connection",
- "auth0.logs.data.user_name",
- "auth0.logs.data.user_agent"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"auth0.logs\\\" \"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Auth0 logs",
- "version": 1
- },
- "coreMigrationVersion": "7.15.1",
- "id": "auth0-629b19e0-4061-11ec-b18d-ef6bf98b26bf",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/auth0/1.0.0/kibana/visualization/auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9.json b/packages/auth0/1.0.0/kibana/visualization/auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9.json
deleted file mode 100755
index 59f6851d51..0000000000
--- a/packages/auth0/1.0.0/kibana/visualization/auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"auth0.logs\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"auth0.logs\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"Login - Failure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"Login - Failure\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "IP Addresses of failed logins",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"auth0.logs.data.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"IP Addresses of failed logins\",\"type\":\"tagcloud\"}"
- },
- "coreMigrationVersion": "7.15.1",
- "id": "auth0-187e7650-42a9-11ec-b9a2-edbe9edd14c9",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/auth0/1.0.0/manifest.yml b/packages/auth0/1.0.0/manifest.yml
deleted file mode 100755
index c92f640b6c..0000000000
--- a/packages/auth0/1.0.0/manifest.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-format_version: 1.0.0
-name: auth0
-title: "Auth0 Log Streams Integration"
-version: 1.0.0
-license: basic
-description: Collect logs from Auth0 with Elastic Agent.
-type: integration
-categories:
- - cloud
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-screenshots:
- - src: /img/auth0-screenshot.png
- title: Auth0 Dashboard
- size: 600x600
- type: image/png
-icons:
- - src: /img/auth0-logo.svg
- title: Auth0 logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: auth0_events
- title: Auth0 log stream events via Webhooks
- description: Collect Auth0 log streams events via Webhooks.
- inputs:
- - type: http_endpoint
- title: Collect Auth0 log streams events via Webhooks
- description: Collecting Auth0 log stream events via Webhooks.
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/carbon_black_cloud/1.0.0/changelog.yml b/packages/carbon_black_cloud/1.0.0/changelog.yml
deleted file mode 100755
index b9356e81df..0000000000
--- a/packages/carbon_black_cloud/1.0.0/changelog.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-# newer versions go on top
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: 0.1.2
- changes:
- - description: Add "VMware" to the title to make it "VMware Carbon Black Cloud".
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3196
-- version: 0.1.1
- changes:
- - description: Captured domain from username and hostname
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3106
-- version: 0.1.0
- changes:
- - description: Initial draft of the package.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2760
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/alert/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.0.0/data_stream/alert/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index e02c596614..0000000000
--- a/packages/carbon_black_cloud/1.0.0/data_stream/alert/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@
-bucket_arn: {{bucket_arn}}
-number_of_workers: {{number_of_workers}}
-bucket_list_interval: {{interval}}
-access_key_id: {{access_key_id}}
-secret_access_key: {{secret_access_key}}
-bucket_list_prefix: {{bucket_list_prefix}}
-expand_event_list_from_field: Records
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.0.0/data_stream/alert/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 2f738b21a6..0000000000
--- a/packages/carbon_black_cloud/1.0.0/data_stream/alert/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,52 +0,0 @@
-config_version: 2
-interval: {{interval}}
-request.timeout: 2m
-request.method: POST
-
-{{#if proxy_url}}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-
-request.url: {{hostname}}/appservices/v6/orgs/{{org_key}}/alerts/_search
-request.transforms:
- - set:
- target: header.X-Auth-Token
- value: {{custom_api_secret_key}}/{{custom_api_id}}
- - set:
- target: body.criteria.last_update_time.start
- value: '[[.cursor.last_update_timestamp]]'
- default: '[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "-15m")) "RFC3339"]]'
- - set:
- target: body.criteria.last_update_time.end
- value: '[[formatDate (now (parseDuration "-15m")) "RFC3339"]]'
- - set:
- target: body.sort
- value: '[{ "field": "last_update_time", "order": "ASC"}]'
- value_type: json
-response.pagination:
- - set:
- target: body.criteria.last_update_time.start
- value: '[[if (ne .last_response.body.num_found .last_response.body.num_available)]][[.last_event.last_update_time]][[else]][[.last_response.terminate_pagination]][[end]]'
- fail_on_template_error: true
-cursor:
- last_update_timestamp:
- value: '[[.last_event.last_update_time]]'
-response.split:
- target: body.results
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index f6f5fc171e..0000000000
--- a/packages/carbon_black_cloud/1.0.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,313 +0,0 @@
----
-description: Pipeline for parsing Carbon Black Cloud alerts.
-processors:
- - set:
- field: ecs.version
- value: "8.0.0"
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - fingerprint:
- fields:
- - json.id
- - json.create_time
- - json.last_update_time
- target_field: _id
- ignore_missing: true
- - date:
- field: json.create_time
- target_field: "@timestamp"
- ignore_failure: true
- formats:
- - ISO8601
- - set:
- field: event.kind
- value: alert
- - rename:
- field: json.id
- target_field: event.id
- ignore_missing: true
- - rename:
- field: json.first_event_time
- target_field: event.start
- ignore_missing: true
- - rename:
- field: json.last_event_time
- target_field: event.end
- ignore_missing: true
- - rename:
- field: json.severity
- target_field: event.severity
- ignore_missing: true
- - urldecode:
- field: json.alert_url
- target_field: event.url
- ignore_missing: true
- - rename:
- field: json.reason
- target_field: event.reason
- ignore_missing: true
- - convert:
- field: json.device_id
- target_field: host.id
- type: string
- ignore_missing: true
- - set:
- field: host.os.type
- value: windows
- if: ctx?.json?.device_os == "WINDOWS"
- - set:
- field: host.os.type
- value: linux
- if: ctx?.json?.device_os == "LINUX"
- - set:
- field: host.os.type
- value: macos
- if: ctx?.json?.device_os == "MAC"
- - set:
- field: event.kind
- value: alert
- - rename:
- field: json.device_os_version
- target_field: host.os.version
- ignore_missing: true
- - rename:
- field: json.device_name
- target_field: host.hostname
- ignore_missing: true
- - grok:
- field: host.hostname
- patterns:
- - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$'
- ignore_missing: true
- ignore_failure: true
- - set:
- field: host.name
- value: "{{{host.hostname}}}"
- ignore_failure: true
- - append:
- field: host.ip
- value: 
"{{{json.device_internal_ip}}}"
- if: ctx?.json?.device_internal_ip != null
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: host.ip
- value: "{{{json.device_external_ip}}}"
- if: ctx?.json?.device_external_ip != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.device_username
- target_field: user.name
- ignore_missing: true
- - grok:
- field: user.name
- patterns:
- - '^(%{DATA:user.domain})\\(%{GREEDYDATA:user.name})$'
- ignore_missing: true
- ignore_failure: true
- - append:
- field: related.ip
- value:
- - "{{{json.device_internal_ip}}}"
- - "{{{json.device_external_ip}}}"
- allow_duplicates: false
- - append:
- field: related.user
- value:
- - "{{{user.name}}}"
- allow_duplicates: false
- - append:
- field: related.hosts
- value:
- - "{{{host.hostname}}}"
- - "{{{user.domain}}}"
- allow_duplicates: false
- - append:
- field: related.hash
- value:
- - "{{{json.threat_cause_actor_md5}}}"
- - "{{{json.threat_cause_actor_sha256}}}"
- allow_duplicates: false
- - rename:
- field: json.process_name
- target_field: process.name
- ignore_missing: true
- - rename:
- field: json.process_path
- target_field: process.executable
- ignore_missing: true
- - rename:
- field: json.process_guid
- target_field: process.entity_id
- ignore_missing: true
- - rename:
- field: json.vendor_name
- target_field: carbon_black_cloud.alert.vendor_name
- ignore_missing: true
- - rename:
- field: json.product_name
- target_field: carbon_black_cloud.alert.product_name
- ignore_missing: true
- - rename:
- field: json.serial_number
- target_field: carbon_black_cloud.alert.serial_number
- ignore_missing: true
- - rename:
- field: json.policy_id
- target_field: carbon_black_cloud.alert.policy.id
- ignore_missing: true
- - rename:
- field: json.policy_name
- target_field: carbon_black_cloud.alert.policy.name
- ignore_missing: true
- - rename:
- field: json.threat_id
- target_field: carbon_black_cloud.alert.threat_id
- ignore_missing: true
- - 
rename:
- field: json.policy_applied
- target_field: carbon_black_cloud.alert.policy.applied
- ignore_missing: true
- - rename:
- field: json.threat_activity_c2
- target_field: carbon_black_cloud.alert.threat_activity.c2
- ignore_missing: true
- - rename:
- field: json.threat_activity_dlp
- target_field: carbon_black_cloud.alert.threat_activity.dlp
- ignore_missing: true
- - rename:
- field: json.threat_activity_phish
- target_field: carbon_black_cloud.alert.threat_activity.phish
- ignore_missing: true
- - rename:
- field: json.threat_cause_actor_name
- target_field: carbon_black_cloud.alert.threat_cause.actor.name
- ignore_missing: true
- - rename:
- field: json.threat_cause_actor_process_pid
- target_field: carbon_black_cloud.alert.threat_cause.actor.process_pid
- ignore_missing: true
- - rename:
- field: json.threat_cause_actor_sha256
- target_field: carbon_black_cloud.alert.threat_cause.actor.sha256
- ignore_missing: true
- - rename:
- field: json.threat_cause_actor_md5
- target_field: carbon_black_cloud.alert.threat_cause.actor.md5
- ignore_missing: true
- - rename:
- field: json.threat_cause_cause_event_id
- target_field: carbon_black_cloud.alert.threat_cause.cause_event_id
- ignore_missing: true
- - rename:
- field: json.threat_cause_parent_guid
- target_field: carbon_black_cloud.alert.threat_cause.process.parent.guid
- ignore_missing: true
- - rename:
- field: json.threat_cause_process_guid
- target_field: carbon_black_cloud.alert.threat_cause.process.guid
- ignore_missing: true
- - rename:
- field: json.threat_cause_reputation
- target_field: carbon_black_cloud.alert.threat_cause.reputation
- ignore_missing: true
- - rename:
- field: json.threat_cause_threat_category
- target_field: carbon_black_cloud.alert.threat_cause.threat_category
- ignore_missing: true
- - rename:
- field: json.threat_cause_vector
- target_field: carbon_black_cloud.alert.threat_cause.vector
- ignore_missing: true
- - rename:
- field: json.ioc_field
- target_field: 
carbon_black_cloud.alert.ioc.field
- ignore_missing: true
- - rename:
- field: json.ioc_hit
- target_field: carbon_black_cloud.alert.ioc.hit
- ignore_missing: true
- - rename:
- field: json.ioc_id
- target_field: carbon_black_cloud.alert.ioc.id
- ignore_missing: true
- - rename:
- field: json.report_id
- target_field: carbon_black_cloud.alert.report.id
- ignore_missing: true
- - rename:
- field: json.report_name
- target_field: carbon_black_cloud.alert.report.name
- ignore_missing: true
- - rename:
- field: json.org_key
- target_field: carbon_black_cloud.alert.organization_key
- ignore_missing: true
- - rename:
- field: json.device_location
- target_field: carbon_black_cloud.alert.device.location
- ignore_missing: true
- - rename:
- field: json.device_os
- target_field: carbon_black_cloud.alert.device.os
- ignore_missing: true
- - rename:
- field: json.device_internal_ip
- target_field: carbon_black_cloud.alert.device.internal_ip
- ignore_missing: true
- - rename:
- field: json.device_external_ip
- target_field: carbon_black_cloud.alert.device.external_ip
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
- - lowercase:
- field: json.category
- ignore_missing: true
- - script:
- description: Adds all the remaining fields in fields under carbon_black_cloud.alert
- lang: painless
- if: ctx?.json != null
- source: |
- for (Map.Entry m : ctx.json.entrySet()) {
- ctx.carbon_black_cloud.alert[m.getKey()] = m.getValue();
- }
- - remove:
- field:
- - json
- - carbon_black_cloud.alert.create_time
- - carbon_black_cloud.alert.device_id
- - carbon_black_cloud.alert.alert_url
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) 
object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
-on_failure:
- - set:
- field: error.message
- value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/alert/fields/agent.yml b/packages/carbon_black_cloud/1.0.0/data_stream/alert/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/carbon_black_cloud/1.0.0/data_stream/alert/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/alert/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.0/data_stream/alert/fields/base-fields.yml
deleted file mode 100755
index 14fb618ea4..0000000000
--- a/packages/carbon_black_cloud/1.0.0/data_stream/alert/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: carbon_black_cloud
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: carbon_black_cloud.alert
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/alert/fields/ecs.yml b/packages/carbon_black_cloud/1.0.0/data_stream/alert/fields/ecs.yml
deleted file mode 100755
index cfad6817c1..0000000000
--- a/packages/carbon_black_cloud/1.0.0/data_stream/alert/fields/ecs.yml
+++ /dev/null
@@ -1,117 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. 
For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - URL linking to an external system to continue investigation of this event. - This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.url - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: Operating system version as a raw string. - name: host.os.version - type: keyword -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. 
- name: related.user - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/alert/fields/fields.yml b/packages/carbon_black_cloud/1.0.0/data_stream/alert/fields/fields.yml deleted file mode 100755 index 3eca3a1515..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/alert/fields/fields.yml +++ /dev/null 
@@ -1,218 +0,0 @@ -- name: carbon_black_cloud.alert - type: group - fields: - - name: blocked_threat_category - type: keyword - description: The category of threat which we were able to take action on. - - name: category - type: keyword - description: The category of the alert. - - name: count - type: long - - name: created_by_event_id - type: keyword - description: Event identifier that initiated the alert. - - name: device - type: group - fields: - - name: location - type: keyword - description: The Location of device. - - name: os - type: keyword - description: OS of the device. - - name: internal_ip - type: ip - description: Internal IP of the device. - - name: external_ip - type: ip - description: External IP of the device. - - name: document_guid - type: keyword - description: Unique ID of document. - - name: ioc - type: group - fields: - - name: field - type: keyword - description: The field the indicator of comprise (IOC) hit contains. - - name: hit - type: keyword - description: IOC field value or IOC query that matches. - - name: id - type: keyword - description: The identifier of the IOC that cause the hit. - - name: kill_chain_status - type: keyword - description: The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. - - name: last_update_time - type: date - description: The last time the alert was updated as an ISO 8601 UTC timestamp. - - name: legacy_alert_id - type: keyword - description: The legacy identifier for the alert. - - name: not_blocked_threat_category - type: keyword - description: Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). - - name: notes_present - type: boolean - description: Indicates if notes are associated with the threat_id. - - name: organization_key - type: keyword - description: The unique identifier for the organization associated with the alert. 
- - name: policy - type: group - fields: - - name: applied - type: keyword - description: Whether a policy was applied. - - name: id - type: long - description: The identifier for the policy associated with the device at the time of the alert. - - name: name - type: keyword - description: The name of the policy associated with the device at the time of the alert. - - name: product_id - type: keyword - description: The hexadecimal id of the USB device's product. - - name: product_name - type: keyword - description: The name of the USB device’s vendor. - - name: reason_code - type: keyword - description: Shorthand enum for the full-text reason. - - name: report - type: group - fields: - - name: id - type: keyword - description: The identifier of the report that contains the IOC. - - name: name - type: keyword - description: The name of the report that contains the IOC. - - name: run_state - type: keyword - description: Whether the threat in the alert ran. - - name: sensor_action - type: keyword - description: The action taken by the sensor, according to the rule of the policy. - - name: serial_number - type: keyword - description: The serial number of the USB device. - - name: status - type: keyword - description: status of alert. - - name: tags - type: keyword - description: Tags associated with the alert. - - name: target_value - type: keyword - description: The priority of the device assigned by the policy. - - name: threat_activity - type: group - fields: - - name: c2 - type: keyword - description: Whether the alert involved a command and control (c2) server. - - name: dlp - type: keyword - description: Whether the alert involved data loss prevention (DLP). - - name: phish - type: keyword - description: Whether the alert involved phishing. - - name: threat_cause - type: group - fields: - - name: actor - type: group - fields: - - name: md5 - type: keyword - description: MD5 of the threat cause actor. 
- - name: name - type: keyword - description: 'The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan.' - - name: process_pid - type: keyword - description: Process identifier (PID) of the actor process. - - name: sha256 - type: keyword - description: SHA256 of the threat cause actor. - - name: cause_event_id - type: keyword - description: ID of the Event that triggered the threat. - - name: process - type: group - fields: - - name: guid - type: keyword - description: The global unique identifier of the process. - - name: parent - type: group - fields: - - name: guid - type: keyword - description: The global unique identifier of the process. - - name: reputation - type: keyword - description: Reputation of the threat cause. - - name: threat_category - type: keyword - description: Category of the threat cause. - - name: vector - type: keyword - description: The source of the threat cause. - - name: threat_id - type: keyword - description: The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. - - name: threat_indicators - type: group - description: List of the threat indicators that make up the threat. - fields: - - name: process_name - type: keyword - description: Process name associated with threat. - - name: sha256 - type: keyword - description: Sha256 associated with threat. - - name: ttps - type: keyword - description: Tactics, techniques and procedures associated with threat. - - name: type - type: keyword - description: Type of alert. - - name: vendor_id - type: keyword - description: The hexadecimal id of the USB device's vendor. - - name: vendor_name - type: keyword - description: The name of the USB device’s vendor. - - name: watchlists - type: group - description: List of watchlists associated with an alert. 
- fields: - - name: id - type: keyword - description: The identifier of watchlist. - - name: name - type: keyword - description: The name of the watchlist. - - name: workflow - type: group - description: Tracking system for alerts as they are triaged and resolved. - fields: - - name: changed_by - type: keyword - description: The name of user who changed the workflow. - - name: comment - type: keyword - description: Comment associated with workflow. - - name: last_update_time - type: date - description: The last update time of workflow. - - name: remediation - type: keyword - description: N/A - - name: state - type: keyword - description: The state of workflow. diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/alert/manifest.yml b/packages/carbon_black_cloud/1.0.0/data_stream/alert/manifest.yml deleted file mode 100755 index 477667ce22..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/alert/manifest.yml +++ /dev/null 
@@ -1,95 +0,0 @@
-title: Alert
-type: logs
-streams:
- - input: httpjson
- title: Collect alerts from Carbon Black Cloud
- description: Collect alerts from Carbon Black Cloud.
- template_path: httpjson.yml.hbs
- vars:
- - name: interval
- type: text
- title: Interval
- description: Interval to fetch alerts from Carbon Black Cloud.
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: initial_interval
- type: text
- title: Initial Interval
- description: How far back to pull the alerts from the Carbon Black Cloud API.
- default: 24h
- multi: false
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - carbon_black_cloud-alert
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: aws-s3
- title: Collect alerts from Carbon Black Cloud
- description: Collect alerts from Carbon Black Cloud.
- template_path: aws-s3.yml.hbs
- vars:
- - name: bucket_list_prefix
- type: text
- title: Bucket Prefix
- description: Prefix to apply for the list request to the S3 bucket.
- multi: false
- required: true
- show_user: true
- - name: interval
- type: text
- title: Interval
- description: Interval to fetch alerts from AWS S3 bucket.
- multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-alert - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/alert/sample_event.json b/packages/carbon_black_cloud/1.0.0/data_stream/alert/sample_event.json deleted file mode 100755 index 67e2c63a32..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/alert/sample_event.json +++ /dev/null 
@@ -1,114 +0,0 @@
-{
- "@timestamp": "2020-11-17T22:05:13.000Z",
- "agent": {
- "ephemeral_id": "56053d91-103c-4c77-8f15-0a1006a80102",
- "hostname": "docker-fleet-agent",
- "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "carbon_black_cloud": {
- "alert": {
- "category": "warning",
- "device": {
- "external_ip": "81.2.69.143",
- "internal_ip": "81.2.69.144",
- "location": "UNKNOWN",
- "os": "WINDOWS"
- },
- "last_update_time": "2020-11-17T22:05:13Z",
- "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720",
- "organization_key": "ABCD6X3T",
- "policy": {
- "applied": "APPLIED",
- "id": 6997287,
- "name": "Standard"
- },
- "product_id": "0x5406",
- "product_name": "U3 Cruzer Micro",
- "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC",
- "run_state": "DID_NOT_RUN",
- "sensor_action": "DENY",
- "serial_number": "0875920EF7C2A304",
- "target_value": "MEDIUM",
- "threat_cause": {
- "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E",
- "threat_category": "NON_MALWARE",
- "vector": "REMOVABLE_MEDIA"
- },
- "threat_id": "t5678",
- "type": "DEVICE_CONTROL",
- "vendor_id": "0x0781",
- "vendor_name": "SanDisk",
- "workflow": {
- "changed_by": "Carbon Black",
- "last_update_time": "2020-11-17T22:02:16Z",
- "state": "OPEN"
- }
- }
- },
- "data_stream": {
- "dataset": "carbon_black_cloud.alert",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "elastic_agent": {
- "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-04-14T11:46:13.154Z",
- "dataset": "carbon_black_cloud.alert",
- "end": "2020-11-17T22:02:16Z",
- "id": "test1",
- "ingested": "2022-04-14T11:46:14Z",
- "kind": "alert",
- "original": 
"{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", - "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.",
- "severity": 3,
- "start": "2020-11-17T22:02:16Z",
- "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976"
- },
- "host": {
- "hostname": "DESKTOP-002",
- "id": "2",
- "ip": [
- "81.2.69.144",
- "81.2.69.143"
- ],
- "name": "DESKTOP-002",
- "os": {
- "type": "windows",
- "version": "Windows 10 x64"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "hosts": [
- "DESKTOP-002"
- ],
- "ip": [
- "81.2.69.144",
- "81.2.69.143"
- ],
- "user": [
- "test34@demo.com"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "carbon_black_cloud-alert"
- ],
- "user": {
- "name": "test34@demo.com"
- }
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 310b6e05d5..0000000000
--- a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,45 +0,0 @@
-config_version: 2
-interval: {{interval}}
-request.method: POST
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.url: {{hostname}}/vulnerability/assessment/api/v1/orgs/{{org_key}}/devices/vulnerabilities/summary/_search
-request.transforms:
- - set:
- target: header.X-Auth-Token
- value: {{custom_api_secret_key}}/{{custom_api_id}}
- - set:
- target: body.start
- value: '0'
- value_type: int
- - set:
- target: body.rows
- value: '10000'
- value_type: int
-request.timeout: 2m
-response.pagination:
- - set:
- target: body.start
- value: '[[if (eq (len .last_response.body.results) 0)]][[.last_response.terminate_pagination]][[else]][[mul .last_response.page .body.rows]][[end]]'
- value_type: int
- fail_on_template_error: true
-response.split:
- target: body.results
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 94f7482f37..0000000000
--- a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,132 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud Asset Vulnerability Summary. -processors: -- rename: - field: message - target_field: event.original - ignore_missing: true -- set: - field: ecs.version - value: '8.0.0' -- json: - field: event.original - target_field: json -- rename: - field: json.host_name - target_field: host.hostname - ignore_missing: true -- convert: - field: json.device_id - type: string - target_field: host.id - ignore_missing: true -- rename: - field: json.name - target_field: host.name - ignore_missing: true -- rename: - field: json.os_info.os_name - target_field: host.os.name - ignore_missing: true -- set: - field: host.os.type - value: windows - if: ctx?.json?.os_info.os_type == "WINDOWS" -- set: - field: host.os.type - value: ubuntu - if: ctx?.json?.os_info.os_type == "UBUNTU" -- set: - field: host.os.type - value: centos - if: ctx?.json?.os_info.os_type == "CENTOS" -- remove : - field: json.os_info.os_type - ignore_missing: true -- remove : - field: json.device_id - ignore_missing: true -- rename: - field: json.os_info.os_version - target_field: host.os.version - ignore_missing: true -- rename: - field: json.highest_risk_score - target_field: vulnerability.score.base - ignore_missing: true -- rename: - field: json.severity - target_field: vulnerability.severity - ignore_missing: true -- date: - field: json.last_sync_ts - formats: - - ISO8601 - target_field: carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp -- remove: - field: json.last_sync_ts - ignore_missing: true -- rename: - field: json.sync_status - target_field: carbon_black_cloud.asset_vulnerability_summary.sync.status - ignore_missing: true -- rename: - field: json.sync_type - target_field: carbon_black_cloud.asset_vulnerability_summary.sync.type - ignore_missing: true -- rename: - field: json.type - target_field: carbon_black_cloud.asset_vulnerability_summary.type - ignore_missing: true -- rename: - field: json.vm_id - target_field: 
carbon_black_cloud.asset_vulnerability_summary.vm.id
- ignore_missing: true
-- rename:
- field: json.vm_name
- target_field: carbon_black_cloud.asset_vulnerability_summary.vm.name
- ignore_missing: true
-- rename:
- field: json.vuln_count
- target_field: carbon_black_cloud.asset_vulnerability_summary.vuln_count
- ignore_missing: true
-- append:
- field: related.hosts
- value: "{{{host.hostname}}}"
- allow_duplicates: false
-- script:
- description: Adds all the remaining fields in fields under carbon_black_cloud.asset_vulnerability_summary
- lang: painless
- if: ctx?.json != null
- source: |
- for (Map.Entry m : ctx.json.entrySet()) {
- ctx.carbon_black_cloud.asset_vulnerability_summary[m.getKey()] = m.getValue();
- }
-- remove:
- field: json
- ignore_missing: true
-- script:
- description: Drops null/empty values recursively
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
-- remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/fields/agent.yml b/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/fields/base-fields.yml
deleted file mode 100755
index e6791517a6..0000000000
--- a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: carbon_black_cloud
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: carbon_black_cloud.asset_vulnerability_summary
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/fields/ecs.yml b/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/fields/ecs.yml
deleted file mode 100755
index bae6099a14..0000000000
--- a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/fields/ecs.yml
+++ /dev/null
@@ -1,57 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. 
- name: host.os.type - type: keyword -- description: Operating system version as a raw string. - name: host.os.version - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) - name: vulnerability.score.base - type: float -- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) - name: vulnerability.severity - type: keyword diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/fields/fields.yml b/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/fields/fields.yml deleted file mode 100755 index a70b2974e8..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/fields/fields.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- name: carbon_black_cloud.asset_vulnerability_summary - type: group - fields: - - name: os_info - type: group - fields: - - name: os_arch - type: keyword - description: The identifier is for the Operating system architecture. - - name: last_sync - type: group - fields: - - name: timestamp - type: date - description: The identifier is for the Last sync time. - - name: sync - type: group - fields: - - name: status - type: keyword - description: The identifier is for the Device sync status. - - name: type - type: keyword - description: The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync. - - name: type - type: keyword - description: The identifier is for the Device type. - - name: vm - type: group - fields: - - name: id - type: keyword - description: The identifier is for the Virtual Machine ID. - - name: name - type: keyword - description: The identifier is for the Virtual Machine name. - - name: vuln_count - type: integer - description: The identifier is for the Number of vulnerabilities at this level. diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/manifest.yml b/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/manifest.yml deleted file mode 100755 index b7bf78f84d..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/manifest.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -title: Asset Vulnerability Summary -type: logs -streams: - - input: httpjson - title: Collect asset vulnerability summary from Carbon Black Cloud - description: Collect asset vulnerability summary from Carbon Black Cloud. - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval - description: Interval to query asset vulnerability summary in Carbon Black Cloud. - multi: false - required: true - show_user: true - default: 1h - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-asset-vulnerability-summary - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/sample_event.json b/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/sample_event.json deleted file mode 100755 index c31987aefe..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/asset_vulnerability_summary/sample_event.json +++ /dev/null 
@@ -1,76 +0,0 @@ -{ - "@timestamp": "2022-04-14T11:47:25.371Z", - "agent": { - "ephemeral_id": "377d9292-c7d0-4c30-bbee-faf4848d30d8", - "hostname": "docker-fleet-agent", - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "carbon_black_cloud": { - "asset_vulnerability_summary": { - "last_sync": { - "timestamp": "2022-01-17T08:33:37.384Z" - }, - "os_info": { - "os_arch": "64-bit" - }, - "sync": { - "status": "COMPLETED", - "type": "SCHEDULED" - }, - "type": "ENDPOINT", - "vuln_count": 1770 - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.asset_vulnerability_summary", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-04-14T11:47:25.371Z", - "dataset": "carbon_black_cloud.asset_vulnerability_summary", - "ingested": "2022-04-14T11:47:26Z", - "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}" - }, - "host": { - "hostname": "DESKTOP-008", - "id": "8", - "name": "DESKTOP-008KK", - "os": { - "name": "Microsoft Windows 10 Education", - "type": "windows", - "version": "10.0.17763" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "DESKTOP-008" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-asset-vulnerability-summary" - ], - "vulnerability": { - "score": { - "base": 10 - }, - "severity": 
"CRITICAL" - } -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.0.0/data_stream/audit/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 2693bd2bbb..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/audit/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,32 +0,0 @@ -config_version: 2 -interval: {{interval}} -request.method: GET - -{{#if proxy_url}} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} - -request.url: {{hostname}}/integrationServices/v3/auditlogs -request.transforms: - - set: - target: header.X-Auth-Token - value: {{api_secret_key}}/{{api_id}} -response.split: - target: body.notifications -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 09c8373acb..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,93 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud audit logs -processors: - - set: - field: ecs.version - value: '8.0.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.eventTime - target_field: "@timestamp" - ignore_failure: true - formats: - - UNIX_MS - - set: - field: event.kind - value: event - - set: - field: event.outcome - value: success - - set: - field: event.outcome - value: failed - if: ctx?.json?.flagged == true - - rename: - field: json.description - target_field: event.reason - - rename: - field: json.clientIp - target_field: client.ip - ignore_missing: true - - rename: - field: json.loginName - target_field: client.user.id - ignore_missing: true - - rename: - field: json.eventId - target_field: event.id - ignore_missing: true - - rename: - field: json.orgName - target_field: organization.name - ignore_missing: true - - urldecode: - field: json.requestUrl - target_field: url.original - ignore_missing: true - - rename: - field: json.verbose - target_field: carbon_black_cloud.audit.verbose - ignore_missing: true - - rename: - field: json.flagged - target_field: carbon_black_cloud.audit.flagged - ignore_missing: true - - append: - field: related.ip - value: "{{{client.ip}}}" - allow_duplicates: false - - remove: - field: json - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - remove: - field: event.original - if: "ctx?.tags == 
null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/audit/fields/agent.yml b/packages/carbon_black_cloud/1.0.0/data_stream/audit/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/audit/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.0/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index a14e71251a..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: carbon_black_cloud -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: carbon_black_cloud.audit diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/audit/fields/ecs.yml b/packages/carbon_black_cloud/1.0.0/data_stream/audit/fields/ecs.yml deleted file mode 100755 index b5cd2cc086..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: organization.name - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/audit/fields/fields.yml b/packages/carbon_black_cloud/1.0.0/data_stream/audit/fields/fields.yml deleted file mode 100755 index 24af5d42b9..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/audit/fields/fields.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: carbon_black_cloud.audit - type: group - fields: - - name: flagged - type: boolean - description: true if action is failed otherwise false. - - name: verbose - type: boolean - description: true if verbose audit log otherwise false. 
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/audit/manifest.yml b/packages/carbon_black_cloud/1.0.0/data_stream/audit/manifest.yml deleted file mode 100755 index 929093a4ef..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/audit/manifest.yml +++ /dev/null @@ -1,42 +0,0 @@ -title: Audit -type: logs -streams: - - input: httpjson - title: Collect audit logs from Carbon Black Cloud - description: Collect audit logs from Carbon Black Cloud. - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval - description: Interval to fetch audit logs from Carbon Black Cloud. - multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/audit/sample_event.json b/packages/carbon_black_cloud/1.0.0/data_stream/audit/sample_event.json deleted file mode 100755 index 4ecd8ed454..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,63 +0,0 @@ -{ - "@timestamp": "2022-02-10T16:04:30.263Z", - "agent": { - "ephemeral_id": "6472e86c-fc7c-478a-a6fd-12ed19fe05c9", - "hostname": "docker-fleet-agent", - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "carbon_black_cloud": { - "audit": { - "flagged": false, - "verbose": false - } - }, - "client": { - "ip": "10.10.10.10", - "user": { - "id": "abc@demo.com" - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-04-14T11:48:30.094Z", - "dataset": "carbon_black_cloud.audit", - "id": "2122f8ce8xxxxxxxxxxxxx", - "ingested": "2022-04-14T11:48:31Z", - "kind": "event", - "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}", - "outcome": "success", - "reason": "Logged in successfully" - }, - "input": { - "type": "httpjson" - }, - "organization": { - "name": "cb-xxxx-xxxx.com" - }, - "related": { - "ip": [ - "10.10.10.10" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-audit" - ] -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index e02c596614..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,24 +0,0 @@ -bucket_arn: {{bucket_arn}} -number_of_workers: {{number_of_workers}} -bucket_list_interval: {{interval}} -access_key_id: {{access_key_id}} -secret_access_key: {{secret_access_key}} -bucket_list_prefix: {{bucket_list_prefix}} -expand_event_list_from_field: Records -{{#if proxy_url}} -proxy_url: {{proxy_url}} -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 3a6c8fc6df..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,587 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud Endpoint Events. -processors: - - set: - field: ecs.version - value: '8.0.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.create_time - target_field: "@timestamp" - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.action - target_field: event.action - ignore_missing: true - - rename: - field: json.event_id - target_field: event.id - ignore_missing: true - - rename: - field: json.event_description - target_field: event.reason - ignore_missing: true - - rename: - field: json.filemod_name - target_field: file.path - ignore_missing: true - - rename: - field: json.modload_name - target_field: dll.path - ignore_missing: true - - set: - field: network.transport - value: udp - if: ctx?.json?.netconn_protocol == "PROTO_UDP" - - set: - field: network.transport - value: tcp - if: ctx?.json?.netconn_protocol == "PROTO_TCP" - - set: - field: network.direction - value: inbound - if: ctx?.json?.netconn_inbound == true - - set: - field: network.direction - value: outbound - if: ctx?.json?.netconn_inbound == false - - rename: - field: json.remote_port - target_field: source.port - ignore_missing: true - - rename: - field: json.remote_ip - target_field: source.ip - ignore_missing: true - - rename: - field: json.netconn_domain - target_field: source.address - ignore_missing: true - - rename: - field: json.local_port - target_field: client.port - ignore_missing: true - - rename: - field: json.local_ip - target_field: client.ip - ignore_missing: true - - convert: - field: json.device_id - target_field: host.id - type: string - ignore_missing: true - - set: - field: host.os.type - value: windows - if: ctx?.json?.device_os == "WINDOWS" - - set: - field: host.os.type - value: linux - if: ctx?.json?.device_os == "LINUX" - - set: - field: host.os.type - 
value: macos - if: ctx?.json?.device_os == "MAC" - - rename: - field: json.device_name - target_field: host.hostname - ignore_missing: true - - grok: - field: host.hostname - patterns: - - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' - ignore_missing: true - ignore_failure: true - - set: - field: host.name - value: "{{{host.hostname}}}" - ignore_failure: true - - rename: - field: json.device_group - target_field: host.os.family - ignore_missing: true - - append: - field: host.ip - value: "{{{json.device_internal_ip}}}" - if: ctx?.json?.device_internal_ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_external_ip}}}" - if: ctx?.json?.device_external_ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.device_group - target_field: host.os.family - ignore_missing: true - - rename: - field: json.process_cmdline - target_field: process.command_line - ignore_missing: true - - rename: - field: json.process_guid - target_field: process.entity_id - ignore_missing: true - - rename: - field: json.process_path - target_field: process.executable - ignore_missing: true - - rename: - field: json.process_pid - target_field: process.pid - ignore_missing: true - - rename: - field: json.parent_cmdline - target_field: process.parent.command_line - ignore_missing: true - - rename: - field: json.parent_guid - target_field: process.parent.entity_id - ignore_missing: true - - rename: - field: json.parent_path - target_field: process.parent.executable - ignore_missing: true - - rename: - field: json.parent_pid - target_field: process.parent.pid - ignore_missing: true - - rename: - field: json.regmod_name - target_field: registry.path - ignore_missing: true - - append: - field: related.ip - value: - - "{{{json.device_internal_ip}}}" - - "{{{json.device_external_ip}}}" - - "{{{json.netconn_proxy_ip}}}" - - "{{{source.ip}}}" - - "{{{client.ip}}}" - allow_duplicates: false - - append: - 
field: related.user - value: - - "{{{json.process_username}}}" - - "{{{json.childproc_username}}}" - allow_duplicates: false - - append: - field: related.hosts - value: - - "{{{host.hostname}}}" - - "{{{user.domain}}}" - allow_duplicates: false - - script: - description: Dynamically map MD5 and SHA256 hash - lang: painless - source: | - void mapHashField(def ctx, def hashes, def key) { - for (hash in hashes) { - if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;} - if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;} - } - } - if (ctx.json?.process_hash instanceof List) { - mapHashField(ctx, ctx.json?.process_hash, "process_hash"); - } - if (ctx.json?.parent_hash instanceof List) { - mapHashField(ctx, ctx.json?.parent_hash, "parent_hash"); - } - if (ctx.json?.filemod_hash instanceof List) { - mapHashField(ctx, ctx.json?.filemod_hash, "filemod_hash"); - } - if (ctx.json?.childproc_hash instanceof List) { - mapHashField(ctx, ctx.json?.childproc_hash, "childproc_hash"); - } - if (ctx.json?.crossproc_hash instanceof List) { - mapHashField(ctx, ctx.json?.crossproc_hash, "crossproc_hash"); - } - if (ctx.json?.scriptload_hash instanceof List) { - mapHashField(ctx, ctx.json?.scriptload_hash, "scriptload_hash"); - } - - rename: - field: json.process_hash_md5 - target_field: process.hash.md5 - ignore_missing: true - - rename: - field: json.process_hash_sha256 - target_field: process.hash.sha256 - ignore_missing: true - - rename: - field: json.parent_hash_md5 - target_field: process.parent.hash.md5 - ignore_missing: true - - rename: - field: json.parent_hash_sha256 - target_field: process.parent.hash.sha256 - ignore_missing: true - - rename: - field: json.backend_timestamp - target_field: carbon_black_cloud.endpoint_event.backend.timestamp - ignore_missing: true - - rename: - field: json.device_timestamp - target_field: carbon_black_cloud.endpoint_event.device.timestamp - ignore_missing: true - - rename: - field: json.device_os - target_field: 
carbon_black_cloud.endpoint_event.device.os - ignore_missing: true - - rename: - field: json.childproc_name - target_field: carbon_black_cloud.endpoint_event.childproc.name - ignore_missing: true - - rename: - field: json.org_key - target_field: carbon_black_cloud.endpoint_event.organization_key - ignore_missing: true - - rename: - field: json.process_duration - target_field: carbon_black_cloud.endpoint_event.process.duration - ignore_missing: true - - foreach: - field: json.process_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.process_publisher - target_field: carbon_black_cloud.endpoint_event.process.publisher - ignore_missing: true - - rename: - field: json.process_reputation - target_field: carbon_black_cloud.endpoint_event.process.reputation - ignore_missing: true - - rename: - field: json.process_terminated - target_field: carbon_black_cloud.endpoint_event.process.terminated - ignore_missing: true - - rename: - field: json.process_username - target_field: carbon_black_cloud.endpoint_event.process.username - ignore_missing: true - - rename: - field: json.parent_reputation - target_field: carbon_black_cloud.endpoint_event.process.parent.reputation - ignore_missing: true - - rename: - field: json.target_cmdline - target_field: carbon_black_cloud.endpoint_event.target_cmdline - ignore_missing: true - - rename: - field: json.type - target_field: carbon_black_cloud.endpoint_event.type - ignore_missing: true - -# Mapping for endpoint.event.crossproc event type - - - rename: - field: json.crossproc_action - target_field: carbon_black_cloud.endpoint_event.crossproc.action - ignore_missing: true - - rename: - field: json.crossproc_api - target_field: carbon_black_cloud.endpoint_event.crossproc.api - ignore_missing: true - - rename: - field: json.crossproc_guid - target_field: carbon_black_cloud.endpoint_event.crossproc.guid - 
ignore_missing: true - - rename: - field: json.crossproc_name - target_field: carbon_black_cloud.endpoint_event.crossproc.name - ignore_missing: true - - rename: - field: json.crossproc_target - target_field: carbon_black_cloud.endpoint_event.crossproc.target - ignore_missing: true - - rename: - field: json.crossproc_reputation - target_field: carbon_black_cloud.endpoint_event.crossproc.reputation - ignore_missing: true - - foreach: - field: json.crossproc_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.crossproc_publisher - target_field: carbon_black_cloud.endpoint_event.crossproc.publisher - ignore_missing: true - - rename: - field: json.crossproc_hash_md5 - target_field: carbon_black_cloud.endpoint_event.crossproc.hash.md5 - ignore_missing: true - - rename: - field: json.crossproc_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.crossproc.hash.sha256 - ignore_missing: true - -# Mapping for endpoint.event.filemod event type - - - rename: - field: json.filemod_hash_md5 - target_field: file.hash.md5 - ignore_missing: true - - rename: - field: json.filemod_hash_sha256 - target_field: file.hash.sha256 - ignore_missing: true - -# Mapping for endpoint.event.fileless_scriptload event type - - - rename: - field: json.fileless_scriptload_cmdline - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline - ignore_missing: true - - rename: - field: json.fileless_scriptload_cmdline_length - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length - ignore_missing: true - - rename: - field: json.fileless_scriptload_hash_md5 - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 - ignore_missing: true - - rename: - field: json.fileless_scriptload_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 - ignore_missing: true - -# 
Mapping for endpoint.event.moduleload event type - - - rename: - field: json.modload_md5 - target_field: dll.hash.md5 - ignore_missing: true - - rename: - field: json.modload_sha256 - target_field: dll.hash.sha256 - ignore_missing: true - - rename: - field: json.modload_effective_reputation - target_field: carbon_black_cloud.endpoint_event.modload.effective_reputation - ignore_missing: true - - rename: - field: json.modload_count - target_field: carbon_black_cloud.endpoint_event.modload.count - ignore_missing: true - - foreach: - field: json.modload_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.modload_publisher - target_field: carbon_black_cloud.endpoint_event.modload.publisher - ignore_missing: true - -# Mapping for endpoint.event.netconn_proxy event type - - - rename: - field: json.netconn_proxy_domain - target_field: carbon_black_cloud.endpoint_event.netconn.proxy.domain - ignore_missing: true - - rename: - field: json.netconn_proxy_port - target_field: carbon_black_cloud.endpoint_event.netconn.proxy.port - ignore_missing: true - - rename: - field: json.netconn_proxy_ip - target_field: carbon_black_cloud.endpoint_event.netconn.proxy.ip - ignore_missing: true - -# Mapping for endpoint.event.procstart event type - - - rename: - field: json.childproc_guid - target_field: carbon_black_cloud.endpoint_event.childproc.guid - ignore_missing: true - - rename: - field: json.childproc_name - target_field: carbon_black_cloud.endpoint_event.childproc.name - ignore_missing: true - - rename: - field: json.childproc_pid - target_field: carbon_black_cloud.endpoint_event.childproc.pid - ignore_missing: true - - foreach: - field: json.childproc_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.childproc_publisher - 
target_field: carbon_black_cloud.endpoint_event.childproc.publisher - ignore_missing: true - - rename: - field: json.childproc_reputation - target_field: carbon_black_cloud.endpoint_event.childproc.reputation - ignore_missing: true - - rename: - field: json.childproc_username - target_field: carbon_black_cloud.endpoint_event.childproc.username - ignore_missing: true - - rename: - field: json.childproc_hash_md5 - target_field: carbon_black_cloud.endpoint_event.childproc.hash.md5 - ignore_missing: true - - rename: - field: json.childproc_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.childproc.hash.sha256 - ignore_missing: true - -# Mapping for NGAV endpoint.event.scriptload event type - - - rename: - field: json.scriptload_name - target_field: carbon_black_cloud.endpoint_event.scriptload.name - ignore_missing: true - - foreach: - field: json.scriptload_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.scriptload_publisher - target_field: carbon_black_cloud.endpoint_event.scriptload.publisher - ignore_missing: true - - rename: - field: json.scriptload_count - target_field: carbon_black_cloud.endpoint_event.scriptload.count - ignore_missing: true - - rename: - field: json.scriptload_hash_md5 - target_field: carbon_black_cloud.endpoint_event.scriptload.hash.md5 - ignore_missing: true - - rename: - field: json.scriptload_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.scriptload.hash.sha256 - ignore_missing: true - - rename: - field: json.scriptload_effective_reputation - target_field: carbon_black_cloud.endpoint_event.scriptload.effective_reputation - ignore_missing: true - - rename: - field: json.scriptload_reputation - target_field: carbon_black_cloud.endpoint_event.scriptload.reputation - ignore_missing: true - - rename: - field: json.device_internal_ip - target_field: 
carbon_black_cloud.endpoint_event.device.internal_ip - ignore_missing: true - - rename: - field: json.device_external_ip - target_field: carbon_black_cloud.endpoint_event.device.external_ip - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - - append: - field: related.hash - value: - - "{{{process.hash.md5}}}" - - "{{{process.hash.sha256}}}" - - "{{{process.parent.hash.md5}}}" - - "{{{process.parent.hash.sha256}}}" - - "{{{file.hash.md5}}}" - - "{{{file.hash.sha256}}}" - - "{{{dll.hash.md5}}}" - - "{{{dll.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.childproc.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.childproc.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.sha256}}}" - allow_duplicates: false - - script: - description: Adds all the remaining fields in fields under carbon_black_cloud.endpoint_event - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.carbon_black_cloud.endpoint_event[m.getKey()] = m.getValue(); - } - - remove: - field: - - json - - carbon_black_cloud.endpoint_event.create_time - - carbon_black_cloud.endpoint_event.device_id - - carbon_black_cloud.endpoint_event.process_hash - - carbon_black_cloud.endpoint_event.parent_hash - - carbon_black_cloud.endpoint_event.crossproc_hash - - carbon_black_cloud.endpoint_event.filemod_hash - - carbon_black_cloud.endpoint_event.childproc_hash - - carbon_black_cloud.endpoint_event.modload_hash - - carbon_black_cloud.endpoint_event.scriptload_hash - - 
carbon_black_cloud.endpoint_event.netconn_inbound - - carbon_black_cloud.endpoint_event.netconn_protocol - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - script: - description: Remove duplicate values - lang: painless - source: | - if (ctx?.related?.user != null) { - ctx.related.user = new HashSet(ctx.related.user) - } - if (ctx?.related?.hash != null) { - ctx.related.hash = new HashSet(ctx.related.hash) - } - if (ctx?.related?.ip != null) { - ctx.related.ip = new HashSet(ctx.related.ip) - } -on_failure: - - set: - field: error.message - value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/fields/agent.yml b/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/fields/base-fields.yml
deleted file mode 100755
index 9b3253d2db..0000000000
--- a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: carbon_black_cloud
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: carbon_black_cloud.endpoint_event
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/fields/ecs.yml b/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/fields/ecs.yml
deleted file mode 100755
index 11a1880a0a..0000000000
--- a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/fields/ecs.yml
+++ /dev/null
@@ -1,193 +0,0 @@ -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: MD5 hash. - name: dll.hash.md5 - type: keyword -- description: SHA256 hash. - name: dll.hash.sha256 - type: keyword -- description: Full file path of the library. - name: dll.path - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. 
`blocked site`). - name: event.reason - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: host.os.family - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Unique identifier for the process. 
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: MD5 hash. - name: process.parent.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.parent.hash.sha256 - type: keyword -- description: Process id. - name: process.parent.pid - type: long -- description: Process id. - name: process.pid - type: long -- description: Full path, including hive, key and value - name: registry.path - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/fields/fields.yml b/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/fields/fields.yml deleted file mode 100755 index 199988ffb6..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/fields/fields.yml +++ /dev/null 
@@ -1,239 +0,0 @@ -- name: carbon_black_cloud.endpoint_event - type: group - fields: - - name: alert_id - type: keyword - description: The ID of the Alert this event is associated with. - - name: backend - type: group - fields: - - name: timestamp - type: keyword - description: Time when the backend received the batch of events. - - name: childproc - type: group - fields: - - name: guid - type: keyword - description: Unique ID of the child process. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: Cryptographic MD5 hashes of the executable file backing the child process. - - name: sha256 - type: keyword - description: Cryptographic SHA256 hashes of the executable file backing the child process. - - name: name - type: keyword - description: Full path to the target of the crossproc event on the device's local file system. - - name: pid - type: long - description: OS-reported Process ID of the child process. - - name: publisher - type: group - description: Signature entry for the childproc as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Carbon Black Cloud Reputation string for the childproc. - - name: username - type: keyword - description: The username associated with the user context that the child process was started under. - - name: crossproc - type: group - fields: - - name: action - type: keyword - description: The action taken on cross-process. - - name: api - type: keyword - description: Name of the operating system API called by the actor process. - - name: guid - type: keyword - description: Unique ID of the cross process. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: Cryptographic MD5 hashes of the target of the crossproc event. 
- - name: sha256 - type: keyword - description: Cryptographic SHA256 hashes of the target of the crossproc event. - - name: name - type: keyword - description: Full path to the target of the crossproc event on the device's local file system. - - name: publisher - type: group - description: Signature entry for the crossproc as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Carbon Black Cloud Reputation string for the crossproc. - - name: target - type: boolean - description: True if the process was the target of the cross-process event; false if the process was the actor. - - name: device - type: group - fields: - - name: os - type: keyword - description: Os name. - - name: timestamp - type: keyword - description: Time seen on sensor. - - name: internal_ip - type: ip - description: Internal IP of the device. - - name: external_ip - type: ip - description: External IP of the device. - - name: event_origin - type: keyword - description: Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard. - - name: fileless_scriptload - type: group - fields: - - name: cmdline - type: keyword - description: Deobfuscated script content run in a fileless context by the process. - - name: cmdline_length - type: keyword - description: Character count of the deobfuscated script content run in a fileless context. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: MD5 hash of the deobfuscated script content run by the process in a fileless context. - - name: sha256 - type: keyword - description: SHA-256 hash of the deobfuscated script content run by the process in a fileless context. 
- - name: modload - type: group - fields: - - name: count - type: long - description: Count of modload events reported by the sensor since last initialization. - - name: effective_reputation - type: keyword - description: Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred. - - name: publisher - type: group - description: Signature entry for the moduleload as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: netconn - type: group - fields: - - name: proxy - type: group - fields: - - name: domain - type: keyword - description: DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address. - - name: ip - type: keyword - description: IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection. - - name: port - type: keyword - description: UDP/TCP port number associated with the "proxy" end of this network connection. - - name: organization_key - type: keyword - description: The organization key associated with the console instance. - - name: process - type: group - fields: - - name: duration - type: long - description: The time difference in seconds between the process start and process terminate event. - - name: parent - type: group - fields: - - name: reputation - type: keyword - description: Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: publisher - type: group - description: Signature entry for the process as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. 
- - name: reputation - type: keyword - description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: terminated - type: boolean - description: True if process was terminated elase false. - - name: username - type: keyword - description: The username associated with the user context that this process was started under. - - name: schema - type: long - description: The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. - - name: scriptload - type: group - fields: - - name: count - type: long - description: Count of scriptload events across all processes reported by the sensor since last initialization. - - name: effective_reputation - type: keyword - description: Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: Cryptographic MD5 hashes of the target of the scriptload event. - - name: sha256 - type: keyword - description: Cryptographic SHA256 hashes of the target of the scriptload event. - - name: name - type: keyword - description: Full path to the target of the crossproc event on the device's local file system. - - name: publisher - type: group - description: Signature entry for the scriptload as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Carbon Black Cloud Reputation string for the scriptload. - - name: sensor_action - type: keyword - description: The sensor action taken on event. - - name: target_cmdline - type: keyword - description: Process command line associated with the target process. 
- - name: type - type: keyword - description: The event type. diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/manifest.yml b/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/manifest.yml deleted file mode 100755 index 0f52e82022..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/manifest.yml +++ /dev/null @@ -1,48 +0,0 @@ -title: Endpoint Event -type: logs -streams: - - input: aws-s3 - title: Collect endpoint events from Carbon Black Cloud - description: Collect endpoint events from Carbon Black Cloud. - template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: Bucket Prefix - description: Prefix to apply for the list request to the S3 bucket. - multi: false - required: true - show_user: true - - name: interval - type: text - title: Interval - description: Interval to fetch endpoint events from AWS S3 bucket. - multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-endpoint-event - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/sample_event.json b/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/sample_event.json deleted file mode 100755 index 958377158a..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/endpoint_event/sample_event.json +++ /dev/null 
@@ -1,96 +0,0 @@ -{ - "process": { - "parent": { - "pid": 1684, - "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", - "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", - "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", - "hash": { - "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", - "md5": "03dd698da2671383c9b4f868c9931879" - } - }, - "pid": 4880, - "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", - "command_line": "\"route.exe\" print", - "executable": "c:\\windows\\system32\\route.exe", - "hash": { - "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", - "md5": "2498272dc48446891182747428d02a30" - } - }, - "ecs": { - "version": "8.0.0" - }, - "carbon_black_cloud": { - "endpoint_event": { - "schema": 1, - "event_origin": "EDR", - "process": { - "duration": 2, - "parent": { - "reputation": "REP_RESOLVING" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_RESOLVING", - "terminated": true, - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "XXXXXXXX", - "backend": { - "timestamp": "2022-02-10 11:52:50 +0000 UTC" - }, - "target_cmdline": "\"route.exe\" print", - "type": "endpoint.event.procend", - "device": { - "os": "WINDOWS", - "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", - "external_ip": "67.43.156.12" - }, - "sensor_action": "ACTION_ALLOW" - } - }, - "host": { - "hostname": "client-cb2", - "id": "4034605", - "os": { - "type": "windows" - }, - "ip": [ - "67.43.156.13" - ] - }, - "event": { - "action": "ACTION_PROCESS_TERMINATE", - "orignal": 
"{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" - }, - "data_stream": { - "dataset": "carbon_black_cloud.endpoint_event", - "namespace": "ep", - "type": "logs" - }, - "elastic_agent": { - "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5", - "snapshot": true, - "version": "8.0.0" - }, - "input": { - "type": "aws-s3" - }, - "tags": [ - 
"preserve_original_event", - "forwarded", - "carbon_black_cloud-endpoint-event" - ] -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index e02c596614..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs +++ /dev/null @@ -1,24 +0,0 @@ -bucket_arn: {{bucket_arn}} -number_of_workers: {{number_of_workers}} -bucket_list_interval: {{interval}} -access_key_id: {{access_key_id}} -secret_access_key: {{secret_access_key}} -bucket_list_prefix: {{bucket_list_prefix}} -expand_event_list_from_field: Records -{{#if proxy_url}} -proxy_url: {{proxy_url}} -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 1699bc69c1..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,293 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud watchlist hit. -processors: - - set: - field: ecs.version - value: '8.0.0' - - set: - field: event.kind - value: event - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.create_time - target_field: "@timestamp" - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.severity - target_field: event.severity - ignore_missing: true - - convert: - field: json.device_id - target_field: host.id - type: string - ignore_missing: true - - set: - field: host.os.type - value: windows - if: ctx?.json?.device_os == "WINDOWS" - - set: - field: host.os.type - value: linux - if: ctx?.json?.device_os == "LINUX" - - set: - field: host.os.type - value: macos - if: ctx?.json?.device_os == "MAC" - - rename: - field: json.device_os_version - target_field: host.os.version - ignore_missing: true - - rename: - field: json.device_name - target_field: host.hostname - ignore_missing: true - - grok: - field: host.hostname - patterns: - - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' - ignore_missing: true - ignore_failure: true - - set: - field: host.name - value: "{{{host.hostname}}}" - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_internal_ip}}}" - if: ctx?.json?.device_internal_ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_external_ip}}}" - if: ctx?.json?.device_external_ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.process_cmdline - target_field: process.command_line - ignore_missing: true - - rename: - field: json.process_guid - target_field: process.entity_id - ignore_missing: true - - rename: - field: json.process_path - target_field: process.executable - ignore_missing: true - - rename: - field: json.process_pid - 
target_field: process.pid - ignore_missing: true - - rename: - field: json.parent_cmdline - target_field: process.parent.command_line - ignore_missing: true - - rename: - field: json.parent_guid - target_field: process.parent.entity_id - ignore_missing: true - - rename: - field: json.parent_path - target_field: process.parent.executable - ignore_missing: true - - rename: - field: json.parent_pid - target_field: process.parent.pid - ignore_missing: true - - append: - field: related.ip - value: - - "{{{json.device_internal_ip}}}" - - "{{{json.device_external_ip}}}" - allow_duplicates: false - - append: - field: related.user - value: - - "{{{json.parent_username}}}" - - "{{{json.process_username}}}" - allow_duplicates: false - - append: - field: related.hosts - value: - - "{{{host.hostname}}}" - - "{{{user.domain}}}" - allow_duplicates: false - - script: - description: Dynamically map MD5 and SHA256 hash - lang: painless - source: | - void mapHashField(def ctx, def hashes, def key) { - for (hash in hashes) { - if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;} - if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;} - } - } - if (ctx.json?.process_hash instanceof List) { - mapHashField(ctx, ctx.json?.process_hash, "process_hash"); - } - if (ctx.json?.parent_hash instanceof List) { - mapHashField(ctx, ctx.json?.parent_hash, "parent_hash"); - } - - rename: - field: json.process_hash_md5 - target_field: process.hash.md5 - ignore_missing: true - - rename: - field: json.process_hash_sha256 - target_field: process.hash.sha256 - ignore_missing: true - - rename: - field: json.parent_hash_md5 - target_field: process.parent.hash.md5 - ignore_missing: true - - rename: - field: json.parent_hash_sha256 - target_field: process.parent.hash.sha256 - ignore_missing: true - - append: - field: related.hash - value: - - "{{{process.hash.md5}}}" - - "{{{process.hash.sha256}}}" - - "{{{process.parent.hash.md5}}}" - - "{{{process.parent.hash.sha256}}}" - allow_duplicates: 
false - - rename: - field: json.device_os - target_field: carbon_black_cloud.watchlist_hit.device.os - ignore_missing: true - - rename: - field: json.device_internal_ip - target_field: carbon_black_cloud.watchlist_hit.device.internal_ip - ignore_missing: true - - rename: - field: json.device_external_ip - target_field: carbon_black_cloud.watchlist_hit.device.external_ip - ignore_missing: true - - rename: - field: json.ioc_hit - target_field: carbon_black_cloud.watchlist_hit.ioc.hit - ignore_missing: true - - rename: - field: json.ioc_id - target_field: carbon_black_cloud.watchlist_hit.ioc.id - ignore_missing: true - - rename: - field: json.org_key - target_field: carbon_black_cloud.watchlist_hit.organization_key - ignore_missing: true - - foreach: - field: json.parent_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.parent_publisher - target_field: carbon_black_cloud.watchlist_hit.process.parent.publisher - ignore_missing: true - - rename: - field: json.parent_reputation - target_field: carbon_black_cloud.watchlist_hit.process.parent.reputation - ignore_missing: true - - rename: - field: json.parent_username - target_field: carbon_black_cloud.watchlist_hit.process.parent.username - ignore_missing: true - - foreach: - field: json.process_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.process_publisher - target_field: carbon_black_cloud.watchlist_hit.process.publisher - ignore_missing: true - - rename: - field: json.process_reputation - target_field: carbon_black_cloud.watchlist_hit.process.reputation - ignore_missing: true - - rename: - field: json.process_username - target_field: carbon_black_cloud.watchlist_hit.process.username - ignore_missing: true - - rename: - field: json.report_id - target_field: 
carbon_black_cloud.watchlist_hit.report.id - ignore_missing: true - - rename: - field: json.report_name - target_field: carbon_black_cloud.watchlist_hit.report.name - ignore_missing: true - - rename: - field: json.report_tags - target_field: carbon_black_cloud.watchlist_hit.report.tags - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - - script: - description: Adds all the remaining fields in fields under carbon_black_cloud.watchlist_hit - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.carbon_black_cloud.watchlist_hit[m.getKey()] = m.getValue(); - } - - remove: - field: - - json - - carbon_black_cloud.watchlist_hit.create_time - - carbon_black_cloud.watchlist_hit.device_id - - carbon_black_cloud.watchlist_hit.process_hash - - carbon_black_cloud.watchlist_hit.parent_hash - ignore_missing: true - - script: - description: Remove duplicate values - lang: painless - source: | - if (ctx?.related?.user != null) { - ctx.related.user = new HashSet(ctx.related.user) - } - if (ctx?.related?.hash != null) { - ctx.related.hash = new HashSet(ctx.related.hash) - } -on_failure: - - set: - field: error.message - value: "{{{_ingest.on_failure_message}}}" 
diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/fields/agent.yml b/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/fields/base-fields.yml deleted file mode 100755 index 89df536282..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: carbon_black_cloud -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: carbon_black_cloud.watchlist_hit diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/fields/ecs.yml b/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/fields/ecs.yml deleted file mode 100755 index 5257b0ad7a..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/fields/ecs.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. 
- name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: MD5 hash. - name: process.parent.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.parent.hash.sha256 - type: keyword -- description: Process id. - name: process.parent.pid - type: long -- description: Process id. - name: process.pid - type: long -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/fields/fields.yml b/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/fields/fields.yml deleted file mode 100755 index 25cb25005e..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/fields/fields.yml +++ /dev/null 
@@ -1,89 +0,0 @@ -- name: carbon_black_cloud.watchlist_hit - type: group - fields: - - name: device - type: group - fields: - - name: os - type: keyword - description: OS Type of device (Windows/OSX/Linux). - - name: internal_ip - type: ip - description: Internal IP of the device. - - name: external_ip - type: ip - description: External IP of the device. - - name: ioc - type: group - fields: - - name: field - type: keyword - description: Field the IOC hit contains. - - name: hit - type: keyword - description: IOC field value, or IOC query that matches. - - name: id - type: keyword - description: ID of the IOC that caused the hit. - - name: organization_key - type: keyword - description: The organization key associated with the console instance. - - name: process - type: group - fields: - - name: parent - type: group - fields: - - name: publisher - type: group - description: signature entry for the process as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: username - type: keyword - description: The username associated with the user context that this process was started under. - - name: publisher - type: group - description: signature entry for the process as reported by the endpoint. - - name: reputation - type: keyword - description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: username - type: keyword - description: The username associated with the user context that this process was started under. 
- - name: report - type: group - fields: - - name: id - type: keyword - description: ID of the watchlist report(s) that detected a hit on the process. - - name: name - type: keyword - description: Name of the watchlist report(s) that detected a hit on the process. - - name: tags - type: keyword - description: List of tags associated with the report(s) that detected a hit on the process. - - name: schema - type: long - description: Schema version. - - name: type - type: keyword - description: The watchlist hit type. - - name: watchlists - type: group - description: List of watchlists that contain the report of the ioc hit. - fields: - - name: id - type: keyword - description: The ID of the watchlists. - - name: name - type: keyword - description: The name of the watchlists. diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/manifest.yml b/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/manifest.yml deleted file mode 100755 index 7782458210..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/manifest.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -title: Watchlist Hit -type: logs -streams: - - input: aws-s3 - title: Collect watchlist hit from Carbon Black Cloud - description: Collect watchlist hit from Carbon Black Cloud. - template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: Bucket Prefix - description: Prefix to apply for the list request to the S3 bucket. - multi: false - required: true - show_user: true - - name: interval - type: text - title: Interval - description: Interval to fetch watchlist hit from AWS S3 bucket. - multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-watchlist-hit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/sample_event.json b/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/sample_event.json deleted file mode 100755 index 0a5e6c32fb..0000000000 --- a/packages/carbon_black_cloud/1.0.0/data_stream/watchlist_hit/sample_event.json +++ /dev/null 
@@ -1,130 +0,0 @@ -{ - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-watchlist-hit" - ], - "input": { - "type": "aws-s3" - }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "carbon_black_cloud.watchlist_hit" - }, - "agent": { - "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "process": { - "parent": { - "pid": 4076, - "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1", - "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"", - "executable": "c:\\windows\\syswow64\\cmd.exe", - "hash": { - "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22", - "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b" - } - }, - "pid": 7516, - "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6", - "command_line": "sc query aella_conf ", - "executable": "c:\\windows\\syswow64\\sc.exe", - "hash": { - "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2", - "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8" - } - }, - "carbon_black_cloud": { - "watchlist_hit": { - "schema": 1, - "process": { - "parent": { - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_WHITE", - "username": "NT AUTHORITY\\SYSTEM" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_WHITE", - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "xxxxxxxx", - "report": { - "name": "Discovery - System Service Discovery Detected", - 
"id": "CFnKBKLTv6hUkBGFobRdg-565571", - "tags": [ - "attack", - "attackframework", - "threathunting", - "hunting", - "t1007", - "recon", - "discovery", - "windows" - ] - }, - "watchlists": [ - { - "name": "ATT\u0026CK Framework", - "id": "P5f9AW29TGmTOvBW156Cig" - } - ], - "type": "watchlist.hit", - "ioc": { - "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true", - "id": "565571-0" - }, - "device": { - "internal_ip": "10.10.156.12", - "external_ip": "67.43.156.12", - "os": "WINDOWS" - } - } - }, - "host": { - "hostname": "Carbonblack-win1", - "os": { - "type": "windows" - }, - "ip": [ - "10.10.156.12", - "67.43.156.12" - ], - "id": "4467271" - }, - "event": { - "kind": "event", - "severity": 3, - "agent_id_status": "verified", - "ingested": "2022-02-17T07:23:31Z", - "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf 
\",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}", - "dataset": "carbon_black_cloud.watchlist_hit" - } -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/docs/README.md b/packages/carbon_black_cloud/1.0.0/docs/README.md deleted file mode 100755 index b07163713d..0000000000 --- a/packages/carbon_black_cloud/1.0.0/docs/README.md +++ /dev/null 
@@ -1,1042 +0,0 @@ -# VMware Carbon Black Cloud - -The VMware Carbon Black Cloud integration collects and parses data from the Carbon Black Cloud REST APIs and AWS S3 bucket. - -## Compatibility - -This module has been tested against `Alerts API (v6)`, `Audit Log Events (v3)` and `Vulnerability Assessment (v1)`. - -## Requirements - -### In order to ingest data from the AWS S3 bucket you must: -1. Configure the [Data Forwarder](https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-F68F63DD-2271-4088-82C9-71D675CD0535.html) to ingest data into an AWS S3 bucket. -2. Create an [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - - -### In order to ingest data from the APIs you must generate API keys and API Secret Keys: -1. In Carbon Black Cloud, On the left navigation pane, click **Settings > API Access**. -2. Click Add API Key. -3. Give the API key a unique name and description. - - Select the appropriate access level type. Please check required Access Levels & Permissions for integration in below table. - **Note:** To use a custom access level, select Custom from the Access Level type drop-down menu and specify the Custom Access Level. - - Optional: Add authorized IP addresses. - - You can restrict the use of an API key to a specific set of IP addresses for security reasons. - **Note:** Authorized IP addresses are not available with Custom keys. -4. To apply the changes, click Save. - -#### Access Levels & Permissions -- The following tables indicate which type of API Key access level is required. If the type is Custom then the permission that is required will also be included. 
- -| Data stream | Access Level and Permissions | -| --------------------------- | ------------------------------------------ | -| Audit | API | -| Alert | Custom orgs.alerts (Read) | -| Asset Vulnerability Summary | Custom vulnerabilityAssessment.data (Read) | - - -## Note - -- The alert data stream has a 15-minute delay to ensure that no occurrences are missed. - -## Logs - -### Audit - -This is the `audit` dataset. - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2022-02-10T16:04:30.263Z", - "agent": { - "ephemeral_id": "6472e86c-fc7c-478a-a6fd-12ed19fe05c9", - "hostname": "docker-fleet-agent", - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "carbon_black_cloud": { - "audit": { - "flagged": false, - "verbose": false - } - }, - "client": { - "ip": "10.10.10.10", - "user": { - "id": "abc@demo.com" - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-04-14T11:48:30.094Z", - "dataset": "carbon_black_cloud.audit", - "id": "2122f8ce8xxxxxxxxxxxxx", - "ingested": "2022-04-14T11:48:31Z", - "kind": "event", - "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}", - "outcome": "success", - "reason": "Logged in successfully" - }, - "input": { - "type": "httpjson" - }, - "organization": { - "name": "cb-xxxx-xxxx.com" - }, - "related": { - "ip": [ - "10.10.10.10" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-audit" - ] -} -``` - 
-**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.audit.flagged | true if action is failed otherwise false. | boolean | -| carbon_black_cloud.audit.verbose | true if verbose audit log otherwise false. | boolean | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). 
| keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. 
| match_only_text | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | - - -### Alert - -This is the `alert` dataset. - -An example event for `alert` looks as following: - -```json -{ - "@timestamp": "2020-11-17T22:05:13.000Z", - "agent": { - "ephemeral_id": "56053d91-103c-4c77-8f15-0a1006a80102", - "hostname": "docker-fleet-agent", - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "carbon_black_cloud": { - "alert": { - "category": "warning", - "device": { - "external_ip": "81.2.69.143", - "internal_ip": "81.2.69.144", - "location": "UNKNOWN", - "os": "WINDOWS" - }, - "last_update_time": "2020-11-17T22:05:13Z", - "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720", - "organization_key": "ABCD6X3T", - "policy": { - "applied": "APPLIED", - "id": 6997287, - "name": "Standard" - }, - "product_id": "0x5406", - "product_name": "U3 Cruzer Micro", - "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC", - "run_state": "DID_NOT_RUN", - "sensor_action": "DENY", - "serial_number": "0875920EF7C2A304", - "target_value": "MEDIUM", - "threat_cause": { - "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E", - "threat_category": "NON_MALWARE", - "vector": "REMOVABLE_MEDIA" - }, - "threat_id": "t5678", - "type": "DEVICE_CONTROL", - "vendor_id": "0x0781", - "vendor_name": "SanDisk", - "workflow": { - "changed_by": "Carbon Black", - "last_update_time": "2020-11-17T22:02:16Z", - "state": "OPEN" - } - } - }, - "data_stream": 
{ - "dataset": "carbon_black_cloud.alert", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-04-14T11:46:13.154Z", - "dataset": "carbon_black_cloud.alert", - "end": "2020-11-17T22:02:16Z", - "id": "test1", - "ingested": "2022-04-14T11:46:14Z", - "kind": "alert", - "original": "{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", - "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.", - "severity": 3, - "start": "2020-11-17T22:02:16Z", - "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976" - }, - "host": { - "hostname": "DESKTOP-002", - "id": "2", - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], - "name": "DESKTOP-002", - "os": { - "type": "windows", - "version": "Windows 10 x64" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "DESKTOP-002" - ], - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], - "user": [ - "test34@demo.com" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-alert" - ], - "user": { - "name": "test34@demo.com" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.alert.blocked_threat_category | The category of threat which we were able to take action on. | keyword | -| carbon_black_cloud.alert.category | The category of the alert. | keyword | -| carbon_black_cloud.alert.count | | long | -| carbon_black_cloud.alert.created_by_event_id | Event identifier that initiated the alert. 
| keyword | -| carbon_black_cloud.alert.device.external_ip | External IP of the device. | ip | -| carbon_black_cloud.alert.device.internal_ip | Internal IP of the device. | ip | -| carbon_black_cloud.alert.device.location | The Location of device. | keyword | -| carbon_black_cloud.alert.device.os | OS of the device. | keyword | -| carbon_black_cloud.alert.document_guid | Unique ID of document. | keyword | -| carbon_black_cloud.alert.ioc.field | The field the indicator of comprise (IOC) hit contains. | keyword | -| carbon_black_cloud.alert.ioc.hit | IOC field value or IOC query that matches. | keyword | -| carbon_black_cloud.alert.ioc.id | The identifier of the IOC that cause the hit. | keyword | -| carbon_black_cloud.alert.kill_chain_status | The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. | keyword | -| carbon_black_cloud.alert.last_update_time | The last time the alert was updated as an ISO 8601 UTC timestamp. | date | -| carbon_black_cloud.alert.legacy_alert_id | The legacy identifier for the alert. | keyword | -| carbon_black_cloud.alert.not_blocked_threat_category | Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). | keyword | -| carbon_black_cloud.alert.notes_present | Indicates if notes are associated with the threat_id. | boolean | -| carbon_black_cloud.alert.organization_key | The unique identifier for the organization associated with the alert. | keyword | -| carbon_black_cloud.alert.policy.applied | Whether a policy was applied. | keyword | -| carbon_black_cloud.alert.policy.id | The identifier for the policy associated with the device at the time of the alert. | long | -| carbon_black_cloud.alert.policy.name | The name of the policy associated with the device at the time of the alert. | keyword | -| carbon_black_cloud.alert.product_id | The hexadecimal id of the USB device's product. 
| keyword |
-| carbon_black_cloud.alert.product_name | The name of the USB device’s vendor. | keyword |
-| carbon_black_cloud.alert.reason_code | Shorthand enum for the full-text reason. | keyword |
-| carbon_black_cloud.alert.report.id | The identifier of the report that contains the IOC. | keyword |
-| carbon_black_cloud.alert.report.name | The name of the report that contains the IOC. | keyword |
-| carbon_black_cloud.alert.run_state | Whether the threat in the alert ran. | keyword |
-| carbon_black_cloud.alert.sensor_action | The action taken by the sensor, according to the rule of the policy. | keyword |
-| carbon_black_cloud.alert.serial_number | The serial number of the USB device. | keyword |
-| carbon_black_cloud.alert.status | status of alert. | keyword |
-| carbon_black_cloud.alert.tags | Tags associated with the alert. | keyword |
-| carbon_black_cloud.alert.target_value | The priority of the device assigned by the policy. | keyword |
-| carbon_black_cloud.alert.threat_activity.c2 | Whether the alert involved a command and control (c2) server. | keyword |
-| carbon_black_cloud.alert.threat_activity.dlp | Whether the alert involved data loss prevention (DLP). | keyword |
-| carbon_black_cloud.alert.threat_activity.phish | Whether the alert involved phishing. | keyword |
-| carbon_black_cloud.alert.threat_cause.actor.md5 | MD5 of the threat cause actor. | keyword |
-| carbon_black_cloud.alert.threat_cause.actor.name | The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan. | keyword |
-| carbon_black_cloud.alert.threat_cause.actor.process_pid | Process identifier (PID) of the actor process. | keyword |
-| carbon_black_cloud.alert.threat_cause.actor.sha256 | SHA256 of the threat cause actor. | keyword |
-| carbon_black_cloud.alert.threat_cause.cause_event_id | ID of the Event that triggered the threat.
| keyword |
-| carbon_black_cloud.alert.threat_cause.process.guid | The global unique identifier of the process. | keyword |
-| carbon_black_cloud.alert.threat_cause.process.parent.guid | The global unique identifier of the process. | keyword |
-| carbon_black_cloud.alert.threat_cause.reputation | Reputation of the threat cause. | keyword |
-| carbon_black_cloud.alert.threat_cause.threat_category | Category of the threat cause. | keyword |
-| carbon_black_cloud.alert.threat_cause.vector | The source of the threat cause. | keyword |
-| carbon_black_cloud.alert.threat_id | The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. | keyword |
-| carbon_black_cloud.alert.threat_indicators.process_name | Process name associated with threat. | keyword |
-| carbon_black_cloud.alert.threat_indicators.sha256 | Sha256 associated with threat. | keyword |
-| carbon_black_cloud.alert.threat_indicators.ttps | Tactics, techniques and procedures associated with threat. | keyword |
-| carbon_black_cloud.alert.type | Type of alert. | keyword |
-| carbon_black_cloud.alert.vendor_id | The hexadecimal id of the USB device's vendor. | keyword |
-| carbon_black_cloud.alert.vendor_name | The name of the USB device’s vendor. | keyword |
-| carbon_black_cloud.alert.watchlists.id | The identifier of watchlist. | keyword |
-| carbon_black_cloud.alert.watchlists.name | The name of the watchlist. | keyword |
-| carbon_black_cloud.alert.workflow.changed_by | The name of user who changed the workflow. | keyword |
-| carbon_black_cloud.alert.workflow.comment | Comment associated with workflow. | keyword |
-| carbon_black_cloud.alert.workflow.last_update_time | The last update time of workflow. | date |
-| carbon_black_cloud.alert.workflow.remediation | N/A | keyword |
-| carbon_black_cloud.alert.workflow.state | The state of workflow.
| keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.dataset | Event dataset. | constant_keyword |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
| long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows).
| keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event.
| ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-
-
-### Endpoint Event
-
-This is the `endpoint_event` dataset.
-
-An example event for `endpoint_event` looks as following:
-
-```json
-{
- "process": {
- "parent": {
- "pid": 1684,
- "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62",
- "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe",
- "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe",
- "hash": {
- "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5",
- "md5": "03dd698da2671383c9b4f868c9931879"
- }
- },
- "pid": 4880,
- "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37",
- "command_line": "\"route.exe\" print",
- "executable": "c:\\windows\\system32\\route.exe",
- "hash": {
- "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6",
- "md5": "2498272dc48446891182747428d02a30"
- }
- },
- "ecs": {
- "version": "8.0.0"
- },
- "carbon_black_cloud": {
- "endpoint_event": {
- "schema": 1,
- "event_origin": "EDR",
- "process": {
- "duration": 2,
- "parent": {
- "reputation": "REP_RESOLVING"
- },
- "publisher": [
- {
- "name": "Microsoft Windows",
- "state": [
- "FILE_SIGNATURE_STATE_SIGNED",
- "FILE_SIGNATURE_STATE_VERIFIED",
- "FILE_SIGNATURE_STATE_TRUSTED",
- "FILE_SIGNATURE_STATE_OS",
- "FILE_SIGNATURE_STATE_CATALOG_SIGNED"
- ]
- }
- ],
- "reputation": "REP_RESOLVING",
- "terminated": true,
- "username": "NT AUTHORITY\\SYSTEM"
- },
- "organization_key": "XXXXXXXX",
- "backend": {
-
"timestamp": "2022-02-10 11:52:50 +0000 UTC"
- },
- "target_cmdline": "\"route.exe\" print",
- "type": "endpoint.event.procend",
- "device": {
- "os": "WINDOWS",
- "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC",
- "external_ip": "67.43.156.12"
- },
- "sensor_action": "ACTION_ALLOW"
- }
- },
- "host": {
- "hostname": "client-cb2",
- "id": "4034605",
- "os": {
- "type": "windows"
- },
- "ip": [
- "67.43.156.13"
- ]
- },
- "event": {
- "action": "ACTION_PROCESS_TERMINATE",
- "orignal": "{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" 
print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}"
- },
- "data_stream": {
- "dataset": "carbon_black_cloud.endpoint_event",
- "namespace": "ep",
- "type": "logs"
- },
- "elastic_agent": {
- "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5",
- "snapshot": true,
- "version": "8.0.0"
- },
- "input": {
- "type": "aws-s3"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "carbon_black_cloud-endpoint-event"
- ]
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| carbon_black_cloud.endpoint_event.alert_id | The ID of the Alert this event is associated with. | keyword |
-| carbon_black_cloud.endpoint_event.backend.timestamp | Time when the backend received the batch of events. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.guid | Unique ID of the child process. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.hash.md5 | Cryptographic MD5 hashes of the executable file backing the child process. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.hash.sha256 | Cryptographic SHA256 hashes of the executable file backing the child process. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.pid | OS-reported Process ID of the child process. | long |
-| carbon_black_cloud.endpoint_event.childproc.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.childproc.reputation | Carbon Black Cloud Reputation string for the childproc.
| keyword |
-| carbon_black_cloud.endpoint_event.childproc.username | The username associated with the user context that the child process was started under. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.action | The action taken on cross-process. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.api | Name of the operating system API called by the actor process. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.guid | Unique ID of the cross process. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.hash.md5 | Cryptographic MD5 hashes of the target of the crossproc event. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.hash.sha256 | Cryptographic SHA256 hashes of the target of the crossproc event. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.reputation | Carbon Black Cloud Reputation string for the crossproc. | keyword |
-| carbon_black_cloud.endpoint_event.crossproc.target | True if the process was the target of the cross-process event; false if the process was the actor. | boolean |
-| carbon_black_cloud.endpoint_event.device.external_ip | External IP of the device. | ip |
-| carbon_black_cloud.endpoint_event.device.internal_ip | Internal IP of the device. | ip |
-| carbon_black_cloud.endpoint_event.device.os | Os name. | keyword |
-| carbon_black_cloud.endpoint_event.device.timestamp | Time seen on sensor. | keyword |
-| carbon_black_cloud.endpoint_event.event_origin | Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard.
| keyword |
-| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline | Deobfuscated script content run in a fileless context by the process. | keyword |
-| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length | Character count of the deobfuscated script content run in a fileless context. | keyword |
-| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 | MD5 hash of the deobfuscated script content run by the process in a fileless context. | keyword |
-| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 | SHA-256 hash of the deobfuscated script content run by the process in a fileless context. | keyword |
-| carbon_black_cloud.endpoint_event.modload.count | Count of modload events reported by the sensor since last initialization. | long |
-| carbon_black_cloud.endpoint_event.modload.effective_reputation | Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred. | keyword |
-| carbon_black_cloud.endpoint_event.modload.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.modload.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.netconn.proxy.domain | DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address. | keyword |
-| carbon_black_cloud.endpoint_event.netconn.proxy.ip | IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection. | keyword |
-| carbon_black_cloud.endpoint_event.netconn.proxy.port | UDP/TCP port number associated with the "proxy" end of this network connection. | keyword |
-| carbon_black_cloud.endpoint_event.organization_key | The organization key associated with the console instance.
| keyword |
-| carbon_black_cloud.endpoint_event.process.duration | The time difference in seconds between the process start and process terminate event. | long |
-| carbon_black_cloud.endpoint_event.process.parent.reputation | Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
-| carbon_black_cloud.endpoint_event.process.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.process.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
-| carbon_black_cloud.endpoint_event.process.terminated | True if process was terminated elase false. | boolean |
-| carbon_black_cloud.endpoint_event.process.username | The username associated with the user context that this process was started under. | keyword |
-| carbon_black_cloud.endpoint_event.schema | The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. | long |
-| carbon_black_cloud.endpoint_event.scriptload.count | Count of scriptload events across all processes reported by the sensor since last initialization. | long |
-| carbon_black_cloud.endpoint_event.scriptload.effective_reputation | Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.hash.md5 | Cryptographic MD5 hashes of the target of the scriptload event. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.hash.sha256 | Cryptographic SHA256 hashes of the target of the scriptload event.
| keyword |
-| carbon_black_cloud.endpoint_event.scriptload.name | Full path to the target of the crossproc event on the device's local file system. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.endpoint_event.scriptload.reputation | Carbon Black Cloud Reputation string for the scriptload. | keyword |
-| carbon_black_cloud.endpoint_event.sensor_action | The sensor action taken on event. | keyword |
-| carbon_black_cloud.endpoint_event.target_cmdline | Process command line associated with the target process. | keyword |
-| carbon_black_cloud.endpoint_event.type | The event type. | keyword |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name.
| keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| dll.hash.md5 | MD5 hash. | keyword |
-| dll.hash.sha256 | SHA256 hash. | keyword |
-| dll.path | Full file path of the library. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.dataset | Event dataset. | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| file.hash.md5 | MD5 hash.
| keyword |
-| file.hash.sha256 | SHA256 hash. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
| keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable.
| keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.pid | Process id. | long |
-| process.pid | Process id. | long |
-| registry.path | Full path, including hive, key and value | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event.
| keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | - - -### Watchlist Hit - -This is the `watchlist_hit` dataset. - -An example event for `watchlist_hit` looks as following: - -```json -{ - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-watchlist-hit" - ], - "input": { - "type": "aws-s3" - }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "carbon_black_cloud.watchlist_hit" - }, - "agent": { - "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "process": { - "parent": { - "pid": 4076, - "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1", - "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"", - "executable": "c:\\windows\\syswow64\\cmd.exe", - "hash": { - "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22", - "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b" - } - }, - "pid": 7516, - "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6", - "command_line": "sc query aella_conf ", - "executable": "c:\\windows\\syswow64\\sc.exe", - "hash": { - "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2", - "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8" - } - }, - "carbon_black_cloud": { - "watchlist_hit": { - "schema": 1, - "process": { - "parent": { - "publisher": [ - { - 
"name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_WHITE", - "username": "NT AUTHORITY\\SYSTEM" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_WHITE", - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "xxxxxxxx", - "report": { - "name": "Discovery - System Service Discovery Detected", - "id": "CFnKBKLTv6hUkBGFobRdg-565571", - "tags": [ - "attack", - "attackframework", - "threathunting", - "hunting", - "t1007", - "recon", - "discovery", - "windows" - ] - }, - "watchlists": [ - { - "name": "ATT\u0026CK Framework", - "id": "P5f9AW29TGmTOvBW156Cig" - } - ], - "type": "watchlist.hit", - "ioc": { - "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true", - "id": "565571-0" - }, - "device": { - "internal_ip": "10.10.156.12", - "external_ip": "67.43.156.12", - "os": "WINDOWS" - } - } - }, - "host": { - "hostname": "Carbonblack-win1", - "os": { - "type": "windows" - }, - "ip": [ - "10.10.156.12", - "67.43.156.12" - ], - "id": "4467271" - }, - "event": { - "kind": "event", - "severity": 3, - "agent_id_status": "verified", - "ingested": "2022-02-17T07:23:31Z", - "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe 
/c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf \",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}", - "dataset": "carbon_black_cloud.watchlist_hit" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.watchlist_hit.device.external_ip | External IP of the device. | ip | -| carbon_black_cloud.watchlist_hit.device.internal_ip | Internal IP of the device. 
| ip | -| carbon_black_cloud.watchlist_hit.device.os | OS Type of device (Windows/OSX/Linux). | keyword | -| carbon_black_cloud.watchlist_hit.ioc.field | Field the IOC hit contains. | keyword | -| carbon_black_cloud.watchlist_hit.ioc.hit | IOC field value, or IOC query that matches. | keyword | -| carbon_black_cloud.watchlist_hit.ioc.id | ID of the IOC that caused the hit. | keyword | -| carbon_black_cloud.watchlist_hit.organization_key | The organization key associated with the console instance. | keyword | -| carbon_black_cloud.watchlist_hit.process.parent.publisher.name | The name of the publisher. | keyword | -| carbon_black_cloud.watchlist_hit.process.parent.publisher.state | The state of the publisher. | keyword | -| carbon_black_cloud.watchlist_hit.process.parent.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | -| carbon_black_cloud.watchlist_hit.process.parent.username | The username associated with the user context that this process was started under. | keyword | -| carbon_black_cloud.watchlist_hit.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | -| carbon_black_cloud.watchlist_hit.process.username | The username associated with the user context that this process was started under. | keyword | -| carbon_black_cloud.watchlist_hit.report.id | ID of the watchlist report(s) that detected a hit on the process. | keyword | -| carbon_black_cloud.watchlist_hit.report.name | Name of the watchlist report(s) that detected a hit on the process. | keyword | -| carbon_black_cloud.watchlist_hit.report.tags | List of tags associated with the report(s) that detected a hit on the process. | keyword | -| carbon_black_cloud.watchlist_hit.schema | Schema version. | long | -| carbon_black_cloud.watchlist_hit.type | The watchlist hit type. 
| keyword | -| carbon_black_cloud.watchlist_hit.watchlists.id | The ID of the watchlists. | keyword | -| carbon_black_cloud.watchlist_hit.watchlists.name | The name of the watchlists. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Event dataset. | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. 
| wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | -| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | -| process.parent.hash.md5 | MD5 hash. | keyword | -| process.parent.hash.sha256 | SHA256 hash. | keyword | -| process.parent.pid | Process id. | long | -| process.pid | Process id. 
| long | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | - - -### Asset Vulnerability Summary - -This is the `asset_vulnerability_summary` dataset. - -An example event for `asset_vulnerability_summary` looks as following: - -```json -{ - "@timestamp": "2022-04-14T11:47:25.371Z", - "agent": { - "ephemeral_id": "377d9292-c7d0-4c30-bbee-faf4848d30d8", - "hostname": "docker-fleet-agent", - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "carbon_black_cloud": { - "asset_vulnerability_summary": { - "last_sync": { - "timestamp": "2022-01-17T08:33:37.384Z" - }, - "os_info": { - "os_arch": "64-bit" - }, - "sync": { - "status": "COMPLETED", - "type": "SCHEDULED" - }, - "type": "ENDPOINT", - "vuln_count": 1770 - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.asset_vulnerability_summary", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-04-14T11:47:25.371Z", - "dataset": "carbon_black_cloud.asset_vulnerability_summary", - "ingested": "2022-04-14T11:47:26Z", - "original": 
"{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}" - }, - "host": { - "hostname": "DESKTOP-008", - "id": "8", - "name": "DESKTOP-008KK", - "os": { - "name": "Microsoft Windows 10 Education", - "type": "windows", - "version": "10.0.17763" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "DESKTOP-008" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-asset-vulnerability-summary" - ], - "vulnerability": { - "score": { - "base": 10 - }, - "severity": "CRITICAL" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp | The identifier is for the Last sync time. | date | -| carbon_black_cloud.asset_vulnerability_summary.os_info.os_arch | The identifier is for the Operating system architecture. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.sync.status | The identifier is for the Device sync status. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.sync.type | The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.type | The identifier is for the Device type. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.vm.id | The identifier is for the Virtual Machine ID. | keyword | -| carbon_black_cloud.asset_vulnerability_summary.vm.name | The identifier is for the Virtual Machine name. 
| keyword | -| carbon_black_cloud.asset_vulnerability_summary.vuln_count | The identifier is for the Number of vulnerabilities at this level. | integer | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. 
One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | -| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | diff --git a/packages/carbon_black_cloud/1.0.0/img/carbon_black_cloud-logo.svg b/packages/carbon_black_cloud/1.0.0/img/carbon_black_cloud-logo.svg deleted file mode 100755 index 180cc3d212..0000000000 --- a/packages/carbon_black_cloud/1.0.0/img/carbon_black_cloud-logo.svg +++ /dev/null @@ -1,91 +0,0 @@ - - - - -Created by potrace 1.16, written by Peter Selinger 2001-2019 - - - - - - - - - - - - - - - - - - - - - 
diff --git a/packages/carbon_black_cloud/1.0.0/img/carbon_black_cloud-screenshot.png b/packages/carbon_black_cloud/1.0.0/img/carbon_black_cloud-screenshot.png deleted file mode 100755 index 6fda3c108d..0000000000 Binary files a/packages/carbon_black_cloud/1.0.0/img/carbon_black_cloud-screenshot.png and /dev/null differ diff --git a/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 129cd1c62a..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":831}]}}},\"gridData\":{\"h\":15,\"i\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"panelRefName\":\"panel_3\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Audit Logs", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", - "name": "panel_0", - "type": "visualization" - }, - { - "id": 
"carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json deleted file mode 100755 index e3f216759c..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"carbon_black_cloud.endpoint_event.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"title\":\"[Carbon Black Cloud] Top 10 Event 
Types\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IP\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"panelRefName\":\"panel_12\",\"title\":\"[Carbon 
Black Cloud] Top 10 Effective Reputation of Loaded Modules\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"w\":48,\"x\":0,\"y\":105},\"panelIndex\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"panelRefName\":\"panel_13\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Endpoint Event", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "f19543f7-04f5-42dd-849b-5f2fd8ca15f8:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", - "name": 
"panel_9", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", - "name": "panel_13", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 4a9c10d677..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,147 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"carbon_black_cloud.alert.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":15,\"i\":\"a63e66da-6fdb-432e-8cd3-9beeceb7187e\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"a63e66da-6fdb-432e-8cd3-9beeceb7187e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":t
rue,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"carbon_black_cloud.alert.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":15,\"i\":\"3b39bb5c-6d43-4bac-9551-dd3db3def5da\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"3b39bb5c-6d43-4bac-9551-dd3db3def5da\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5e9e34e5-35be-4f6c-922a-fb15daf002ab\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"5e9e34e5-35be-4f6c-922a-fb15daf002ab\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7cba8aeb-90ad-4db5-8050-6093f8b51f56\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"7cba8aeb-90ad-4db5-8050-6093f8b51f56\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"bb01cff3-1557-42ad-ad1a-0cca9f44b658\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"bb01cff3-1557-42ad-ad1a
-0cca9f44b658\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fdcee22b-9a7d-4b00-af40-ebe01d7e8b28\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"fdcee22b-9a7d-4b00-af40-ebe01d7e8b28\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3d50fe5a-b808-407c-830e-1badfb14b4b4\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"3d50fe5a-b808-407c-830e-1badfb14b4b4\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e7610078-a6b5-47e0-9739-ee08f84a39c8\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"e7610078-a6b5-47e0-9739-ee08f84a39c8\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93081e97-c841-4eb2-bfa3-6d214cb10282\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"93081e97-c841-4eb2-bfa3-6d214cb10282\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"920d0841-19a5-4052-a5c6-4c2bcea8feee\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"920d0841-19a5-4052-a5c6-4c2bcea8feee\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2aab11a6-0445-43ae-b852-de68e72bc9f6\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"2aab11a6-0445-43ae-b852-de68e72bc9f6\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"64eae241-7f78-45c4-9ec8-f2c1195a5fa2\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"64eae241-7f78-45c4-9ec8-f2c1195a5fa2\",\"panelRefName\":\"panel_11\",\"type\":\"
visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f0964cf-d899-481f-b1e2-138d3e24f67f\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"8f0964cf-d899-481f-b1e2-138d3e24f67f\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":1,\"width\":494}]}}},\"gridData\":{\"h\":15,\"i\":\"5cf45870-ceae-4231-9fe7-1dc62ff55c16\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"5cf45870-ceae-4231-9fe7-1dc62ff55c16\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"01a42219-92ef-4f03-b8a3-3eb1f498c1f7\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"01a42219-92ef-4f03-b8a3-3eb1f498c1f7\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"2afa241a-c05d-4c21-b993-d00d655e53f6\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"2afa241a-c05d-4c21-b993-d00d655e53f6\",\"panelRefName\":\"panel_15\",\"title\":\"[Carbon Black Cloud] Distribution of Alerts by IOC 
Field\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5ac185d0-99d0-473f-9cf5-4898053b1fa8\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"5ac185d0-99d0-473f-9cf5-4898053b1fa8\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9248238a-0980-423a-a19c-44102fdc173c\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"9248238a-0980-423a-a19c-44102fdc173c\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"48aa679f-815f-4196-bca9-b3d7784aef73\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"48aa679f-815f-4196-bca9-b3d7784aef73\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"669a2361-cb74-4def-a571-4af3ab5082b9\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"669a2361-cb74-4def-a571-4af3ab5082b9\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"83e71096-5c60-41e7-a258-ec2036fcf872\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"83e71096-5c60-41e7-a258-ec2036fcf872\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ab2c450c-e97f-41ba-bffe-3c0672b64320\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"ab2c450c-e97f-41ba-bffe-3c0672b64320\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3df6d550-3202-40b6-a2ad-0909b7e5dd6b\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"3df6d550-3202-40b6-a2ad-0909b7e5dd6b\",\"panelRefName\":\"panel_22\",\"type\":\"visualization\",\"versio
n\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":1134}]}}},\"gridData\":{\"h\":15,\"i\":\"bab343d8-bdda-4558-8353-f4530b69a3b9\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"bab343d8-bdda-4558-8353-f4530b69a3b9\",\"panelRefName\":\"panel_23\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":27,\"i\":\"7a714638-9485-4da1-bc85-38df2ef49e99\",\"w\":48,\"x\":0,\"y\":180},\"panelIndex\":\"7a714638-9485-4da1-bc85-38df2ef49e99\",\"panelRefName\":\"panel_24\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"360b92d6-049c-42de-903f-f22ab75c0afc\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"360b92d6-049c-42de-903f-f22ab75c0afc\",\"title\":\"[Carbon Black Cloud] Top 10 Threat Cause Actor Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Alerts", - "version": 1 - }, - 
"coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", - "name": "panel_14", - 
"type": "visualization" - }, - { - "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", - "name": "panel_24", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index ee0df3955b..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"panelRefName\":\"panel_0\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"panelRefName\":\"panel_2\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"panelRefName\":\"panel_3\",\"title\":\"[Carbon Black Cloud] 
Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"panelRefName\":\"panel_4\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Hosts with Highest Risk Score\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"panelRefName\":\"panel_6\",\"title\":\"[Carbon Black Cloud] Top 10 OS Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":20,\"i\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"panelRefName\":\"panel_7\",\"title\":\"[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": 
"[Carbon Black Cloud] Asset Vulnerability Summary", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", - "name": "panel_7", - "type": "search" - }, - { - "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 94761c84e1..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.watchlist_hit.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IPs\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit Name\",\"field\":\"carbon_black_cloud.watchlist_hit.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Watchlist Hit Names\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Severity\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Parent Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher 
Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"panelRefName\":\"panel_8\",\"type\":\"visualiz
ation\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"panelRefName\":\"panel_9\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"panelRefName\":\"panel_10\",\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":31,\"i\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"w\":48,\"x\":0,\"y\":120},\"panelIndex\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"panelRefName\":\"panel_11\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Watchlist Hit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "4f7b5cef-a7e9-44a9-8769-44d5326a8df4:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3d454d18-6baa-40de-aa94-4ebfaee9a759:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b0289aae-02bb-472e-8a22-07ff9f5d2372:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"d29f5a98-736d-4f47-877e-b4552d15f889:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ae5c96d5-b7d6-45f8-b57b-42cc190f990b:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826", - "name": "panel_11", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json deleted file mode 100755 index fde5382f93..0000000000 
--- a/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "carbon_black_cloud.watchlist_hit.watchlists.name", - "process.command_line", - "process.parent.command_line", - "process.executable", - "process.parent.executable", - "carbon_black_cloud.watchlist_hit.ioc.id", - "carbon_black_cloud.watchlist_hit.ioc.hit" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Watchlist Hit Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index fdc104f3b2..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.id", - "client.user.id", - "event.reason", - "client.ip" - ], - "description": "", - "grid": {}, - "hideChart": true, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Audit Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 800a5cb006..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "carbon_black_cloud.endpoint_event.type", - "process.command_line", - "process.parent.command_line", - "dll.path", - "carbon_black_cloud.endpoint_event.target_cmdline", - "process.executable", - "process.parent.executable" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Endpoint Events Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1a37e59347..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.id", - "event.reason", - "event.url", - "carbon_black_cloud.alert.threat_indicators.process_name", - "carbon_black_cloud.alert.category" - ], - "description": "", - "grid": {}, - "hideChart": true, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Alerts Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index c060c3bd41..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.hostname", - "vulnerability.severity", - "vulnerability.score.base", - "carbon_black_cloud.asset_vulnerability_summary.vuln_count" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json deleted file mode 100755 index bf6bf9170c..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 329118ed72..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by OS, OS version", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by OS, OS version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } 
- ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index fb78529067..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Client IPs", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client IPs\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Client IPs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json
deleted file mode 100755
index edfb4ab922..0000000000
--- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json
+++ /dev/null
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators TTPS\",\"field\":\"carbon_black_cloud.alert.threat_indicators.ttps\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"posit
ion\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json deleted file mode 100755 index e058315a1e..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Actions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show
\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Top 10 Actions\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index e9926e3521..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by OS", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"carbon_black_cloud.watchlist_hit.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by OS\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 5c97a8d4eb..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Severity", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 8bb3adabfb..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 7bec55f465..0000000000 
--- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":9},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index e4b7fe64f8..0000000000 
--- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 6b1cb56ea0..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Origin\",\"field\":\"carbon_black_cloud.endpoint_event.event_origin\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{
\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index c59f3f2623..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"Le
ftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 0a01e78828..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 682f389163..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by OS", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device OS\",\"field\":\"carbon_black_cloud.endpoint_event.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by OS\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 7af6d5ad55..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 IOC Hits", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.watchlist_hit.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hits\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1c116157a2..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Category", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"carbon_black_cloud.alert.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3ced47d3fe..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 60cf2f819b..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by OS Type, OS Version", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Type\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - 
], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 411603d6cc..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":2},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"norm
al\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Distribution of Asset Vulnerability Summary by Type\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 811d8c6112..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.vector\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"
position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index e390c83ecc..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by IOC field", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Field\",\"field\":\"carbon_black_cloud.alert.ioc.field\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"
normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by IOC field\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index bdd43d6d65..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by OS Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index a8622511b3..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by OS Architecture", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.architecture\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Architecture\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 02160d4bea..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 OS Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Names\",\"field\":\"host.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"row\":false,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 OS Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 6c64141f00..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 Hosts with Highest Vulnerability Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Vulnerability Count\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.vuln_count\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 630d474e6e..0000000000 
--- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Workflow State", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Workflow State\",\"field\":\"carbon_black_cloud.alert.workflow.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Workflow State\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 228daf684c..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 1bd12c5d2e..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Severity", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"vulnerability.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 0a3d26dad2..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Report Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Report Name\",\"field\":\"carbon_black_cloud.watchlist_hit.report.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Report Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 6e873422cb..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 Hosts with Highest Risk Score", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Risk Score\",\"field\":\"vulnerability.score.base\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Risk Score\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 48a0ff614a..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index b549ad14a1..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Sync Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 116934a90e..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index ebce21d74d..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Sync Status", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync Status\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 8f11ac69cf..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 Hosts with Severity", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Severity\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"2-orderAgg\",\"params\":{\"field\":\"vulnerability.severity\"},\"schema\":\"orderAgg\",\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Severity\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 5d57824451..0000000000 
--- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 IOC Hit", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.alert.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hit\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index dd5f86134d..0000000000 
--- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit\",\"field\":\"carbon_black_cloud.alert.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\
":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 60669ee962..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Reputation\",\"field\":\"carbon_black_cloud.alert.threat_cause.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 19ad6bf381..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Threat Indicators Process Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators Process Name\",\"field\":\"carbon_black_cloud.alert.threat_indicators.process_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Threat Indicators Process Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 7992c14128..0000000000 
--- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Devices", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Devices\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index ebcc102bf4..0000000000 
--- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Run State", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Run State\",\"field\":\"carbon_black_cloud.alert.run_state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Run State\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bf3592d08f..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1025e00226..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Sensor Action", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.alert.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":
{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Sensor Action\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index c4ce665f33..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 7db345ec9b..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Audit Logs by Flag Status", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flagged\",\"field\":\"carbon_black_cloud.audit.flagged\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Audit Logs by Flag Status\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 37864260d1..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Effective Reputation of Loaded Modules\",\"field\":\"carbon_black_cloud.endpoint_event.modload.effective_reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index cf20544145..0000000000 
--- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":8},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index dd2d0ee97a..0000000000 
--- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Usernames", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Usernames\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json deleted file mode 100755 index bb4fb20b4b..0000000000 
--- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3a76cb6cae..0000000000 
--- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.endpoint_event.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale
\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 29d985b4d8..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit by Report Tag\",\"field\":\"carbon_black_cloud.watchlist_hit.report.tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\
"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 50933d86cc..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Not Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.not_blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftA
xis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bf02f82c2e..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Policy Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"carbon_black_cloud.alert.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Policy Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bfebab9f24..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Reason Codes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Reason Codes\",\"field\":\"carbon_black_cloud.alert.reason_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Reason Codes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 85bf297c56..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Usernames", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Usernames\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 2ad0964cbb..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Request URLs", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"URL\",\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Request URLs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index cb945df49b..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Kill Chain Status\",\"field\":\"carbon_black_cloud.alert.kill_chain_status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\
",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index fc1c6812f0..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Process Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Name\",\"field\":\"process.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\
":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Process Name\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3c04444ca9..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device External IP", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.endpoint_event.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device External IP\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index a79db35e93..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Alert Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"carbon_black_cloud.alert.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Alert Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index d3f393c0d5..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Actor Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Actor Name\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 84fedf340e..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1c30c4f320..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Policy Applied", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Applied\",\"field\":\"carbon_black_cloud.alert.policy.applied\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Policy Applied\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 4a17555983..0000000000 --- a/packages/carbon_black_cloud/1.0.0/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Target Value", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Value\",\"field\":\"carbon_black_cloud.alert.target_value\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Target Value\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.0/manifest.yml b/packages/carbon_black_cloud/1.0.0/manifest.yml deleted file mode 100755 index 0495bf783a..0000000000 
--- a/packages/carbon_black_cloud/1.0.0/manifest.yml +++ /dev/null 
@@ -1,136 +0,0 @@
-format_version: 1.0.0
-name: carbon_black_cloud
-title: VMware Carbon Black Cloud
-version: 1.0.0
-license: basic
-description: Collect logs from VMWare Carbon Black Cloud with Elastic Agent.
-type: integration
-categories:
- - security
-release: ga
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-screenshots:
- - src: /img/carbon_black_cloud-screenshot.png
- title: Carbon Black Cloud alert dashboard screenshot
- size: 600x600
- type: image/png
-icons:
- - src: /img/carbon_black_cloud-logo.svg
- title: Carbon Black Cloud logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: carbon_black_cloud
- title: Carbon Black Cloud
- description: Collect Logs from Carbon Black Cloud
- inputs:
- - type: httpjson
- title: Collect Carbon Black Cloud logs via API
- description: Collect Carbon Black Cloud logs via API
- vars:
- - name: hostname
- type: text
- title: Hostname
- description: Carbon Black Cloud console Hostname. Find hostname in the console dashboard at the beginning of the web address (Add https:// before the hostname).
- required: true
- - name: org_key
- type: text
- title: Organization Key
- description: Organization Key.
- required: true
- - name: custom_api_id
- type: text
- title: Custom API ID
- description: API ID with Custom Access Level type.
- required: true
- - name: custom_api_secret_key
- type: password
- title: Custom API Secret Key
- description: API Secret Key with Custom Access Level type
- required: true
- - name: api_id
- type: text
- title: API ID
- description: API ID with API Access Level type.
- required: true
- - name: api_secret_key
- type: password
- title: API Secret Key
- description: API Secret Key with API Access Level type
- required: true
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
- - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. - multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - - type: aws-s3 - title: Collect Carbon Black Cloud logs via AWS S3 - description: Collect Carbon Black Cloud logs via AWS S3 - vars: - - name: bucket_arn - type: text - title: Bucket ARN - multi: false - required: true - show_user: true - - name: access_key_id - type: password - title: Access Key ID - multi: false - required: true - show_user: true - - name: secret_access_key - type: password - title: Secret Access Key - multi: false - required: true - show_user: true - - name: number_of_workers - type: integer - title: Number of Workers - multi: false - 
required: false
- show_user: false
- default: 5
- description: Number of workers that will process the S3 objects listed.
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/carbon_black_cloud/1.0.1/changelog.yml b/packages/carbon_black_cloud/1.0.1/changelog.yml
deleted file mode 100755
index 2280c850b8..0000000000
--- a/packages/carbon_black_cloud/1.0.1/changelog.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-# newer versions go on top
-- version: "1.0.1"
- changes:
- - description: Change event.outcome value from failure to failed according to ECS
- type: bugfix
- link: https://github.com/elastic/integrations/issues/3407
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: 0.1.2
- changes:
- - description: Add "VMware" to the title to make it "VMware Carbon Black Cloud".
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3196
-- version: 0.1.1
- changes:
- - description: Captured domain from username and hostname
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3106
-- version: 0.1.0
- changes:
- - description: Initial draft of the package.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2760
diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/alert/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.0.1/data_stream/alert/agent/stream/aws-s3.yml.hbs
deleted file mode 100755
index e02c596614..0000000000
--- a/packages/carbon_black_cloud/1.0.1/data_stream/alert/agent/stream/aws-s3.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@
-bucket_arn: {{bucket_arn}}
-number_of_workers: {{number_of_workers}}
-bucket_list_interval: {{interval}}
-access_key_id: {{access_key_id}}
-secret_access_key: {{secret_access_key}}
-bucket_list_prefix: {{bucket_list_prefix}}
-expand_event_list_from_field: Records
-{{#if proxy_url}}
-proxy_url: {{proxy_url}}
-{{/if}}
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.0.1/data_stream/alert/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 2f738b21a6..0000000000
--- a/packages/carbon_black_cloud/1.0.1/data_stream/alert/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,52 +0,0 @@
-config_version: 2
-interval: {{interval}}
-request.timeout: 2m
-request.method: POST
-
-{{#if proxy_url}}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-
-request.url: {{hostname}}/appservices/v6/orgs/{{org_key}}/alerts/_search
-request.transforms:
- - set:
- target: header.X-Auth-Token
- value: {{custom_api_secret_key}}/{{custom_api_id}}
- - set:
- target: body.criteria.last_update_time.start
- value: '[[.cursor.last_update_timestamp]]'
- default: '[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "-15m")) "RFC3339"]]'
- - set:
- target: body.criteria.last_update_time.end
- value: '[[formatDate (now (parseDuration "-15m")) "RFC3339"]]'
- - set:
- target: body.sort
- value: '[{ "field": "last_update_time", "order": "ASC"}]'
- value_type: json
-response.pagination:
- - set:
- target: body.criteria.last_update_time.start
- value: '[[if (ne .last_response.body.num_found .last_response.body.num_available)]][[.last_event.last_update_time]][[else]][[.last_response.terminate_pagination]][[end]]'
- fail_on_template_error: true
-cursor:
- last_update_timestamp:
- value: '[[.last_event.last_update_time]]'
-response.split:
- target: body.results
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.1/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index f6f5fc171e..0000000000
--- a/packages/carbon_black_cloud/1.0.1/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,313 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud alerts. -processors: - - set: - field: ecs.version - value: "8.0.0" - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - fingerprint: - fields: - - json.id - - json.create_time - - json.last_update_time - target_field: _id - ignore_missing: true - - date: - field: json.create_time - target_field: "@timestamp" - ignore_failure: true - formats: - - ISO8601 - - set: - field: event.kind - value: alert - - rename: - field: json.id - target_field: event.id - ignore_missing: true - - rename: - field: json.first_event_time - target_field: event.start - ignore_missing: true - - rename: - field: json.last_event_time - target_field: event.end - ignore_missing: true - - rename: - field: json.severity - target_field: event.severity - ignore_missing: true - - urldecode: - field: json.alert_url - target_field: event.url - ignore_missing: true - - rename: - field: json.reason - target_field: event.reason - ignore_missing: true - - convert: - field: json.device_id - target_field: host.id - type: string - ignore_missing: true - - set: - field: host.os.type - value: windows - if: ctx?.json?.device_os == "WINDOWS" - - set: - field: host.os.type - value: linux - if: ctx?.json?.device_os == "LINUX" - - set: - field: host.os.type - value: macos - if: ctx?.json?.device_os == "MAC" - - set: - field: event.kind - value: alert - - rename: - field: json.device_os_version - target_field: host.os.version - ignore_missing: true - - rename: - field: json.device_name - target_field: host.hostname - ignore_missing: true - - grok: - field: host.hostname - patterns: - - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' - ignore_missing: true - ignore_failure: true - - set: - field: host.name - value: "{{{host.hostname}}}" - ignore_failure: true - - append: - field: host.ip - value: 
"{{{json.device_internal_ip}}}" - if: ctx?.json?.device_internal_ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_external_ip}}}" - if: ctx?.json?.device_external_ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.device_username - target_field: user.name - ignore_missing: true - - grok: - field: user.name - patterns: - - '^(%{DATA:user.domain})\\(%{GREEDYDATA:user.name})$' - ignore_missing: true - ignore_failure: true - - append: - field: related.ip - value: - - "{{{json.device_internal_ip}}}" - - "{{{json.device_external_ip}}}" - allow_duplicates: false - - append: - field: related.user - value: - - "{{{user.name}}}" - allow_duplicates: false - - append: - field: related.hosts - value: - - "{{{host.hostname}}}" - - "{{{user.domain}}}" - allow_duplicates: false - - append: - field: related.hash - value: - - "{{{json.threat_cause_actor_md5}}}" - - "{{{json.threat_cause_actor_sha256}}}" - allow_duplicates: false - - rename: - field: json.process_name - target_field: process.name - ignore_missing: true - - rename: - field: json.process_path - target_field: process.executable - ignore_missing: true - - rename: - field: json.process_guid - target_field: process.entity_id - ignore_missing: true - - rename: - field: json.vendor_name - target_field: carbon_black_cloud.alert.vendor_name - ignore_missing: true - - rename: - field: json.product_name - target_field: carbon_black_cloud.alert.product_name - ignore_missing: true - - rename: - field: json.serial_number - target_field: carbon_black_cloud.alert.serial_number - ignore_missing: true - - rename: - field: json.policy_id - target_field: carbon_black_cloud.alert.policy.id - ignore_missing: true - - rename: - field: json.policy_name - target_field: carbon_black_cloud.alert.policy.name - ignore_missing: true - - rename: - field: json.threat_id - target_field: carbon_black_cloud.alert.threat_id - ignore_missing: true - - 
rename: - field: json.policy_applied - target_field: carbon_black_cloud.alert.policy.applied - ignore_missing: true - - rename: - field: json.threat_activity_c2 - target_field: carbon_black_cloud.alert.threat_activity.c2 - ignore_missing: true - - rename: - field: json.threat_activity_dlp - target_field: carbon_black_cloud.alert.threat_activity.dlp - ignore_missing: true - - rename: - field: json.threat_activity_phish - target_field: carbon_black_cloud.alert.threat_activity.phish - ignore_missing: true - - rename: - field: json.threat_cause_actor_name - target_field: carbon_black_cloud.alert.threat_cause.actor.name - ignore_missing: true - - rename: - field: json.threat_cause_actor_process_pid - target_field: carbon_black_cloud.alert.threat_cause.actor.process_pid - ignore_missing: true - - rename: - field: json.threat_cause_actor_sha256 - target_field: carbon_black_cloud.alert.threat_cause.actor.sha256 - ignore_missing: true - - rename: - field: json.threat_cause_actor_md5 - target_field: carbon_black_cloud.alert.threat_cause.actor.md5 - ignore_missing: true - - rename: - field: json.threat_cause_cause_event_id - target_field: carbon_black_cloud.alert.threat_cause.cause_event_id - ignore_missing: true - - rename: - field: json.threat_cause_parent_guid - target_field: carbon_black_cloud.alert.threat_cause.process.parent.guid - ignore_missing: true - - rename: - field: json.threat_cause_process_guid - target_field: carbon_black_cloud.alert.threat_cause.process.guid - ignore_missing: true - - rename: - field: json.threat_cause_reputation - target_field: carbon_black_cloud.alert.threat_cause.reputation - ignore_missing: true - - rename: - field: json.threat_cause_threat_category - target_field: carbon_black_cloud.alert.threat_cause.threat_category - ignore_missing: true - - rename: - field: json.threat_cause_vector - target_field: carbon_black_cloud.alert.threat_cause.vector - ignore_missing: true - - rename: - field: json.ioc_field - target_field: 
carbon_black_cloud.alert.ioc.field - ignore_missing: true - - rename: - field: json.ioc_hit - target_field: carbon_black_cloud.alert.ioc.hit - ignore_missing: true - - rename: - field: json.ioc_id - target_field: carbon_black_cloud.alert.ioc.id - ignore_missing: true - - rename: - field: json.report_id - target_field: carbon_black_cloud.alert.report.id - ignore_missing: true - - rename: - field: json.report_name - target_field: carbon_black_cloud.alert.report.name - ignore_missing: true - - rename: - field: json.org_key - target_field: carbon_black_cloud.alert.organization_key - ignore_missing: true - - rename: - field: json.device_location - target_field: carbon_black_cloud.alert.device.location - ignore_missing: true - - rename: - field: json.device_os - target_field: carbon_black_cloud.alert.device.os - ignore_missing: true - - rename: - field: json.device_internal_ip - target_field: carbon_black_cloud.alert.device.internal_ip - ignore_missing: true - - rename: - field: json.device_external_ip - target_field: carbon_black_cloud.alert.device.external_ip - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - lowercase: - field: json.category - ignore_missing: true - - script: - description: Adds all the remaining fields in fields under carbon_black_cloud.alert - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.carbon_black_cloud.alert[m.getKey()] = m.getValue(); - } - - remove: - field: - - json - - carbon_black_cloud.alert.create_time - - carbon_black_cloud.alert.device_id - - carbon_black_cloud.alert.alert_url - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) 
object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: - - set: - field: error.message - value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/alert/fields/agent.yml b/packages/carbon_black_cloud/1.0.1/data_stream/alert/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/alert/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/alert/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.1/data_stream/alert/fields/base-fields.yml
deleted file mode 100755
index 14fb618ea4..0000000000
--- a/packages/carbon_black_cloud/1.0.1/data_stream/alert/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: carbon_black_cloud
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: carbon_black_cloud.alert
diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/alert/fields/ecs.yml b/packages/carbon_black_cloud/1.0.1/data_stream/alert/fields/ecs.yml
deleted file mode 100755
index cfad6817c1..0000000000
--- a/packages/carbon_black_cloud/1.0.1/data_stream/alert/fields/ecs.yml
+++ /dev/null
@@ -1,117 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. 
For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - URL linking to an external system to continue investigation of this event. - This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. - name: event.url - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: Operating system version as a raw string. - name: host.os.version - type: keyword -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. 
- name: related.user
- type: keyword
- description: List of keywords used to tag each event.
- name: tags
- type: keyword
- description: |-
- Name of the directory the user is a member of.
- For example, an LDAP or Active Directory domain name.
- name: user.domain
- type: keyword
- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/alert/fields/fields.yml b/packages/carbon_black_cloud/1.0.1/data_stream/alert/fields/fields.yml
deleted file mode 100755
index 3eca3a1515..0000000000
--- a/packages/carbon_black_cloud/1.0.1/data_stream/alert/fields/fields.yml
+++ /dev/null
@@ -1,218 +0,0 @@ -- name: carbon_black_cloud.alert - type: group - fields: - - name: blocked_threat_category - type: keyword - description: The category of threat which we were able to take action on. - - name: category - type: keyword - description: The category of the alert. - - name: count - type: long - - name: created_by_event_id - type: keyword - description: Event identifier that initiated the alert. - - name: device - type: group - fields: - - name: location - type: keyword - description: The Location of device. - - name: os - type: keyword - description: OS of the device. - - name: internal_ip - type: ip - description: Internal IP of the device. - - name: external_ip - type: ip - description: External IP of the device. - - name: document_guid - type: keyword - description: Unique ID of document. - - name: ioc - type: group - fields: - - name: field - type: keyword - description: The field the indicator of comprise (IOC) hit contains. - - name: hit - type: keyword - description: IOC field value or IOC query that matches. - - name: id - type: keyword - description: The identifier of the IOC that cause the hit. - - name: kill_chain_status - type: keyword - description: The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. - - name: last_update_time - type: date - description: The last time the alert was updated as an ISO 8601 UTC timestamp. - - name: legacy_alert_id - type: keyword - description: The legacy identifier for the alert. - - name: not_blocked_threat_category - type: keyword - description: Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). - - name: notes_present - type: boolean - description: Indicates if notes are associated with the threat_id. - - name: organization_key - type: keyword - description: The unique identifier for the organization associated with the alert. 
- - name: policy - type: group - fields: - - name: applied - type: keyword - description: Whether a policy was applied. - - name: id - type: long - description: The identifier for the policy associated with the device at the time of the alert. - - name: name - type: keyword - description: The name of the policy associated with the device at the time of the alert. - - name: product_id - type: keyword - description: The hexadecimal id of the USB device's product. - - name: product_name - type: keyword - description: The name of the USB device’s vendor. - - name: reason_code - type: keyword - description: Shorthand enum for the full-text reason. - - name: report - type: group - fields: - - name: id - type: keyword - description: The identifier of the report that contains the IOC. - - name: name - type: keyword - description: The name of the report that contains the IOC. - - name: run_state - type: keyword - description: Whether the threat in the alert ran. - - name: sensor_action - type: keyword - description: The action taken by the sensor, according to the rule of the policy. - - name: serial_number - type: keyword - description: The serial number of the USB device. - - name: status - type: keyword - description: status of alert. - - name: tags - type: keyword - description: Tags associated with the alert. - - name: target_value - type: keyword - description: The priority of the device assigned by the policy. - - name: threat_activity - type: group - fields: - - name: c2 - type: keyword - description: Whether the alert involved a command and control (c2) server. - - name: dlp - type: keyword - description: Whether the alert involved data loss prevention (DLP). - - name: phish - type: keyword - description: Whether the alert involved phishing. - - name: threat_cause - type: group - fields: - - name: actor - type: group - fields: - - name: md5 - type: keyword - description: MD5 of the threat cause actor. 
- - name: name - type: keyword - description: 'The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan.' - - name: process_pid - type: keyword - description: Process identifier (PID) of the actor process. - - name: sha256 - type: keyword - description: SHA256 of the threat cause actor. - - name: cause_event_id - type: keyword - description: ID of the Event that triggered the threat. - - name: process - type: group - fields: - - name: guid - type: keyword - description: The global unique identifier of the process. - - name: parent - type: group - fields: - - name: guid - type: keyword - description: The global unique identifier of the process. - - name: reputation - type: keyword - description: Reputation of the threat cause. - - name: threat_category - type: keyword - description: Category of the threat cause. - - name: vector - type: keyword - description: The source of the threat cause. - - name: threat_id - type: keyword - description: The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. - - name: threat_indicators - type: group - description: List of the threat indicators that make up the threat. - fields: - - name: process_name - type: keyword - description: Process name associated with threat. - - name: sha256 - type: keyword - description: Sha256 associated with threat. - - name: ttps - type: keyword - description: Tactics, techniques and procedures associated with threat. - - name: type - type: keyword - description: Type of alert. - - name: vendor_id - type: keyword - description: The hexadecimal id of the USB device's vendor. - - name: vendor_name - type: keyword - description: The name of the USB device’s vendor. - - name: watchlists - type: group - description: List of watchlists associated with an alert. 
- fields:
- - name: id
- type: keyword
- description: The identifier of watchlist.
- - name: name
- type: keyword
- description: The name of the watchlist.
- - name: workflow
- type: group
- description: Tracking system for alerts as they are triaged and resolved.
- fields:
- - name: changed_by
- type: keyword
- description: The name of user who changed the workflow.
- - name: comment
- type: keyword
- description: Comment associated with workflow.
- - name: last_update_time
- type: date
- description: The last update time of workflow.
- - name: remediation
- type: keyword
- description: N/A
- - name: state
- type: keyword
- description: The state of workflow.
diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/alert/manifest.yml b/packages/carbon_black_cloud/1.0.1/data_stream/alert/manifest.yml
deleted file mode 100755
index 477667ce22..0000000000
--- a/packages/carbon_black_cloud/1.0.1/data_stream/alert/manifest.yml
+++ /dev/null
@@ -1,95 +0,0 @@ -title: Alert -type: logs -streams: - - input: httpjson - title: Collect alerts from Carbon Black Cloud - description: Collect alerts from Carbon Black Cloud. - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval - description: Interval to fetch alerts from Carbon Black Cloud. - multi: false - required: true - show_user: true - default: 1m - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the alerts from the Carbon Black Cloud API. - default: 24h - multi: false - required: true - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-alert - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - input: aws-s3 - title: Collect alerts from Carbon Black Cloud - description: Collect alerts from Carbon Black Cloud. - template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: Bucket Prefix - description: Prefix to apply for the list request to the S3 bucket. - multi: false - required: true - show_user: true - - name: interval - type: text - title: Interval - description: Interval to fetch alerts from AWS S3 bucket. 
- multi: false
- required: true
- show_user: true
- default: 1m
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - carbon_black_cloud-alert
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/alert/sample_event.json b/packages/carbon_black_cloud/1.0.1/data_stream/alert/sample_event.json
deleted file mode 100755
index 67e2c63a32..0000000000
--- a/packages/carbon_black_cloud/1.0.1/data_stream/alert/sample_event.json
+++ /dev/null
@@ -1,114 +0,0 @@ -{ - "@timestamp": "2020-11-17T22:05:13.000Z", - "agent": { - "ephemeral_id": "56053d91-103c-4c77-8f15-0a1006a80102", - "hostname": "docker-fleet-agent", - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "carbon_black_cloud": { - "alert": { - "category": "warning", - "device": { - "external_ip": "81.2.69.143", - "internal_ip": "81.2.69.144", - "location": "UNKNOWN", - "os": "WINDOWS" - }, - "last_update_time": "2020-11-17T22:05:13Z", - "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720", - "organization_key": "ABCD6X3T", - "policy": { - "applied": "APPLIED", - "id": 6997287, - "name": "Standard" - }, - "product_id": "0x5406", - "product_name": "U3 Cruzer Micro", - "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC", - "run_state": "DID_NOT_RUN", - "sensor_action": "DENY", - "serial_number": "0875920EF7C2A304", - "target_value": "MEDIUM", - "threat_cause": { - "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E", - "threat_category": "NON_MALWARE", - "vector": "REMOVABLE_MEDIA" - }, - "threat_id": "t5678", - "type": "DEVICE_CONTROL", - "vendor_id": "0x0781", - "vendor_name": "SanDisk", - "workflow": { - "changed_by": "Carbon Black", - "last_update_time": "2020-11-17T22:02:16Z", - "state": "OPEN" - } - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.alert", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-04-14T11:46:13.154Z", - "dataset": "carbon_black_cloud.alert", - "end": "2020-11-17T22:02:16Z", - "id": "test1", - "ingested": "2022-04-14T11:46:14Z", - "kind": "alert", - "original": 
"{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", - "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.",
- "severity": 3,
- "start": "2020-11-17T22:02:16Z",
- "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976"
- },
- "host": {
- "hostname": "DESKTOP-002",
- "id": "2",
- "ip": [
- "81.2.69.144",
- "81.2.69.143"
- ],
- "name": "DESKTOP-002",
- "os": {
- "type": "windows",
- "version": "Windows 10 x64"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "hosts": [
- "DESKTOP-002"
- ],
- "ip": [
- "81.2.69.144",
- "81.2.69.143"
- ],
- "user": [
- "test34@demo.com"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "carbon_black_cloud-alert"
- ],
- "user": {
- "name": "test34@demo.com"
- }
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 310b6e05d5..0000000000
--- a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,45 +0,0 @@
-config_version: 2
-interval: {{interval}}
-request.method: POST
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.url: {{hostname}}/vulnerability/assessment/api/v1/orgs/{{org_key}}/devices/vulnerabilities/summary/_search
-request.transforms:
- - set:
- target: header.X-Auth-Token
- value: {{custom_api_secret_key}}/{{custom_api_id}}
- - set:
- target: body.start
- value: '0'
- value_type: int
- - set:
- target: body.rows
- value: '10000'
- value_type: int
-request.timeout: 2m
-response.pagination:
- - set:
- target: body.start
- value: '[[if (eq (len .last_response.body.results) 0)]][[.last_response.terminate_pagination]][[else]][[mul .last_response.page .body.rows]][[end]]'
- value_type: int
- fail_on_template_error: true
-response.split:
- target: body.results
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 94f7482f37..0000000000
--- a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,132 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud Asset Vulnerability Summary. -processors: -- rename: - field: message - target_field: event.original - ignore_missing: true -- set: - field: ecs.version - value: '8.0.0' -- json: - field: event.original - target_field: json -- rename: - field: json.host_name - target_field: host.hostname - ignore_missing: true -- convert: - field: json.device_id - type: string - target_field: host.id - ignore_missing: true -- rename: - field: json.name - target_field: host.name - ignore_missing: true -- rename: - field: json.os_info.os_name - target_field: host.os.name - ignore_missing: true -- set: - field: host.os.type - value: windows - if: ctx?.json?.os_info.os_type == "WINDOWS" -- set: - field: host.os.type - value: ubuntu - if: ctx?.json?.os_info.os_type == "UBUNTU" -- set: - field: host.os.type - value: centos - if: ctx?.json?.os_info.os_type == "CENTOS" -- remove : - field: json.os_info.os_type - ignore_missing: true -- remove : - field: json.device_id - ignore_missing: true -- rename: - field: json.os_info.os_version - target_field: host.os.version - ignore_missing: true -- rename: - field: json.highest_risk_score - target_field: vulnerability.score.base - ignore_missing: true -- rename: - field: json.severity - target_field: vulnerability.severity - ignore_missing: true -- date: - field: json.last_sync_ts - formats: - - ISO8601 - target_field: carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp -- remove: - field: json.last_sync_ts - ignore_missing: true -- rename: - field: json.sync_status - target_field: carbon_black_cloud.asset_vulnerability_summary.sync.status - ignore_missing: true -- rename: - field: json.sync_type - target_field: carbon_black_cloud.asset_vulnerability_summary.sync.type - ignore_missing: true -- rename: - field: json.type - target_field: carbon_black_cloud.asset_vulnerability_summary.type - ignore_missing: true -- rename: - field: json.vm_id - target_field: 
carbon_black_cloud.asset_vulnerability_summary.vm.id
- ignore_missing: true
-- rename:
- field: json.vm_name
- target_field: carbon_black_cloud.asset_vulnerability_summary.vm.name
- ignore_missing: true
-- rename:
- field: json.vuln_count
- target_field: carbon_black_cloud.asset_vulnerability_summary.vuln_count
- ignore_missing: true
-- append:
- field: related.hosts
- value: "{{{host.hostname}}}"
- allow_duplicates: false
-- script:
- description: Adds all the remaining fields in fields under carbon_black_cloud.asset_vulnerability_summary
- lang: painless
- if: ctx?.json != null
- source: |
- for (Map.Entry m : ctx.json.entrySet()) {
- ctx.carbon_black_cloud.asset_vulnerability_summary[m.getKey()] = m.getValue();
- }
-- remove:
- field: json
- ignore_missing: true
-- script:
- description: Drops null/empty values recursively
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
-- remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/fields/agent.yml b/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/fields/base-fields.yml deleted file mode 100755 index e6791517a6..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: carbon_black_cloud -- name: event.dataset - type: constant_keyword - description: Event dataset - value: carbon_black_cloud.asset_vulnerability_summary diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/fields/ecs.yml b/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/fields/ecs.yml deleted file mode 100755 index bae6099a14..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/fields/ecs.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. 
- name: host.os.type - type: keyword -- description: Operating system version as a raw string. - name: host.os.version - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Scores can range from 0.0 to 10.0, with 10.0 being the most severe. - Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) - name: vulnerability.score.base - type: float -- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) - name: vulnerability.severity - type: keyword diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/fields/fields.yml b/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/fields/fields.yml deleted file mode 100755 index a70b2974e8..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/fields/fields.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -- name: carbon_black_cloud.asset_vulnerability_summary - type: group - fields: - - name: os_info - type: group - fields: - - name: os_arch - type: keyword - description: The identifier is for the Operating system architecture. - - name: last_sync - type: group - fields: - - name: timestamp - type: date - description: The identifier is for the Last sync time. - - name: sync - type: group - fields: - - name: status - type: keyword - description: The identifier is for the Device sync status. - - name: type - type: keyword - description: The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync. - - name: type - type: keyword - description: The identifier is for the Device type. - - name: vm - type: group - fields: - - name: id - type: keyword - description: The identifier is for the Virtual Machine ID. - - name: name - type: keyword - description: The identifier is for the Virtual Machine name. - - name: vuln_count - type: integer - description: The identifier is for the Number of vulnerabilities at this level. diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/manifest.yml b/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/manifest.yml deleted file mode 100755 index b7bf78f84d..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/manifest.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -title: Asset Vulnerability Summary -type: logs -streams: - - input: httpjson - title: Collect asset vulnerability summary from Carbon Black Cloud - description: Collect asset vulnerability summary from Carbon Black Cloud. - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval - description: Interval to query asset vulnerability summary in Carbon Black Cloud. - multi: false - required: true - show_user: true - default: 1h - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-asset-vulnerability-summary - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/sample_event.json b/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/sample_event.json deleted file mode 100755 index c31987aefe..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/asset_vulnerability_summary/sample_event.json +++ /dev/null 
@@ -1,76 +0,0 @@ -{ - "@timestamp": "2022-04-14T11:47:25.371Z", - "agent": { - "ephemeral_id": "377d9292-c7d0-4c30-bbee-faf4848d30d8", - "hostname": "docker-fleet-agent", - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "carbon_black_cloud": { - "asset_vulnerability_summary": { - "last_sync": { - "timestamp": "2022-01-17T08:33:37.384Z" - }, - "os_info": { - "os_arch": "64-bit" - }, - "sync": { - "status": "COMPLETED", - "type": "SCHEDULED" - }, - "type": "ENDPOINT", - "vuln_count": 1770 - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.asset_vulnerability_summary", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-04-14T11:47:25.371Z", - "dataset": "carbon_black_cloud.asset_vulnerability_summary", - "ingested": "2022-04-14T11:47:26Z", - "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}" - }, - "host": { - "hostname": "DESKTOP-008", - "id": "8", - "name": "DESKTOP-008KK", - "os": { - "name": "Microsoft Windows 10 Education", - "type": "windows", - "version": "10.0.17763" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "DESKTOP-008" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-asset-vulnerability-summary" - ], - "vulnerability": { - "score": { - "base": 10 - }, - "severity": 
"CRITICAL" - } -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.0.1/data_stream/audit/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 2693bd2bbb..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/audit/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,32 +0,0 @@ -config_version: 2 -interval: {{interval}} -request.method: GET - -{{#if proxy_url}} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} - -request.url: {{hostname}}/integrationServices/v3/auditlogs -request.transforms: - - set: - target: header.X-Auth-Token - value: {{api_secret_key}}/{{api_id}} -response.split: - target: body.notifications -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 55cc7106f9..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,93 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud audit logs -processors: - - set: - field: ecs.version - value: '8.0.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.eventTime - target_field: "@timestamp" - ignore_failure: true - formats: - - UNIX_MS - - set: - field: event.kind - value: event - - set: - field: event.outcome - value: success - - set: - field: event.outcome - value: failure - if: ctx?.json?.flagged == true - - rename: - field: json.description - target_field: event.reason - - rename: - field: json.clientIp - target_field: client.ip - ignore_missing: true - - rename: - field: json.loginName - target_field: client.user.id - ignore_missing: true - - rename: - field: json.eventId - target_field: event.id - ignore_missing: true - - rename: - field: json.orgName - target_field: organization.name - ignore_missing: true - - urldecode: - field: json.requestUrl - target_field: url.original - ignore_missing: true - - rename: - field: json.verbose - target_field: carbon_black_cloud.audit.verbose - ignore_missing: true - - rename: - field: json.flagged - target_field: carbon_black_cloud.audit.flagged - ignore_missing: true - - append: - field: related.ip - value: "{{{client.ip}}}" - allow_duplicates: false - - remove: - field: json - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - remove: - field: event.original - if: "ctx?.tags 
== null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/audit/fields/agent.yml b/packages/carbon_black_cloud/1.0.1/data_stream/audit/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/audit/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.1/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index a14e71251a..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: carbon_black_cloud -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: carbon_black_cloud.audit diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/audit/fields/ecs.yml b/packages/carbon_black_cloud/1.0.1/data_stream/audit/fields/ecs.yml deleted file mode 100755 index b5cd2cc086..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Unique identifier of the user. - name: client.user.id - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: organization.name - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/audit/fields/fields.yml b/packages/carbon_black_cloud/1.0.1/data_stream/audit/fields/fields.yml deleted file mode 100755 index 24af5d42b9..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/audit/fields/fields.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: carbon_black_cloud.audit - type: group - fields: - - name: flagged - type: boolean - description: true if action is failed otherwise false. - - name: verbose - type: boolean - description: true if verbose audit log otherwise false. 
diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/audit/manifest.yml b/packages/carbon_black_cloud/1.0.1/data_stream/audit/manifest.yml deleted file mode 100755 index 929093a4ef..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/audit/manifest.yml +++ /dev/null @@ -1,42 +0,0 @@ -title: Audit -type: logs -streams: - - input: httpjson - title: Collect audit logs from Carbon Black Cloud - description: Collect audit logs from Carbon Black Cloud. - template_path: httpjson.yml.hbs - vars: - - name: interval - type: text - title: Interval - description: Interval to fetch audit logs from Carbon Black Cloud. - multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/audit/sample_event.json b/packages/carbon_black_cloud/1.0.1/data_stream/audit/sample_event.json deleted file mode 100755 index 4ecd8ed454..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,63 +0,0 @@ -{ - "@timestamp": "2022-02-10T16:04:30.263Z", - "agent": { - "ephemeral_id": "6472e86c-fc7c-478a-a6fd-12ed19fe05c9", - "hostname": "docker-fleet-agent", - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "carbon_black_cloud": { - "audit": { - "flagged": false, - "verbose": false - } - }, - "client": { - "ip": "10.10.10.10", - "user": { - "id": "abc@demo.com" - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-04-14T11:48:30.094Z", - "dataset": "carbon_black_cloud.audit", - "id": "2122f8ce8xxxxxxxxxxxxx", - "ingested": "2022-04-14T11:48:31Z", - "kind": "event", - "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}", - "outcome": "success", - "reason": "Logged in successfully" - }, - "input": { - "type": "httpjson" - }, - "organization": { - "name": "cb-xxxx-xxxx.com" - }, - "related": { - "ip": [ - "10.10.10.10" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-audit" - ] -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index e02c596614..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,24 +0,0 @@ -bucket_arn: {{bucket_arn}} -number_of_workers: {{number_of_workers}} -bucket_list_interval: {{interval}} -access_key_id: {{access_key_id}} -secret_access_key: {{secret_access_key}} -bucket_list_prefix: {{bucket_list_prefix}} -expand_event_list_from_field: Records -{{#if proxy_url}} -proxy_url: {{proxy_url}} -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 3a6c8fc6df..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,587 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud Endpoint Events. -processors: - - set: - field: ecs.version - value: '8.0.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.create_time - target_field: "@timestamp" - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.action - target_field: event.action - ignore_missing: true - - rename: - field: json.event_id - target_field: event.id - ignore_missing: true - - rename: - field: json.event_description - target_field: event.reason - ignore_missing: true - - rename: - field: json.filemod_name - target_field: file.path - ignore_missing: true - - rename: - field: json.modload_name - target_field: dll.path - ignore_missing: true - - set: - field: network.transport - value: udp - if: ctx?.json?.netconn_protocol == "PROTO_UDP" - - set: - field: network.transport - value: tcp - if: ctx?.json?.netconn_protocol == "PROTO_TCP" - - set: - field: network.direction - value: inbound - if: ctx?.json?.netconn_inbound == true - - set: - field: network.direction - value: outbound - if: ctx?.json?.netconn_inbound == false - - rename: - field: json.remote_port - target_field: source.port - ignore_missing: true - - rename: - field: json.remote_ip - target_field: source.ip - ignore_missing: true - - rename: - field: json.netconn_domain - target_field: source.address - ignore_missing: true - - rename: - field: json.local_port - target_field: client.port - ignore_missing: true - - rename: - field: json.local_ip - target_field: client.ip - ignore_missing: true - - convert: - field: json.device_id - target_field: host.id - type: string - ignore_missing: true - - set: - field: host.os.type - value: windows - if: ctx?.json?.device_os == "WINDOWS" - - set: - field: host.os.type - value: linux - if: ctx?.json?.device_os == "LINUX" - - set: - field: host.os.type - 
value: macos - if: ctx?.json?.device_os == "MAC" - - rename: - field: json.device_name - target_field: host.hostname - ignore_missing: true - - grok: - field: host.hostname - patterns: - - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' - ignore_missing: true - ignore_failure: true - - set: - field: host.name - value: "{{{host.hostname}}}" - ignore_failure: true - - rename: - field: json.device_group - target_field: host.os.family - ignore_missing: true - - append: - field: host.ip - value: "{{{json.device_internal_ip}}}" - if: ctx?.json?.device_internal_ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_external_ip}}}" - if: ctx?.json?.device_external_ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.device_group - target_field: host.os.family - ignore_missing: true - - rename: - field: json.process_cmdline - target_field: process.command_line - ignore_missing: true - - rename: - field: json.process_guid - target_field: process.entity_id - ignore_missing: true - - rename: - field: json.process_path - target_field: process.executable - ignore_missing: true - - rename: - field: json.process_pid - target_field: process.pid - ignore_missing: true - - rename: - field: json.parent_cmdline - target_field: process.parent.command_line - ignore_missing: true - - rename: - field: json.parent_guid - target_field: process.parent.entity_id - ignore_missing: true - - rename: - field: json.parent_path - target_field: process.parent.executable - ignore_missing: true - - rename: - field: json.parent_pid - target_field: process.parent.pid - ignore_missing: true - - rename: - field: json.regmod_name - target_field: registry.path - ignore_missing: true - - append: - field: related.ip - value: - - "{{{json.device_internal_ip}}}" - - "{{{json.device_external_ip}}}" - - "{{{json.netconn_proxy_ip}}}" - - "{{{source.ip}}}" - - "{{{client.ip}}}" - allow_duplicates: false - - append: - 
field: related.user - value: - - "{{{json.process_username}}}" - - "{{{json.childproc_username}}}" - allow_duplicates: false - - append: - field: related.hosts - value: - - "{{{host.hostname}}}" - - "{{{user.domain}}}" - allow_duplicates: false - - script: - description: Dynamically map MD5 and SHA256 hash - lang: painless - source: | - void mapHashField(def ctx, def hashes, def key) { - for (hash in hashes) { - if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;} - if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;} - } - } - if (ctx.json?.process_hash instanceof List) { - mapHashField(ctx, ctx.json?.process_hash, "process_hash"); - } - if (ctx.json?.parent_hash instanceof List) { - mapHashField(ctx, ctx.json?.parent_hash, "parent_hash"); - } - if (ctx.json?.filemod_hash instanceof List) { - mapHashField(ctx, ctx.json?.filemod_hash, "filemod_hash"); - } - if (ctx.json?.childproc_hash instanceof List) { - mapHashField(ctx, ctx.json?.childproc_hash, "childproc_hash"); - } - if (ctx.json?.crossproc_hash instanceof List) { - mapHashField(ctx, ctx.json?.crossproc_hash, "crossproc_hash"); - } - if (ctx.json?.scriptload_hash instanceof List) { - mapHashField(ctx, ctx.json?.scriptload_hash, "scriptload_hash"); - } - - rename: - field: json.process_hash_md5 - target_field: process.hash.md5 - ignore_missing: true - - rename: - field: json.process_hash_sha256 - target_field: process.hash.sha256 - ignore_missing: true - - rename: - field: json.parent_hash_md5 - target_field: process.parent.hash.md5 - ignore_missing: true - - rename: - field: json.parent_hash_sha256 - target_field: process.parent.hash.sha256 - ignore_missing: true - - rename: - field: json.backend_timestamp - target_field: carbon_black_cloud.endpoint_event.backend.timestamp - ignore_missing: true - - rename: - field: json.device_timestamp - target_field: carbon_black_cloud.endpoint_event.device.timestamp - ignore_missing: true - - rename: - field: json.device_os - target_field: 
carbon_black_cloud.endpoint_event.device.os - ignore_missing: true - - rename: - field: json.childproc_name - target_field: carbon_black_cloud.endpoint_event.childproc.name - ignore_missing: true - - rename: - field: json.org_key - target_field: carbon_black_cloud.endpoint_event.organization_key - ignore_missing: true - - rename: - field: json.process_duration - target_field: carbon_black_cloud.endpoint_event.process.duration - ignore_missing: true - - foreach: - field: json.process_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.process_publisher - target_field: carbon_black_cloud.endpoint_event.process.publisher - ignore_missing: true - - rename: - field: json.process_reputation - target_field: carbon_black_cloud.endpoint_event.process.reputation - ignore_missing: true - - rename: - field: json.process_terminated - target_field: carbon_black_cloud.endpoint_event.process.terminated - ignore_missing: true - - rename: - field: json.process_username - target_field: carbon_black_cloud.endpoint_event.process.username - ignore_missing: true - - rename: - field: json.parent_reputation - target_field: carbon_black_cloud.endpoint_event.process.parent.reputation - ignore_missing: true - - rename: - field: json.target_cmdline - target_field: carbon_black_cloud.endpoint_event.target_cmdline - ignore_missing: true - - rename: - field: json.type - target_field: carbon_black_cloud.endpoint_event.type - ignore_missing: true - -# Mapping for endpoint.event.crossproc event type - - - rename: - field: json.crossproc_action - target_field: carbon_black_cloud.endpoint_event.crossproc.action - ignore_missing: true - - rename: - field: json.crossproc_api - target_field: carbon_black_cloud.endpoint_event.crossproc.api - ignore_missing: true - - rename: - field: json.crossproc_guid - target_field: carbon_black_cloud.endpoint_event.crossproc.guid - 
ignore_missing: true - - rename: - field: json.crossproc_name - target_field: carbon_black_cloud.endpoint_event.crossproc.name - ignore_missing: true - - rename: - field: json.crossproc_target - target_field: carbon_black_cloud.endpoint_event.crossproc.target - ignore_missing: true - - rename: - field: json.crossproc_reputation - target_field: carbon_black_cloud.endpoint_event.crossproc.reputation - ignore_missing: true - - foreach: - field: json.crossproc_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.crossproc_publisher - target_field: carbon_black_cloud.endpoint_event.crossproc.publisher - ignore_missing: true - - rename: - field: json.crossproc_hash_md5 - target_field: carbon_black_cloud.endpoint_event.crossproc.hash.md5 - ignore_missing: true - - rename: - field: json.crossproc_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.crossproc.hash.sha256 - ignore_missing: true - -# Mapping for endpoint.event.filemod event type - - - rename: - field: json.filemod_hash_md5 - target_field: file.hash.md5 - ignore_missing: true - - rename: - field: json.filemod_hash_sha256 - target_field: file.hash.sha256 - ignore_missing: true - -# Mapping for endpoint.event.fileless_scriptload event type - - - rename: - field: json.fileless_scriptload_cmdline - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline - ignore_missing: true - - rename: - field: json.fileless_scriptload_cmdline_length - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length - ignore_missing: true - - rename: - field: json.fileless_scriptload_hash_md5 - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 - ignore_missing: true - - rename: - field: json.fileless_scriptload_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 - ignore_missing: true - -# 
Mapping for endpoint.event.moduleload event type - - - rename: - field: json.modload_md5 - target_field: dll.hash.md5 - ignore_missing: true - - rename: - field: json.modload_sha256 - target_field: dll.hash.sha256 - ignore_missing: true - - rename: - field: json.modload_effective_reputation - target_field: carbon_black_cloud.endpoint_event.modload.effective_reputation - ignore_missing: true - - rename: - field: json.modload_count - target_field: carbon_black_cloud.endpoint_event.modload.count - ignore_missing: true - - foreach: - field: json.modload_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.modload_publisher - target_field: carbon_black_cloud.endpoint_event.modload.publisher - ignore_missing: true - -# Mapping for endpoint.event.netconn_proxy event type - - - rename: - field: json.netconn_proxy_domain - target_field: carbon_black_cloud.endpoint_event.netconn.proxy.domain - ignore_missing: true - - rename: - field: json.netconn_proxy_port - target_field: carbon_black_cloud.endpoint_event.netconn.proxy.port - ignore_missing: true - - rename: - field: json.netconn_proxy_ip - target_field: carbon_black_cloud.endpoint_event.netconn.proxy.ip - ignore_missing: true - -# Mapping for endpoint.event.procstart event type - - - rename: - field: json.childproc_guid - target_field: carbon_black_cloud.endpoint_event.childproc.guid - ignore_missing: true - - rename: - field: json.childproc_name - target_field: carbon_black_cloud.endpoint_event.childproc.name - ignore_missing: true - - rename: - field: json.childproc_pid - target_field: carbon_black_cloud.endpoint_event.childproc.pid - ignore_missing: true - - foreach: - field: json.childproc_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.childproc_publisher - 
target_field: carbon_black_cloud.endpoint_event.childproc.publisher - ignore_missing: true - - rename: - field: json.childproc_reputation - target_field: carbon_black_cloud.endpoint_event.childproc.reputation - ignore_missing: true - - rename: - field: json.childproc_username - target_field: carbon_black_cloud.endpoint_event.childproc.username - ignore_missing: true - - rename: - field: json.childproc_hash_md5 - target_field: carbon_black_cloud.endpoint_event.childproc.hash.md5 - ignore_missing: true - - rename: - field: json.childproc_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.childproc.hash.sha256 - ignore_missing: true - -# Mapping for NGAV endpoint.event.scriptload event type - - - rename: - field: json.scriptload_name - target_field: carbon_black_cloud.endpoint_event.scriptload.name - ignore_missing: true - - foreach: - field: json.scriptload_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.scriptload_publisher - target_field: carbon_black_cloud.endpoint_event.scriptload.publisher - ignore_missing: true - - rename: - field: json.scriptload_count - target_field: carbon_black_cloud.endpoint_event.scriptload.count - ignore_missing: true - - rename: - field: json.scriptload_hash_md5 - target_field: carbon_black_cloud.endpoint_event.scriptload.hash.md5 - ignore_missing: true - - rename: - field: json.scriptload_hash_sha256 - target_field: carbon_black_cloud.endpoint_event.scriptload.hash.sha256 - ignore_missing: true - - rename: - field: json.scriptload_effective_reputation - target_field: carbon_black_cloud.endpoint_event.scriptload.effective_reputation - ignore_missing: true - - rename: - field: json.scriptload_reputation - target_field: carbon_black_cloud.endpoint_event.scriptload.reputation - ignore_missing: true - - rename: - field: json.device_internal_ip - target_field: 
carbon_black_cloud.endpoint_event.device.internal_ip - ignore_missing: true - - rename: - field: json.device_external_ip - target_field: carbon_black_cloud.endpoint_event.device.external_ip - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - - append: - field: related.hash - value: - - "{{{process.hash.md5}}}" - - "{{{process.hash.sha256}}}" - - "{{{process.parent.hash.md5}}}" - - "{{{process.parent.hash.sha256}}}" - - "{{{file.hash.md5}}}" - - "{{{file.hash.sha256}}}" - - "{{{dll.hash.md5}}}" - - "{{{dll.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.childproc.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.childproc.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256}}}" - - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.md5}}}" - - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.sha256}}}" - allow_duplicates: false - - script: - description: Adds all the remaining fields in fields under carbon_black_cloud.endpoint_event - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.carbon_black_cloud.endpoint_event[m.getKey()] = m.getValue(); - } - - remove: - field: - - json - - carbon_black_cloud.endpoint_event.create_time - - carbon_black_cloud.endpoint_event.device_id - - carbon_black_cloud.endpoint_event.process_hash - - carbon_black_cloud.endpoint_event.parent_hash - - carbon_black_cloud.endpoint_event.crossproc_hash - - carbon_black_cloud.endpoint_event.filemod_hash - - carbon_black_cloud.endpoint_event.childproc_hash - - carbon_black_cloud.endpoint_event.modload_hash - - carbon_black_cloud.endpoint_event.scriptload_hash - - 
carbon_black_cloud.endpoint_event.netconn_inbound - - carbon_black_cloud.endpoint_event.netconn_protocol - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - script: - description: Remove duplicate values - lang: painless - source: | - if (ctx?.related?.user != null) { - ctx.related.user = new HashSet(ctx.related.user) - } - if (ctx?.related?.hash != null) { - ctx.related.hash = new HashSet(ctx.related.hash) - } - if (ctx?.related?.ip != null) { - ctx.related.ip = new HashSet(ctx.related.ip) - } -on_failure: - - set: - field: error.message - value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/fields/agent.yml b/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/fields/base-fields.yml deleted file mode 100755 index 9b3253d2db..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: carbon_black_cloud -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: carbon_black_cloud.endpoint_event diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/fields/ecs.yml b/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/fields/ecs.yml deleted file mode 100755 index 11a1880a0a..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/fields/ecs.yml +++ /dev/null 
@@ -1,193 +0,0 @@ -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: MD5 hash. - name: dll.hash.md5 - type: keyword -- description: SHA256 hash. - name: dll.hash.sha256 - type: keyword -- description: Full file path of the library. - name: dll.path - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. 
`blocked site`). - name: event.reason - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: SHA256 hash. - name: file.hash.sha256 - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: host.os.family - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Unique identifier for the process. 
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: MD5 hash. - name: process.parent.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.parent.hash.sha256 - type: keyword -- description: Process id. - name: process.parent.pid - type: long -- description: Process id. - name: process.pid - type: long -- description: Full path, including hive, key and value - name: registry.path - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/fields/fields.yml b/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/fields/fields.yml deleted file mode 100755 index 199988ffb6..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/fields/fields.yml +++ /dev/null 
@@ -1,239 +0,0 @@ -- name: carbon_black_cloud.endpoint_event - type: group - fields: - - name: alert_id - type: keyword - description: The ID of the Alert this event is associated with. - - name: backend - type: group - fields: - - name: timestamp - type: keyword - description: Time when the backend received the batch of events. - - name: childproc - type: group - fields: - - name: guid - type: keyword - description: Unique ID of the child process. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: Cryptographic MD5 hashes of the executable file backing the child process. - - name: sha256 - type: keyword - description: Cryptographic SHA256 hashes of the executable file backing the child process. - - name: name - type: keyword - description: Full path to the target of the crossproc event on the device's local file system. - - name: pid - type: long - description: OS-reported Process ID of the child process. - - name: publisher - type: group - description: Signature entry for the childproc as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Carbon Black Cloud Reputation string for the childproc. - - name: username - type: keyword - description: The username associated with the user context that the child process was started under. - - name: crossproc - type: group - fields: - - name: action - type: keyword - description: The action taken on cross-process. - - name: api - type: keyword - description: Name of the operating system API called by the actor process. - - name: guid - type: keyword - description: Unique ID of the cross process. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: Cryptographic MD5 hashes of the target of the crossproc event. 
- - name: sha256 - type: keyword - description: Cryptographic SHA256 hashes of the target of the crossproc event. - - name: name - type: keyword - description: Full path to the target of the crossproc event on the device's local file system. - - name: publisher - type: group - description: Signature entry for the crossproc as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Carbon Black Cloud Reputation string for the crossproc. - - name: target - type: boolean - description: True if the process was the target of the cross-process event; false if the process was the actor. - - name: device - type: group - fields: - - name: os - type: keyword - description: Os name. - - name: timestamp - type: keyword - description: Time seen on sensor. - - name: internal_ip - type: ip - description: Internal IP of the device. - - name: external_ip - type: ip - description: External IP of the device. - - name: event_origin - type: keyword - description: Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard. - - name: fileless_scriptload - type: group - fields: - - name: cmdline - type: keyword - description: Deobfuscated script content run in a fileless context by the process. - - name: cmdline_length - type: keyword - description: Character count of the deobfuscated script content run in a fileless context. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: MD5 hash of the deobfuscated script content run by the process in a fileless context. - - name: sha256 - type: keyword - description: SHA-256 hash of the deobfuscated script content run by the process in a fileless context. 
- - name: modload - type: group - fields: - - name: count - type: long - description: Count of modload events reported by the sensor since last initialization. - - name: effective_reputation - type: keyword - description: Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred. - - name: publisher - type: group - description: Signature entry for the moduleload as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: netconn - type: group - fields: - - name: proxy - type: group - fields: - - name: domain - type: keyword - description: DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address. - - name: ip - type: keyword - description: IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection. - - name: port - type: keyword - description: UDP/TCP port number associated with the "proxy" end of this network connection. - - name: organization_key - type: keyword - description: The organization key associated with the console instance. - - name: process - type: group - fields: - - name: duration - type: long - description: The time difference in seconds between the process start and process terminate event. - - name: parent - type: group - fields: - - name: reputation - type: keyword - description: Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: publisher - type: group - description: Signature entry for the process as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. 
- - name: reputation - type: keyword - description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: terminated - type: boolean - description: True if process was terminated elase false. - - name: username - type: keyword - description: The username associated with the user context that this process was started under. - - name: schema - type: long - description: The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. - - name: scriptload - type: group - fields: - - name: count - type: long - description: Count of scriptload events across all processes reported by the sensor since last initialization. - - name: effective_reputation - type: keyword - description: Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred. - - name: hash - type: group - fields: - - name: md5 - type: keyword - description: Cryptographic MD5 hashes of the target of the scriptload event. - - name: sha256 - type: keyword - description: Cryptographic SHA256 hashes of the target of the scriptload event. - - name: name - type: keyword - description: Full path to the target of the crossproc event on the device's local file system. - - name: publisher - type: group - description: Signature entry for the scriptload as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Carbon Black Cloud Reputation string for the scriptload. - - name: sensor_action - type: keyword - description: The sensor action taken on event. - - name: target_cmdline - type: keyword - description: Process command line associated with the target process. 
- - name: type - type: keyword - description: The event type. diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/manifest.yml b/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/manifest.yml deleted file mode 100755 index 0f52e82022..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/manifest.yml +++ /dev/null @@ -1,48 +0,0 @@ -title: Endpoint Event -type: logs -streams: - - input: aws-s3 - title: Collect endpoint events from Carbon Black Cloud - description: Collect endpoint events from Carbon Black Cloud. - template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: Bucket Prefix - description: Prefix to apply for the list request to the S3 bucket. - multi: false - required: true - show_user: true - - name: interval - type: text - title: Interval - description: Interval to fetch endpoint events from AWS S3 bucket. - multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-endpoint-event - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/sample_event.json b/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/sample_event.json deleted file mode 100755 index 958377158a..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/endpoint_event/sample_event.json +++ /dev/null 
@@ -1,96 +0,0 @@ -{ - "process": { - "parent": { - "pid": 1684, - "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", - "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", - "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", - "hash": { - "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", - "md5": "03dd698da2671383c9b4f868c9931879" - } - }, - "pid": 4880, - "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", - "command_line": "\"route.exe\" print", - "executable": "c:\\windows\\system32\\route.exe", - "hash": { - "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", - "md5": "2498272dc48446891182747428d02a30" - } - }, - "ecs": { - "version": "8.0.0" - }, - "carbon_black_cloud": { - "endpoint_event": { - "schema": 1, - "event_origin": "EDR", - "process": { - "duration": 2, - "parent": { - "reputation": "REP_RESOLVING" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_RESOLVING", - "terminated": true, - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "XXXXXXXX", - "backend": { - "timestamp": "2022-02-10 11:52:50 +0000 UTC" - }, - "target_cmdline": "\"route.exe\" print", - "type": "endpoint.event.procend", - "device": { - "os": "WINDOWS", - "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", - "external_ip": "67.43.156.12" - }, - "sensor_action": "ACTION_ALLOW" - } - }, - "host": { - "hostname": "client-cb2", - "id": "4034605", - "os": { - "type": "windows" - }, - "ip": [ - "67.43.156.13" - ] - }, - "event": { - "action": "ACTION_PROCESS_TERMINATE", - "orignal": 
"{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" - }, - "data_stream": { - "dataset": "carbon_black_cloud.endpoint_event", - "namespace": "ep", - "type": "logs" - }, - "elastic_agent": { - "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5", - "snapshot": true, - "version": "8.0.0" - }, - "input": { - "type": "aws-s3" - }, - "tags": [ - 
"preserve_original_event", - "forwarded", - "carbon_black_cloud-endpoint-event" - ] -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index e02c596614..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs +++ /dev/null @@ -1,24 +0,0 @@ -bucket_arn: {{bucket_arn}} -number_of_workers: {{number_of_workers}} -bucket_list_interval: {{interval}} -access_key_id: {{access_key_id}} -secret_access_key: {{secret_access_key}} -bucket_list_prefix: {{bucket_list_prefix}} -expand_event_list_from_field: Records -{{#if proxy_url}} -proxy_url: {{proxy_url}} -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 1699bc69c1..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,293 +0,0 @@ ---- -description: Pipeline for parsing Carbon Black Cloud watchlist hit. -processors: - - set: - field: ecs.version - value: '8.0.0' - - set: - field: event.kind - value: event - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - date: - field: json.create_time - target_field: "@timestamp" - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.severity - target_field: event.severity - ignore_missing: true - - convert: - field: json.device_id - target_field: host.id - type: string - ignore_missing: true - - set: - field: host.os.type - value: windows - if: ctx?.json?.device_os == "WINDOWS" - - set: - field: host.os.type - value: linux - if: ctx?.json?.device_os == "LINUX" - - set: - field: host.os.type - value: macos - if: ctx?.json?.device_os == "MAC" - - rename: - field: json.device_os_version - target_field: host.os.version - ignore_missing: true - - rename: - field: json.device_name - target_field: host.hostname - ignore_missing: true - - grok: - field: host.hostname - patterns: - - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' - ignore_missing: true - ignore_failure: true - - set: - field: host.name - value: "{{{host.hostname}}}" - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_internal_ip}}}" - if: ctx?.json?.device_internal_ip != null - allow_duplicates: false - ignore_failure: true - - append: - field: host.ip - value: "{{{json.device_external_ip}}}" - if: ctx?.json?.device_external_ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.process_cmdline - target_field: process.command_line - ignore_missing: true - - rename: - field: json.process_guid - target_field: process.entity_id - ignore_missing: true - - rename: - field: json.process_path - target_field: process.executable - ignore_missing: true - - rename: - field: json.process_pid - 
target_field: process.pid - ignore_missing: true - - rename: - field: json.parent_cmdline - target_field: process.parent.command_line - ignore_missing: true - - rename: - field: json.parent_guid - target_field: process.parent.entity_id - ignore_missing: true - - rename: - field: json.parent_path - target_field: process.parent.executable - ignore_missing: true - - rename: - field: json.parent_pid - target_field: process.parent.pid - ignore_missing: true - - append: - field: related.ip - value: - - "{{{json.device_internal_ip}}}" - - "{{{json.device_external_ip}}}" - allow_duplicates: false - - append: - field: related.user - value: - - "{{{json.parent_username}}}" - - "{{{json.process_username}}}" - allow_duplicates: false - - append: - field: related.hosts - value: - - "{{{host.hostname}}}" - - "{{{user.domain}}}" - allow_duplicates: false - - script: - description: Dynamically map MD5 and SHA256 hash - lang: painless - source: | - void mapHashField(def ctx, def hashes, def key) { - for (hash in hashes) { - if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;} - if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;} - } - } - if (ctx.json?.process_hash instanceof List) { - mapHashField(ctx, ctx.json?.process_hash, "process_hash"); - } - if (ctx.json?.parent_hash instanceof List) { - mapHashField(ctx, ctx.json?.parent_hash, "parent_hash"); - } - - rename: - field: json.process_hash_md5 - target_field: process.hash.md5 - ignore_missing: true - - rename: - field: json.process_hash_sha256 - target_field: process.hash.sha256 - ignore_missing: true - - rename: - field: json.parent_hash_md5 - target_field: process.parent.hash.md5 - ignore_missing: true - - rename: - field: json.parent_hash_sha256 - target_field: process.parent.hash.sha256 - ignore_missing: true - - append: - field: related.hash - value: - - "{{{process.hash.md5}}}" - - "{{{process.hash.sha256}}}" - - "{{{process.parent.hash.md5}}}" - - "{{{process.parent.hash.sha256}}}" - allow_duplicates: 
false - - rename: - field: json.device_os - target_field: carbon_black_cloud.watchlist_hit.device.os - ignore_missing: true - - rename: - field: json.device_internal_ip - target_field: carbon_black_cloud.watchlist_hit.device.internal_ip - ignore_missing: true - - rename: - field: json.device_external_ip - target_field: carbon_black_cloud.watchlist_hit.device.external_ip - ignore_missing: true - - rename: - field: json.ioc_hit - target_field: carbon_black_cloud.watchlist_hit.ioc.hit - ignore_missing: true - - rename: - field: json.ioc_id - target_field: carbon_black_cloud.watchlist_hit.ioc.id - ignore_missing: true - - rename: - field: json.org_key - target_field: carbon_black_cloud.watchlist_hit.organization_key - ignore_missing: true - - foreach: - field: json.parent_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.parent_publisher - target_field: carbon_black_cloud.watchlist_hit.process.parent.publisher - ignore_missing: true - - rename: - field: json.parent_reputation - target_field: carbon_black_cloud.watchlist_hit.process.parent.reputation - ignore_missing: true - - rename: - field: json.parent_username - target_field: carbon_black_cloud.watchlist_hit.process.parent.username - ignore_missing: true - - foreach: - field: json.process_publisher - processor: - split: - field: _ingest._value.state - separator: " \\| " - ignore_missing: true - ignore_missing: true - ignore_failure: true - - rename: - field: json.process_publisher - target_field: carbon_black_cloud.watchlist_hit.process.publisher - ignore_missing: true - - rename: - field: json.process_reputation - target_field: carbon_black_cloud.watchlist_hit.process.reputation - ignore_missing: true - - rename: - field: json.process_username - target_field: carbon_black_cloud.watchlist_hit.process.username - ignore_missing: true - - rename: - field: json.report_id - target_field: 
carbon_black_cloud.watchlist_hit.report.id - ignore_missing: true - - rename: - field: json.report_name - target_field: carbon_black_cloud.watchlist_hit.report.name - ignore_missing: true - - rename: - field: json.report_tags - target_field: carbon_black_cloud.watchlist_hit.report.tags - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - - script: - description: Adds all the remaining fields in fields under carbon_black_cloud.watchlist_hit - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.carbon_black_cloud.watchlist_hit[m.getKey()] = m.getValue(); - } - - remove: - field: - - json - - carbon_black_cloud.watchlist_hit.create_time - - carbon_black_cloud.watchlist_hit.device_id - - carbon_black_cloud.watchlist_hit.process_hash - - carbon_black_cloud.watchlist_hit.parent_hash - ignore_missing: true - - script: - description: Remove duplicate values - lang: painless - source: | - if (ctx?.related?.user != null) { - ctx.related.user = new HashSet(ctx.related.user) - } - if (ctx?.related?.hash != null) { - ctx.related.hash = new HashSet(ctx.related.hash) - } -on_failure: - - set: - field: error.message - value: "{{{_ingest.on_failure_message}}}" 
diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/fields/agent.yml b/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/fields/base-fields.yml deleted file mode 100755 index 89df536282..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: carbon_black_cloud -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: carbon_black_cloud.watchlist_hit diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/fields/ecs.yml b/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/fields/ecs.yml deleted file mode 100755 index 5257b0ad7a..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/fields/ecs.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - Unique host id. - As hostname is not always unique, use values that are meaningful in your environment. - Example: The current usage of `beat.name`. - name: host.id - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. 
- name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: MD5 hash. - name: process.parent.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.parent.hash.sha256 - type: keyword -- description: Process id. - name: process.parent.pid - type: long -- description: Process id. - name: process.pid - type: long -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/fields/fields.yml b/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/fields/fields.yml deleted file mode 100755 index 25cb25005e..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/fields/fields.yml +++ /dev/null 
@@ -1,89 +0,0 @@ -- name: carbon_black_cloud.watchlist_hit - type: group - fields: - - name: device - type: group - fields: - - name: os - type: keyword - description: OS Type of device (Windows/OSX/Linux). - - name: internal_ip - type: ip - description: Internal IP of the device. - - name: external_ip - type: ip - description: External IP of the device. - - name: ioc - type: group - fields: - - name: field - type: keyword - description: Field the IOC hit contains. - - name: hit - type: keyword - description: IOC field value, or IOC query that matches. - - name: id - type: keyword - description: ID of the IOC that caused the hit. - - name: organization_key - type: keyword - description: The organization key associated with the console instance. - - name: process - type: group - fields: - - name: parent - type: group - fields: - - name: publisher - type: group - description: signature entry for the process as reported by the endpoint. - fields: - - name: name - type: keyword - description: The name of the publisher. - - name: state - type: keyword - description: The state of the publisher. - - name: reputation - type: keyword - description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: username - type: keyword - description: The username associated with the user context that this process was started under. - - name: publisher - type: group - description: signature entry for the process as reported by the endpoint. - - name: reputation - type: keyword - description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. - - name: username - type: keyword - description: The username associated with the user context that this process was started under. 
- - name: report - type: group - fields: - - name: id - type: keyword - description: ID of the watchlist report(s) that detected a hit on the process. - - name: name - type: keyword - description: Name of the watchlist report(s) that detected a hit on the process. - - name: tags - type: keyword - description: List of tags associated with the report(s) that detected a hit on the process. - - name: schema - type: long - description: Schema version. - - name: type - type: keyword - description: The watchlist hit type. - - name: watchlists - type: group - description: List of watchlists that contain the report of the ioc hit. - fields: - - name: id - type: keyword - description: The ID of the watchlists. - - name: name - type: keyword - description: The name of the watchlists. diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/manifest.yml b/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/manifest.yml deleted file mode 100755 index 7782458210..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/manifest.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -title: Watchlist Hit -type: logs -streams: - - input: aws-s3 - title: Collect watchlist hit from Carbon Black Cloud - description: Collect watchlist hit from Carbon Black Cloud. - template_path: aws-s3.yml.hbs - vars: - - name: bucket_list_prefix - type: text - title: Bucket Prefix - description: Prefix to apply for the list request to the S3 bucket. - multi: false - required: true - show_user: true - - name: interval - type: text - title: Interval - description: Interval to fetch watchlist hit from AWS S3 bucket. - multi: false - required: true - show_user: true - default: 1m - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - carbon_black_cloud-watchlist-hit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/sample_event.json b/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/sample_event.json deleted file mode 100755 index 0a5e6c32fb..0000000000 --- a/packages/carbon_black_cloud/1.0.1/data_stream/watchlist_hit/sample_event.json +++ /dev/null 
@@ -1,130 +0,0 @@ -{ - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-watchlist-hit" - ], - "input": { - "type": "aws-s3" - }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "carbon_black_cloud.watchlist_hit" - }, - "agent": { - "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80", - "type": "filebeat", - "version": "8.0.0" - }, - "ecs": { - "version": "8.0.0" - }, - "process": { - "parent": { - "pid": 4076, - "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1", - "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"", - "executable": "c:\\windows\\syswow64\\cmd.exe", - "hash": { - "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22", - "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b" - } - }, - "pid": 7516, - "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6", - "command_line": "sc query aella_conf ", - "executable": "c:\\windows\\syswow64\\sc.exe", - "hash": { - "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2", - "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8" - } - }, - "carbon_black_cloud": { - "watchlist_hit": { - "schema": 1, - "process": { - "parent": { - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_WHITE", - "username": "NT AUTHORITY\\SYSTEM" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_WHITE", - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "xxxxxxxx", - "report": { - "name": "Discovery - System Service Discovery Detected", - 
"id": "CFnKBKLTv6hUkBGFobRdg-565571", - "tags": [ - "attack", - "attackframework", - "threathunting", - "hunting", - "t1007", - "recon", - "discovery", - "windows" - ] - }, - "watchlists": [ - { - "name": "ATT\u0026CK Framework", - "id": "P5f9AW29TGmTOvBW156Cig" - } - ], - "type": "watchlist.hit", - "ioc": { - "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true", - "id": "565571-0" - }, - "device": { - "internal_ip": "10.10.156.12", - "external_ip": "67.43.156.12", - "os": "WINDOWS" - } - } - }, - "host": { - "hostname": "Carbonblack-win1", - "os": { - "type": "windows" - }, - "ip": [ - "10.10.156.12", - "67.43.156.12" - ], - "id": "4467271" - }, - "event": { - "kind": "event", - "severity": 3, - "agent_id_status": "verified", - "ingested": "2022-02-17T07:23:31Z", - "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf 
\",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}", - "dataset": "carbon_black_cloud.watchlist_hit" - } -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/docs/README.md b/packages/carbon_black_cloud/1.0.1/docs/README.md deleted file mode 100755 index b07163713d..0000000000 --- a/packages/carbon_black_cloud/1.0.1/docs/README.md +++ /dev/null 
@@ -1,1042 +0,0 @@ -# VMware Carbon Black Cloud - -The VMware Carbon Black Cloud integration collects and parses data from the Carbon Black Cloud REST APIs and AWS S3 bucket. - -## Compatibility - -This module has been tested against `Alerts API (v6)`, `Audit Log Events (v3)` and `Vulnerability Assessment (v1)`. - -## Requirements - -### In order to ingest data from the AWS S3 bucket you must: -1. Configure the [Data Forwarder](https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-F68F63DD-2271-4088-82C9-71D675CD0535.html) to ingest data into an AWS S3 bucket. -2. Create an [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys). - - -### In order to ingest data from the APIs you must generate API keys and API Secret Keys: -1. In Carbon Black Cloud, On the left navigation pane, click **Settings > API Access**. -2. Click Add API Key. -3. Give the API key a unique name and description. - - Select the appropriate access level type. Please check required Access Levels & Permissions for integration in below table. - **Note:** To use a custom access level, select Custom from the Access Level type drop-down menu and specify the Custom Access Level. - - Optional: Add authorized IP addresses. - - You can restrict the use of an API key to a specific set of IP addresses for security reasons. - **Note:** Authorized IP addresses are not available with Custom keys. -4. To apply the changes, click Save. - -#### Access Levels & Permissions -- The following tables indicate which type of API Key access level is required. If the type is Custom then the permission that is required will also be included. 
- -| Data stream | Access Level and Permissions | -| --------------------------- | ------------------------------------------ | -| Audit | API | -| Alert | Custom orgs.alerts (Read) | -| Asset Vulnerability Summary | Custom vulnerabilityAssessment.data (Read) | - - -## Note - -- The alert data stream has a 15-minute delay to ensure that no occurrences are missed. - -## Logs - -### Audit - -This is the `audit` dataset. - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2022-02-10T16:04:30.263Z", - "agent": { - "ephemeral_id": "6472e86c-fc7c-478a-a6fd-12ed19fe05c9", - "hostname": "docker-fleet-agent", - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "carbon_black_cloud": { - "audit": { - "flagged": false, - "verbose": false - } - }, - "client": { - "ip": "10.10.10.10", - "user": { - "id": "abc@demo.com" - } - }, - "data_stream": { - "dataset": "carbon_black_cloud.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-04-14T11:48:30.094Z", - "dataset": "carbon_black_cloud.audit", - "id": "2122f8ce8xxxxxxxxxxxxx", - "ingested": "2022-04-14T11:48:31Z", - "kind": "event", - "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}", - "outcome": "success", - "reason": "Logged in successfully" - }, - "input": { - "type": "httpjson" - }, - "organization": { - "name": "cb-xxxx-xxxx.com" - }, - "related": { - "ip": [ - "10.10.10.10" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-audit" - ] -} -``` - 
-**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.audit.flagged | true if action is failed otherwise false. | boolean | -| carbon_black_cloud.audit.verbose | true if verbose audit log otherwise false. | boolean | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.user.id | Unique identifier of the user. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). 
| keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. 
| match_only_text | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | - - -### Alert - -This is the `alert` dataset. - -An example event for `alert` looks as following: - -```json -{ - "@timestamp": "2020-11-17T22:05:13.000Z", - "agent": { - "ephemeral_id": "56053d91-103c-4c77-8f15-0a1006a80102", - "hostname": "docker-fleet-agent", - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "carbon_black_cloud": { - "alert": { - "category": "warning", - "device": { - "external_ip": "81.2.69.143", - "internal_ip": "81.2.69.144", - "location": "UNKNOWN", - "os": "WINDOWS" - }, - "last_update_time": "2020-11-17T22:05:13Z", - "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720", - "organization_key": "ABCD6X3T", - "policy": { - "applied": "APPLIED", - "id": 6997287, - "name": "Standard" - }, - "product_id": "0x5406", - "product_name": "U3 Cruzer Micro", - "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC", - "run_state": "DID_NOT_RUN", - "sensor_action": "DENY", - "serial_number": "0875920EF7C2A304", - "target_value": "MEDIUM", - "threat_cause": { - "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E", - "threat_category": "NON_MALWARE", - "vector": "REMOVABLE_MEDIA" - }, - "threat_id": "t5678", - "type": "DEVICE_CONTROL", - "vendor_id": "0x0781", - "vendor_name": "SanDisk", - "workflow": { - "changed_by": "Carbon Black", - "last_update_time": "2020-11-17T22:02:16Z", - "state": "OPEN" - } - } - }, - "data_stream": 
{ - "dataset": "carbon_black_cloud.alert", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", - "snapshot": false, - "version": "7.17.0" - }, - "event": { - "agent_id_status": "verified", - "created": "2022-04-14T11:46:13.154Z", - "dataset": "carbon_black_cloud.alert", - "end": "2020-11-17T22:02:16Z", - "id": "test1", - "ingested": "2022-04-14T11:46:14Z", - "kind": "alert", - "original": "{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", - "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.", - "severity": 3, - "start": "2020-11-17T22:02:16Z", - "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976" - }, - "host": { - "hostname": "DESKTOP-002", - "id": "2", - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], - "name": "DESKTOP-002", - "os": { - "type": "windows", - "version": "Windows 10 x64" - } - }, - "input": { - "type": "httpjson" - }, - "related": { - "hosts": [ - "DESKTOP-002" - ], - "ip": [ - "81.2.69.144", - "81.2.69.143" - ], - "user": [ - "test34@demo.com" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-alert" - ], - "user": { - "name": "test34@demo.com" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.alert.blocked_threat_category | The category of threat which we were able to take action on. | keyword | -| carbon_black_cloud.alert.category | The category of the alert. | keyword | -| carbon_black_cloud.alert.count | | long | -| carbon_black_cloud.alert.created_by_event_id | Event identifier that initiated the alert. 
| keyword | -| carbon_black_cloud.alert.device.external_ip | External IP of the device. | ip | -| carbon_black_cloud.alert.device.internal_ip | Internal IP of the device. | ip | -| carbon_black_cloud.alert.device.location | The Location of device. | keyword | -| carbon_black_cloud.alert.device.os | OS of the device. | keyword | -| carbon_black_cloud.alert.document_guid | Unique ID of document. | keyword | -| carbon_black_cloud.alert.ioc.field | The field the indicator of comprise (IOC) hit contains. | keyword | -| carbon_black_cloud.alert.ioc.hit | IOC field value or IOC query that matches. | keyword | -| carbon_black_cloud.alert.ioc.id | The identifier of the IOC that cause the hit. | keyword | -| carbon_black_cloud.alert.kill_chain_status | The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. | keyword | -| carbon_black_cloud.alert.last_update_time | The last time the alert was updated as an ISO 8601 UTC timestamp. | date | -| carbon_black_cloud.alert.legacy_alert_id | The legacy identifier for the alert. | keyword | -| carbon_black_cloud.alert.not_blocked_threat_category | Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). | keyword | -| carbon_black_cloud.alert.notes_present | Indicates if notes are associated with the threat_id. | boolean | -| carbon_black_cloud.alert.organization_key | The unique identifier for the organization associated with the alert. | keyword | -| carbon_black_cloud.alert.policy.applied | Whether a policy was applied. | keyword | -| carbon_black_cloud.alert.policy.id | The identifier for the policy associated with the device at the time of the alert. | long | -| carbon_black_cloud.alert.policy.name | The name of the policy associated with the device at the time of the alert. | keyword | -| carbon_black_cloud.alert.product_id | The hexadecimal id of the USB device's product. 
| keyword | -| carbon_black_cloud.alert.product_name | The name of the USB device’s vendor. | keyword | -| carbon_black_cloud.alert.reason_code | Shorthand enum for the full-text reason. | keyword | -| carbon_black_cloud.alert.report.id | The identifier of the report that contains the IOC. | keyword | -| carbon_black_cloud.alert.report.name | The name of the report that contains the IOC. | keyword | -| carbon_black_cloud.alert.run_state | Whether the threat in the alert ran. | keyword | -| carbon_black_cloud.alert.sensor_action | The action taken by the sensor, according to the rule of the policy. | keyword | -| carbon_black_cloud.alert.serial_number | The serial number of the USB device. | keyword | -| carbon_black_cloud.alert.status | status of alert. | keyword | -| carbon_black_cloud.alert.tags | Tags associated with the alert. | keyword | -| carbon_black_cloud.alert.target_value | The priority of the device assigned by the policy. | keyword | -| carbon_black_cloud.alert.threat_activity.c2 | Whether the alert involved a command and control (c2) server. | keyword | -| carbon_black_cloud.alert.threat_activity.dlp | Whether the alert involved data loss prevention (DLP). | keyword | -| carbon_black_cloud.alert.threat_activity.phish | Whether the alert involved phishing. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.md5 | MD5 of the threat cause actor. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.name | The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.process_pid | Process identifier (PID) of the actor process. | keyword | -| carbon_black_cloud.alert.threat_cause.actor.sha256 | SHA256 of the threat cause actor. | keyword | -| carbon_black_cloud.alert.threat_cause.cause_event_id | ID of the Event that triggered the threat. 
| keyword | -| carbon_black_cloud.alert.threat_cause.process.guid | The global unique identifier of the process. | keyword | -| carbon_black_cloud.alert.threat_cause.process.parent.guid | The global unique identifier of the process. | keyword | -| carbon_black_cloud.alert.threat_cause.reputation | Reputation of the threat cause. | keyword | -| carbon_black_cloud.alert.threat_cause.threat_category | Category of the threat cause. | keyword | -| carbon_black_cloud.alert.threat_cause.vector | The source of the threat cause. | keyword | -| carbon_black_cloud.alert.threat_id | The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. | keyword | -| carbon_black_cloud.alert.threat_indicators.process_name | Process name associated with threat. | keyword | -| carbon_black_cloud.alert.threat_indicators.sha256 | Sha256 associated with threat. | keyword | -| carbon_black_cloud.alert.threat_indicators.ttps | Tactics, techniques and procedures associated with threat. | keyword | -| carbon_black_cloud.alert.type | Type of alert. | keyword | -| carbon_black_cloud.alert.vendor_id | The hexadecimal id of the USB device's vendor. | keyword | -| carbon_black_cloud.alert.vendor_name | The name of the USB device’s vendor. | keyword | -| carbon_black_cloud.alert.watchlists.id | The identifier of watchlist. | keyword | -| carbon_black_cloud.alert.watchlists.name | The name of the watchlist. | keyword | -| carbon_black_cloud.alert.workflow.changed_by | The name of user who changed the workflow. | keyword | -| carbon_black_cloud.alert.workflow.comment | Comment associated with workflow. | keyword | -| carbon_black_cloud.alert.workflow.last_update_time | The last update time of workflow. | date | -| carbon_black_cloud.alert.workflow.remediation | N/A | keyword | -| carbon_black_cloud.alert.workflow.state | The state of workflow. 
| keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Event dataset. | constant_keyword | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. 
| long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | - - -### Endpoint Event - -This is the `endpoint_event` dataset. - -An example event for `endpoint_event` looks as following: - -```json -{ - "process": { - "parent": { - "pid": 1684, - "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", - "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", - "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", - "hash": { - "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", - "md5": "03dd698da2671383c9b4f868c9931879" - } - }, - "pid": 4880, - "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", - "command_line": "\"route.exe\" print", - "executable": "c:\\windows\\system32\\route.exe", - "hash": { - "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", - "md5": "2498272dc48446891182747428d02a30" - } - }, - "ecs": { - "version": "8.0.0" - }, - "carbon_black_cloud": { - "endpoint_event": { - "schema": 1, - "event_origin": "EDR", - "process": { - "duration": 2, - "parent": { - "reputation": "REP_RESOLVING" - }, - "publisher": [ - { - "name": "Microsoft Windows", - "state": [ - "FILE_SIGNATURE_STATE_SIGNED", - "FILE_SIGNATURE_STATE_VERIFIED", - "FILE_SIGNATURE_STATE_TRUSTED", - "FILE_SIGNATURE_STATE_OS", - "FILE_SIGNATURE_STATE_CATALOG_SIGNED" - ] - } - ], - "reputation": "REP_RESOLVING", - "terminated": true, - "username": "NT AUTHORITY\\SYSTEM" - }, - "organization_key": "XXXXXXXX", - "backend": { - 
"timestamp": "2022-02-10 11:52:50 +0000 UTC" - }, - "target_cmdline": "\"route.exe\" print", - "type": "endpoint.event.procend", - "device": { - "os": "WINDOWS", - "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", - "external_ip": "67.43.156.12" - }, - "sensor_action": "ACTION_ALLOW" - } - }, - "host": { - "hostname": "client-cb2", - "id": "4034605", - "os": { - "type": "windows" - }, - "ip": [ - "67.43.156.13" - ] - }, - "event": { - "action": "ACTION_PROCESS_TERMINATE", - "orignal": "{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" 
print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" - }, - "data_stream": { - "dataset": "carbon_black_cloud.endpoint_event", - "namespace": "ep", - "type": "logs" - }, - "elastic_agent": { - "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5", - "snapshot": true, - "version": "8.0.0" - }, - "input": { - "type": "aws-s3" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "carbon_black_cloud-endpoint-event" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| carbon_black_cloud.endpoint_event.alert_id | The ID of the Alert this event is associated with. | keyword | -| carbon_black_cloud.endpoint_event.backend.timestamp | Time when the backend received the batch of events. | keyword | -| carbon_black_cloud.endpoint_event.childproc.guid | Unique ID of the child process. | keyword | -| carbon_black_cloud.endpoint_event.childproc.hash.md5 | Cryptographic MD5 hashes of the executable file backing the child process. | keyword | -| carbon_black_cloud.endpoint_event.childproc.hash.sha256 | Cryptographic SHA256 hashes of the executable file backing the child process. | keyword | -| carbon_black_cloud.endpoint_event.childproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword | -| carbon_black_cloud.endpoint_event.childproc.pid | OS-reported Process ID of the child process. | long | -| carbon_black_cloud.endpoint_event.childproc.publisher.name | The name of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.childproc.publisher.state | The state of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.childproc.reputation | Carbon Black Cloud Reputation string for the childproc. 
| keyword | -| carbon_black_cloud.endpoint_event.childproc.username | The username associated with the user context that the child process was started under. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.action | The action taken on cross-process. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.api | Name of the operating system API called by the actor process. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.guid | Unique ID of the cross process. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.hash.md5 | Cryptographic MD5 hashes of the target of the crossproc event. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.hash.sha256 | Cryptographic SHA256 hashes of the target of the crossproc event. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.publisher.name | The name of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.publisher.state | The state of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.reputation | Carbon Black Cloud Reputation string for the crossproc. | keyword | -| carbon_black_cloud.endpoint_event.crossproc.target | True if the process was the target of the cross-process event; false if the process was the actor. | boolean | -| carbon_black_cloud.endpoint_event.device.external_ip | External IP of the device. | ip | -| carbon_black_cloud.endpoint_event.device.internal_ip | Internal IP of the device. | ip | -| carbon_black_cloud.endpoint_event.device.os | Os name. | keyword | -| carbon_black_cloud.endpoint_event.device.timestamp | Time seen on sensor. | keyword | -| carbon_black_cloud.endpoint_event.event_origin | Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard. 
| keyword | -| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline | Deobfuscated script content run in a fileless context by the process. | keyword | -| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length | Character count of the deobfuscated script content run in a fileless context. | keyword | -| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 | MD5 hash of the deobfuscated script content run by the process in a fileless context. | keyword | -| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 | SHA-256 hash of the deobfuscated script content run by the process in a fileless context. | keyword | -| carbon_black_cloud.endpoint_event.modload.count | Count of modload events reported by the sensor since last initialization. | long | -| carbon_black_cloud.endpoint_event.modload.effective_reputation | Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred. | keyword | -| carbon_black_cloud.endpoint_event.modload.publisher.name | The name of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.modload.publisher.state | The state of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.netconn.proxy.domain | DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address. | keyword | -| carbon_black_cloud.endpoint_event.netconn.proxy.ip | IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection. | keyword | -| carbon_black_cloud.endpoint_event.netconn.proxy.port | UDP/TCP port number associated with the "proxy" end of this network connection. | keyword | -| carbon_black_cloud.endpoint_event.organization_key | The organization key associated with the console instance. 
| keyword | -| carbon_black_cloud.endpoint_event.process.duration | The time difference in seconds between the process start and process terminate event. | long | -| carbon_black_cloud.endpoint_event.process.parent.reputation | Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | -| carbon_black_cloud.endpoint_event.process.publisher.name | The name of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.process.publisher.state | The state of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | -| carbon_black_cloud.endpoint_event.process.terminated | True if process was terminated elase false. | boolean | -| carbon_black_cloud.endpoint_event.process.username | The username associated with the user context that this process was started under. | keyword | -| carbon_black_cloud.endpoint_event.schema | The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. | long | -| carbon_black_cloud.endpoint_event.scriptload.count | Count of scriptload events across all processes reported by the sensor since last initialization. | long | -| carbon_black_cloud.endpoint_event.scriptload.effective_reputation | Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred. | keyword | -| carbon_black_cloud.endpoint_event.scriptload.hash.md5 | Cryptographic MD5 hashes of the target of the scriptload event. | keyword | -| carbon_black_cloud.endpoint_event.scriptload.hash.sha256 | Cryptographic SHA256 hashes of the target of the scriptload event. 
| keyword | -| carbon_black_cloud.endpoint_event.scriptload.name | Full path to the target of the crossproc event on the device's local file system. | keyword | -| carbon_black_cloud.endpoint_event.scriptload.publisher.name | The name of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.scriptload.publisher.state | The state of the publisher. | keyword | -| carbon_black_cloud.endpoint_event.scriptload.reputation | Carbon Black Cloud Reputation string for the scriptload. | keyword | -| carbon_black_cloud.endpoint_event.sensor_action | The sensor action taken on event. | keyword | -| carbon_black_cloud.endpoint_event.target_cmdline | Process command line associated with the target process. | keyword | -| carbon_black_cloud.endpoint_event.type | The event type. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. 
| keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| dll.hash.md5 | MD5 hash. | keyword | -| dll.hash.sha256 | SHA256 hash. | keyword | -| dll.path | Full file path of the library. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| file.hash.md5 | MD5 hash. 
| keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. 
| keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | -| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.parent.executable | Absolute path to the process executable. | keyword | -| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | -| process.parent.hash.md5 | MD5 hash. | keyword | -| process.parent.hash.sha256 | SHA256 hash. | keyword | -| process.parent.pid | Process id. | long | -| process.pid | Process id. | long | -| registry.path | Full path, including hive, key and value | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. 
| keyword |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-
-
-### Watchlist Hit
-
-This is the `watchlist_hit` dataset.
-
-An example event for `watchlist_hit` looks as following:
-
-```json
-{
- "tags": [
- "preserve_original_event",
- "forwarded",
- "carbon_black_cloud-watchlist-hit"
- ],
- "input": {
- "type": "aws-s3"
- },
- "data_stream": {
- "namespace": "default",
- "type": "logs",
- "dataset": "carbon_black_cloud.watchlist_hit"
- },
- "agent": {
- "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "process": {
- "parent": {
- "pid": 4076,
- "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1",
- "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"",
- "executable": "c:\\windows\\syswow64\\cmd.exe",
- "hash": {
- "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22",
- "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b"
- }
- },
- "pid": 7516,
- "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6",
- "command_line": "sc query aella_conf ",
- "executable": "c:\\windows\\syswow64\\sc.exe",
- "hash": {
- "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2",
- "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8"
- }
- },
- "carbon_black_cloud": {
- "watchlist_hit": {
- "schema": 1,
- "process": {
- "parent": {
- "publisher": [
- {
- 
"name": "Microsoft Windows",
- "state": [
- "FILE_SIGNATURE_STATE_SIGNED",
- "FILE_SIGNATURE_STATE_VERIFIED",
- "FILE_SIGNATURE_STATE_TRUSTED",
- "FILE_SIGNATURE_STATE_OS",
- "FILE_SIGNATURE_STATE_CATALOG_SIGNED"
- ]
- }
- ],
- "reputation": "REP_WHITE",
- "username": "NT AUTHORITY\\SYSTEM"
- },
- "publisher": [
- {
- "name": "Microsoft Windows",
- "state": [
- "FILE_SIGNATURE_STATE_SIGNED",
- "FILE_SIGNATURE_STATE_VERIFIED",
- "FILE_SIGNATURE_STATE_TRUSTED",
- "FILE_SIGNATURE_STATE_OS",
- "FILE_SIGNATURE_STATE_CATALOG_SIGNED"
- ]
- }
- ],
- "reputation": "REP_WHITE",
- "username": "NT AUTHORITY\\SYSTEM"
- },
- "organization_key": "xxxxxxxx",
- "report": {
- "name": "Discovery - System Service Discovery Detected",
- "id": "CFnKBKLTv6hUkBGFobRdg-565571",
- "tags": [
- "attack",
- "attackframework",
- "threathunting",
- "hunting",
- "t1007",
- "recon",
- "discovery",
- "windows"
- ]
- },
- "watchlists": [
- {
- "name": "ATT\u0026CK Framework",
- "id": "P5f9AW29TGmTOvBW156Cig"
- }
- ],
- "type": "watchlist.hit",
- "ioc": {
- "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true",
- "id": "565571-0"
- },
- "device": {
- "internal_ip": "10.10.156.12",
- "external_ip": "67.43.156.12",
- "os": "WINDOWS"
- }
- }
- },
- "host": {
- "hostname": "Carbonblack-win1",
- "os": {
- "type": "windows"
- },
- "ip": [
- "10.10.156.12",
- "67.43.156.12"
- ],
- "id": "4467271"
- },
- "event": {
- "kind": "event",
- "severity": 3,
- "agent_id_status": "verified",
- "ingested": "2022-02-17T07:23:31Z",
- "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe 
/c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf \",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}",
- "dataset": "carbon_black_cloud.watchlist_hit"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| carbon_black_cloud.watchlist_hit.device.external_ip | External IP of the device. | ip |
-| carbon_black_cloud.watchlist_hit.device.internal_ip | Internal IP of the device. 
| ip |
-| carbon_black_cloud.watchlist_hit.device.os | OS Type of device (Windows/OSX/Linux). | keyword |
-| carbon_black_cloud.watchlist_hit.ioc.field | Field the IOC hit contains. | keyword |
-| carbon_black_cloud.watchlist_hit.ioc.hit | IOC field value, or IOC query that matches. | keyword |
-| carbon_black_cloud.watchlist_hit.ioc.id | ID of the IOC that caused the hit. | keyword |
-| carbon_black_cloud.watchlist_hit.organization_key | The organization key associated with the console instance. | keyword |
-| carbon_black_cloud.watchlist_hit.process.parent.publisher.name | The name of the publisher. | keyword |
-| carbon_black_cloud.watchlist_hit.process.parent.publisher.state | The state of the publisher. | keyword |
-| carbon_black_cloud.watchlist_hit.process.parent.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
-| carbon_black_cloud.watchlist_hit.process.parent.username | The username associated with the user context that this process was started under. | keyword |
-| carbon_black_cloud.watchlist_hit.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
-| carbon_black_cloud.watchlist_hit.process.username | The username associated with the user context that this process was started under. | keyword |
-| carbon_black_cloud.watchlist_hit.report.id | ID of the watchlist report(s) that detected a hit on the process. | keyword |
-| carbon_black_cloud.watchlist_hit.report.name | Name of the watchlist report(s) that detected a hit on the process. | keyword |
-| carbon_black_cloud.watchlist_hit.report.tags | List of tags associated with the report(s) that detected a hit on the process. | keyword |
-| carbon_black_cloud.watchlist_hit.schema | Schema version. | long |
-| carbon_black_cloud.watchlist_hit.type | The watchlist hit type. 
| keyword |
-| carbon_black_cloud.watchlist_hit.watchlists.id | The ID of the watchlists. | keyword |
-| carbon_black_cloud.watchlist_hit.watchlists.name | The name of the watchlists. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.dataset | Event dataset. | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module. | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. 
| wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.pid | Process id. | long |
-| process.pid | Process id. 
| long |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-
-
-### Asset Vulnerability Summary
-
-This is the `asset_vulnerability_summary` dataset.
-
-An example event for `asset_vulnerability_summary` looks as following:
-
-```json
-{
- "@timestamp": "2022-04-14T11:47:25.371Z",
- "agent": {
- "ephemeral_id": "377d9292-c7d0-4c30-bbee-faf4848d30d8",
- "hostname": "docker-fleet-agent",
- "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "carbon_black_cloud": {
- "asset_vulnerability_summary": {
- "last_sync": {
- "timestamp": "2022-01-17T08:33:37.384Z"
- },
- "os_info": {
- "os_arch": "64-bit"
- },
- "sync": {
- "status": "COMPLETED",
- "type": "SCHEDULED"
- },
- "type": "ENDPOINT",
- "vuln_count": 1770
- }
- },
- "data_stream": {
- "dataset": "carbon_black_cloud.asset_vulnerability_summary",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "elastic_agent": {
- "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
- "snapshot": false,
- "version": "7.17.0"
- },
- "event": {
- "agent_id_status": "verified",
- "created": "2022-04-14T11:47:25.371Z",
- "dataset": "carbon_black_cloud.asset_vulnerability_summary",
- "ingested": "2022-04-14T11:47:26Z",
- "original": 
"{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}"
- },
- "host": {
- "hostname": "DESKTOP-008",
- "id": "8",
- "name": "DESKTOP-008KK",
- "os": {
- "name": "Microsoft Windows 10 Education",
- "type": "windows",
- "version": "10.0.17763"
- }
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "hosts": [
- "DESKTOP-008"
- ]
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "carbon_black_cloud-asset-vulnerability-summary"
- ],
- "vulnerability": {
- "score": {
- "base": 10
- },
- "severity": "CRITICAL"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp | The identifier is for the Last sync time. | date |
-| carbon_black_cloud.asset_vulnerability_summary.os_info.os_arch | The identifier is for the Operating system architecture. | keyword |
-| carbon_black_cloud.asset_vulnerability_summary.sync.status | The identifier is for the Device sync status. | keyword |
-| carbon_black_cloud.asset_vulnerability_summary.sync.type | The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync. | keyword |
-| carbon_black_cloud.asset_vulnerability_summary.type | The identifier is for the Device type. | keyword |
-| carbon_black_cloud.asset_vulnerability_summary.vm.id | The identifier is for the Virtual Machine ID. | keyword |
-| carbon_black_cloud.asset_vulnerability_summary.vm.name | The identifier is for the Virtual Machine name. 
| keyword |
-| carbon_black_cloud.asset_vulnerability_summary.vuln_count | The identifier is for the Number of vulnerabilities at this level. | integer |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. 
One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float |
-| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
diff --git a/packages/carbon_black_cloud/1.0.1/img/carbon_black_cloud-logo.svg b/packages/carbon_black_cloud/1.0.1/img/carbon_black_cloud-logo.svg
deleted file mode 100755
index 180cc3d212..0000000000
--- a/packages/carbon_black_cloud/1.0.1/img/carbon_black_cloud-logo.svg
+++ /dev/null
@@ -1,91 +0,0 @@
- - - - -Created by potrace 1.16, written by Peter Selinger 2001-2019 - - - - - - - - - - - - - - - - - - - - - 
diff --git a/packages/carbon_black_cloud/1.0.1/img/carbon_black_cloud-screenshot.png b/packages/carbon_black_cloud/1.0.1/img/carbon_black_cloud-screenshot.png
deleted file mode 100755
index 6fda3c108d..0000000000
Binary files a/packages/carbon_black_cloud/1.0.1/img/carbon_black_cloud-screenshot.png and /dev/null differ
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json
deleted file mode 100755
index 129cd1c62a..0000000000
--- a/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json
+++ /dev/null
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":831}]}}},\"gridData\":{\"h\":15,\"i\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"panelRefName\":\"panel_3\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Audit Logs", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", - "name": "panel_0", - "type": "visualization" - }, - { - "id": 
"carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", - "name": "panel_3", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json deleted file mode 100755 index e3f216759c..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"carbon_black_cloud.endpoint_event.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"title\":\"[Carbon Black Cloud] Top 10 Event 
Types\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IP\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"panelRefName\":\"panel_12\",\"title\":\"[Carbon 
Black Cloud] Top 10 Effective Reputation of Loaded Modules\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"w\":48,\"x\":0,\"y\":105},\"panelIndex\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"panelRefName\":\"panel_13\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Endpoint Event", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "f19543f7-04f5-42dd-849b-5f2fd8ca15f8:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", - "name": 
"panel_9", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", - "name": "panel_13", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 4a9c10d677..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,147 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"carbon_black_cloud.alert.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":15,\"i\":\"a63e66da-6fdb-432e-8cd3-9beeceb7187e\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"a63e66da-6fdb-432e-8cd3-9beeceb7187e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":t
rue,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"carbon_black_cloud.alert.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":15,\"i\":\"3b39bb5c-6d43-4bac-9551-dd3db3def5da\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"3b39bb5c-6d43-4bac-9551-dd3db3def5da\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5e9e34e5-35be-4f6c-922a-fb15daf002ab\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"5e9e34e5-35be-4f6c-922a-fb15daf002ab\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7cba8aeb-90ad-4db5-8050-6093f8b51f56\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"7cba8aeb-90ad-4db5-8050-6093f8b51f56\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"bb01cff3-1557-42ad-ad1a-0cca9f44b658\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"bb01cff3-1557-42ad-ad1a
-0cca9f44b658\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fdcee22b-9a7d-4b00-af40-ebe01d7e8b28\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"fdcee22b-9a7d-4b00-af40-ebe01d7e8b28\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3d50fe5a-b808-407c-830e-1badfb14b4b4\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"3d50fe5a-b808-407c-830e-1badfb14b4b4\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e7610078-a6b5-47e0-9739-ee08f84a39c8\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"e7610078-a6b5-47e0-9739-ee08f84a39c8\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93081e97-c841-4eb2-bfa3-6d214cb10282\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"93081e97-c841-4eb2-bfa3-6d214cb10282\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"920d0841-19a5-4052-a5c6-4c2bcea8feee\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"920d0841-19a5-4052-a5c6-4c2bcea8feee\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2aab11a6-0445-43ae-b852-de68e72bc9f6\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"2aab11a6-0445-43ae-b852-de68e72bc9f6\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"64eae241-7f78-45c4-9ec8-f2c1195a5fa2\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"64eae241-7f78-45c4-9ec8-f2c1195a5fa2\",\"panelRefName\":\"panel_11\",\"type\":\"
visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f0964cf-d899-481f-b1e2-138d3e24f67f\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"8f0964cf-d899-481f-b1e2-138d3e24f67f\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":1,\"width\":494}]}}},\"gridData\":{\"h\":15,\"i\":\"5cf45870-ceae-4231-9fe7-1dc62ff55c16\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"5cf45870-ceae-4231-9fe7-1dc62ff55c16\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"01a42219-92ef-4f03-b8a3-3eb1f498c1f7\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"01a42219-92ef-4f03-b8a3-3eb1f498c1f7\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"2afa241a-c05d-4c21-b993-d00d655e53f6\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"2afa241a-c05d-4c21-b993-d00d655e53f6\",\"panelRefName\":\"panel_15\",\"title\":\"[Carbon Black Cloud] Distribution of Alerts by IOC 
Field\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5ac185d0-99d0-473f-9cf5-4898053b1fa8\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"5ac185d0-99d0-473f-9cf5-4898053b1fa8\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9248238a-0980-423a-a19c-44102fdc173c\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"9248238a-0980-423a-a19c-44102fdc173c\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"48aa679f-815f-4196-bca9-b3d7784aef73\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"48aa679f-815f-4196-bca9-b3d7784aef73\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"669a2361-cb74-4def-a571-4af3ab5082b9\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"669a2361-cb74-4def-a571-4af3ab5082b9\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"83e71096-5c60-41e7-a258-ec2036fcf872\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"83e71096-5c60-41e7-a258-ec2036fcf872\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ab2c450c-e97f-41ba-bffe-3c0672b64320\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"ab2c450c-e97f-41ba-bffe-3c0672b64320\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3df6d550-3202-40b6-a2ad-0909b7e5dd6b\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"3df6d550-3202-40b6-a2ad-0909b7e5dd6b\",\"panelRefName\":\"panel_22\",\"type\":\"visualization\",\"versio
n\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":1134}]}}},\"gridData\":{\"h\":15,\"i\":\"bab343d8-bdda-4558-8353-f4530b69a3b9\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"bab343d8-bdda-4558-8353-f4530b69a3b9\",\"panelRefName\":\"panel_23\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":27,\"i\":\"7a714638-9485-4da1-bc85-38df2ef49e99\",\"w\":48,\"x\":0,\"y\":180},\"panelIndex\":\"7a714638-9485-4da1-bc85-38df2ef49e99\",\"panelRefName\":\"panel_24\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"360b92d6-049c-42de-903f-f22ab75c0afc\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"360b92d6-049c-42de-903f-f22ab75c0afc\",\"title\":\"[Carbon Black Cloud] Top 10 Threat Cause Actor Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Alerts", - "version": 1 - }, - 
"coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", - "name": "panel_10", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", - "name": "panel_11", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", - "name": "panel_12", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", - "name": "panel_13", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", - "name": "panel_14", - 
"type": "visualization" - }, - { - "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", - "name": "panel_15", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", - "name": "panel_16", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", - "name": "panel_17", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", - "name": "panel_18", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", - "name": "panel_19", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", - "name": "panel_20", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", - "name": "panel_21", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", - "name": "panel_22", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", - "name": "panel_23", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", - "name": "panel_24", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index ee0df3955b..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"panelRefName\":\"panel_0\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"panelRefName\":\"panel_2\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"panelRefName\":\"panel_3\",\"title\":\"[Carbon Black Cloud] 
Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"panelRefName\":\"panel_4\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Hosts with Highest Risk Score\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"panelRefName\":\"panel_6\",\"title\":\"[Carbon Black Cloud] Top 10 OS Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":20,\"i\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"panelRefName\":\"panel_7\",\"title\":\"[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": 
"[Carbon Black Cloud] Asset Vulnerability Summary", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", - "name": "panel_7", - "type": "search" - }, - { - "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 94761c84e1..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.watchlist_hit.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IPs\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit Name\",\"field\":\"carbon_black_cloud.watchlist_hit.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Watchlist Hit Names\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Severity\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Parent Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher 
Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"panelRefName\":\"panel_8\",\"type\":\"visualiz
ation\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"panelRefName\":\"panel_9\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"panelRefName\":\"panel_10\",\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":31,\"i\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"w\":48,\"x\":0,\"y\":120},\"panelIndex\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"panelRefName\":\"panel_11\",\"type\":\"search\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Carbon Black Cloud] Watchlist Hit", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "4f7b5cef-a7e9-44a9-8769-44d5326a8df4:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3d454d18-6baa-40de-aa94-4ebfaee9a759:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b0289aae-02bb-472e-8a22-07ff9f5d2372:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"d29f5a98-736d-4f47-877e-b4552d15f889:kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "ae5c96d5-b7d6-45f8-b57b-42cc190f990b:kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826",
- "name": "panel_4",
- "type": "visualization"
- },
- {
- "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826",
- "name": "panel_5",
- "type": "visualization"
- },
- {
- "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826",
- "name": "panel_6",
- "type": "visualization"
- },
- {
- "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826",
- "name": "panel_7",
- "type": "visualization"
- },
- {
- "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826",
- "name": "panel_8",
- "type": "visualization"
- },
- {
- "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826",
- "name": "panel_9",
- "type": "visualization"
- },
- {
- "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826",
- "name": "panel_10",
- "type": "visualization"
- },
- {
- "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826",
- "name": "panel_11",
- "type": "search"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json
deleted file mode 100755
index fde5382f93..0000000000
--- a/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "attributes": {
- "columns": [
- "carbon_black_cloud.watchlist_hit.watchlists.name",
- "process.command_line",
- "process.parent.command_line",
- "process.executable",
- "process.parent.executable",
- "carbon_black_cloud.watchlist_hit.ioc.id",
- "carbon_black_cloud.watchlist_hit.ioc.hit"
- ],
- "description": "",
- "grid": {},
- "hideChart": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Carbon Black Cloud] Watchlist Hit Essential Details"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json
deleted file mode 100755
index fdc104f3b2..0000000000
--- a/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "attributes": {
- "columns": [
- "event.id",
- "client.user.id",
- "event.reason",
- "client.ip"
- ],
- "description": "",
- "grid": {},
- "hideChart": true,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Carbon Black Cloud] Audit Essential Details"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json
deleted file mode 100755
index 800a5cb006..0000000000
--- a/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "attributes": {
- "columns": [
- "carbon_black_cloud.endpoint_event.type",
- "process.command_line",
- "process.parent.command_line",
- "dll.path",
- "carbon_black_cloud.endpoint_event.target_cmdline",
- "process.executable",
- "process.parent.executable"
- ],
- "description": "",
- "grid": {},
- "hideChart": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Carbon Black Cloud] Endpoint Events Essential Details"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json
deleted file mode 100755
index 1a37e59347..0000000000
--- a/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "attributes": {
- "columns": [
- "event.id",
- "event.reason",
- "event.url",
- "carbon_black_cloud.alert.threat_indicators.process_name",
- "carbon_black_cloud.alert.category"
- ],
- "description": "",
- "grid": {},
- "hideChart": true,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Carbon Black Cloud] Alerts Essential Details"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json
deleted file mode 100755
index c060c3bd41..0000000000
--- a/packages/carbon_black_cloud/1.0.1/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "attributes": {
- "columns": [
- "host.hostname",
- "vulnerability.severity",
- "vulnerability.score.base",
- "carbon_black_cloud.asset_vulnerability_summary.vuln_count"
- ],
- "description": "",
- "grid": {},
- "hideChart": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json
deleted file mode 100755
index bf6bf9170c..0000000000
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}"
- },
- "title": "[Carbon Black Cloud] Top 10 Process Publisher State",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json
deleted file mode 100755
index 329118ed72..0000000000
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}"
- },
- "title": "[Carbon Black Cloud] Distribution of Alerts by OS, OS version",
- "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by OS, OS version\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json
deleted file mode 100755
index fb78529067..0000000000
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}"
- },
- "title": "[Carbon Black Cloud] Top 10 Client IPs",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client IPs\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Client IPs\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json
deleted file mode 100755
index edfb4ab922..0000000000
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json
+++ /dev/null
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators TTPS\",\"field\":\"carbon_black_cloud.alert.threat_indicators.ttps\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"posit
ion\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS\",\"type\":\"horizontal_bar\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json
deleted file mode 100755
index e058315a1e..0000000000
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json
+++ /dev/null
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Actions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show
\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Top 10 Actions\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index e9926e3521..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by OS", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"carbon_black_cloud.watchlist_hit.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by OS\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 5c97a8d4eb..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Severity", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 8bb3adabfb..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 7bec55f465..0000000000 
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":9},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index e4b7fe64f8..0000000000 
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 6b1cb56ea0..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Origin\",\"field\":\"carbon_black_cloud.endpoint_event.event_origin\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{
\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index c59f3f2623..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"Le
ftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 0a01e78828..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 682f389163..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by OS", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device OS\",\"field\":\"carbon_black_cloud.endpoint_event.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by OS\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 7af6d5ad55..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 IOC Hits", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.watchlist_hit.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hits\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1c116157a2..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Category", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"carbon_black_cloud.alert.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3ced47d3fe..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 60cf2f819b..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by OS Type, OS Version", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Type\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - 
], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 411603d6cc..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":2},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"norm
al\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Distribution of Asset Vulnerability Summary by Type\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 811d8c6112..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.vector\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"
position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index e390c83ecc..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by IOC field", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Field\",\"field\":\"carbon_black_cloud.alert.ioc.field\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"
normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by IOC field\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index bdd43d6d65..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by OS Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index a8622511b3..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by OS Architecture", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.architecture\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Architecture\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 02160d4bea..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 OS Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Names\",\"field\":\"host.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"row\":false,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 OS Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 6c64141f00..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 Hosts with Highest Vulnerability Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Vulnerability Count\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.vuln_count\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 630d474e6e..0000000000 
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Workflow State", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Workflow State\",\"field\":\"carbon_black_cloud.alert.workflow.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Workflow State\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 228daf684c..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 1bd12c5d2e..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Severity", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"vulnerability.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 0a3d26dad2..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Report Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Report Name\",\"field\":\"carbon_black_cloud.watchlist_hit.report.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Report Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 6e873422cb..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 Hosts with Highest Risk Score", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Risk Score\",\"field\":\"vulnerability.score.base\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Risk Score\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 48a0ff614a..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index b549ad14a1..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Sync Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 116934a90e..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Publisher State", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher State\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index ebce21d74d..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Distribution of Asset Vulnerability Summary by Sync Status", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync Status\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json deleted file mode 100755 index 8f11ac69cf..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" - }, - "title": "Top 10 Hosts with Severity", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Severity\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"2-orderAgg\",\"params\":{\"field\":\"vulnerability.severity\"},\"schema\":\"orderAgg\",\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Severity\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 5d57824451..0000000000 
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 IOC Hit", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.alert.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hit\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index dd5f86134d..0000000000 
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit\",\"field\":\"carbon_black_cloud.alert.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\
":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 60669ee962..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Reputation\",\"field\":\"carbon_black_cloud.alert.threat_cause.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 19ad6bf381..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Threat Indicators Process Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators Process Name\",\"field\":\"carbon_black_cloud.alert.threat_indicators.process_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Threat Indicators Process Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 7992c14128..0000000000 
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Devices", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Devices\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index ebcc102bf4..0000000000 
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Run State", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Run State\",\"field\":\"carbon_black_cloud.alert.run_state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Run State\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bf3592d08f..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1025e00226..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Sensor Action", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.alert.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":
{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Sensor Action\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index c4ce665f33..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 7db345ec9b..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Audit Logs by Flag Status", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flagged\",\"field\":\"carbon_black_cloud.audit.flagged\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Audit Logs by Flag Status\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 37864260d1..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Effective Reputation of Loaded Modules\",\"field\":\"carbon_black_cloud.endpoint_event.modload.effective_reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index cf20544145..0000000000 
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Child Process Publisher Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":8},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index dd2d0ee97a..0000000000 
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Usernames", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Usernames\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json deleted file mode 100755 index bb4fb20b4b..0000000000 
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3a76cb6cae..0000000000 
--- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.endpoint_event.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale
\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 29d985b4d8..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit by Report Tag\",\"field\":\"carbon_black_cloud.watchlist_hit.report.tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\
"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 50933d86cc..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Not Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.not_blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftA
xis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bf02f82c2e..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Policy Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"carbon_black_cloud.alert.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Policy Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index bfebab9f24..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Reason Codes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Reason Codes\",\"field\":\"carbon_black_cloud.alert.reason_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Reason Codes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json deleted file mode 100755 index 85bf297c56..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Parent Process Usernames", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Usernames\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 2ad0964cbb..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Request URLs", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"URL\",\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Request URLs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index cb945df49b..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Kill Chain Status\",\"field\":\"carbon_black_cloud.alert.kill_chain_status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\
",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index fc1c6812f0..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Process Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Name\",\"field\":\"process.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\
":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Process Name\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 3c04444ca9..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Device External IP", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.endpoint_event.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device External IP\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index a79db35e93..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Alert Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"carbon_black_cloud.alert.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Alert Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index d3f393c0d5..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Actor Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Actor Name\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json deleted file mode 100755 index 84fedf340e..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Top 10 Process Username", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Username\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 1c30c4f320..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Policy Applied", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Applied\",\"field\":\"carbon_black_cloud.alert.policy.applied\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Policy Applied\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json deleted file mode 100755 index 4a17555983..0000000000 --- a/packages/carbon_black_cloud/1.0.1/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" - }, - "title": "[Carbon Black Cloud] Distribution of Alerts by Target Value", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Value\",\"field\":\"carbon_black_cloud.alert.target_value\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Target Value\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.1/manifest.yml b/packages/carbon_black_cloud/1.0.1/manifest.yml deleted file mode 100755 index f7ae5c76f0..0000000000 
--- a/packages/carbon_black_cloud/1.0.1/manifest.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -format_version: 1.0.0 -name: carbon_black_cloud -title: VMware Carbon Black Cloud -version: 1.0.1 -license: basic -description: Collect logs from VMWare Carbon Black Cloud with Elastic Agent. -type: integration -categories: - - security -release: ga -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -screenshots: - - src: /img/carbon_black_cloud-screenshot.png - title: Carbon Black Cloud alert dashboard screenshot - size: 600x600 - type: image/png -icons: - - src: /img/carbon_black_cloud-logo.svg - title: Carbon Black Cloud logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: carbon_black_cloud - title: Carbon Black Cloud - description: Collect Logs from Carbon Black Cloud - inputs: - - type: httpjson - title: Collect Carbon Black Cloud logs via API - description: Collect Carbon Black Cloud logs via API - vars: - - name: hostname - type: text - title: Hostname - description: Carbon Black Cloud console Hostname. Find hostname in the console dashboard at the beginning of the web address (Add https:// before the hostname). - required: true - - name: org_key - type: text - title: Organization Key - description: Organization Key. - required: true - - name: custom_api_id - type: text - title: Custom API ID - description: API ID with Custom Access Level type. - required: true - - name: custom_api_secret_key - type: password - title: Custom API Secret Key - description: API Secret Key with Custom Access Level type - required: true - - name: api_id - type: text - title: API ID - description: API ID with API Access Level type. - required: true - - name: api_secret_key - type: password - title: API Secret Key - description: API Secret Key with API Access Level type - required: true - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. 
- - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. - multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - - type: aws-s3 - title: Collect Carbon Black Cloud logs via AWS S3 - description: Collect Carbon Black Cloud logs via AWS S3 - vars: - - name: bucket_arn - type: text - title: Bucket ARN - multi: false - required: true - show_user: true - - name: access_key_id - type: password - title: Access Key ID - multi: false - required: true - show_user: true - - name: secret_access_key - type: password - title: Secret Access Key - multi: false - required: true - show_user: true - - name: number_of_workers - type: integer - title: Number of Workers - multi: false - 
required: false - show_user: false - default: 5 - description: Number of workers that will process the S3 objects listed. - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. -owner: - github: elastic/security-external-integrations diff --git a/packages/cisco_umbrella/1.0.0/changelog.yml b/packages/cisco_umbrella/1.0.0/changelog.yml deleted file mode 100755 index 7896c19512..0000000000 --- a/packages/cisco_umbrella/1.0.0/changelog.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -# newer versions go on top -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.7.0" - changes: - - description: Add Audit Logs - type: enhancement - link: https://github.com/elastic/integrations/pull/3332 -- version: "0.6.1" - changes: - - description: Fix use of destination.ip instead of source.nat.ip in DNS logs - type: bugfix - link: https://github.com/elastic/integrations/pull/3218 -- version: "0.6.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2778 -- version: "0.5.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.5.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2396 -- version: "0.4.0" - changes: - - description: Update config to support Cisco Managed S3 - type: bugfix - link: https://github.com/elastic/integrations/pull/2462 -- version: "0.3.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "0.3.1" - changes: - - description: Change test public IPs to the supported subset - type: bugfix - link: https://github.com/elastic/integrations/pull/2327 -- version: "0.3.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2269 -- version: "0.2.2" - changes: - - description: Update Title and Description. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1959 -- version: "0.2.1" - changes: - - description: Fix logic that checks for the 'forwarded' tag - type: bugfix - link: https://github.com/elastic/integrations/pull/1810 -- version: "0.2.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1787 -- version: "0.1.0" - changes: - - description: Initial migration from Filebeat Module - type: enhancement - link: https://github.com/elastic/integrations/pull/1646 diff --git a/packages/cisco_umbrella/1.0.0/data_stream/log/agent/stream/aws-s3.yml.hbs b/packages/cisco_umbrella/1.0.0/data_stream/log/agent/stream/aws-s3.yml.hbs deleted file mode 100755 index 13c48cb366..0000000000 --- a/packages/cisco_umbrella/1.0.0/data_stream/log/agent/stream/aws-s3.yml.hbs +++ /dev/null 
@@ -1,70 +0,0 @@ -{{#if queue_url}} -queue_url: {{queue_url}} -{{/if}} -{{#if bucket_arn}} -bucket_arn: {{bucket_arn}} -{{/if}} -{{#if bucket_list_prefix}} -bucket_list_prefix: {{bucket_list_prefix}}/ -{{/if}} -{{#if bucket_list_prefix}} -file_selectors: - - regex: {{bucket_list_prefix}}/dnslogs/.+ - - regex: {{bucket_list_prefix}}/proxylogs/.+ - - regex: {{bucket_list_prefix}}/cloudfirewalllogs/.+ - - regex: {{bucket_list_prefix}}/iplogs/.+ - - regex: {{bucket_list_prefix}}/auditlogs/.+ -{{/if}} -{{#if region}} -default_region: {{region}} -{{/if}} -{{#if credential_profile_name}} -credential_profile_name: {{credential_profile_name}} -{{/if}} -{{#if shared_credential_file}} -shared_credential_file: {{shared_credential_file}} -{{/if}} -{{#if visibility_timeout}} -visibility_timeout: {{visibility_timeout}} -{{/if}} -{{#if api_timeout}} -api_timeout: {{api_timeout}} -{{/if}} -{{#if endpoint}} -endpoint: {{endpoint}} -{{/if}} -{{#if access_key_id}} -access_key_id: {{access_key_id}} -{{/if}} -{{#if secret_access_key}} -secret_access_key: {{secret_access_key}} -{{/if}} -{{#if session_token}} -session_token: {{session_token}} -{{/if}} -{{#if role_arn}} -role_arn: {{role_arn}} -{{/if}} -{{#if fips_enabled}} -fips_enabled: {{fips_enabled}} -{{/if}} -{{#if number_of_workers}} -number_of_workers: {{number_of_workers}} -{{/if}} -{{#if bucket_list_interval}} -bucket_list_interval: {{bucket_list_interval}} -{{/if}} -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/cisco_umbrella/1.0.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_umbrella/1.0.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index cadb340add..0000000000 
--- a/packages/cisco_umbrella/1.0.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,423 +0,0 @@ ---- -description: Pipeline for Cisco Umbrella - -processors: - - set: - field: ecs.version - value: "8.2.0" - - set: - field: observer.vendor - value: Cisco - - set: - field: observer.product - value: Umbrella - - rename: - field: message - target_field: event.original - ############ - # DNS Logs # - ############ - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - user.name - - cisco.umbrella.identities - - source.address - - source.nat.ip - - cisco.umbrella.action - - dns.question.type - - dns.response_code - - dns.question.name - - cisco.umbrella.categories - - cisco.umbrella.policy_identity_type - - cisco.umbrella.identity_types - - cisco.umbrella.blocked_categories - if: ctx?.log?.file?.path.contains('dnslogs') - - - set: - field: observer.type - value: dns - if: ctx?.log?.file?.path.contains('dnslogs') - ########### - # IP Logs # - ########### - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - user.name - - source.address - - source.port - - destination.address - - destination.port - - cisco.umbrella.categories - if: ctx?.log?.file?.path.contains('iplogs') - - - set: - field: observer.type - value: firewall - if: ctx?.log?.file?.path.contains('iplogs') - - ############## - # Proxy Logs # - ############## - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - cisco.umbrella.computer_name - - cisco.umbrella.identities - - source.address - - source.nat.ip - - destination.address - - cisco.umbrella.content_type - - cisco.umbrella.verdict - - url.full - - http.request.referrer - - user_agent.original - - http.response.status_code - - http.request.bytes - - http.response.bytes - - http.response.body.bytes - - cisco.umbrella.sha_sha256 - - cisco.umbrella.categories - - cisco.umbrella.av_detections - - cisco.umbrella.puas - - cisco.umbrella.amp_disposition - - cisco.umbrella.amp_malware_name - - cisco.umbrella.amp_score - - cisco.umbrella.identity_types - - 
cisco.umbrella.blocked_categories - - cisco.umbrella.identity_types - - cisco.umbrella.request_method - - cisco.umbrella.dlp_status - - cisco.umbrella.certificate_errors - - cisco.umbrella.file_name - - cisco.umbrella.ruleset_id - - cisco.umbrella.rule_id - - cisco.umbrella.destination_lists_id - if: ctx?.log?.file?.path.contains('proxylogs') - - - set: - field: observer.type - value: proxy - if: ctx?.log?.file?.path.contains('proxylogs') - - ####################### - # Cloud Firewall Logs # - ####################### - - csv: - field: event.original - target_fields: - - cisco.umbrella._tmp.time - - cisco.umbrella.origin_id - - user.name - - cisco.umbrella.identity_types - - cisco.umbrella.direction - - network.transport - - source.bytes - - source.address - - source.port - - destination.address - - destination.port - - cisco.umbrella.datacenter - - cisco.umbrella.ruleid - - cisco.umbrella.verdict - if: ctx?.log?.file?.path.contains('cloudfirewalllogs') - - - set: - field: observer.type - value: firewall - if: ctx?.log?.file?.path.contains('cloudfirewalllogs') - - ####################### - # Audit Logs # - ####################### - - csv: - field: event.original - target_fields: - - event.id - - cisco.umbrella._tmp.time - - user.email - - user.name - - cisco.umbrella.audit.type - - event.action - - source.address - - cisco.umbrella.audit.before - - cisco.umbrella.audit.after - if: ctx?.log?.file?.path.contains('auditlogs') - - - uri_parts: - field: url.full - ignore_failure: true - if: ctx?.url?.full != null - - # Identifies is a field that includes any sort of username, device or other asset that is included in the request. 
- # Converting this to an array to make it easier to use in searches and visualizations - - split: - field: cisco.umbrella.identities - separator: "," - preserve_trailing: false - if: "ctx?.log?.file?.path.contains('dnslogs') && ctx?.cisco?.umbrella?.identities != null" - - - split: - field: cisco.umbrella.categories - separator: "," - preserve_trailing: false - if: "ctx?.log?.file?.path.contains('dnslogs') && ctx?.cisco?.umbrella?.categories != null" - - split: - field: cisco.umbrella.blocked_categories - separator: "," - preserve_trailing: false - if: "ctx?.log?.file?.path.contains('dnslogs') && ctx?.cisco?.umbrella?.blocked_categories != null" - ###################### - # General ECS Fields # - ###################### - # This field is always in UTC, so no timezone should need to be set - - date: - field: cisco.umbrella._tmp.time - target_field: "@timestamp" - formats: - - "yyyy-MM-dd HH:mm:ss" - - ISO8601 - if: ctx?.cisco?.umbrella?._tmp?.time != null - ################## - # DNS ECS Fields # - ################## - - set: - field: dns.type - value: query - if: ctx?.cisco?.umbrella?.action != null - ###################### - # Network ECS Fields # - ###################### - - lowercase: - field: cisco.umbrella.direction - target_field: network.direction - if: ctx?.cisco?.umbrella?.direction != null - - convert: - field: source.bytes - type: long - if: ctx?.source?.bytes != null - - convert: - field: source.port - type: long - if: ctx?.source?.port != null - - convert: - field: destination.port - type: long - if: ctx?.destination?.port != null - ################### - # HTTP ECS Fields # - ################### - - convert: - field: http.request.bytes - type: long - if: ctx?.http?.request?.bytes != null - - convert: - field: http.response.bytes - type: long - if: ctx?.http?.response?.bytes != null - - convert: - field: http.response.status_code - type: long - if: ctx?.http?.response?.status_code != null - ################### - # Rule ECS Fields # - ################### 
- - rename: - field: cisco.umbrella.ruleid - target_field: rule.id - if: ctx?.cisco?.umbrella?.ruleid != null - - #################### - # Event ECS Fields # - #################### - - set: - field: event.action - value: "dns-request-{{cisco.umbrella.action}}" - if: ctx?.cisco?.umbrella?.action != null - - set: - field: event.category - value: network - if: "!ctx?.log?.file?.path.contains('auditlogs')" - - append: - field: event.type - value: allowed - if: "ctx?.cisco?.umbrella?.action == 'Allowed' || ['ALLOWED','ALLOW'].contains(ctx?.cisco?.umbrella?.verdict)" - - append: - field: event.type - value: denied - if: "ctx?.cisco?.umbrella?.action == 'Blocked' || ['BLOCKED','BLOCK'].contains(ctx?.cisco?.umbrella?.verdict)" - - append: - field: event.type - value: connection - if: ctx?.cisco?.umbrella?.action != null - - set: - field: event.category - value: configuration - if: "ctx?.log?.file?.path.contains('auditlogs')" - - append: - field: event.type - value: creation - if: "ctx?.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'create'" - - append: - field: event.type - value: change - if: "ctx?.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'update'" - - append: - field: event.type - value: deletion - if: "ctx?.log?.file?.path.contains('auditlogs') && ctx.event?.action.toLowerCase() == 'delete'" - # Converting address fields to either ip or domain - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - on_failure: - - set: - copy_from: source.address - field: source.domain - override: true - - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - on_failure: - - set: - field: destination.domain - copy_from: destination.address - override: true - - # For nat, there's no address or domain subfield. - # If the value is not a valid IP, it must be removed - # or ingestion will fail. Probably just an empty value. 
- - convert: - field: source.nat.ip - type: ip - ignore_missing: true - on_failure: - - remove: - field: source.nat.ip - - - community_id: - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - ###################### - # Related ECS Fields # - ###################### - - append: - field: related.user - value: "{{user.name}}" - if: ctx?.source?.user?.name != null - - append: - field: related.ip - value: "{{source.ip}}" - if: ctx?.source?.ip != null - - append: - field: related.ip - value: "{{source.nat.ip}}" - if: ctx?.source?.nat?.ip != null - - append: - field: related.ip - value: "{{destination.ip}}" - if: ctx?.destination?.ip != null - - append: - field: related.hosts - value: "{{source.domain}}" - if: ctx?.source?.domain != null - - append: - field: related.hosts - value: "{{dns.question.name}}" - if: ctx?.dns?.question?.name != null - - append: - field: related.hash - value: "{{cisco.umbrella.sha_sha256}}" - if: ctx?.cisco?.umbrella?.sha_sha256 != null - - script: - if: ctx?.cisco?.umbrella?.identities != null && ctx.cisco.umbrella.identities instanceof List - lang: painless - 
description: "Extract user name values from ctx.cisco.umbrella.identities and append it to related.user" - source: |- - void addRelatedUser(def ctx, def x) { - if (ctx?.related == null) { - Map map = new HashMap(); - ctx.put("related", map); - } - if (ctx?.related?.user == null) { - ArrayList al = new ArrayList(); - ctx.related.put("user", al); - } - if (!ctx.related.user.contains(x)) { - ctx.related.user.add(x); - } - } - for (cisco_identity in ctx.cisco.umbrella.identities) { - if (cisco_identity.contains('@')) { - addRelatedUser(ctx, cisco_identity); - } - } - - ########### - # Cleanup # - ########### - - remove: - field: - - cisco.umbrella._tmp - - cisco.umbrella.direction - - cisco.umbrella.action - - cisco.umbrella.verdict - ignore_missing: true - - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco_umbrella/1.0.0/data_stream/log/fields/agent.yml b/packages/cisco_umbrella/1.0.0/data_stream/log/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/cisco_umbrella/1.0.0/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/cisco_umbrella/1.0.0/data_stream/log/fields/base-fields.yml b/packages/cisco_umbrella/1.0.0/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 1fb9b67d57..0000000000 --- a/packages/cisco_umbrella/1.0.0/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: cisco_umbrella -- name: event.dataset - type: constant_keyword - description: Event dataset - value: cisco_umbrella.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword diff --git a/packages/cisco_umbrella/1.0.0/data_stream/log/fields/ecs.yml b/packages/cisco_umbrella/1.0.0/data_stream/log/fields/ecs.yml deleted file mode 100755 index fbb3a4deb7..0000000000 --- a/packages/cisco_umbrella/1.0.0/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,406 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: |- - The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: client.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: client.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: client.top_level_domain - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. - name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
- name: host.name - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. 
- name: source.nat.port - type: long -- description: Port of the source. - name: source.port - type: long -- description: |- - The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: source.registered_domain - type: keyword -- description: |- - The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: source.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: source.top_level_domain - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Name of the directory the user is a member of. 
- For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. - name: log.file.path - type: keyword diff --git a/packages/cisco_umbrella/1.0.0/data_stream/log/fields/fields.yml b/packages/cisco_umbrella/1.0.0/data_stream/log/fields/fields.yml deleted file mode 100755 index 930527b81d..0000000000 --- a/packages/cisco_umbrella/1.0.0/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,108 +0,0 @@ -- name: cisco.umbrella - type: group - description: > - Fields for Cisco Umbrella. - - fields: - - name: identities - type: keyword - description: > - An array of the different identities related to the event. - - - name: computer_name - type: keyword - description: > - The computer name related to the event. - - - name: categories - type: keyword - description: > - The security or content categories that the destination matches. - - - name: policy_identity_type - type: keyword - description: > - The first identity type matched with this request. Available in version 3 and above. - - - name: identity_types - type: keyword - description: > - The type of identity that made the request. For example, Roaming Computer or Network. - - - name: blocked_categories - type: keyword - description: > - The categories that resulted in the destination being blocked. Available in version 4 and above. - - - name: content_type - type: keyword - description: > - The type of web content, typically text/html. - - - name: sha_sha256 - type: keyword - description: > - Hex digest of the response content. - - - name: av_detections - type: keyword - description: > - The detection name according to the antivirus engine used in file inspection. - - - name: puas - type: keyword - description: > - A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. - - - name: amp_disposition - type: keyword - description: > - The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. - - - name: amp_malware_name - type: keyword - description: > - If Malicious, the name of the malware according to AMP. - - - name: amp_score - type: keyword - description: > - The score of the malware from AMP. This field is not currently used and will be blank. 
- - - name: datacenter - type: keyword - description: > - The name of the Umbrella Data Center that processed the user-generated traffic. - - - name: origin_id - type: keyword - description: > - The unique identity of the network tunnel. - - - name: identities - type: keyword - - name: identity_types - type: keyword - - name: request_method - type: keyword - - name: dlp_status - type: keyword - - name: certificate_errors - type: keyword - - name: file_name - type: keyword - - name: ruleset_id - type: keyword - - name: rule_id - type: keyword - - name: destination_lists_id - type: keyword - - name: audit.type - type: keyword - description: Where the change was made, such as settings or a policy. - - name: audit.before - type: keyword - description: The policy or setting before the change was made. - - name: audit.after - type: keyword - description: The policy or setting after the change was made. diff --git a/packages/cisco_umbrella/1.0.0/data_stream/log/manifest.yml b/packages/cisco_umbrella/1.0.0/data_stream/log/manifest.yml deleted file mode 100755 index 9908a895a4..0000000000 --- a/packages/cisco_umbrella/1.0.0/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,148 +0,0 @@ -title: Cisco Umbrella logs -release: experimental -type: logs -streams: - - input: aws-s3 - enabled: false - title: Cisco Umbrella logs - description: Collect Cisco Umbrella logs - template_path: aws-s3.yml.hbs - vars: - - name: queue_url - type: text - title: Queue URL - multi: false - required: false - show_user: true - description: URL of the AWS SQS queue that messages will be received from. For Cisco Managed S3 buckets or S3 without SQS, use Bucket ARN. - - name: bucket_arn - type: text - title: Bucket ARN - multi: false - required: false - show_user: true - description: >- - Required for Cisco Managed S3. If the S3 bucket does not use SQS, this is the address for the S3 bucket, one example is `arn:aws:s3:::cisco-managed-eu-central-1` For a list of Cisco Managed buckets, please see https://docs.umbrella.com/mssp-deployment/docs/enable-logging-to-a-cisco-managed-s3-bucket. - - name: region - type: text - title: Bucket Region - multi: false - required: false - show_user: true - description: >- - Required for Cisco Managed S3. The region the bucket is located in. - - name: bucket_list_prefix - type: text - title: Bucket List Prefix - multi: false - required: false - show_user: true - description: >- - Required for Cisco Managed S3. This sets the root folder of the S3 bucket that should be monitored, found in the S3 Web UI. Example value: `1235_654vcasd23431e5dd6f7fsad457sdf1fd5`. Forward slash at the end required for Cisco Managed S3. - - name: number_of_workers - type: text - title: Number of Workers - multi: false - required: false - show_user: true - default: 1 - description: Required for Cisco Managed S3. Number of workers that will process the S3 objects listed. Minimum is 1. - - name: bucket_list_interval - type: text - title: Bucket List Interval - multi: false - required: false - show_user: true - description: Time interval for polling listing of the S3 bucket. Defaults to 120s. 
- - name: shared_credential_file - type: text - title: Shared Credential File - multi: false - required: false - show_user: false - description: Directory of the shared credentials file. - - name: credential_profile_name - type: text - title: Credential Profile Name - multi: false - required: false - show_user: false - - name: access_key_id - type: text - title: Access Key ID - multi: false - required: false - show_user: true - - name: secret_access_key - type: text - title: Secret Access Key - multi: false - required: false - show_user: true - - name: session_token - type: text - title: Session Token - multi: false - required: false - show_user: true - - name: role_arn - type: text - title: Role ARN - multi: false - required: false - show_user: false - - name: endpoint - type: text - title: Endpoint - multi: false - required: false - show_user: false - default: "amazonaws.com" - description: URL of the entry point for an AWS web service. - - name: visibility_timeout - type: text - title: Visibility Timeout - multi: false - required: false - show_user: false - description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. - - name: api_timeout - type: text - title: API Timeout - multi: false - required: false - show_user: false - description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: fips_enabled - type: bool - title: Enable S3 FIPS - default: false - multi: false - required: false - show_user: false - description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. 
- - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - cisco-umbrella - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco_umbrella/1.0.0/data_stream/log/sample_event.json b/packages/cisco_umbrella/1.0.0/data_stream/log/sample_event.json deleted file mode 100755 index f2356b0269..0000000000 --- a/packages/cisco_umbrella/1.0.0/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "address": "8.8.8.8", - "ip": "8.8.8.8" - }, - "source": { - "nat": { - "ip": "1.1.1.1" - }, - "address": "192.168.1.1", - "ip": "192.168.1.1" - }, - "url": { - "path": "/blog/ext_id=Anyclip", - "original": "https://elastic.co/blog/ext_id=Anyclip", - "scheme": "https", - "domain": "elastic.co", - "full": "https://elastic.co/blog/ext_id=Anyclip" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "type": "proxy", - "product": "Umbrella", - "vendor": "Cisco" - }, - "@timestamp": "2020-07-23T23:48:56.000Z", - "ecs": { - "version": "8.2.0" - }, - "related": { - "hash": [ - "" - ], - "ip": [ - "192.168.1.1", - "1.1.1.1", - "8.8.8.8" - ] - }, - "http": { - "request": { - "referrer": "https://google.com/elastic", - "bytes": 850 - }, - "response": { - "status_code": 200 - } - }, - "event": { - "ingested": "2021-09-13T00:16:24.480432923Z", - "original": "\"2020-07-23 23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", - "category": "network", - "type": [ - "allowed" - ] - }, - "cisco": { - "umbrella": { - "amp_score": "", - "puas": "Malicious", - "identities": [ - "someotheruser" - ], - "content_type": "", - "identity_types": "Roaming Computers", - "blocked_categories": "", - "sha_sha256": "", - "amp_disposition": "MalwareName", - "categories": "Business Services", - "av_detections": 
"AVDetectionName", - "amp_malware_name": "" - } - }, - "user": { - "name": "elasticuser" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36" - } -} \ No newline at end of file diff --git a/packages/cisco_umbrella/1.0.0/docs/README.md b/packages/cisco_umbrella/1.0.0/docs/README.md deleted file mode 100755 index 10abae0590..0000000000 --- a/packages/cisco_umbrella/1.0.0/docs/README.md +++ /dev/null 
@@ -1,276 +0,0 @@ -# Cisco Umbrella Integration - -This integration is for Cisco Umbrella . It includes the following -datasets for receiving logs from an AWS S3 bucket using an SQS notification queue and Cisco Managed S3 bucket without SQS: - -- `log` dataset: supports Cisco Umbrella logs. - -## Logs - -### Umbrella - -When using Cisco Managed S3 buckets that does not use SQS there is no load balancing possibilities for multiple agents, a single agent should be configured to poll the S3 bucket for new and updated files, and the number of workers can be configured to scale vertically. - -The `log` dataset collects Cisco Umbrella logs. - -An example event for `log` looks as following: - -```json -{ - "destination": { - "geo": { - "continent_name": "North America", - "country_name": "United States", - "location": { - "lon": -97.822, - "lat": 37.751 - }, - "country_iso_code": "US" - }, - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "address": "8.8.8.8", - "ip": "8.8.8.8" - }, - "source": { - "nat": { - "ip": "1.1.1.1" - }, - "address": "192.168.1.1", - "ip": "192.168.1.1" - }, - "url": { - "path": "/blog/ext_id=Anyclip", - "original": "https://elastic.co/blog/ext_id=Anyclip", - "scheme": "https", - "domain": "elastic.co", - "full": "https://elastic.co/blog/ext_id=Anyclip" - }, - "tags": [ - "preserve_original_event" - ], - "observer": { - "type": "proxy", - "product": "Umbrella", - "vendor": "Cisco" - }, - "@timestamp": "2020-07-23T23:48:56.000Z", - "ecs": { - "version": "8.2.0" - }, - "related": { - "hash": [ - "" - ], - "ip": [ - "192.168.1.1", - "1.1.1.1", - "8.8.8.8" - ] - }, - "http": { - "request": { - "referrer": "https://google.com/elastic", - "bytes": 850 - }, - "response": { - "status_code": 200 - } - }, - "event": { - "ingested": "2021-09-13T00:16:24.480432923Z", - "original": "\"2020-07-23 
23:48:56\",\"elasticuser\",\"someotheruser\",\"192.168.1.1\",\"1.1.1.1\",\"8.8.8.8\",\"\",\"ALLOWED\",\"https://elastic.co/blog/ext_id=Anyclip\",\"https://google.com/elastic\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36\",\"200\",\"850\",\"\",\"\",\"\",\"Business Services\",\"AVDetectionName\",\"Malicious\",\"MalwareName\",\"\",\"\",\"Roaming Computers\",\"\"", - "category": "network", - "type": [ - "allowed" - ] - }, - "cisco": { - "umbrella": { - "amp_score": "", - "puas": "Malicious", - "identities": [ - "someotheruser" - ], - "content_type": "", - "identity_types": "Roaming Computers", - "blocked_categories": "", - "sha_sha256": "", - "amp_disposition": "MalwareName", - "categories": "Business Services", - "av_detections": "AVDetectionName", - "amp_malware_name": "" - } - }, - "user": { - "name": "elasticuser" - }, - "user_agent": { - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| cisco.umbrella.amp_disposition | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. | keyword | -| cisco.umbrella.amp_malware_name | If Malicious, the name of the malware according to AMP. | keyword | -| cisco.umbrella.amp_score | The score of the malware from AMP. This field is not currently used and will be blank. 
| keyword | -| cisco.umbrella.audit.after | The policy or setting after the change was made. | keyword | -| cisco.umbrella.audit.before | The policy or setting before the change was made. | keyword | -| cisco.umbrella.audit.type | Where the change was made, such as settings or a policy. | keyword | -| cisco.umbrella.av_detections | The detection name according to the antivirus engine used in file inspection. | keyword | -| cisco.umbrella.blocked_categories | The categories that resulted in the destination being blocked. Available in version 4 and above. | keyword | -| cisco.umbrella.categories | The security or content categories that the destination matches. | keyword | -| cisco.umbrella.certificate_errors | | keyword | -| cisco.umbrella.computer_name | The computer name related to the event. | keyword | -| cisco.umbrella.content_type | The type of web content, typically text/html. | keyword | -| cisco.umbrella.datacenter | The name of the Umbrella Data Center that processed the user-generated traffic. | keyword | -| cisco.umbrella.destination_lists_id | | keyword | -| cisco.umbrella.dlp_status | | keyword | -| cisco.umbrella.file_name | | keyword | -| cisco.umbrella.identities | | keyword | -| cisco.umbrella.identity_types | | keyword | -| cisco.umbrella.origin_id | The unique identity of the network tunnel. | keyword | -| cisco.umbrella.policy_identity_type | The first identity type matched with this request. Available in version 3 and above. | keyword | -| cisco.umbrella.puas | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. | keyword | -| cisco.umbrella.request_method | | keyword | -| cisco.umbrella.rule_id | | keyword | -| cisco.umbrella.ruleset_id | | keyword | -| cisco.umbrella.sha_sha256 | Hex digest of the response content. | keyword | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | -| client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. 
| keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. 
| keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.status_code | HTTP response status code. | long | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. 
If the event wasn't read from a log file, do not populate this field. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | -| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". 
| wildcard | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - diff --git a/packages/cisco_umbrella/1.0.0/img/cisco.svg b/packages/cisco_umbrella/1.0.0/img/cisco.svg deleted file mode 100755 index 20ebebf197..0000000000 --- a/packages/cisco_umbrella/1.0.0/img/cisco.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/cisco_umbrella/1.0.0/manifest.yml b/packages/cisco_umbrella/1.0.0/manifest.yml deleted file mode 100755 index 3a7ccb1531..0000000000 --- a/packages/cisco_umbrella/1.0.0/manifest.yml +++ /dev/null 
@@ -1,28 +0,0 @@
-format_version: 1.0.0
-name: cisco_umbrella
-title: Cisco Umbrella
-version: 1.0.0
-license: basic
-description: Collect logs from Cisco Umbrella with Elastic Agent.
-type: integration
-categories:
- - network
- - security
-release: ga
-conditions:
- kibana.version: "^8.0.0"
-icons:
- - src: /img/cisco.svg
- title: cisco
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: cisco_umbrella
- title: Cisco Umbrella logs
- description: Collect logs from Cisco Umbrella instances
- inputs:
- - type: aws-s3
- title: Collect logs from Cisco Umbrella
- description: Collecting logs from Cisco Umbrella
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/github/1.0.0/changelog.yml b/packages/github/1.0.0/changelog.yml
deleted file mode 100755
index 1bceef1bb0..0000000000
--- a/packages/github/1.0.0/changelog.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-# newer versions go on top
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: "0.4.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2779
-- version: "0.3.4"
- changes:
- - description: Fix typo in config template for ignoring host enrichment
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3092
-- version: "0.3.3"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.3.2"
- changes:
- - description: Fix date format used in queries.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2732
-- version: "0.3.1"
- changes:
- - description: Resolve invalid query operator
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2664
-- version: "0.3.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2407
-- version: "0.2.2"
- changes:
- - description: Removes saved search used for testing
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2554
-- version: "0.2.1"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "0.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2259
-- version: "0.1.1"
- changes:
- - description: Update Title and Description.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1997
-- version: "0.1.0"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/1760
diff --git a/packages/github/1.0.0/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/github/1.0.0/data_stream/audit/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 9dbed92e60..0000000000
--- a/packages/github/1.0.0/data_stream/audit/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,69 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "GET" -request.url: {{api_url}}/orgs/{{organization}}/audit-log -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -{{#if http_client_timeout}} -request.timeout: {{http_client_timeout}} -{{/if}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} - -{{!-- https://github.community/t/new-feature-audit-log-rest-api-check-it-out/161512 --}} -request.transforms: - - set: - target: header.Authorization - value: "Bearer {{access_token}}" - - set: - target: header.Accept - value: "application/vnd.github.v3+json" - - set: - target: url.params.phrase - value: '[[sprintf "created:>=%s" (formatDate .cursor.last_timestamp "2006-01-02T15:04:05-07:00")]]' - default: '[[sprintf "created:>=%s" (formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05-07:00")]]' - - set: - target: url.params.per_page - value: 100 - - set: - target: url.params.include - value: all - - set: - target: url.params.order - value: asc - -request.rate_limit.limit: '[[ .last_response.header.Get "X-RateLimit-Limit" ]]' -request.rate_limit.reset: '[[ .last_response.header.Get "X-RateLimit-Reset" ]]' -request.rate_limit.remaining: '[[ .last_response.header.Get "X-RateLimit-Remaining" ]]' - -response.pagination: - - set: - target: url.value - value: '[[ getRFC5988Link "next" .last_response.header.Link ]]' - fail_on_template_error: true - -cursor: - last_timestamp: - value: '[[ .last_event.created_at ]]' - -{{#if tags.length}} -tags: -{{else if preserve_original_event}} -tags: -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file 
diff --git a/packages/github/1.0.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/github/1.0.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index c75e40eef0..0000000000 --- a/packages/github/1.0.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,155 +0,0 @@ ---- -description: Pipeline for parsing GitHub audit logs -processors: -- set: - field: event.kind - value: event -- set: - field: ecs.version - value: "8.2.0" -- append: - field: event.type - value: access -- append: - field: event.category - value: web -- append: - field: event.category - value: iam -- rename: - field: message - target_field: event.original - ignore_missing: true -- json: - field: event.original - target_field: json -- fingerprint: - fields: - - json._document_id - target_field: "_id" - ignore_missing: true -- date: - field: json.created_at - formats: - - UNIX_MS - timezone: UTC - target_field: "@timestamp" -- rename: - field: json._document_id - target_field: event.id - ignore_missing: true -- rename: - field: json.action - target_field: event.action - ignore_missing: true -- rename: - field: json.actor - target_field: user.name - ignore_missing: true -- append: - field: related.user - value: "{{user.name}}" - if: ctx.user?.name != null -- rename: - field: json.org - target_field: github.org - ignore_missing: true -- rename: - field: json.user - target_field: user.target.name - ignore_missing: true -- append: - field: related.user - value: "{{user.target.name}}" - if: ctx.user?.target?.name != null -- rename: - field: json.repo - target_field: github.repo - ignore_missing: true -- rename: - field: json.team - target_field: github.team - ignore_missing: true -- rename: - field: json.data.team - target_field: github.team - ignore_missing: true - if: ctx.github?.team == null -- set: - field: group.name - copy_from: github.team - ignore_empty_value: true - if: ctx.event?.action.startsWith("team.") -- set: - field: user.target.group.name - copy_from: github.team - ignore_empty_value: true - if: ctx.event?.action.startsWith("team.") && ctx.user?.target?.name != null -- set: - field: group.name - copy_from: github.org - ignore_empty_value: true - if: ctx.event?.action.startsWith("org.") -- set: - field: user.target.group.name - 
copy_from: github.org - ignore_empty_value: true - if: ctx.event?.action.startsWith("org.") && ctx.user?.target?.name != null -- rename: - field: json.data.old_user - target_field: user.target.group.name - ignore_missing: true -- rename: - field: json.data.old_user - target_field: user.target.group.name - ignore_missing: true - if: ctx.user?.target?.group?.name == null -- rename: - field: json.actor_location.country_code - target_field: client.geo.country_iso_code - ignore_missing: true -- grok: - field: event.action - ignore_missing: true - patterns: - - '^%{GH_CAT:github.category}\.%{GREEDYDATA}' - pattern_definitions: - GH_CAT: '[a-z_]+' -- remove: - field: - - json - ignore_missing: true -- remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/github/1.0.0/data_stream/audit/fields/agent.yml b/packages/github/1.0.0/data_stream/audit/fields/agent.yml deleted file mode 100755 index 4d9a6f7b36..0000000000 --- a/packages/github/1.0.0/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/github/1.0.0/data_stream/audit/fields/base-fields.yml b/packages/github/1.0.0/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index f087bfee14..0000000000 --- a/packages/github/1.0.0/data_stream/audit/fields/base-fields.yml +++ /dev/null 
@@ -1,23 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: github
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: github.audit
-- name: "@timestamp"
- type: date
- description: Event timestamp.
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
diff --git a/packages/github/1.0.0/data_stream/audit/fields/ecs.yml b/packages/github/1.0.0/data_stream/audit/fields/ecs.yml
deleted file mode 100755
index 089f10244c..0000000000
--- a/packages/github/1.0.0/data_stream/audit/fields/ecs.yml
+++ /dev/null
@@ -1,88 +0,0 @@ -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: Name of the group. - name: user.target.group.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword diff --git a/packages/github/1.0.0/data_stream/audit/fields/fields.yml b/packages/github/1.0.0/data_stream/audit/fields/fields.yml deleted file mode 100755 index 59930fc9dc..0000000000 --- a/packages/github/1.0.0/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,17 +0,0 @@
-- name: github.org
- type: keyword
- description: >
- GitHub organization name
-
-- name: github.team
- type: keyword
- description: >-
- GitHub team name
-- name: github.repo
- type: keyword
- description: >-
- GitHub repository name
-- name: github.category
- type: keyword
- description: >-
- GitHub action category
diff --git a/packages/github/1.0.0/data_stream/audit/manifest.yml b/packages/github/1.0.0/data_stream/audit/manifest.yml
deleted file mode 100755
index fd72fb7ea5..0000000000
--- a/packages/github/1.0.0/data_stream/audit/manifest.yml
+++ /dev/null
@@ -1,91 +0,0 @@
-type: logs
-title: GitHub Audit Logs
-release: experimental
-streams:
- - input: httpjson
- vars:
- - name: access_token
- type: text
- title: Personal Access Token
- description: the GitHub Personal Access Token. Requires the 'admin:org' scope
- multi: false
- required: true
- show_user: true
- - name: organization
- type: text
- title: Organization Name
- description: The GitHub organization name/ID
- multi: false
- required: true
- show_user: true
- - name: http_client_timeout
- type: text
- title: HTTP Client Timeout
- multi: false
- required: false
- show_user: true
- default: 60s
- - name: interval
- type: text
- title: Interval
- multi: false
- required: true
- show_user: true
- description: Interval at which the logs will be pulled. The value must be between 2m and 1h.
- default: 1h
- - name: initial_interval
- type: text
- title: Initial Interval
- multi: false
- required: true
- show_user: true
- default: 730h # 30 days
- description: Initial interval to poll for events. Default is 730 hours (30 days).
- - name: api_url
- type: text
- title: API URL.
- description: The API URL without the path.
- multi: false
- required: true
- show_user: false
- default: https://api.github.com
- - name: ssl
- type: yaml
- title: SSL
- multi: false
- required: false
- show_user: false
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - forwarded
- - github-audit
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
- template_path: httpjson.yml.hbs
- title: GitHub audit logs
- description: Collect GitHub audit logs via the API
diff --git a/packages/github/1.0.0/data_stream/audit/sample_event.json b/packages/github/1.0.0/data_stream/audit/sample_event.json
deleted file mode 100755
index 04e6483361..0000000000
--- a/packages/github/1.0.0/data_stream/audit/sample_event.json
+++ /dev/null
@@ -1,64 +0,0 @@
-{
- "@timestamp": "2020-11-18T17:05:48.837Z",
- "agent": {
- "ephemeral_id": "95d78df4-1364-43b9-ab4f-62fc70d21b04",
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0-beta1"
- },
- "data_stream": {
- "dataset": "github.audit",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
- "snapshot": false,
- "version": "8.0.0-beta1"
- },
- "event": {
- "action": "repo.destroy",
- "agent_id_status": "verified",
- "category": [
- "web",
- "iam"
- ],
- "created": "2022-02-03T12:34:05.664Z",
- "dataset": "github.audit",
- "id": "LwW2vpJZCDS-WUmo9Z-ifw",
- "ingested": "2022-02-03T12:34:06Z",
- "kind": "event",
- "original": "{\"@timestamp\":1605719148837,\"_document_id\":\"LwW2vpJZCDS-WUmo9Z-ifw\",\"action\":\"repo.destroy\",\"actor\":\"monalisa\",\"created_at\":1605719148837,\"org\":\"mona-org\",\"repo\":\"mona-org/mona-test-repo\",\"visibility\":\"private\"}",
- "type": [
- "access"
- ]
- },
- "github": {
- "category": "repo",
- "org": "mona-org",
- "repo": "mona-org/mona-test-repo"
- },
- "host": {
- "name": "docker-fleet-agent"
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "user": [
- "monalisa"
- ]
- },
- "tags": [
- "forwarded",
- "github-audit",
- "preserve_original_event"
- ],
- "user": {
- "name": "monalisa"
- }
-}
\ No newline at end of file
diff --git a/packages/github/1.0.0/docs/README.md b/packages/github/1.0.0/docs/README.md
deleted file mode 100755
index 8971a5d008..0000000000
--- a/packages/github/1.0.0/docs/README.md
+++ /dev/null
@@ -1,136 +0,0 @@ -# GitHub Integration - -The GitHub integration collects audit events from the GitHub API. - -## Logs - -### Audit - -The GitHub audit log records all events related to the GitHub organization. See [https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#audit-log-actions](https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#audit-log-actions) for more details. - -To use this integration, you must be an organization owner, and you must use an Personal Access Token with the admin:org scope. - -*This integration is not compatible with GitHub Enterprise server.* - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.geo.country_iso_code | Country ISO code. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| github.category | GitHub action category | keyword | -| github.org | GitHub organization name | keyword | -| github.repo | GitHub repository name | keyword | -| github.team | GitHub team name | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. 
| keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.group.name | Name of the group. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2020-11-18T17:05:48.837Z", - "agent": { - "ephemeral_id": "95d78df4-1364-43b9-ab4f-62fc70d21b04", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "data_stream": { - "dataset": "github.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "action": "repo.destroy", - "agent_id_status": "verified", - "category": [ - "web", - "iam" - ], - "created": "2022-02-03T12:34:05.664Z", - "dataset": "github.audit", - "id": "LwW2vpJZCDS-WUmo9Z-ifw", - "ingested": "2022-02-03T12:34:06Z", - "kind": "event", - "original": "{\"@timestamp\":1605719148837,\"_document_id\":\"LwW2vpJZCDS-WUmo9Z-ifw\",\"action\":\"repo.destroy\",\"actor\":\"monalisa\",\"created_at\":1605719148837,\"org\":\"mona-org\",\"repo\":\"mona-org/mona-test-repo\",\"visibility\":\"private\"}", - "type": [ - "access" - ] - }, - "github": { - "category": "repo", - "org": "mona-org", - "repo": "mona-org/mona-test-repo" - }, - "host": { - "name": "docker-fleet-agent" - }, - "input": { - "type": "httpjson" - }, - "related": { - "user": [ - "monalisa" - ] - }, - "tags": [ - "forwarded", - "github-audit", - "preserve_original_event" - ], - "user": { - "name": "monalisa" - } -} -``` \ No newline at end of file 
diff --git a/packages/github/1.0.0/img/github-audit-dashboard.png b/packages/github/1.0.0/img/github-audit-dashboard.png
deleted file mode 100755
index e6738cf99f..0000000000
Binary files a/packages/github/1.0.0/img/github-audit-dashboard.png and /dev/null differ
diff --git a/packages/github/1.0.0/img/github-user-dashboard.png b/packages/github/1.0.0/img/github-user-dashboard.png
deleted file mode 100755
index d31984b7fa..0000000000
Binary files a/packages/github/1.0.0/img/github-user-dashboard.png and /dev/null differ
diff --git a/packages/github/1.0.0/img/github.svg b/packages/github/1.0.0/img/github.svg
deleted file mode 100755
index a8d1174049..0000000000
--- a/packages/github/1.0.0/img/github.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-
-
-
diff --git a/packages/github/1.0.0/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.0/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json
deleted file mode 100755
index 50358b3d23..0000000000
--- a/packages/github/1.0.0/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json
+++ /dev/null
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"af01806a-78b1-4068-8d69-fa2ca952f365\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"af01806a-78b1-4068-8d69-fa2ca952f365\",\"panelRefName\":\"panel_af01806a-78b1-4068-8d69-fa2ca952f365\",\"type\":\"visualization\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"7d42442c-83c9-420d-8ef4-883eeb150687\",\"w\":24,\"x\":0,\"y\":7},\"panelIndex\":\"7d42442c-83c9-420d-8ef4-883eeb150687\",\"panelRefName\":\"panel_7d42442c-83c9-420d-8ef4-883eeb150687\",\"type\":\"visualization\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"76db3a0d-7562-4436-acd5-3cbfd4f6d044\",\"w\":24,\"x\":24,\"y\":7},\"panelIndex\":\"76db3a0d-7562-4436-acd5-3cbfd4f6d044\",\"panelRefName\":\"panel_76db3a0d-7562-4436-acd5-3cbfd4f6d044\",\"type\":\"visualization\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1e435c96-c37f-4eb5-a4e5-2d446b2bf464\",\"w\":48,\"x\":0,\"y\":22},\"panelIndex\":\"1e435c96-c37f-4eb5-a4e5-2d446b2bf464\",\"panelRefName\":\"panel_1e435c96-c37f-4eb5-a4e5-2d446b2bf464\",\"type\":\"search\",\"version\":\"7.16.0\"}]", - "timeRestore": false, - "title": "[GitHub] User Change Audit", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "github-8bfd8310-205c-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "github-7b073f90-205e-11ec-8b10-11a4c5e322a0", - "name": "af01806a-78b1-4068-8d69-fa2ca952f365:panel_af01806a-78b1-4068-8d69-fa2ca952f365", - "type": "visualization" 
- }, - { - "id": "github-97737b60-20b5-11ec-8b10-11a4c5e322a0", - "name": "7d42442c-83c9-420d-8ef4-883eeb150687:panel_7d42442c-83c9-420d-8ef4-883eeb150687", - "type": "visualization" - }, - { - "id": "github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0", - "name": "76db3a0d-7562-4436-acd5-3cbfd4f6d044:panel_76db3a0d-7562-4436-acd5-3cbfd4f6d044", - "type": "visualization" - }, - { - "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", - "name": "1e435c96-c37f-4eb5-a4e5-2d446b2bf464:panel_1e435c96-c37f-4eb5-a4e5-2d446b2bf464", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/github/1.0.0/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.0/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 506153bc21..0000000000 --- a/packages/github/1.0.0/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"63210180-c999-4d93-8d7a-f2fcb810ad1b\",\"w\":41,\"x\":0,\"y\":0},\"panelIndex\":\"63210180-c999-4d93-8d7a-f2fcb810ad1b\",\"panelRefName\":\"panel_63210180-c999-4d93-8d7a-f2fcb810ad1b\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"b37e0c71-2cc3-4895-b839-383ce53561a8\",\"w\":7,\"x\":41,\"y\":0},\"panelIndex\":\"b37e0c71-2cc3-4895-b839-383ce53561a8\",\"panelRefName\":\"panel_b37e0c71-2cc3-4895-b839-383ce53561a8\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9\",\"panelRefName\":\"panel_fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-540},\"mapCenter\":{\"lat\":27.08856,\"lon\":-30.5613,\"zoom\":1},\"openTOCDetails\":[]},\"gridData\":{\"h\":18,\"i\":\"88887e58-b192-4c9b-85c7-14d18a6c1c0d\",\"w\":37,\"x\":0,\"y\":26},\"panelIndex\":\"88887e58-b192-4c9b-85c7-14d18a6c1c0d\",\"panelRefName\":\"panel_88887e58-b192-4c9b-85c7-14d18a6c1c0d\",\"type\":\"map\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":18,\"i\":\"0c469087-fb3f-46d3-8962-c49d2e50f70c\",\"w\":11,\"x\":37,\"y\":26},\"panelIndex\":\"0c469087-fb3f-46d3-896
2-c49d2e50f70c\",\"panelRefName\":\"panel_0c469087-fb3f-46d3-8962-c49d2e50f70c\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"108cd1b7-ce79-4558-ae38-5f1bb93961fe\",\"w\":25,\"x\":0,\"y\":44},\"panelIndex\":\"108cd1b7-ce79-4558-ae38-5f1bb93961fe\",\"panelRefName\":\"panel_108cd1b7-ce79-4558-ae38-5f1bb93961fe\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"9ed1cfce-9337-4813-8df5-14a1280bb351\",\"w\":23,\"x\":25,\"y\":44},\"panelIndex\":\"9ed1cfce-9337-4813-8df5-14a1280bb351\",\"panelRefName\":\"panel_9ed1cfce-9337-4813-8df5-14a1280bb351\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"d48a66a5-50e7-4cab-9b16-767bfa427860\",\"w\":48,\"x\":0,\"y\":63},\"panelIndex\":\"d48a66a5-50e7-4cab-9b16-767bfa427860\",\"panelRefName\":\"panel_d48a66a5-50e7-4cab-9b16-767bfa427860\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[GitHub] Audit Log Activity", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "github-dcee84c0-2059-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "github-7b073f90-205e-11ec-8b10-11a4c5e322a0", - "name": "63210180-c999-4d93-8d7a-f2fcb810ad1b:panel_63210180-c999-4d93-8d7a-f2fcb810ad1b", - "type": "visualization" - }, - { - "id": "github-d7343340-20b3-11ec-8b10-11a4c5e322a0", - "name": "b37e0c71-2cc3-4895-b839-383ce53561a8:panel_b37e0c71-2cc3-4895-b839-383ce53561a8", - "type": "visualization" - }, - { - "id": "github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0", - "name": "fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9:panel_fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9", - "type": "visualization" - }, - { - "id": "github-871e5750-205e-11ec-8b10-11a4c5e322a0", - "name": 
"88887e58-b192-4c9b-85c7-14d18a6c1c0d:panel_88887e58-b192-4c9b-85c7-14d18a6c1c0d", - "type": "map" - }, - { - "id": "github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0", - "name": "0c469087-fb3f-46d3-8962-c49d2e50f70c:panel_0c469087-fb3f-46d3-8962-c49d2e50f70c", - "type": "visualization" - }, - { - "id": "github-61f60d00-20b4-11ec-8b10-11a4c5e322a0", - "name": "108cd1b7-ce79-4558-ae38-5f1bb93961fe:panel_108cd1b7-ce79-4558-ae38-5f1bb93961fe", - "type": "visualization" - }, - { - "id": "github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0", - "name": "9ed1cfce-9337-4813-8df5-14a1280bb351:panel_9ed1cfce-9337-4813-8df5-14a1280bb351", - "type": "visualization" - }, - { - "id": "github-c803b110-20b4-11ec-8b10-11a4c5e322a0", - "name": "d48a66a5-50e7-4cab-9b16-767bfa427860:panel_d48a66a5-50e7-4cab-9b16-767bfa427860", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/github/1.0.0/kibana/map/github-871e5750-205e-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.0/kibana/map/github-871e5750-205e-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 28e6fd92ec..0000000000 --- a/packages/github/1.0.0/kibana/map/github-871e5750-205e-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "layerListJSON": "[{\"alpha\":0.75,\"id\":\"a427cb7d-077b-4c8a-8741-74f8f03283e2\",\"includeInFitToBounds\":true,\"joins\":[],\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"id\":\"world_countries\",\"tooltipProperties\":[\"name\"],\"type\":\"EMS_FILE\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#6092C0\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#4379aa\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true},{\"alpha\":0.75,\"id\":\"a0ea096b-e0eb-43dd-8f75-c0d8c0e4ac9a\",\"includeInFitToBounds\":true,\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"id\":\"167d9148-ad58-4fa1-99eb-c3e75fc75f96\",\"indexPatternRefName\":\"layer_1_join_0_index_pattern\",\"indexPatternTitle\":\"logs-*\",\"term\":\"client.geo.country_iso_code\",\"type\":\"ES_TERM_SOURCE\"}}],\"label\":\"Events by 
Country\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"id\":\"world_countries\",\"tooltipProperties\":[\"name\"],\"type\":\"EMS_FILE\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#41937c\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]", - "mapStateJSON": 
"{\"center\":{\"lat\":0,\"lon\":-29.82486},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-18M\",\"to\":\"now\"},\"zoom\":0.56}", - "title": "Activity Map by Actor Location [GitHub]", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-871e5750-205e-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "map": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "layer_1_join_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "map" -} \ No newline at end of file diff --git a/packages/github/1.0.0/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.0/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 3becd882e0..0000000000 --- a/packages/github/1.0.0/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.target.name", - "github.org", - "event.action" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"user.target.name\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user.target.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "GitHub Audit Users", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/github/1.0.0/kibana/search/github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.0/kibana/search/github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 6fcc2915aa..0000000000 
--- a/packages/github/1.0.0/kibana/search/github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "GitHub Audit", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/github/1.0.0/kibana/visualization/github-61f60d00-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.0/kibana/visualization/github-61f60d00-20b4-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index e74ffec7ff..0000000000 --- a/packages/github/1.0.0/kibana/visualization/github-61f60d00-20b4-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Event Types [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top 5 Event Types 
[GitHub]\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-61f60d00-20b4-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.0/kibana/visualization/github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.0/kibana/visualization/github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index bee75a85b9..0000000000 --- a/packages/github/1.0.0/kibana/visualization/github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 5 Active Users [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top 5 Active Users [GitHub]\",\"type\":\"horizontal_bar\"}" - }, - 
"coreMigrationVersion": "7.16.0", - "id": "github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.0/kibana/visualization/github-7b073f90-205e-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.0/kibana/visualization/github-7b073f90-205e-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index ffb543647f..0000000000 --- a/packages/github/1.0.0/kibana/visualization/github-7b073f90-205e-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "Controls Audit [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"github.org\",\"id\":\"1632831213212\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Organization\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"github.repo\",\"id\":\"1632831234336\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Repository\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"user.name\",\"id\":\"1632872599896\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Actor\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"user.target.name\",\"id\":\"1632872564349\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Users\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"event.action\",\"id\":\"1632874177516\",\"indexPatternRefName\":\"control_4_index_pattern\",\"label\":\"Action\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"pare
nt\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Controls Audit [GitHub]\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-7b073f90-205e-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_3_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "control_4_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.0/kibana/visualization/github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.0/kibana/visualization/github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 0b63b91066..0000000000 --- a/packages/github/1.0.0/kibana/visualization/github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Events per Organization [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"github.org\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"value\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Events per Organization [GitHub]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.0/kibana/visualization/github-97737b60-20b5-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.0/kibana/visualization/github-97737b60-20b5-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 2adad09de2..0000000000 --- a/packages/github/1.0.0/kibana/visualization/github-97737b60-20b5-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Changes [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":0,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"value\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"User Changes [GitHub]\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-97737b60-20b5-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.0/kibana/visualization/github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.0/kibana/visualization/github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index ab96e88761..0000000000 --- a/packages/github/1.0.0/kibana/visualization/github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "User Change Timeline [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-18M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"1w\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"i
d\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"User Change Timeline [GitHub]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.0/kibana/visualization/github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.0/kibana/visualization/github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 862ffe3f0b..0000000000 --- a/packages/github/1.0.0/kibana/visualization/github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Events over time [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-18M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"1w\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":
\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Events over time [GitHub]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.0/kibana/visualization/github-c803b110-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.0/kibana/visualization/github-c803b110-20b4-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index e833f96f8f..0000000000 --- a/packages/github/1.0.0/kibana/visualization/github-c803b110-20b4-11ec-8b10-11a4c5e322a0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Top 10 Active Repositories [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Repository\",\"field\":\"github.repo\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top 10 Active 
Repositories [GitHub]\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-c803b110-20b4-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/github/1.0.0/kibana/visualization/github-d7343340-20b3-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.0/kibana/visualization/github-d7343340-20b3-11ec-8b10-11a4c5e322a0.json deleted file mode 100755 index 1b32797c76..0000000000 --- a/packages/github/1.0.0/kibana/visualization/github-d7343340-20b3-11ec-8b10-11a4c5e322a0.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "Total Events [GitHub]", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\" \"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total Events [GitHub]\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "github-d7343340-20b3-11ec-8b10-11a4c5e322a0", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/github/1.0.0/manifest.yml b/packages/github/1.0.0/manifest.yml
deleted file mode 100755
index 505e50360f..0000000000
--- a/packages/github/1.0.0/manifest.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: github
-title: GitHub
-version: 1.0.0
-release: ga
-description: Collect events from GitHub with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: [security]
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/github.svg
- title: GitHub
- size: 1024x1024
- type: image/svg+xml
-screenshots:
- - src: /img/github-audit-dashboard.png
- title: GitHub audit overview
- size: 3000x1788
- type: image/png
- - src: /img/github-user-dashboard.png
- title: GitHub user overview
- size: 2998x1631
- type: image/png
-policy_templates:
- - name: github
- title: GitHub logs
- description: Collect logs from GitHub
- inputs:
- - type: httpjson
- title: "Collect GitHub logs via API"
- description: "Collecting logs from GitHub via API"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/microsoft_dhcp/1.4.2/changelog.yml b/packages/microsoft_dhcp/1.4.2/changelog.yml
deleted file mode 100755
index 0dc3997b95..0000000000
--- a/packages/microsoft_dhcp/1.4.2/changelog.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-# newer versions go on top
-- version: "1.4.2"
- changes:
- - description: Change event.type value from end to stop according to ECS
- type: bugfix
- link: https://github.com/elastic/integrations/issues/3406
-- version: "1.4.1"
- changes:
- - description: Format observer.mac as per ECS and add missing mappings for event.category, event.outcome, and event.type.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3300
-- version: "1.4.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "1.3.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2423
-- version: "1.2.0"
- changes:
- - description: Add DHCPv6 Server support
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2473
-- version: "1.1.0"
- changes:
- - description: Add more event.action and event.outcome values
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2296
-- version: "1.0.0"
- changes:
- - description: GA integration
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2360
-- version: "0.2.1"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "0.2.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2276
-- version: "0.1.1"
- changes:
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1972
-- version: "0.1.0"
- changes:
- - description: Initial release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1793
diff --git a/packages/microsoft_dhcp/1.4.2/data_stream/log/agent/stream/logfile.yml.hbs b/packages/microsoft_dhcp/1.4.2/data_stream/log/agent/stream/logfile.yml.hbs
deleted file mode 100755
index 2b61987446..0000000000
--- a/packages/microsoft_dhcp/1.4.2/data_stream/log/agent/stream/logfile.yml.hbs
+++ /dev/null
@@ -1,32 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - '{{path}}'
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if tz_offset}}
-fields_under_root: true
-fields:
- _conf:
- tz_offset: {{tz_offset}}
-{{/if}}
-processors:
-- drop_event:
- when:
- not:
- regexp:
- message: "^[0-9]+,.*"
-- add_observer_metadata:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/microsoft_dhcp/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_dhcp/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 5f2a5b4cad..0000000000
--- a/packages/microsoft_dhcp/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,63 +0,0 @@
----
-description: Pipeline for processing Microsoft DHCP Server logs.
-processors:
- - set:
- field: ecs.version
- value: "8.2.0"
- - set:
- field: event.kind
- value: event
- - set:
- field: event.timezone
- value: "{{{_conf.tz_offset}}}"
- if: "ctx?._conf?.tz_offset != null && ctx._conf.tz_offset != 'local'"
- - set:
- field: event.original
- override: false
- copy_from: message
- - remove:
- field: message
- ignore_missing: true
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - pipeline:
- name: '{{ IngestPipeline "dhcp" }}'
- if: "ctx?.log?.file?.path != null && !ctx.log.file.path.contains('V6')"
- - pipeline:
- name: '{{ IngestPipeline "dhcpv6" }}'
- if: "ctx?.log?.file?.path != null && ctx.log.file.path.contains('V6')"
- - foreach:
- field: observer.mac
- ignore_missing: true
- processor:
- gsub:
- field: _ingest._value
- pattern: '[:]'
- replacement: '-'
- - foreach:
- field: observer.mac
- ignore_missing: true
- processor:
- uppercase:
- field: _ingest._value
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
- - remove:
- field:
- - _tmp_
- - _conf
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: |-
- Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
- - remove:
- field:
- - _tmp_
- - _conf
diff --git a/packages/microsoft_dhcp/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml b/packages/microsoft_dhcp/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
deleted file mode 100755
index 6f891b51df..0000000000
--- a/packages/microsoft_dhcp/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/dhcp.yml
+++ /dev/null
@@ -1,345 +0,0 @@
----
-## Reference document for DHCP field mapping: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd183591(v=ws.10)
-description: Pipeline for processing Microsoft DHCP Server logs.
-processors:
- - csv:
- field: event.original
- target_fields:
- - event.code
- - _tmp_.date
- - _tmp_.time
- - message
- - host.ip
- - host.domain
- - _tmp_.mac
- - user.name
- - microsoft.dhcp.transaction_id
- - microsoft.dhcp.result
- - microsoft.dhcp.probation_time
- - microsoft.dhcp.correlation_id
- - microsoft.dhcp.dhc_id
- - microsoft.dhcp.vendor.hex
- - microsoft.dhcp.vendor.string
- - microsoft.dhcp.user.hex
- - microsoft.dhcp.user.string
- - microsoft.dhcp.relay_agent_info
- - microsoft.dhcp.dns_error_code
- ignore_failure: true
- - set:
- field: _tmp_.timestamp
- value: "{{{_tmp_.date}}} {{{_tmp_.time}}}"
- - date:
- field: _tmp_.timestamp
- formats:
- - "MM/dd/yy HH:mm:ss"
- timezone: "{{{event.timezone}}}"
- - script:
- description: Set event action, category, outcome, and type for all known event types.
- lang: painless
- tag: Add ECS categorization fields
- params:
- "00":
- action: log-start
- category:
- - process
- type:
- - start
- "01":
- action: log-end
- category:
- - process
- type:
- - end
- "02":
- action: log-pause
- category:
- - process
- type:
- - change
- outcome: failure
- "10":
- action: dhcp-new
- category:
- - network
- type:
- - allowed
- - connection
- "11":
- action: dhcp-renew
- category:
- - network
- type:
- - allowed
- - connection
- "12":
- action: dhcp-release
- category:
- - network
- type:
- - allowed
- - connection
- "13":
- category:
- - network
- type:
- - connection
- "14":
- category:
- - network
- type:
- - connection
- - denied
- outcome: failure
- "15":
- action: dhcp-deny
- category:
- - network
- type:
- - connection
- - denied
- outcome: failure
- "16":
- action: dhcp-delete
- category:
- - network
- type:
- - connection
- "17":
- action: dhcp-expire
- category:
- - network
- type:
- - connection
- "18":
- action: dhcp-expire
- category:
- - network
- type:
- - connection
- "20":
- category:
- - network
- type:
- - allowed
- - connection
- "21":
- category:
- - network
- type:
- - allowed
- - connection
- "22":
- category:
- - network
- type:
- - connection
- - denied
- outcome: failure
- "23":
- category:
- - network
- type:
- - connection
- - denied
- outcome: failure
- "24":
- action: ip-cleanup-start
- category:
- - process
- type:
- - start
- "25":
- action: ip-cleanup-end
- category:
- - process
- type:
- - start
- "30":
- action: dhcp-dns-update
- category:
- - network
- type:
- - connection
- "31":
- action: dhcp-dns-update
- category:
- - network
- type:
- - connection
- outcome: failure
- "32":
- action: dhcp-dns-update
- category:
- - network
- type:
- - connection
- "33":
- category:
- - network
- type:
- - connection
- outcome: failure
- "34":
- action: dhcp-dns-update
- category:
- - network
- type:
- - connection
- outcome: failure
- "35":
- action: dhcp-dns-update
- category:
- - network
- type:
- - connection
- - denied
- outcome: failure
- "36":
- category:
- - network
- type:
- - connection
- - denied
- outcome: failure
- "50":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- outcome: failure
- "51":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - allowed
- - connection
- "52":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- "53":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - allowed
- - connection
- "54":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- - denied
- outcome: failure
- "55":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - allowed
- - connection
- "56":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- - denied
- outcome: failure
- "57":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- "58":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- outcome: failure
- "59":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- outcome: failure
- "60":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- "61":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- "62":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- "63":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- "64":
- action: rogue-server-detection
- category:
- - authentication
- - network
- type:
- - connection
- source: |-
- if (ctx?.event?.code == null || params.get(ctx.event.code) == null) {
- return;
- }
- def hm = new HashMap(params[ctx.event.code]);
- hm.forEach((k, v) -> ctx.event[k] = v);
- - set:
- field: event.outcome
- value: success
- if: ctx?.event?.outcome == null
- - gsub:
- field: _tmp_.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
- - uppercase:
- field: _tmp_.mac
- ignore_missing: true
- - append:
- if: ctx?._tmp_?.mac != null
- field: host.mac
- value: '{{{_tmp_.mac}}}'
-on_failure:
- - set:
- field: error.message
- value: |-
- Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
diff --git a/packages/microsoft_dhcp/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml b/packages/microsoft_dhcp/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml
deleted file mode 100755
index 7c808cad13..0000000000
--- a/packages/microsoft_dhcp/1.4.2/data_stream/log/elasticsearch/ingest_pipeline/dhcpv6.yml
+++ /dev/null
@@ -1,244 +0,0 @@
----
-description: Pipeline for processing Microsoft DHCPv6 Server logs.
-processors:
- - csv:
- field: event.original
- target_fields:
- - event.code
- - _tmp_.date
- - _tmp_.time
- - message
- - host.ip
- - host.domain
- - microsoft.dhcp.error_code
- - microsoft.dhcp.duid.length
- - microsoft.dhcp.duid.hex
- - microsoft.dhcp.user.string
- - microsoft.dhcp.dhc_id
- - microsoft.dhcp.subnet_prefix
- ignore_failure: true
- - set:
- field: _tmp_.timestamp
- value: "{{{_tmp_.date}}} {{{_tmp_.time}}}"
- - date:
- field: _tmp_.timestamp
- formats:
- - "MM/dd/yy HH:mm:ss"
- timezone: "{{{event.timezone}}}"
- - script:
- description: Set event action, category, outcome, and type for all known event types.
- lang: painless
- tag: Add ECS categorization fields
- params:
- "11000":
- action: dhcpv6-solicit
- category:
- - network
- type:
- - connection
- - protocol
- "11001":
- action: dhcpv6-advertise
- category:
- - network
- type:
- - connection
- - protocol
- "11002":
- action: dhcpv6-request
- category:
- - network
- type:
- - connection
- - protocol
- "11003":
- action: dhcpv6-confirm
- category:
- - network
- type:
- - connection
- - protocol
- "11004":
- action: dhcpv6-renew
- category:
- - network
- type:
- - connection
- - protocol
- "11005":
- action: dhcpv6-rebind
- category:
- - network
- type:
- - connection
- - protocol
- "11006":
- action: dhcpv6-decline
- category:
- - network
- type:
- - connection
- - protocol
- outcome: failure
- "11007":
- action: dhcpv6-release
- category:
- - network
- type:
- - connection
- "11008":
- action: dhcpv6-info-request
- category:
- - network
- type:
- - connection
- "11009":
- action: dhcpv6-scope-full
- category:
- - network
- type:
- - connection
- "11010":
- action: log-start
- category:
- - process
- type:
- - start
- "11011":
- action: log-stop
- category:
- - process
- type:
- - end
- "11012":
- action: log-pause
- category:
- - process
- type:
- - change
- "11013":
- action: log-file
- category:
- - process
- type:
- - info
- "11014":
- action: dhcpv6-bad-address
- category:
- - network
- type:
- - connection
- outcome: failure
- "11015":
- action: dhcpv6-address-in-use
- category:
- - network
- type:
- - connection
- "11016":
- action: dhcpv6-client-deleted
- category:
- - network
- type:
- - connection
- "11017":
- action: ipv6-dns-record-not-deleted
- category:
- - network
- type:
- - connection
- "11018":
- action: dhcpv6-expired
- category:
- - network
- type:
- - connection
- "11019":
- action: dhcpv6-lease-expired-deleted
- category:
- - network
- type:
- - connection
- "11020":
- action: dhcpv6-cleanup-start
- category:
- - process
- type:
- - start
- "11021":
- action: dhcpv6-cleanup-end
- category:
- - process
- type:
- - end
- "11022":
- action: ipv6-dns-update-request
- category:
- - network
- type:
- - connection
- - start
- "11023":
- action: ipv6-dns-update-failed
- category:
- - network
- type:
- - connection
- - end
- outcome: failure
- "11024":
- action: ipv6-dns-update-successful
- category:
- - network
- type:
- - connection
- - end
- "11028":
- action: ipv6-dns-update-request-queue-exceeded
- category:
- - network
- type:
- - connection
- - end
- outcome: failure
- "11029":
- action: ipv6-dns-update-request-failed
- category:
- - network
- type:
- - connection
- - end
- outcome: failure
- "11030":
- action: dhcpv6-stateless-clients-pruged
- category:
- - process
- type:
- - change
- "11031":
- action: dhcpv6-stateless-clients-expired
- category:
- - process
- type:
- - change
- "11032":
- action: dhcpv6-stateless-client-info-request
- category:
- - network
- type:
- - info
- source: |-
- if (ctx?.event?.code == null || params.get(ctx.event.code) == null) {
- return;
- }
- def hm = new HashMap(params[ctx.event.code]);
- hm.forEach((k, v) -> ctx.event[k] = v);
- - set:
- field: event.outcome
- value: success
- if: ctx?.event?.outcome == null
-on_failure:
- - set:
- field: error.message
- value: |-
- Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
diff --git a/packages/microsoft_dhcp/1.4.2/data_stream/log/fields/agent.yml b/packages/microsoft_dhcp/1.4.2/data_stream/log/fields/agent.yml
deleted file mode 100755
index dbed2e68dc..0000000000
--- a/packages/microsoft_dhcp/1.4.2/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- name: input.type
- type: keyword
-- name: log.offset
- type: long
diff --git a/packages/microsoft_dhcp/1.4.2/data_stream/log/fields/base-fields.yml b/packages/microsoft_dhcp/1.4.2/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 096db185c7..0000000000
--- a/packages/microsoft_dhcp/1.4.2/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: microsoft_dhcp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: microsoft_dhcp.log
diff --git a/packages/microsoft_dhcp/1.4.2/data_stream/log/fields/ecs.yml b/packages/microsoft_dhcp/1.4.2/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 6d56ae30e7..0000000000
--- a/packages/microsoft_dhcp/1.4.2/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,103 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
- name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). - name: event.timezone - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Name of the domain of which the host is a member. - For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. - name: host.domain - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - Host MAC addresses. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: host.mac - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. 
- name: log.file.path - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: IP addresses of the observer. - name: observer.ip - type: ip -- description: |- - MAC addresses of the observer. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: observer.mac - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/microsoft_dhcp/1.4.2/data_stream/log/fields/fields.yml b/packages/microsoft_dhcp/1.4.2/data_stream/log/fields/fields.yml deleted file mode 100755 index 3d7eebb86c..0000000000 --- a/packages/microsoft_dhcp/1.4.2/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -- name: microsoft.dhcp - type: group - fields: - - name: transaction_id - type: keyword - description: | - The DHCP transaction ID. - - name: result - type: keyword - description: | - The DHCP result type, for example "NoQuarantine", "Drop Packet" etc. - - name: probation_time - type: keyword - description: | - The probation time before lease ends on specific IP. - - name: correlation_id - type: keyword - description: | - The NAP correlation ID related to the client/server transaction. - - name: dhc_id - type: keyword - description: | - The related DHCID (DHC DNS record). - - name: vendor.hex - type: keyword - description: | - Hex representation of the vendor. - - name: vendor.string - type: keyword - description: | - String representation of the vendor. - - name: user.hex - type: keyword - description: | - Hex representation of the user. - - name: user.string - type: keyword - description: | - String representation of the user. - - name: relay_agent_info - type: keyword - description: | - Information about DHCP relay agent used for the DHCP request. - - name: dns_error_code - type: keyword - description: | - DNS error code communicated to client. - - name: error_code - type: keyword - description: | - DHCP server error code. - - name: duid.length - type: keyword - description: | - The length of the DUID field. - - name: duid.hex - type: keyword - description: | - The related DHCP Unique Identifier (DUID) for the host (DHCPv6). - - name: subnet_prefix - type: keyword - description: | - The number of bits for the subnet prefix. diff --git a/packages/microsoft_dhcp/1.4.2/data_stream/log/manifest.yml b/packages/microsoft_dhcp/1.4.2/data_stream/log/manifest.yml deleted file mode 100755 index 092f44f2b0..0000000000 --- a/packages/microsoft_dhcp/1.4.2/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -title: "Microsoft DHCP Logs" -type: logs -streams: - - input: logfile - template_path: logfile.yml.hbs - title: DHCP Logs - description: Collects Microsoft DHCP logs. - vars: - - name: tz_offset - type: text - title: Timezone Offset - multi: false - required: true - show_user: true - default: local - description: >- - By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT. - - name: paths - type: text - title: Paths - multi: true - show_user: true - default: - - 'C:\Windows\System32\DHCP\DhcpSrvLog-*.log' - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - microsoft_dhcp - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/microsoft_dhcp/1.4.2/data_stream/log/sample_event.json b/packages/microsoft_dhcp/1.4.2/data_stream/log/sample_event.json deleted file mode 100755 index fc2dbc6524..0000000000 --- a/packages/microsoft_dhcp/1.4.2/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "agent": { - "name": "docker-fleet-agent", - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "type": "filebeat", - "ephemeral_id": "adc79855-a07e-4f88-b14d-79d03400f73d", - "version": "8.2.0" - }, - "log": { - "file": { - "path": "/tmp/service_logs/test-dhcpV6.log" - }, - "offset": 1619 - }, - "elastic_agent": { - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "version": "8.2.0", - "snapshot": false - }, - "message": "DHCPV6 Request", - "microsoft": { - "dhcp": { - "duid": { - "length": "18", - "hex": "0004A34473BFC27FC55B25E86AF0E1761DAA" - } - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "microsoft_dhcp" - ], - "observer": { - "hostname": "docker-fleet-agent", - "ip": [ - "172.18.0.7" - ], - "mac": [ - "02-42-AC-12-00-07" - ] - }, - "input": { - "type": "log" - }, - "@timestamp": "2021-12-06T12:43:57.000-05:00", - "ecs": { - "version": "8.3.0" - }, - "data_stream": { - "namespace": "ep", - "type": "logs", - "dataset": "microsoft_dhcp.log" - }, - "host": { - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "domain": "test-host" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-05-09T14:40:22Z", - "original": "11002,12/06/21,12:43:57,DHCPV6 Request,2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6,test-host,,18,0004A34473BFC27FC55B25E86AF0E1761DAA,,,,,", - "code": "11002", - "timezone": "America/New_York", - "kind": "event", - "action": "dhcpv6-request", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "microsoft_dhcp.log", - "outcome": "success" - } -} \ No newline at end of file diff --git a/packages/microsoft_dhcp/1.4.2/docs/README.md b/packages/microsoft_dhcp/1.4.2/docs/README.md deleted file mode 100755 index 4a669c1370..0000000000 --- a/packages/microsoft_dhcp/1.4.2/docs/README.md +++ /dev/null 
@@ -1,148 +0,0 @@ -# Microsoft DHCP - -This integration collects logs and metrics from Microsoft DHCP logs. - -## Compatibility - -This integration has been made to support the DHCP log format from Windows Server 2008 and later. - -### Logs - -Ingest logs from Microsoft DHCP Server, by default logged with the filename format: -`%windir%\System32\DHCP\DhcpSrvLog-*.log` - -Logs may also be ingested from Microsoft DHCPv6 Server, by default logged with the filename format: -`%windir%\System32\DHCP\DhcpV6SrvLog-*.log` - -Relevant documentation for Microsoft DHCP can be found on [this]https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd183591(v=ws.10) location. - -An example event for `log` looks as following: - -```json -{ - "agent": { - "name": "docker-fleet-agent", - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "type": "filebeat", - "ephemeral_id": "adc79855-a07e-4f88-b14d-79d03400f73d", - "version": "8.2.0" - }, - "log": { - "file": { - "path": "/tmp/service_logs/test-dhcpV6.log" - }, - "offset": 1619 - }, - "elastic_agent": { - "id": "ca0beb8d-9522-4450-8af7-3cb7f3d8c478", - "version": "8.2.0", - "snapshot": false - }, - "message": "DHCPV6 Request", - "microsoft": { - "dhcp": { - "duid": { - "length": "18", - "hex": "0004A34473BFC27FC55B25E86AF0E1761DAA" - } - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "microsoft_dhcp" - ], - "observer": { - "hostname": "docker-fleet-agent", - "ip": [ - "172.18.0.7" - ], - "mac": [ - "02-42-AC-12-00-07" - ] - }, - "input": { - "type": "log" - }, - "@timestamp": "2021-12-06T12:43:57.000-05:00", - "ecs": { - "version": "8.3.0" - }, - "data_stream": { - "namespace": "ep", - "type": "logs", - "dataset": "microsoft_dhcp.log" - }, - "host": { - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", - "domain": "test-host" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-05-09T14:40:22Z", - "original": "11002,12/06/21,12:43:57,DHCPV6 
Request,2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6,test-host,,18,0004A34473BFC27FC55B25E86AF0E1761DAA,,,,,", - "code": "11002", - "timezone": "America/New_York", - "kind": "event", - "action": "dhcpv6-request", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "microsoft_dhcp.log", - "outcome": "success" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. 
| keyword | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. 
| keyword | -| input.type | | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.offset | | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| microsoft.dhcp.correlation_id | The NAP correlation ID related to the client/server transaction. | keyword | -| microsoft.dhcp.dhc_id | The related DHCID (DHC DNS record). | keyword | -| microsoft.dhcp.dns_error_code | DNS error code communicated to client. | keyword | -| microsoft.dhcp.duid.hex | The related DHCP Unique Identifier (DUID) for the host (DHCPv6). | keyword | -| microsoft.dhcp.duid.length | The length of the DUID field. | keyword | -| microsoft.dhcp.error_code | DHCP server error code. | keyword | -| microsoft.dhcp.probation_time | The probation time before lease ends on specific IP. | keyword | -| microsoft.dhcp.relay_agent_info | Information about DHCP relay agent used for the DHCP request. | keyword | -| microsoft.dhcp.result | The DHCP result type, for example "NoQuarantine", "Drop Packet" etc. | keyword | -| microsoft.dhcp.subnet_prefix | The number of bits for the subnet prefix. | keyword | -| microsoft.dhcp.transaction_id | The DHCP transaction ID. | keyword | -| microsoft.dhcp.user.hex | Hex representation of the user. | keyword | -| microsoft.dhcp.user.string | String representation of the user. | keyword | -| microsoft.dhcp.vendor.hex | Hex representation of the vendor. | keyword | -| microsoft.dhcp.vendor.string | String representation of the vendor. | keyword | -| observer.hostname | Hostname of the observer. 
| keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | diff --git a/packages/microsoft_dhcp/1.4.2/img/logo.svg b/packages/microsoft_dhcp/1.4.2/img/logo.svg deleted file mode 100755 index 5334aa7ca6..0000000000 --- a/packages/microsoft_dhcp/1.4.2/img/logo.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/microsoft_dhcp/1.4.2/manifest.yml b/packages/microsoft_dhcp/1.4.2/manifest.yml deleted file mode 100755 index f06c54ee05..0000000000 --- a/packages/microsoft_dhcp/1.4.2/manifest.yml +++ /dev/null @@ -1,27 +0,0 @@ -format_version: 1.0.0 -name: microsoft_dhcp -title: Microsoft DHCP -version: "1.4.2" -license: basic -description: Collect logs from Microsoft DHCP with Elastic Agent. -type: integration -categories: - - network -release: ga -conditions: - kibana.version: ^7.14.0 || ^8.0.0 -icons: - - src: /img/logo.svg - title: Microsoft logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: microsoft_dhcp - title: Microsoft DHCP - description: Collect Microsoft DHCP logs. - inputs: - - type: logfile - title: Logs from file - description: Collect DHCP logs from file. -owner: - github: elastic/security-external-integrations diff --git a/packages/microsoft_sqlserver/1.0.0/changelog.yml b/packages/microsoft_sqlserver/1.0.0/changelog.yml deleted file mode 100755 index 7b5f5da77e..0000000000 --- a/packages/microsoft_sqlserver/1.0.0/changelog.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -# newer versions go on top -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.5.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "0.4.5" - changes: - - description: Update Readme. Added links to Microsoft documentation - type: enhancement - link: https://github.com/elastic/integrations/pull/3058 -- version: "0.4.4" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.4.3" - changes: - - description: Fix field conflict for `winlog.record_id` - type: bugfix - link: https://github.com/elastic/integrations/pull/2894 -- version: "0.4.2" - changes: - - description: Fix mapper_parsing_exception when parsing sqlserver.audit.event_time. - type: bugfix - link: https://github.com/elastic/integrations/pull/2813 -- version: "0.4.1" - changes: - - description: Change owner to SEI - type: bugfix - link: https://github.com/elastic/integrations/pull/2650 -- version: "0.4.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2493 -- version: "0.3.0" - changes: - - description: Expose winlog input ignore_older option. - type: enhancement - link: https://github.com/elastic/integrations/pull/2542 - - description: Fix preserve original event option - type: bugfix - link: https://github.com/elastic/integrations/pull/2542 - - description: Make order of options consistent with other winlog based integrations. - type: enhancement - link: https://github.com/elastic/integrations/pull/2542 -- version: "0.2.0" - changes: - - description: Expose winlog input language option. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/2344 -- version: "0.1.0" - changes: - - description: Initial draft of the package - type: enhancement - link: https://github.com/elastic/integrations/pull/2009 diff --git a/packages/microsoft_sqlserver/1.0.0/data_stream/audit/agent/stream/winlog.yml.hbs b/packages/microsoft_sqlserver/1.0.0/data_stream/audit/agent/stream/winlog.yml.hbs deleted file mode 100755 index ed053196d1..0000000000 --- a/packages/microsoft_sqlserver/1.0.0/data_stream/audit/agent/stream/winlog.yml.hbs +++ /dev/null @@ -1,22 +0,0 @@ -name: {{channel}} -condition: ${host.platform} == 'windows' -event_id: {{event_id}} -{{#if ignore_older}} -ignore_older: {{ignore_older}} -{{/if}} -{{#if language}} -language: {{language}} -{{/if}} -{{#if tags.length}} -tags: -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if preserve_original_event}} -include_xml: true -{{/if}} -{{#if processors.length}} -processors: -{{processors}} -{{/if}} diff --git a/packages/microsoft_sqlserver/1.0.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_sqlserver/1.0.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 1c21df6a8a..0000000000 --- a/packages/microsoft_sqlserver/1.0.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,1280 +0,0 @@ ---- -description: Pipeline for processing SQL Server audit logs -processors: -- set: - field: ecs.version - value: 8.2.0 -- gsub: - description: Strip final dot from param1. - field: winlog.event_data.param1 - pattern: '(?m)^\.$' - replacement: '' - if: ctx?.winlog?.event_id == "33205" -- dissect: - description: Extract statement - pattern: "%{}statement:%{_temp.stmt}\nadditional_information:%{}" - field: winlog.event_data.param1 -- gsub: - field: winlog.event_data.param1 - pattern: 'statement:(.*\s)*(?=additional_information:)' - replacement: '' -- kv: - field: winlog.event_data.param1 - field_split: \n - value_split: ':' - target_field: sqlserver.audit - trim_key: \n - trim_value: \n -- set: - field: sqlserver.audit.statement - copy_from: _temp.stmt -- set: - field: log.level - copy_from: winlog.log.level - ignore_empty_value: true - if: ctx?.winlog?.log?.level != "" -- date: - field: sqlserver.audit.event_time - formats: - - "yyyy-MM-dd HH:mm:ss.SSSSSSS" -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -## -# Event kind, code and action -## -- set: - field: event.kind - value: event -- append: - field: event.category - value: database -- trim: - field: sqlserver.audit.action_id - ignore_missing: true -- trim: - field: sqlserver.audit.class_type - ignore_missing: true -- uppercase: - field: sqlserver.audit.action_id - ignore_missing: true -- uppercase: - field: sqlserver.audit.class_type - ignore_missing: true -- script: - lang: painless - description: The script processor enables setting event type, action and category based on action_id and class_type fields. 
- params: - classtypes: - "DB": "DATABASE" - "OB": "OBJECT" - "TY": "TYPE" - "SC": "SCHEMA" - "SX": "XML SCHEMA COLLECTION" - "AS": "ASSEMBLY" - "US": "USER" - "RL": "ROLE" - "AR": "APPLICATION ROLE" - "MT": "MESSAGE TYPE" - "CT": "CONTRACT" - "SV": "SERVICE" - "BN": "REMOTE SERVICE BINDING" - "RT": "ROUTE" - "FC": "FULLTEXT CATALOG" - "FL": "FULLTEXT STOPLIST" - "FP": "SEARCH PROPERTY LIST" - "SK": "SYMMETRIC KEY" - "CR": "CERTIFICATE" - "AK": "ASYMMETRIC KEY" - "DC": "DATABASE SCOPED CREDENTIAL" - "EL": "EXTERNAL LIBRARY" - "LA": "EXTERNAL LANGUAGE" - "SR": "SERVER" - "EP": "ENDPOINT" - "SG": "SERVER ROLE" - "AG": "AVAILABILITY GROUP" - "LX": "LOGIN" - "CK": "COLUMN ENCRYPTION KEY" - "CM": "COLUMN MASTER KEY" - "DA": "DATABASE AUDIT SPECIFICATION" - "DU": "AUDIT" - "DS": "DATABASE SCOPED CONFIGURATION" - "DR": "DATABASE SCOPED RESOURCE GOVERNOR" - "DN": "EVENT NOTIFICATION DATABASE" - "DT": "TRIGGER DATABASE" - "MK": "MASTER KEY" - "DK": "DATABASE ENCRYPTION KEY" - "ON": "EVENT NOTIFICATION OBJECT" - "PF": "PARTITION FUNCTION" - "PR": "BROKER PRIORITY" - "PS": "PARTITION SCHEME" - "DE": "DATABASE EVENT SESSION" - "AQ": "ADHOC QUERY" - "AF": "AGGREGATE" - "AP": "Undocumented" - "C": "CHECK CONSTRAINT" - "D": "DEFAULT" - "EC": "EDGE CONSTRAINT" - "EN": "EVENT NOTIFICATION" - "F": "FOREIGN KEY CONSTRAINT" - "FS": "FUNCTION SCALAR ASSEMBLY" - "FT": "FUNCTION TABLE-VALUED ASSEMBLY" - "FN": "FUNCTION SCALAR SQL" - "IX": "INDEX" - "IF": "FUNCTION TABLE-VALUED INLINE SQL" - "IS": "FUNCTION SCALAR INLINE SQL" - "IT": "INTERNAL TABLE" - "PQ": "PREPARED ADHOC QUERY" - "PK": "PRIMARY KEY" - "P": "STORED PROCEDURE" - "PC": "STORED PROCEDURE ASSEMBLY" - "RF": "STORED PROCEDURE REPLICATION FILTER" - "R": "RULE" - "SP": "SECURITY POLICY" - "SO": "SEQUENCE OBJECT" - "ST": "STATISTICS" - "SQ": "QUEUE" - "SN": "SYNONYM" - "S": "TABLE SYSTEM" - "TF": "FUNCTION TABLE-VALUED SQL" - "TA": "TRIGGER ASSEMBLY" - "TR": "TRIGGER" - "UQ": "UNIQUE CONSTRAINT" - "U": "TABLE" - "V": "VIEW" - 
"X": "STORED PROCEDURE EXTENDED" - "XR": "XREL TREE" - "AU": "ASYMMETRIC KEY USER" - "CU": "CERTIFICATE USER" - "GU": "GROUP USER" - "SU": "SQL USER" - "WU": "WINDOWS USER" - "XU": "EXTERNAL USER" - "PU": "EXTERNAL GROUP USER" - "A": "SERVER AUDIT" - "CD": "CREDENTIAL" - "CP": "CRYPTOGRAPHIC PROVIDER" - "ED": "EXTERNAL DATA SOURCE" - "EF": "EXTERNAL FILE FORMAT" - "RG": "RESOURCE GOVERNOR" - "SA": "SERVER AUDIT SPECIFICATION" - "SD": "EVENT NOTIFICATION SERVER" - "T": "TRIGGER SERVER" - "SE": "EVENT SESSION" - "CO": "SERVER CONFIG" - "AL": "ASYMMETRIC KEY LOGIN" - "CL": "CERTIFICATE LOGIN" - "SL": "SQL LOGIN" - "WG": "WINDOWS GROUP" - "WL": "WINDOWS LOGIN" - "ER": "EXTERNAL RESOURCE POOL" - "EX": "EXTERNAL SCRIPT QUERY" - "PL": "EXTERNAL GROUP LOGIN" - "XL": "EXTERNAL LOGIN" - actions: - "ACDO": - value: "DATABASE_OBJECT_ACCESS_GROUP" - type: - - access - action: database-object-accessed - "ACO": - value: "SCHEMA_OBJECT_ACCESS_GROUP" - type: - - access - action: schema-object-permission-checked - "ADBO": - value: "BULK ADMIN" - type: - - change - action: bulk-admin-operation - "ADDP": - value: "DATABASE_ROLE_MEMBER_CHANGE_GROUP" - type: - - admin - - change - - user - category: - - iam - action: login-changed-from-database-role - "ADFR": - # SQL 2019 feature to tackle dynamic SQL - # and SQL injection threats. By restricting - # ErrorMessages and WaitFor statement. 
- value: "ADD FEATURE RESTRICTION" - type: - - info - action: add-feature-restriction - "ADSC": - value: "ADD SENSITIVITY CLASSIFICATION" - type: - - change - action: add-sensitivity-classification-to-db-columns - "ADSP": - value: "SERVER_ROLE_MEMBER_CHANGE_GROUP" - type: - - admin - - change - - user - category: - - iam - action: login-changed-from-server-role - "AL": - value: "ALTER" - type: - - change - action: alter-object - "ALCN": - value: "ALTER CONNECTION" - type: - - change - - connection - category: - - network - action: alter-connection - "ALRS": - value: "ALTER RESOURCES" - type: - - change - action: alter-resources - "ALSS": - value: "ALTER SERVER STATE" - type: - - change - action: alter-server-state - "ALST": - value: "ALTER SETTINGS" - type: - - change - category: - - configuration - action: alter-settings - "ALTR": - value: "ALTER TRACE" - type: - - change - action: alter-trace - "APRL": - value: "ADD MEMBER" - type: - - change - action: add-member - "AS": - value: "ACCESS" - type: - - access - action: access-object - "AUSC": - # To troubleshoot what goes on after this event - # configure login auditing - # https://docs.microsoft.com/en-us/sql/ssms/configure-login-auditing-sql-server-management-studio - value: "AUDIT SESSION CHANGED" - type: - - change - action: audit-session-changed - "AUSF": - # https://docs.microsoft.com/en-us/sql/t-sql/statements/create-server-audit-transact-sql - # See ON_FAILURE - value: "AUDIT SHUTDOWN ON FAILURE" - type: - - error - action: audit-write-failed-database-shutdown - "AUTH": - # Changing authentication mode for login - value: "AUTHENTICATE" - type: - - info - action: authenticate - "BA": - # https://docs.microsoft.com/en-us/sql/t-sql/statements/backup-transact-sql - value: "BACKUP" - type: - - info - action: database-backup-executed - "BAL": - # https://docs.microsoft.com/en-us/sql/t-sql/statements/backup-transact-sql - value: "BACKUP LOG" - type: - - info - action: transaction-log-backup-executed - "BCM": - 
value: "BATCH COMPLETED" - type: - - info - action: transact-sql-batch-completed - "BCMG": - value: "BATCH_COMPLETED_GROUP" - type: - - info - action: batch-text-stored-proc-or-txn-mgmt-op-ended - "BRDB": - value: "BACKUP_RESTORE_GROUP" - type: - - admin - action: backup-or-restore-command-issued - "BST": - value: "BATCH STARTED" - type: - - info - action: transact-sql-batch-started - "BSTG": - value: "BATCH_STARTED_GROUP" - type: - - info - action: batch-text-stored-proc-txn-mgmt-op-started - "C2OF": - # https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/c2-audit-mode-server-configuration-option - value: "TRACE AUDIT C2OFF" - type: - - change - action: c2-audit-mode-server-config-off - "C2ON": - value: "TRACE AUDIT C2ON" - type: - - info - action: c2-audit-mode-server-config-on - "CCLG": - value: "CHANGE LOGIN CREDENTIAL" - type: - - change - action: change-login-credential - "CMLG": - value: "CREDENTIAL MAP TO LOGIN" - type: - - change - action: credential-mapped-to-sql-server-login - "CNAU": - value: "AUDIT_CHANGE_GROUP" - type: - - change - action: audit-or-audit-spec-changed - "CO": - # nodoc or TSQL - value: "CONNECT" - type: - - info - action: connect - "CP": - value: "CHECKPOINT" - type: - - info - action: checkpoint-created - "CR": - value: "CREATE" - type: - - info - action: create - "DABO": - # bulk ops like bulk insert, copy, load - # and so on. - value: "DATABASE BULK ADMIN" - type: - - change - action: database-bulk-admin - "DAGF": - # principal login to contained database failed. 
- # https://docs.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable - value: "FAILED_DATABASE_AUTHENTICATION_GROUP" - type: - - error - action: principal-login-failed - "DAGL": - value: "DATABASE_LOGOUT_GROUP" - type: - - info - - end - category: - - session - action: contained-database-user-logout - "DAGS": - value: "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP" - type: - - info - - start - category: - - session - action: principal-login-to-contained-database-successful - "DBAF": - # nodoc - value: "DATABASE AUTHENTICATION FAILED" - type: - - error - action: database-authentication-failed - "DBAS": - value: "DATABASE AUTHENTICATION SUCCEEDED" - type: - - access - - info - action: database-authentication-succeeded - "DBCC": - # https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-transact-sql - value: "DBCC" - type: - - change - category: - - configuration - action: principal-issued-dbcc-command - "DBCG": - value: "DBCC_GROUP" - type: - - change - category: - - configuration - action: principal-issued-dbcc-command - "DBL": - # nodoc - value: "DATABASE LOGOUT" - type: - - end - category: - - session - action: database-logout - "D": - # TSQL - value: "DENY" - type: - - info - action: permission-denied-to-principal - "DL": - # nodoc - # TSQL DELETE - value: "DELETE" - type: - - change - action: delete - "DPRL": - # ? https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-droprolemember-transact-sql - value: "DROP MEMBER" - type: - - info - action: drop-security-account-from-role - "DR": - value: "DROP" - type: - - change - action: drop-object - "DRFR": - # SQL 2019 feature to tackle dynamic SQL - # and SQL injection threats. By restricting - # ErrorMessages and WaitFor statement. 
- value: "DROP FEATURE RESTRICTION" - type: - - change - action: drop-feature-restriction - "DRSC": - value: "DROP SENSITIVITY CLASSIFICATION" - type: - - change - action: drop-sensitivity-classification-from-db-columns - "DWC": - # TSQL - value: "DENY WITH CASCADE" - type: - - change - action: permission-denied-with-cascade - "EX": - value: "EXECUTE" - type: - - info - action: execute-stored-proc-or-function - "FRCG": - # nodoc - # 2019 feature see ADFR and DRFR - value: "FEATURE_RESTRICTION_CHANGE_GROUP" - type: - - change - action: feature-restriction-changed - "FT": - # nodoc - # using FTG - value: "FULLTEXT" - type: - - info - action: fulltext-event-occurred - "FTG": - value: "FULLTEXT_GROUP" - type: - - info - action: fulltext-event-occurred - "G": - # TSQL - value: "GRANT" - type: - - info - action: grant-permission-to-principal - "GRDB": - value: "DATABASE_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission - "GRDO": - value: "DATABASE_OBJECT_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission-on-schema-or-assemblies - "GRO": - # schema objects like database tables, views etc. 
- value: "SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission-on-schema-objects - "GRSO": - value: "SERVER_OBJECT_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission-on-server-objects - "GRSV": - value: "SERVER_PERMISSION_CHANGE_GROUP" - type: - - change - action: grant-revoke-or-deny-permission-issued-in-server-scope - "GWG": - # TSQL - value: "GRANT WITH GRANT" - type: - - info - action: grant-with-grant-issued-to-principal - "IMDP": - value: "DATABASE_PRINCIPAL_IMPERSONATION_GROUP" - type: - - info - action: database-user-impersonation-occurred - "IMP": - # nodoc - # using IMDP - value: "IMPERSONATE" - type: - - info - action: database-user-impersonation-occurred - "IMSP": - value: "SERVER_PRINCIPAL_IMPERSONATION_GROUP" - type: - - user - action: server-login-impersonation-occurred - "IN": - value: "INSERT" - type: - - info - action: insert - "LGB": - # nodoc - # using LGBG - value: "BROKER LOGIN" - type: - - info - action: service-broker-transport-security-event - "LGBG": - value: "BROKER_LOGIN_GROUP" - type: - - info - action: service-broker-transport-security-event - "LGDA": - # Can be disable trigger or indexes and constraints - value: "DISABLE" - type: - - change - action: disable - "LGDB": - value: "CHANGE DEFAULT DATABASE" - type: - - change - action: change-default-database - "LGEA": - value: "ENABLE" - type: - - info - action: enable - "LGFL": - value: "FAILED_LOGIN_GROUP" - type: - - error - category: - - authentication - action: principal-login-failed - "LGGG": - # nodoc - value: "GLOBAL_TRANSACTIONS_LOGIN_GROUP" - type: - - info - action: global-transactions-login - "LGG": - # nodoc - # https://www.manageengine.com/products/eventlog/sql-auditing/global-transaction-login-in-sql-server-24337.html - value: "GLOBAL TRANSACTIONS LOGIN" - type: - - info - action: global-transactions-login - "LGIF": - value: "LOGIN FAILED" - type: - - error - category: - - authentication - 
action: login-failed - "LGIS": - value: "LOGIN SUCCEEDED" - type: - - info - - start - category: - - session - action: login-succeeded - "LGLG": - value: "CHANGE DEFAULT LANGUAGE" - type: - - change - action: change-default-language - "LGM": - # using LGMG - value: "DATABASE MIRRORING LOGIN" - type: - - info - action: database-mirroring-transport-security-event - "LGMG": - value: "DATABASE_MIRRORING_LOGIN_GROUP" - type: - - info - action: database-mirroring-transport-security-event - "LGNM": - value: "NAME CHANGE" - type: - - change - action: name-change - "LGO": - value: "LOGOUT" - type: - - end - category: - - session - action: logout - "LGSD": - value: "SUCCESSFUL_LOGIN_GROUP" - type: - - info - - start - category: - - session - action: user-login-succeeded - "LGSG": - # nodoc - value: "STORAGE_LOGIN_GROUP" - type: - - info - action: storage-login - "LGS": - # nodoc - value: "STORAGE LOGIN" - type: - - info - action: storage-login - "LO": - value: "LOGOUT_GROUP" - type: - - info - - end - category: - - session - action: user-logout-succeeded - "MNDB": - value: "DATABASE_CHANGE_GROUP" - type: - - change - action: database-created-altered-or-dropped - "MNDO": - value: "DATABASE_OBJECT_CHANGE_GROUP" - type: - - change - action: database-object-created-altered-or-dropped - "MNDP": - value: "DATABASE_PRINCIPAL_CHANGE_GROUP" - type: - - change - action: principals-created-altered-or-dropped - "MNO": - value: "SCHEMA_OBJECT_CHANGE_GROUP" - type: - - change - action: schema-object-create-alter-or-dropped - "MNSO": - # server objects like databases or endpoints - value: "SERVER_OBJECT_CHANGE_GROUP" - type: - - change - action: server-object-create-alter-or-dropped - "MNSP": - value: "SERVER_PRINCIPAL_CHANGE_GROUP" - type: - - change - action: server-principal-create-alter-or-dropped - "NMLG": - # no credential map to login probably unable to execute - # external operation - # 
https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/create-a-credential - value: "NO CREDENTIAL MAP TO LOGIN" - type: - - error - action: no-credential-map-to-login - "OPDB": - value: "DATABASE_OPERATION_GROUP" - type: - - info - action: db-checkpoint-or-subscribe-query-notification-executed - "OP": - # open cursor - value: "OPEN" - type: - - access - action: open - "OPSV": - value: "SERVER_OPERATION_GROUP" - type: - - change - action: alter-settings-resources-or-external-access - "PWAR": - value: "APPLICATION_ROLE_CHANGE_PASSWORD_GROUP" - type: - - change - action: password-changed-for-application-role - "PWC": - # nodoc - # using PWAR - value: "CHANGE PASSWORD" - type: - - change - action: password-changed-for-application-role - "PWCG": - value: "LOGIN_CHANGE_PASSWORD_GROUP" - type: - - change - action: login-password-changed-via-alter-or-sp-password - "PWCS": - # nodoc - value: "CHANGE OWN PASSWORD" - type: - - change - action: change-own-password - "PWEX": - # nodoc - value: "PASSWORD EXPIRATION" - type: - - info - action: password-expired - "PWMC": - # nodoc - value: "MUST CHANGE PASSWORD" - type: - - info - action: must-change-password - "PWPL": - # nodoc - value: "PASSWORD POLICY" - type: - - info - action: password-policy - "PWR": - # nodoc - value: "RESET PASSWORD" - type: - - change - action: reset-password - "PWRS": - # nodoc - value: "RESET OWN PASSWORD" - type: - - change - action: reset-own-password - "PWU": - # TSQL ALTER LOGIN UNLOCK - value: "UNLOCK ACCOUNT" - type: - - change - action: unlock-sql-server-login-account - "RCM": - value: "RPC COMPLETED" - type: - - end - category: - - network - action: rpc-completed - "RC": - value: "RECEIVE" - type: - - access - action: retrieve-message-from-queue - "RF": - value: "REFERENCES" - type: - - info - action: references - "R": - value: "REVOKE" - type: - - change - action: remove-granted-or-denied-permission - "RS": - value: "RESTORE" - type: - - change - action: 
restore-database-backup - "RST": - value: "RPC STARTED" - type: - - start - category: - - network - action: rpc-started - "RWC": - value: "REVOKE WITH CASCADE" - type: - - change - action: revoke-granted-or-denied-permission-with-cascade - "RWG": - value: "REVOKE WITH GRANT" - type: - - change - action: revoke-with-grant - "SCCG": - # sensitivity classification for columns - # https://docs.microsoft.com/en-us/sql/t-sql/statements/add-sensitivity-classification-transact-sql - value: "SENSITIVITY_CLASSIFICATION_CHANGE_GROUP" - type: - - change - action: sensitivity-classification-changed - "SL": - value: "SELECT" - type: - - access - action: select - "SN": - value: "SEND" - type: - - access - action: send-message-to-queue - "SPLN": - # https://docs.microsoft.com/en-us/sql/t-sql/statements/set-showplan-all-transact-sql - value: "SHOW PLAN" - type: - - info - action: show-plan - "STSV": - value: "SERVER_STATE_CHANGE_GROUP" - type: - - info - action: server-service-state-changed - "SUQN": - value: "SUBSCRIBE QUERY NOTIFICATION" - type: - - info - action: subscribe-query-notification - "SVCN": - value: "SERVER CONTINUE" - type: - - change - action: server-service-state-changed-to-continue - "SVPD": - value: "SERVER PAUSED" - type: - - change - action: server-service-state-changed-to-paused - "SVSD": - value: "SERVER SHUTDOWN" - type: - - change - action: server-service-state-changed-to-shutdown - "SVSR": - value: "SERVER STARTED" - type: - - change - action: server-service-state-changed-to-start - "TASA": - # nodoc - value: "TRACE AUDIT START" - type: - - info - action: trace-audit-start - "TASP": - # nodoc - value: "TRACE AUDIT STOP" - type: - - info - action: trace-audit-stop - "TODB": - value: "DATABASE_OWNERSHIP_CHANGE_GROUP" - type: - - change - action: permission-check-performed-to-change-database-owner - "TODO": - value: "DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP" - type: - - change - action: database-object-owner-changed - "TOO": - value: 
"SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP" - type: - - info - action: permission-check-performed-to-change-schema-object - "TOSO": - value: "SERVER_OBJECT_OWNERSHIP_CHANGE_GROUP" - type: - - change - action: server-scoped-object-owner-changed - "TO": - # nodoc - value: "TAKE OWNERSHIP" - type: - - info - action: take-ownership - "TRBC": - value: "TRANSACTION BEGIN COMPLETED" - type: - - info - action: transaction-begin-completed - "TRBS": - value: "TRANSACTION BEGIN STARTING" - type: - - info - action: transaction-begin-starting - "TRCC": - value: "TRANSACTION COMMIT COMPLETED" - type: - - info - action: transaction-commit-completed - "TRCG": - value: "TRACE_CHANGE_GROUP" - type: - - info - action: permission-checked-for-alter-trace - "TRCS": - value: "TRANSACTION COMMIT STARTING" - type: - - info - action: transaction-commit-starting - "TRGC": - value: "TRANSACTION PROPAGATE COMPLETED" - type: - - info - action: transaction-propogation-completed - "TRGS": - value: "TRANSACTION PROPAGATE STARTING" - type: - - info - action: transaction-propogation-starting - "TRO": - value: "TRANSFER" - type: - - info - action: data-transfer - "TRPC": - # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration-data-access-transactions/transaction-promotion - value: "TRANSACTION PROMOTE COMPLETED" - type: - - info - action: local-to-distributed-transaction-promote-completed - "TRPS": - # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration-data-access-transactions/transaction-promotion - value: "TRANSACTION PROMOTE STARTING" - type: - - info - action: local-to-distributed-transaction-promote-starting - "TRRC": - value: "TRANSACTION ROLLBACK COMPLETED" - type: - - info - action: transaction-rollback-completed - "TRRS": - value: "TRANSACTION ROLLBACK STARTING" - type: - - info - action: transaction-rollback-starting - "TRSC": - value: "TRANSACTION SAVEPOINT COMPLETED" - type: - - info - action: transaction-savepoint-completed - "TRSS": - value: 
"TRANSACTION SAVEPOINT STARTING" - type: - - info - action: transaction-savepoint-starting - "TXBG": - value: "TRANSACTION BEGIN" - type: - - info - action: transaction-begin - "TXCG": - value: "TRANSACTION_COMMIT_GROUP" - type: - - info - action: transaction-commit-group-event - "TXCM": - value: "TRANSACTION COMMIT" - type: - - info - action: transaction-commit - "TXGG": - value: "TRANSACTION_BEGIN_GROUP" - type: - - info - action: transaction-begin-group-event - "TXRB": - value: "TRANSACTION ROLLBACK" - type: - - info - action: transaction-rollback - "TXRG": - value: "TRANSACTION_ROLLBACK_GROUP" - type: - - info - action: transaction-rollback-group - "TX": - value: "TRANSACTION_GROUP" - type: - - info - action: transaction-event-occurred - "UCGP": - value: "USER_CHANGE_PASSWORD_GROUP" - type: - - change - action: password-of-contained-database-user-changed - "UDAG": - value: "USER_DEFINED_AUDIT_GROUP" - type: - - info - action: user-defined-audit-event-sp-audit-write - "UDAU": - value: "USER DEFINED AUDIT" - type: - - info - action: user-defined-audit-event-sp-audit-write - "UNDG": - value: "STATEMENT_ROLLBACK_GROUP" - type: - - info - action: statement-rollback-group - "UNDO": - value: "STATEMENT ROLLBACK" - type: - - info - action: statement-rollback - "UP": - value: "UPDATE" - type: - - change - action: update - "USAF": - value: "CHANGE USERS LOGIN AUTO" - type: - - change - action: change-users-login-auto - "USLG": - value: "CHANGE USERS LOGIN" - type: - - change - action: change-users-login - "USTC": - # https://docs.microsoft.com/en-us/troubleshoot/sql/security/transfer-logins-passwords-between-instances - value: "COPY PASSWORD" - type: - - info - action: password-copied - "VDST": - value: "VIEW DATABASE STATE" - type: - - info - action: view-database-state - "VSST": - value: "VIEW SERVER STATE" - type: - - info - action: view-server-state - "VWCT": - value: "VIEW CHANGETRACKING" - type: - - info - action: view-change-tracking - "VW": - value: "VIEW" - 
type: - - info - action: view - "XA": - # see EXTERNAL_ACCESS - # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/assemblies/creating-an-assembly - value: "EXTERNAL ACCESS ASSEMBLY" - type: - - access - category: - - network - - registry - action: external-access-assembly - "XU": - # see UNSAFE - # https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/assemblies/creating-an-assembly - value: "UNSAFE ASSEMBLY" - type: - - access - action: unsafe-assembly - source: |- - def actionIdKey = ctx.sqlserver.audit.action_id; - def actions = params.get('actions'); - def classTypes = params.get('classtypes'); - // handle class type - // overwrite the abbreviated key with its value - def ct = classTypes.get(ctx.sqlserver.audit.class_type); - if (ct != null) { - ctx.sqlserver.audit.class_type = ct; - } - // error case - for unhandled action ids - def actionData = actions.get(actionIdKey); - if (actionData == null) { - ctx.event.action = 'unknown-' + actionIdKey.toLowerCase(); - ctx.event.type = ['info']; - return; - } - // overwrite the action id with its actual value - ctx.sqlserver.audit.action_id = actionData.get('value'); - // event.type - def actionType = actionData.get('type'); - if (actionType != null) { - ctx.event.type = new ArrayList(actionType); - } - // event.category - def actionCategory = actionData.get('category'); - if (actionCategory != null) { - for (def c : actionCategory) { - ctx.event.category.add(c); - } - } - // event.action - def action = actionData.get('action'); - if (action != null) { - ctx.event.action = action; - } -- convert: - field: sqlserver.audit.sequence_number - type: integer - ignore_missing: true -- convert: - field: sqlserver.audit.succeeded - type: boolean - ignore_missing: true -- convert: - field: sqlserver.audit.affected_rows - type: long - ignore_missing: true -- convert: - field: sqlserver.audit.response_rows - type: long - ignore_missing: true -- convert: - field: 
sqlserver.audit.is_column_permission - type: boolean - ignore_missing: true -- script: - lang: painless - description: Convert ms to ns and set it to event.duration - source: |- - def v = ctx?.sqlserver?.audit?.duration_milliseconds; - if (v != null) { - ctx.event.duration = Long.parseLong(v) * 1000000; - } -- rename: - field: winlog.process - target_field: process - ignore_missing: true -## -# Set user.name, user.domain and user.id values from -# SPN -## -- dissect: - description: Extract user domain and name - pattern: "%{_temp.domain}\\%{_temp.username}" - field: sqlserver.audit.server_principal_name - if: 'ctx?.sqlserver?.audit?.server_principal_name != null && ctx?.sqlserver?.audit?.server_principal_name.contains("\\")' - ignore_missing: true -- set: - description: Set username as is if domain is not present - field: user.name - copy_from: sqlserver.audit.server_principal_name - if: 'ctx?.sqlserver?.audit?.server_principal_name != null && !ctx?.sqlserver?.audit?.server_principal_name.contains("\\")' -- set: - description: Set username if it was extracted from Domain\User format - field: user.name - copy_from: _temp.username - if: "ctx?._temp?.username != null" -- set: - description: Set domain if it was extracted from Domain\User format - field: user.domain - copy_from: _temp.domain - if: "ctx?._temp?.domain != null" -- set: - field: user.id - copy_from: sqlserver.audit.server_principal_sid -- set: - field: user.target.name - copy_from: sqlserver.audit.target_server_principal_name -- set: - field: user.target.id - copy_from: sqlserver.audit.target_server_principal_sid - -- convert: - field: winlog.record_id - type: string - ignore_missing: true -## -# Clean up -## -- remove: - field: - - _temp - - winlog.event_data.param1 - - sqlserver.audit.event_time - - sqlserver.audit.additional_information - - sqlserver.audit.duration_milliseconds - - sqlserver.audit.server_principal_name - - sqlserver.audit.server_principal_sid - - 
sqlserver.audit.target_server_principal_name - - sqlserver.audit.target_server_principal_sid - ignore_missing: true -- script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. - source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/microsoft_sqlserver/1.0.0/data_stream/audit/fields/base-fields.yml b/packages/microsoft_sqlserver/1.0.0/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index 7c798f4534..0000000000 --- a/packages/microsoft_sqlserver/1.0.0/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/microsoft_sqlserver/1.0.0/data_stream/audit/fields/ecs.yml b/packages/microsoft_sqlserver/1.0.0/data_stream/audit/fields/ecs.yml deleted file mode 100755 index 523f9134da..0000000000 --- a/packages/microsoft_sqlserver/1.0.0/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,205 +0,0 @@ -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: destination.user.domain - type: keyword -- description: Unique identifier of the user. - name: destination.user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: destination.user.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Identification code for this event, if one exists. - Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - name: event.code - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - Source of the event. - Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). - name: event.provider - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: Directory where the file is located. It should include the drive letter, when appropriate. - name: file.directory - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: file.extension - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - Name of the host. - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - name: host.name - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - Array of process arguments, starting with the absolute path to the executable. 
- May be filtered to protect sensitive information. - name: process.args - type: keyword -- description: |- - Length of the process.args array. - This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. - name: process.args_count - type: long -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: |- - Process title. - The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. - multi_fields: - - name: text - type: match_only_text - name: process.title - type: keyword -- description: Thread ID. - name: process.thread.id - type: long -- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword diff --git a/packages/microsoft_sqlserver/1.0.0/data_stream/audit/fields/fields.yml b/packages/microsoft_sqlserver/1.0.0/data_stream/audit/fields/fields.yml deleted file mode 100755 index 7985824ba4..0000000000 --- a/packages/microsoft_sqlserver/1.0.0/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,139 +0,0 @@ -- name: sqlserver - type: group - description: All fields specific to SQL Server events - fields: - - name: audit - type: group - description: All fields specific to SQL Server audit events. - fields: - - name: audit_schema_version - type: keyword - description: Audit event schema version. - - name: event_time - type: date - description: Date/time when the auditable action is fired. - - name: sequence_number - type: integer - description: > - Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits. - - - name: action_id - type: keyword - description: ID of the action - - name: succeeded - type: boolean - description: > - Indicates whether or not the permission check of the action triggering the audit event succeeded or failed. - - - name: permission_bitmask - type: keyword - description: > - When applicable shows the permissions that were granted, denied or revoked. - - - name: is_column_permission - type: boolean - description: Flag indicating a column level permission - - name: session_id - type: integer - description: ID of the session on which the event occurred. - - name: server_principal_id - type: keyword - description: ID of the login context that the action is performed in. - - name: database_principal_id - type: keyword - description: ID of the database user context that the action is performed in. - - name: object_id - type: keyword - description: > - "The primary ID of the entity on which the audit occurred. This ID can be one of server objects, databases, database objects or schema objects." - - - name: target_server_principal_id - type: keyword - description: Server principal that the auditable action applies to. - - name: target_database_principal_id - type: keyword - description: Database principal that the auditable action applies to. - - name: class_type - type: keyword - description: Type of auditable entity that the audit occurs on. 
- - name: session_server_principal_name - type: keyword - description: Server principal for the session. - - name: server_principal_name - type: keyword - description: Current login. - - name: server_principal_sid - type: keyword - description: Current login SID. - - name: database_principal_name - type: keyword - description: Current user. - - name: target_server_principal_name - type: keyword - description: Target login of the action. - - name: target_server_principal_sid - type: keyword - description: SID of the target login. - - name: target_database_principal_name - type: keyword - description: Target user of the action. - - name: server_instance_name - type: keyword - description: > - "Name of the server instance where the audit occurred. Uses the standard machine\\instance format." - - - name: database_name - type: keyword - description: The database context in which the action occurred. - - name: schema_name - type: keyword - description: The schema context in which the action occurred. - - name: object_name - type: keyword - description: > - "The name of the entity on which the audit occurred. This can be server objects, databases, database objects, schema objects or TSQL statement (if any)." - - - name: statement - type: text - description: "TSQL statement (if any)" - - name: additional_information - type: text - description: Any additional information about the event stored as XML. - - name: affected_rows - type: long - description: Number of rows affected by the operation. - - name: application_name - type: keyword - description: Name of the application that caused the audit event. - - name: client_ip - type: keyword - description: > - "Name or IP address of the machine running the application that caused the audit event." - - - name: connection_id - type: keyword - description: Connection ID (unique UUID for the connection) - - name: data_sensitivity_information - type: keyword - description: Sensitivity information about the operation. 
- - name: duration_milliseconds - type: long - description: Duration of the operation in milliseconds. - - name: host_name - type: keyword - description: SQL Server host name. - - name: response_rows - type: long - description: Number of rows returned. - - name: sequence_group_id - type: keyword - description: Sequence group ID (unique UUID). - - name: transaction_id - type: keyword - description: Transaction ID - - name: user_defined_event_id - type: integer - description: User defined event ID. - - name: user_defined_information - type: text - description: User defined information diff --git a/packages/microsoft_sqlserver/1.0.0/data_stream/audit/fields/winlog.yml b/packages/microsoft_sqlserver/1.0.0/data_stream/audit/fields/winlog.yml deleted file mode 100755 index 075d40345d..0000000000 --- a/packages/microsoft_sqlserver/1.0.0/data_stream/audit/fields/winlog.yml +++ /dev/null 
@@ -1,155 +0,0 @@ -- name: winlog - type: group - description: > - All fields specific to the Windows Event Log are defined here. - - fields: - - name: api - required: true - type: keyword - description: > - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. - - The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. - - - name: activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. - - - name: computer_name - type: keyword - required: true - description: > - The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. - - - name: event_data - type: object - object_type: keyword - required: false - description: > - The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. - - - name: event_data - type: group - description: > - This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. 
- - fields: - - name: param1 - type: keyword - - name: param2 - type: keyword - - name: param3 - type: keyword - - name: param4 - type: keyword - - name: param5 - type: keyword - - name: param6 - type: keyword - - name: param7 - type: keyword - - name: param8 - type: keyword - - name: event_id - type: keyword - required: true - description: > - The event identifier. The value is specific to the source of the event. - - - name: keywords - type: keyword - required: false - description: > - The keywords are used to classify an event. - - - name: channel - type: keyword - required: true - description: > - The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. - - - name: record_id - type: keyword - required: true - description: > - The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. - - - name: related_activity_id - type: keyword - required: false - description: > - A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. - - - name: opcode - type: keyword - required: false - description: > - The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. - - - name: provider_guid - type: keyword - required: false - description: > - A globally unique identifier that identifies the provider that logged the event. - - - name: process.pid - type: long - required: false - description: > - The process_id of the Client Server Runtime Process. 
- - - name: provider_name - type: keyword - required: true - description: > - The source of the event log record (the application or service that logged the record). - - - name: task - type: keyword - required: false - description: > - The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. - - - name: process.thread.id - type: long - required: false - - name: user_data - type: object - object_type: keyword - required: false - description: > - The event specific data. This field is mutually exclusive with `event_data`. - - - name: user.identifier - type: keyword - required: false - example: S-1-5-21-3541430928-2051711210-1391384369-1001 - description: > - The Windows security identifier (SID) of the account associated with this event. - - If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. - - - name: user.name - type: keyword - description: > - Name of the user associated with this event. - - - name: user.domain - type: keyword - required: false - description: > - The domain that the account associated with this event is a member of. - - - name: user.type - type: keyword - required: false - description: > - The type of account associated with this event. - - - name: version - type: long - required: false - description: The version number of the event's definition. diff --git a/packages/microsoft_sqlserver/1.0.0/data_stream/audit/manifest.yml b/packages/microsoft_sqlserver/1.0.0/data_stream/audit/manifest.yml deleted file mode 100755 index da4c3838e1..0000000000 --- a/packages/microsoft_sqlserver/1.0.0/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -title: "SQL Server audit events" -type: logs -streams: - - input: winlog - title: SQL Server audit events from Windows event logs - description: Collect SQL Server audit events from the Windows event logs - template_path: winlog.yml.hbs - vars: - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: >- - Preserves a raw copy of the original XML event, added to the field `event.original` - type: bool - multi: false - default: false - - name: event_id - type: text - title: Event ID - multi: false - required: false - show_user: false - description: >- - Defaults to 33205. Change the default only if SQL Server uses another documented event ID for audits. Setting a value other than an SQL Server audit event ID will cause the package to malfunction. A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 33205), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs. - default: 33205 - - name: channel - description: Channel name where audit events are configured to be sent. - type: text - title: Channel - multi: false - required: true - default: Security - show_user: true - - name: ignore_older - type: text - title: Ignore events older than - default: 72h - required: false - show_user: false - description: >- - If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - - name: language - type: text - title: Language ID - description: >- - The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. 
It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US - required: false - show_user: false - default: 0 - - name: tags - type: text - title: Tags - multi: true - show_user: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n" diff --git a/packages/microsoft_sqlserver/1.0.0/docs/README.md b/packages/microsoft_sqlserver/1.0.0/docs/README.md deleted file mode 100755 index ccc8b0d7b4..0000000000 --- a/packages/microsoft_sqlserver/1.0.0/docs/README.md +++ /dev/null 
@@ -1,156 +0,0 @@ -# Microsoft SQL Server Integration - -The Microsoft SQL Server integration package allows you to search, observe and visualize the SQL Server audit events through Elasticsearch. -Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. -SQL Server audit lets you create server audits, which can contain server audit specifications for server level events, and database audit specifications for database level events. -See: [SQL Server Audit page](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine?view=sql-server-ver15) for more information on SQL Server auditing. - -## Compatibility - -The package collects audit events from the event log. Other log sources such as file are not supported. - -## Configuration - -There are several levels of auditing for SQL Server, depending on government or standards requirements for your installation. The SQL Server Audit feature enables you to audit server-level and database-level groups of events and individual events. - -See: [SQL Server Audit Action Groups and Actions](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions?view=sql-server-ver15) for more information on the different audit levels. - -See: [Instructions on how to enable auditing for SQL Server](https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/create-a-server-audit-and-server-audit-specification?view=sql-server-ver15). - ->Note: For the integration package to be able to read and send audit events the event target must be configured to be Windows event log. - -### Audit Events - -Enable to collect SQL Server audit events from the specified windows event log channel. - -## Logs - -### Audit - -The SQL Server audit dataset provides events from the configured Windows event log channel. 
All SQL Server audit specific fields are available in the `sqlserver.audit` field group. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. 
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | -| event.sequence | Sequence number of the event. 
The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | -| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | -| process.args_count | Length of the process.args array. 
This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | -| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | -| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | -| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| process.thread.id | Thread ID. | long | -| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | -| process.title.text | Multi-field of `process.title`. | match_only_text | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. 
Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| sqlserver.audit.action_id | ID of the action | keyword | -| sqlserver.audit.additional_information | Any additional information about the event stored as XML. | text | -| sqlserver.audit.affected_rows | Number of rows affected by the operation. | long | -| sqlserver.audit.application_name | Name of the application that caused the audit event. | keyword | -| sqlserver.audit.audit_schema_version | Audit event schema version. | keyword | -| sqlserver.audit.class_type | Type of auditable entity that the audit occurs on. | keyword | -| sqlserver.audit.client_ip | "Name or IP address of the machine running the application that caused the audit event." | keyword | -| sqlserver.audit.connection_id | Connection ID (unique UUID for the connection) | keyword | -| sqlserver.audit.data_sensitivity_information | Sensitivity information about the operation. | keyword | -| sqlserver.audit.database_name | The database context in which the action occurred. | keyword | -| sqlserver.audit.database_principal_id | ID of the database user context that the action is performed in. | keyword | -| sqlserver.audit.database_principal_name | Current user. | keyword | -| sqlserver.audit.duration_milliseconds | Duration of the operation in milliseconds. | long | -| sqlserver.audit.event_time | Date/time when the auditable action is fired. | date | -| sqlserver.audit.host_name | SQL Server host name. | keyword | -| sqlserver.audit.is_column_permission | Flag indicating a column level permission | boolean | -| sqlserver.audit.object_id | "The primary ID of the entity on which the audit occurred. This ID can be one of server objects, databases, database objects or schema objects." 
| keyword | -| sqlserver.audit.object_name | "The name of the entity on which the audit occurred. This can be server objects, databases, database objects, schema objects or TSQL statement (if any)." | keyword | -| sqlserver.audit.permission_bitmask | When applicable shows the permissions that were granted, denied or revoked. | keyword | -| sqlserver.audit.response_rows | Number of rows returned. | long | -| sqlserver.audit.schema_name | The schema context in which the action occurred. | keyword | -| sqlserver.audit.sequence_group_id | Sequence group ID (unique UUID). | keyword | -| sqlserver.audit.sequence_number | Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits. | integer | -| sqlserver.audit.server_instance_name | "Name of the server instance where the audit occurred. Uses the standard machine\\instance format." | keyword | -| sqlserver.audit.server_principal_id | ID of the login context that the action is performed in. | keyword | -| sqlserver.audit.server_principal_name | Current login. | keyword | -| sqlserver.audit.server_principal_sid | Current login SID. | keyword | -| sqlserver.audit.session_id | ID of the session on which the event occurred. | integer | -| sqlserver.audit.session_server_principal_name | Server principal for the session. | keyword | -| sqlserver.audit.statement | TSQL statement (if any) | text | -| sqlserver.audit.succeeded | Indicates whether or not the permission check of the action triggering the audit event succeeded or failed. | boolean | -| sqlserver.audit.target_database_principal_id | Database principal that the auditable action applies to. | keyword | -| sqlserver.audit.target_database_principal_name | Target user of the action. | keyword | -| sqlserver.audit.target_server_principal_id | Server principal that the auditable action applies to. | keyword | -| sqlserver.audit.target_server_principal_name | Target login of the action. 
| keyword | -| sqlserver.audit.target_server_principal_sid | SID of the target login. | keyword | -| sqlserver.audit.transaction_id | Transaction ID | keyword | -| sqlserver.audit.user_defined_event_id | User defined event ID. | integer | -| sqlserver.audit.user_defined_information | User defined information | text | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | -| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | -| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | -| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | -| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | -| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. 
If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. | object | -| winlog.event_data.param1 | | keyword | -| winlog.event_data.param2 | | keyword | -| winlog.event_data.param3 | | keyword | -| winlog.event_data.param4 | | keyword | -| winlog.event_data.param5 | | keyword | -| winlog.event_data.param6 | | keyword | -| winlog.event_data.param7 | | keyword | -| winlog.event_data.param8 | | keyword | -| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | -| winlog.keywords | The keywords are used to classify an event. | keyword | -| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | -| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | -| winlog.process.thread.id | | long | -| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | -| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | -| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | -| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | -| winlog.task | The task defined in the event. 
Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword | -| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | -| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | -| winlog.user.name | Name of the user associated with this event. | keyword | -| winlog.user.type | The type of account associated with this event. | keyword | -| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | -| winlog.version | The version number of the event's definition. | long | - diff --git a/packages/microsoft_sqlserver/1.0.0/img/microsoft-sql-server-logo.svg b/packages/microsoft_sqlserver/1.0.0/img/microsoft-sql-server-logo.svg deleted file mode 100755 index 30758ba323..0000000000 --- a/packages/microsoft_sqlserver/1.0.0/img/microsoft-sql-server-logo.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/microsoft_sqlserver/1.0.0/img/sqlserver-dashboard.png b/packages/microsoft_sqlserver/1.0.0/img/sqlserver-dashboard.png deleted file mode 100755 index 8929f7c2a9..0000000000 Binary files a/packages/microsoft_sqlserver/1.0.0/img/sqlserver-dashboard.png and /dev/null differ diff --git a/packages/microsoft_sqlserver/1.0.0/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json b/packages/microsoft_sqlserver/1.0.0/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json deleted file mode 100755 index 3ab14432ae..0000000000 
--- a/packages/microsoft_sqlserver/1.0.0/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json +++ /dev/null 
@@ -1,167 +0,0 @@ -{ - "attributes": { - "description": "Microsoft SQL Server Audit Events", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b51d3b6d-d5e8-4631-b11c-81dcb81734a8\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b51d3b6d-d5e8-4631-b11c-81dcb81734a8\":{\"columnOrder\":[\"70000b7b-124a-439e-8ef2-6a8dad15c166\",\"a6937f39-2999-4be2-8371-619b5bf2fb67\"],\"columns\":{\"70000b7b-124a-439e-8ef2-6a8dad15c166\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a6937f39-2999-4be2-8371-619b5bf2fb67\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.action\"},\"a6937f39-2999-4be2-8371-619b5bf2fb67\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"70000b7b-124a-439e-8ef2-6a8dad15c166\"],\"layerId\":\"b51d3b6d-d5e8-4631-b11c-81dcb81734a8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a6937f39-2999-4be2-8371-619b5bf2fb67\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false,\"timeRange\":{\"from\":\"now-2d\",\"to\":\"now\"}},\"gridData\":{\"h\":13,\"i\":\"842e1cfc-7341-462d-8949-eef99e130666\",\"w\":18,\"x\":0,\"y\":0},\"panelIndex\":\"842e1cfc-7341-462d-8949-eef99e130666\",\"title\":\"Microsoft SQL Server Event 
Types\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\":{\"columnOrder\":[\"4652b8d0-971a-4472-bf0a-e19c6834092d\",\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"columns\":{\"4652b8d0-971a-4472-bf0a-e19c6834092d\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"5f9fa38a-bd5b-498b-ac78-d698c436773e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Number of 
events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"layerId\":\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"4652b8d0-971a-4472-bf0a-e19c6834092d\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"d2bbfd00-6448-4207-9aef-b5bfcb8f978b\",\"w\":17,\"x\":18,\"y\":0},\"panelIndex\":\"d2bbfd00-6448-4207-9aef-b5bfcb8f978b\",\"title\":\"Rate of 
events\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\":{\"columnOrder\":[\"4652b8d0-971a-4472-bf0a-e19c6834092d\",\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"columns\":{\"4652b8d0-971a-4472-bf0a-e19c6834092d\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"5f9fa38a-bd5b-498b-ac78-d698c436773e\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"event.action: \\\"login-failed\\\" \"},\"isBucketed\":false,\"label\":\"Failed 
Logins\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"5f9fa38a-bd5b-498b-ac78-d698c436773e\"],\"layerId\":\"7af1e8e7-5f23-4195-b8e1-94f90b0a840a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"4652b8d0-971a-4472-bf0a-e19c6834092d\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e0dde78f-31ea-478a-b2d2-7bde0fd3eedb\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"e0dde78f-31ea-478a-b2d2-7bde0fd3eedb\",\"title\":\"Rate of Failed 
Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\":{\"columnOrder\":[\"041831df-5315-4457-98a4-2be03a47fc31\",\"25cc5b1c-7d6b-4ccb-b55f-c3556cb981e3\"],\"columns\":{\"041831df-5315-4457-98a4-2be03a47fc31\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"5m\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"25cc5b1c-7d6b-4ccb-b55f-c3556cb981e3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Principal Changes\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sqlserver.audit.class_type\",\"negate\":false,\"params\":[\"SQL LOGIN\",\"SQL USER\",\"WINDOWS 
LOGIN\",\"LOGIN\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SQL LOGIN\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SQL USER\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"WINDOWS LOGIN\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"LOGIN\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"sqlserver.audit.action_id\",\"negate\":false,\"params\":[\"ALTER\",\"CREATE\",\"DROP\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.action_id\":\"ALTER\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"CREATE\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"DROP\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"25cc5b1c-7d6b-4ccb-b55f-c3556cb981e3\"],\"layerId\":\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"layerType\":\"data\",\"seriesType\":\"line\",\"xAccessor\":\"041831df-5315-4457-98a4-2be03a47fc31\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"9df96bf5-959d-470c-afaa-f85cd3921d41\",\"w\":13,\"x\":0,\"y\":13},\"panelIndex\":\"9df96bf5-959d-470c-afaa-f85cd3921d41\",\"title\":\"Database Principal 
Changes\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\":{\"columnOrder\":[\"5341d8d4-e599-467c-b891-544b3a47ed4f\",\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"],\"columns\":{\"3216384d-1cdc-43dc-83a0-b0215a64fd12\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Role Member Changes\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"5341d8d4-e599-467c-b891-544b3a47ed4f\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sqlserver.audit.class_type\",\"negate\":false,\"params\":[\"ROLE\",\"SERVER 
ROLE\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.class_type\":\"ROLE\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SERVER ROLE\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"sqlserver.audit.action_id\",\"negate\":false,\"params\":[\"ALTER\",\"DATABASE_ROLE_MEMBER_CHANGE_GROUP\",\"SERVER_ROLE_MEMBER_CHANGE_GROUP\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.action_id\":\"ALTER\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"DATABASE_ROLE_MEMBER_CHANGE_GROUP\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"SERVER_ROLE_MEMBER_CHANGE_GROUP\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"],\"layerId\":\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"5341d8d4-e599-467c-b891-544b3a47ed4f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"c95238d4-553e-424f-9880-7377837f0ba2\",\"w\":13,\"x\":13,\"y\":13},\"panelIndex\":\"c95238d4-553e-424f-9880-7377837f0ba2\",\"title\":\"Role Member 
Changes\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\":{\"columnOrder\":[\"5341d8d4-e599-467c-b891-544b3a47ed4f\",\"3216384d-1cdc-43dc-83a0-b0215a64fd12\",\"3216384d-1cdc-43dc-83a0-b0215a64fd12X0\"],\"columns\":{\"3216384d-1cdc-43dc-83a0-b0215a64fd12\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"count()\",\"operationType\":\"formula\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}},\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"3216384d-1cdc-43dc-83a0-b0215a64fd12X0\"],\"scale\":\"ratio\"},\"3216384d-1cdc-43dc-83a0-b0215a64fd12X0\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Part of 
count()\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"5341d8d4-e599-467c-b891-544b3a47ed4f\":{\"customLabel\":true,\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"Timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"15m\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sqlserver.audit.class_type\",\"negate\":false,\"params\":[\"DATABASE AUDIT SPECIFICATION\",\"SERVER AUDIT SPECIFICATION\",\"AUDIT\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.class_type\":\"DATABASE AUDIT SPECIFICATION\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"SERVER AUDIT 
SPECIFICATION\"}},{\"match_phrase\":{\"sqlserver.audit.class_type\":\"AUDIT\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-2\",\"key\":\"sqlserver.audit.action_id\",\"negate\":false,\"params\":[\"ALTER\",\"CREATE\",\"DROP\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"sqlserver.audit.action_id\":\"ALTER\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"CREATE\"}},{\"match_phrase\":{\"sqlserver.audit.action_id\":\"DROP\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":-90,\"yRight\":0},\"layers\":[{\"accessors\":[\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"],\"layerId\":\"43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd\",\"layerType\":\"data\",\"seriesType\":\"line\",\"xAccessor\":\"5341d8d4-e599-467c-b891-544b3a47ed4f\",\"yConfig\":[{\"axisMode\":\"auto\",\"forAccessor\":\"3216384d-1cdc-43dc-83a0-b0215a64fd12\"}]}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Number of Audit Changes\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"c48ea73e-2a8d-41bf-831c-275c516ee481\",\"w\":13,\"x\":26,\"y\":13},\"panelIndex\":\"c48ea73e-2a8d-41bf-831c-275c516ee481\",\"title\":\"Audit 
Changes\",\"type\":\"lens\",\"version\":\"7.15.1\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-03553b27-f941-4b4b-bcb6-8e1943c154f3\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"03553b27-f941-4b4b-bcb6-8e1943c154f3\":{\"columnOrder\":[\"d4a0fc9f-f361-4113-b529-f55dd6faab93\"],\"columns\":{\"d4a0fc9f-f361-4113-b529-f55dd6faab93\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Failed Logins\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"login-failed\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"login-failed\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"d4a0fc9f-f361-4113-b529-f55dd6faab93\",\"layerId\":\"03553b27-f941-4b4b-bcb6-8e1943c154f3\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"c68c4401-b3a5-486a-8e66-da4bad6b035d\",\"w\":9,\"x\":39,\"y\":13},\"panelIndex\":\"c
68c4401-b3a5-486a-8e66-da4bad6b035d\",\"title\":\"Number of Failed Logins\",\"type\":\"lens\",\"version\":\"7.15.1\"}]", - "timeRestore": false, - "title": "[Logs Microsoft SQL Server Audit Events] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.15.1", - "id": "microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb", - "migrationVersion": { - "dashboard": "7.15.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "842e1cfc-7341-462d-8949-eef99e130666:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "842e1cfc-7341-462d-8949-eef99e130666:indexpattern-datasource-layer-b51d3b6d-d5e8-4631-b11c-81dcb81734a8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "842e1cfc-7341-462d-8949-eef99e130666:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:indexpattern-datasource-layer-7af1e8e7-5f23-4195-b8e1-94f90b0a840a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:indexpattern-datasource-current-indexpattern", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9df96bf5-959d-470c-afaa-f85cd3921d41:filter-index-pattern-2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c95238d4-553e-424f-9880-7377837f0ba2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c95238d4-553e-424f-9880-7377837f0ba2:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c95238d4-553e-424f-9880-7377837f0ba2:filter-index-pattern-2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:indexpattern-datasource-layer-43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c48ea73e-2a8d-41bf-831c-275c516ee481:filter-index-pattern-2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"c68c4401-b3a5-486a-8e66-da4bad6b035d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:indexpattern-datasource-layer-03553b27-f941-4b4b-bcb6-8e1943c154f3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c68c4401-b3a5-486a-8e66-da4bad6b035d:filter-index-pattern-1", - "type": "index-pattern" - } - ], - "type": "dashboard" -}
\ No newline at end of file
diff --git a/packages/microsoft_sqlserver/1.0.0/manifest.yml b/packages/microsoft_sqlserver/1.0.0/manifest.yml
deleted file mode 100755
index 5dc0f404ca..0000000000
--- a/packages/microsoft_sqlserver/1.0.0/manifest.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-format_version: 1.0.0
-name: microsoft_sqlserver
-title: "Microsoft SQL Server"
-version: 1.0.0
-license: basic
-description: Collect audit events from Microsoft SQL Server with Elastic Agent.
-type: integration
-categories:
- - datastore
- - security
-release: ga
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-screenshots:
- - src: /img/sqlserver-dashboard.png
- title: Microsoft SQL Server Dashboard
- size: 600x600
- type: image/png
-icons:
- - src: /img/microsoft-sql-server-logo.svg
- title: Microsof SQL Server
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: audit_logs
- title: SQL Server audit logs
- description: Collect audit logs from Windows event logs
- inputs:
- - type: winlog
- title: Collect audit events from Windows event logs
- description: Collecting audit events from Windows event logs
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/modsecurity/1.0.0/changelog.yml b/packages/modsecurity/1.0.0/changelog.yml
deleted file mode 100755
index 1873cac579..0000000000
--- a/packages/modsecurity/1.0.0/changelog.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-# newer versions go on top
-- version: "1.0.0"
- changes:
- - description: Make GA
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3428
-- version: "0.1.5"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.1.4"
- changes:
- - description: Change ownership to correct owner and update versions to support 8.x
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2846
-- version: "0.1.3"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "0.1.2"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "0.1.1"
- changes:
- - description: Fix logic that checks for the 'forwarded' tag
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1830
-- version: "0.1.0"
- changes:
- - description: Initial draft of the package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1603
diff --git a/packages/modsecurity/1.0.0/data_stream/auditlog/agent/stream/stream.yml.hbs b/packages/modsecurity/1.0.0/data_stream/auditlog/agent/stream/stream.yml.hbs
deleted file mode 100755
index 334aa4dc32..0000000000
--- a/packages/modsecurity/1.0.0/data_stream/auditlog/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,23 +0,0 @@
-paths:
-{{#each paths}}
-- {{this}}
-{{/each}}
-tags:
-{{#if preserve_original_event}}
-- preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
-- {{tag}}
-{{/each}}
-fields_under_root: true
-fields:
- tz_offset: {{tz_offset}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-exclude_files: [".gz$"]
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- add_locale: ~
diff --git a/packages/modsecurity/1.0.0/data_stream/auditlog/elasticsearch/ingest_pipeline/default.yml b/packages/modsecurity/1.0.0/data_stream/auditlog/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index fe85cabc28..0000000000
--- a/packages/modsecurity/1.0.0/data_stream/auditlog/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,145 +0,0 @@ ---- -description: Pipeline for modsecurity audit log. - -processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - - set: - field: ecs.version - value: '1.12.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true -# parse date - - set: - field: _temps.date - if: ctx?.tz_offset != null - value: '{{json.transaction.time_stamp}}{{tz_offset}}' - - set: - field: _temps.date - if: ctx?.tz_offset == null - value: '{{json.transaction.time_stamp}}{{event.timezone }}' - - date: - field: _temps.date - formats: - - E MMM d HH:mm:ss yyyyZ - - E MMM d HH:mm:ss yyyyXXX -# rename ecs - - rename: - field: json.transaction.client_ip - target_field: source.ip - ignore_missing: true - - rename: - field: json.transaction.client_port - target_field: source.port - ignore_missing: true - - rename: - field: json.transaction.request.method - target_field: http.request.method - ignore_missing: true - - convert: - field: json.transaction.request.http_version - target_field: http.version - type: string - ignore_missing: true - - set: - field: _temps.url - if: ctx.json.transaction.host_port == 443 - value: "https://{{{json.transaction.request.headers.Host}}}:{{json.transaction.host_port}}{{{json.transaction.request.uri}}}" - - set: - field: _temps.url - if: ctx.json.transaction.host_port == 80 - value: "http://{{{json.transaction.request.headers.Host}}}:{{json.transaction.host_port}}{{{json.transaction.request.uri}}}" - - uri_parts: - field: _temps.url - ignore_failure: true - keep_original: true - remove_if_successful: true - - rename: - field: json.transaction.response.http_code - target_field: http.response.status_code - ignore_missing: true - - rename: - field: json.transaction.response.headers.Content-Type - target_field: http.response.mime_type - ignore_missing: true - - rename: - field: json.transaction.response.Content-Length - 
target_field: http.response.bytes - ignore_missing: true - - foreach: - field: json.transaction.messages - ignore_missing: true - processor: - rename: - field: _ingest._value.message - target_field: message - - foreach: - field: json.transaction.messages - ignore_missing: true - processor: - rename: - field: _ingest._value.details.match - target_field: modsec.audit.detail - - foreach: - field: json.transaction.messages - ignore_missing: true - processor: - rename: - field: _ingest._value.details.ruleId - target_field: rule.id -# user agent and geoip enrich - - user_agent: - field: json.transaction.request.headers.User-Agent - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - set: - field: event.kind - value: event - - append: - field: event.category - value: web - - append: - field: event.type - value: access - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - remove: - field: - - json - - _temps - - tz_offset - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/modsecurity/1.0.0/data_stream/auditlog/fields/agent.yml b/packages/modsecurity/1.0.0/data_stream/auditlog/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/modsecurity/1.0.0/data_stream/auditlog/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/modsecurity/1.0.0/data_stream/auditlog/fields/base-fields.yml b/packages/modsecurity/1.0.0/data_stream/auditlog/fields/base-fields.yml
deleted file mode 100755
index 041609421b..0000000000
--- a/packages/modsecurity/1.0.0/data_stream/auditlog/fields/base-fields.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: 'message'
- type: text
- description: human-readable summary of the event
-- name: event.module
- type: constant_keyword
- description: Event module
- value: modsecurity
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: modsecurity.auditlog
diff --git a/packages/modsecurity/1.0.0/data_stream/auditlog/fields/ecs.yml b/packages/modsecurity/1.0.0/data_stream/auditlog/fields/ecs.yml
deleted file mode 100755
index b78ed163f8..0000000000
--- a/packages/modsecurity/1.0.0/data_stream/auditlog/fields/ecs.yml
+++ /dev/null
@@ -1,176 +0,0 @@ -- description: Destination domain. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Host ip addresses. - name: host.ip - type: ip -- description: |- - HTTP request method. - Prior to ECS 1.6.0 the following guidance was provided: - "The field value must be normalized to lowercase for querying." - As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: |- - Mime type of the body of the response. - This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. - name: http.response.mime_type - type: keyword -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. - If the event wasn't read from a log file, do not populate this field. 
- name: log.file.path - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
- name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. 
- name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword diff --git a/packages/modsecurity/1.0.0/data_stream/auditlog/fields/fields.yml b/packages/modsecurity/1.0.0/data_stream/auditlog/fields/fields.yml deleted file mode 100755 index 1ad1b17fe0..0000000000 --- a/packages/modsecurity/1.0.0/data_stream/auditlog/fields/fields.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: modsec.audit - type: group - fields: - - name: detail - type: keyword - description: Details message of the audit event. diff --git a/packages/modsecurity/1.0.0/data_stream/auditlog/manifest.yml b/packages/modsecurity/1.0.0/data_stream/auditlog/manifest.yml deleted file mode 100755 index 9d76d46436..0000000000 --- a/packages/modsecurity/1.0.0/data_stream/auditlog/manifest.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -title: Modsecurity Audit Log -type: logs -release: experimental -streams: - - input: logfile - template_path: stream.yml.hbs - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/modsec-audit* - - name: tz_offset - type: text - title: Timezone offset (+HH:mm format) - multi: false - required: false - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - modsec-audit - - name: preserve_original_event - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - required: true - show_user: true - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - title: Modsecurity Audit Log - description: Collect modsecurity audit logs diff --git a/packages/modsecurity/1.0.0/data_stream/auditlog/sample_event.json b/packages/modsecurity/1.0.0/data_stream/auditlog/sample_event.json deleted file mode 100755 index ae90192f65..0000000000 --- a/packages/modsecurity/1.0.0/data_stream/auditlog/sample_event.json +++ /dev/null 
@@ -1,118 +0,0 @@ -{ - "@timestamp": "2021-05-14T14:38:37.000Z", - "agent": { - "ephemeral_id": "061dfa96-ca94-49ac-91b6-bdf673019894", - "hostname": "docker-fleet-agent", - "id": "825f840d-2cf2-4972-91e6-99c4735ef994", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.0" - }, - "data_stream": { - "dataset": "modsecurity.auditlog", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "1.12.0" - }, - "elastic_agent": { - "id": "825f840d-2cf2-4972-91e6-99c4735ef994", - "snapshot": true, - "version": "7.16.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "web" - ], - "dataset": "modsecurity.auditlog", - "ingested": "2021-09-17T03:51:35Z", - "kind": "event", - "timezone": "+00:00", - "type": [ - "access" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "id": "7018a7d8148499f0598830dd37987dc4", - "ip": [ - "172.18.0.7" - ], - "mac": [ - "02:42:ac:12:00:07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-34-generic", - "name": "CentOS Linux", - "platform": "centos", - "type": "linux", - "version": "7 (Core)" - } - }, - "http": { - "request": { - "method": "PUT" - }, - "response": { - "mime_type": "application/json; charset=utf-8", - "status_code": 400 - }, - "version": "1.1" - }, - "input": { - "type": "log" - }, - "log": { - "file": { - "path": "/tmp/service_logs/modsec-audit.log" - }, - "offset": 0 - }, - "source": { - "as": { - "number": 9009, - "organization": { - "name": "M247 Ltd" - } - }, - "geo": { - "city_name": "Montreal", - "continent_name": "North America", - "country_iso_code": "CA", - "country_name": "Canada", - "location": { - "lat": 45.4994, - "lon": -73.5703 - }, - "region_iso_code": "CA-QC", - "region_name": "Quebec" - }, - "ip": "37.120.205.2", - "port": 56047 - }, - "tags": [ - "modsec-audit" - ], - "url": { - "domain": "www.owayride.com", - "original": 
"https://www.owayride.com:443/orders/2734183/finish", - "path": "/orders/2734183/finish", - "port": 443, - "scheme": "https" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "okhttp", - "original": "okhttp/2.7.5", - "version": "2.7.5" - } -} \ No newline at end of file diff --git a/packages/modsecurity/1.0.0/docs/README.md b/packages/modsecurity/1.0.0/docs/README.md deleted file mode 100755 index 5aa8fba3a4..0000000000 --- a/packages/modsecurity/1.0.0/docs/README.md +++ /dev/null 
@@ -1,111 +0,0 @@ -# Modsecuriy Integration - -This integration periodically fetches audit logs from [Modsecurity](https://github.com/SpiderLabs/ModSecurity/) servers. It can parse audit logs created by the HTTP server. - -## Compatibility - -The logs were tested with Modsecurity v3 with nginx connector.Change the default modsecurity logging format to json as per configuration - -``` -SecAuditLogType Serial -SecAuditLog /var/log/modsec_audit.json -SecAuditLogFormat JSON -``` - -### Audit Log - -The `Audit Log` dataset collects Modsecurity Audit logs. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.domain | Destination domain. 
| keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.mime_type | Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. | keyword | -| http.response.status_code | HTTP response status code. | long | -| http.version | HTTP version. | keyword | -| input.type | Input type | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | -| log.offset | Log offset | long | -| message | human-readable summary of the event | text | -| modsec.audit.detail | Details message of the audit event. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. 
| keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - 
diff --git a/packages/modsecurity/1.0.0/img/modsec.svg b/packages/modsecurity/1.0.0/img/modsec.svg
deleted file mode 100755
index 3001b7e70c..0000000000
--- a/packages/modsecurity/1.0.0/img/modsec.svg
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/packages/modsecurity/1.0.0/manifest.yml b/packages/modsecurity/1.0.0/manifest.yml
deleted file mode 100755
index efe0c50898..0000000000
--- a/packages/modsecurity/1.0.0/manifest.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-format_version: 1.0.0
-name: modsecurity
-title: "ModSecurity Audit"
-version: 1.0.0
-license: basic
-description: "ModSecurity Audit Log Integration"
-type: integration
-categories:
- - security
- - web
-release: ga
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/modsec.svg
- title: ModSecurity
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: modsec
- title: ModSecurity audit logs
- description: Collect modsecurity audit logs
- inputs:
- - type: logfile
- title: Collect logs from modsecurity instances
- description: Collecting modsecurity audit logs
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/netskope/1.0.0/changelog.yml b/packages/netskope/1.0.0/changelog.yml
deleted file mode 100755
index ea7a8ffeee..0000000000
--- a/packages/netskope/1.0.0/changelog.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-# newer versions go on top -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.1.2" - changes: - - description: Fix boolean conversion logic to accept "true", "false", "yes", and "no" as strings. Correct the type of `is_alert` and `is_web_universal_connector` to boolean. - type: bugfix - link: https://github.com/elastic/integrations/pull/3110 -- version: "0.1.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.1.0" - changes: - - description: Initial draft of the package - type: enhancement - link: https://github.com/elastic/integrations/pull/2638
diff --git a/packages/netskope/1.0.0/data_stream/alerts/agent/stream/tcp.yml.hbs b/packages/netskope/1.0.0/data_stream/alerts/agent/stream/tcp.yml.hbs deleted file mode 100755
index bc587e50a3..0000000000
--- a/packages/netskope/1.0.0/data_stream/alerts/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,18 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}}
diff --git a/packages/netskope/1.0.0/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/netskope/1.0.0/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755
index b9e9af61d8..0000000000
--- a/packages/netskope/1.0.0/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,296 +0,0 @@ ---- -description: Pipeline for Netskope alerts -processors: - - set: - field: ecs.version - value: '8.0.0' - - json: - field: message - add_to_root: true - add_to_root_conflict_strategy: replace - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: netskope.alerts.policy.actions - ignore_failure: true - - append: - field: related.ip - value: "{{{destination.ip}}}" - if: ctx?.destination?.ip != null - ignore_failure: true - - append: - field: related.ip - value: "{{{netskope.alerts.user.ip}}}" - if: ctx?.netskope?.alerts?.user?.ip != null - ignore_failure: true - - append: - field: related.ip - value: "{{{source.ip}}}" - if: ctx?.source?.ip != null - ignore_failure: true - - append: - field: related.hosts - value: "{{{destination.domain}}}" - if: ctx?.destination?.domain != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hosts - value: "{{{destination.domain}}}" - if: ctx?.netskope?.alerts?.domain != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hosts - value: "{{{host.hostname}}}" - if: ctx?.host?.hostname != null - allow_duplicates: false - ignore_failure: true - - user_agent: - field: user_agent.original - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: netskope.alerts.user.ip - target_field: netskope.alerts.user.geo - ignore_missing: true - - uri_parts: - field: netskope.alerts.url - target_field: netskope.alerts.url - keep_original: true - remove_if_successful: false - ignore_failure: true - - uri_parts: - field: netskope.alerts.web.url - target_field: netskope.alerts.web.url - keep_original: true - remove_if_successful: false - ignore_failure: true - - remove: - field: netskope.alerts.page.url - if: ctx?.netskope?.alerts?.page?.url == ' ' - - uri_parts: - field: 
netskope.alerts.page.url - target_field: netskope.alerts.page.url - keep_original: true - remove_if_successful: false - ignore_failure: true - - uri_parts: - field: netskope.alerts.login.url - target_field: netskope.alerts.login.url - keep_original: true - remove_if_successful: false - ignore_failure: true - - uri_parts: - field: netskope.alerts.referer - target_field: netskope.alerts.url - keep_original: true - remove_if_successful: false - ignore_failure: true - - set: - field: netskope.alerts.managed.app - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.managed?.app?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.managed.app - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.managed?.app?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_alert - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_alert?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_alert - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_alert?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_malicious - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_malicious?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_malicious - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_malicious?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.aggregated.user - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.aggregated?.user?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.aggregated.user - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.aggregated?.user?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.bypass.traffic - value: true - if: "['yes', 
'true'].contains(ctx?.netskope?.alerts?.bypass?.traffic?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.bypass.traffic - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.bypass?.traffic?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_user_generated - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_user_generated?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_user_generated - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_user_generated?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.dlp.is_unique_count - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.dlp?.is_unique_count?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.dlp.is_unique_count - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.dlp?.is_unique_count?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_file_passwd_protected - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_file_passwd_protected?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_file_passwd_protected - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_file_passwd_protected?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_web_universal_connector - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.is_web_universal_connector?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.is_web_universal_connector - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.is_web_universal_connector?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.acked - value: true - if: "['yes', 
'true'].contains(ctx?.netskope?.alerts?.acked?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.acked - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.acked?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.obfuscate - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.obfuscate?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.obfuscate - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.obfuscate?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.ml_detection - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.ml_detection?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.ml_detection - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.ml_detection?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.shared.is_shared - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.alerts?.shared?.is_shared?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.alerts.shared.is_shared - value: false - if: "['no', 'false'].contains(ctx?.netskope?.alerts?.shared?.is_shared?.toString()?.toLowerCase())" - ignore_failure: true - - lowercase: - ignore_failure: true - field: network.protocol - - script: - if: ctx?.file?.mime_type != null - lang: painless - source: >- - def parts = ctx.file.mime_type; - if (parts != null && parts.size() > 0) { - List l = new ArrayList(); - for (entry in parts.entrySet()) { - l.add(entry.getValue()); - } - List setList = new ArrayList(new HashSet(l)); - ctx.file.mime_type = setList; - } - - script: - if: ctx?.user?.email != null - lang: painless - source: >- - def parts = ctx.user.email; - if (parts != null && parts.size() > 0) { - List l = new ArrayList(); - for (entry in parts.entrySet()) { - l.add(entry.getValue()); - } 
- List setList = new ArrayList(new HashSet(l)); - ctx.user.email = setList; - } - - script: - if: ctx?.netskope?.alerts?.quarantine?.app != null - lang: painless - source: >- - def parts = ctx.netskope.alerts.quarantine.app; - if (parts != null && parts.size() > 0) { - List l = new ArrayList(); - for (entry in parts.entrySet()) { - l.add(entry.getValue()); - } - List setList = new ArrayList(new HashSet(l)); - ctx.netskope.alerts.quarantine.app = setList; - } - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "" || object == "null") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{{ _ingest.on_failure_message }}}"
diff --git a/packages/netskope/1.0.0/data_stream/alerts/fields/agent.yml b/packages/netskope/1.0.0/data_stream/alerts/fields/agent.yml deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/netskope/1.0.0/data_stream/alerts/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset
diff --git a/packages/netskope/1.0.0/data_stream/alerts/fields/base-fields.yml b/packages/netskope/1.0.0/data_stream/alerts/fields/base-fields.yml deleted file mode 100755
index df7e82b799..0000000000
--- a/packages/netskope/1.0.0/data_stream/alerts/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: netskope -- name: event.dataset - type: constant_keyword - description: Event dataset - value: netskope.alerts
diff --git a/packages/netskope/1.0.0/data_stream/alerts/fields/ecs.yml b/packages/netskope/1.0.0/data_stream/alerts/fields/ecs.yml deleted file mode 100755
index e5cddd8524..0000000000
--- a/packages/netskope/1.0.0/data_stream/alerts/fields/ecs.yml
+++ /dev/null
@@ -1,213 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: Port of the client. - name: client.port - type: long -- description: |- - The cloud account or organization id used to identify different entities in a multi-tenant environment. - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - name: cloud.account.id - type: keyword -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: |- - The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. - Examples: app engine, app service, cloud run, fargate, lambda. - name: cloud.service.name - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. 
- name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - Postal code associated with the location. - Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - name: destination.geo.postal_code - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: The time zone of the location, such as IANA time zone name. - name: destination.geo.timezone - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: MD5 hash. - name: file.hash.md5 - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - name: file.mime_type - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. 
- multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: host.os.name - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - Postal code associated with the location. 
- Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - name: source.geo.postal_code - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: The time zone of the location, such as IANA time zone name. - name: source.geo.timezone - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: MD5 hash. - name: threat.indicator.file.hash.md5 - type: keyword -- description: SHA1 hash. - name: threat.indicator.file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the group. - name: user.group.name - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Array of user roles at the time of the event. - name: user.roles - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword 
diff --git a/packages/netskope/1.0.0/data_stream/alerts/fields/fields.yml b/packages/netskope/1.0.0/data_stream/alerts/fields/fields.yml deleted file mode 100755
index 33542d9154..0000000000
--- a/packages/netskope/1.0.0/data_stream/alerts/fields/fields.yml
+++ /dev/null
@@ -1,1856 +0,0 @@ -- name: netskope.alerts - type: group - fields: - - name: access_method - type: keyword - description: | - Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. For log uploads this shows the actual log type such as PAN, Websense, etc. - - name: account - type: group - fields: - - name: id - type: keyword - description: | - Account ID (usually is account number as provided by the cloud provider). - - name: name - type: keyword - description: | - Account name - in case of AWS this is the instance name set by user. For others, account name is provided by cloud provider. - - name: acked - type: boolean - description: | - Whether user acknowledged the alert or not. - - name: acting - type: group - fields: - - name: role - type: keyword - description: | - N/A - - name: action - type: keyword - description: | - Action taken on the event for the policy. - - name: activities - type: array - description: | - N/A - - name: activity - type: group - fields: - - name: name - type: keyword - description: | - Description of the user performed activity. - - name: status - type: keyword - description: | - Displayed when the user is denied access while performing some activity. - - name: type - type: keyword - description: | - Displayed when only admins can perform the activity in question. 
- - name: agg - type: group - fields: - - name: window - type: long - description: | - N/A - - name: aggregated - type: group - fields: - - name: user - type: boolean - description: | - N/A - - name: alert - type: group - fields: - - name: affected.entities - type: keyword - description: | - N/A - - name: category - type: keyword - description: | - N/A - - name: description - type: keyword - description: | - N/A - - name: detection.stage - type: keyword - description: | - N/A - - name: id - type: keyword - description: | - Hash of alert generated from code. - - name: name - type: keyword - description: | - Name of the alert. - - name: notes - type: keyword - description: | - N/A - - name: query - type: keyword - description: | - N/A - - name: score - type: long - description: | - N/A - - name: source - type: keyword - description: | - N/A - - name: status - type: keyword - description: | - N/A - - name: type - type: keyword - description: | - Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. - - name: window - type: long - description: | - N/A - - name: algorithm - type: keyword - description: | - N/A - - name: anomaly - type: group - fields: - - name: efficacy - type: keyword - description: | - Full anomaly details for debugging. - - name: fields - type: keyword - description: | - Name(s) and values(s) of the anomalous fields, usually there's going to be only one in the list. - - name: id - type: keyword - description: | - N/A - - name: magnitude - type: double - description: | - N/A - - name: type - type: keyword - description: | - Type of UBA alert. - - name: app - type: group - fields: - - name: suite - type: keyword - description: | - N/A - - name: app_name - type: keyword - description: | - N/A - - name: name - type: keyword - description: | - Specific cloud application used by the user (e.g. app = Dropbox). 
- - name: activity - type: keyword - description: | - N/A - - name: category - type: keyword - description: | - N/A - - name: region - type: keyword - description: | - N/A - - name: session.id - type: keyword - description: | - Unique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. - - name: asn - type: long - description: | - N/A - - name: asset - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: object.id - type: keyword - description: | - N/A - - name: attachment - type: keyword - description: | - File name. - - name: audit - type: group - fields: - - name: category - type: keyword - description: | - The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. - - name: type - type: keyword - description: | - The sub category in audit according to SaaS / IaaS apps. - - name: bin - type: group - fields: - - name: timestamp - type: long - description: | - Applicable to only: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/Download/Delete) and Failed Login Anomaly type. Bin TimeStamp (is a window used that is used for certain types of anomalies - for breaking into several windows per day/hour). - - name: breach - type: group - fields: - - name: description - type: keyword - description: | - N/A - - name: date - type: double - description: | - Breach date for compromised credentials. - - name: id - type: keyword - description: | - Breach ID for compromised credentials. - - name: media_references - type: keyword - description: | - Media references of breach. - - name: score - type: long - description: | - Breach score for compromised credentials. 
- - name: target_references - type: keyword - description: | - Breach target references for compromised credentials. - - name: browser - type: group - fields: - - name: session.id - type: keyword - description: | - Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. - - name: bucket - type: keyword - description: | - N/A - - name: bypass - type: group - fields: - - name: traffic - type: boolean - description: | - Tells if traffic is bypassed by Netskope. - - name: category - type: group - fields: - - name: name - type: keyword - description: | - N/A - - name: id - type: keyword - description: | - Matching category ID according to policy. Populated for both cloud and web traffic. - - name: cci - type: keyword - description: | - N/A - - name: ccl - type: keyword - description: | - Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. - - name: channel - type: keyword - description: | - Channel of the user for slack and slack enterprise apps. - - name: cloud - type: group - fields: - - name: provider - type: keyword - description: | - N/A - - name: compliance - type: group - fields: - - name: standards - type: keyword - description: | - N/A - - name: compute - type: group - fields: - - name: instance - type: keyword - description: | - N/A - - name: connection - type: group - fields: - - name: duration - type: long - description: | - Duration of the connection in milliseconds. Useful for querying long-lived sessions. - - name: endtime - type: long - description: | - Connection end time. - - name: id - type: keyword - description: | - Each connection has a unique ID. Shows the ID for the connection event. 
- - name: starttime - type: long - description: | - Connection start time. - - name: created_at - type: keyword - description: | - N/A - - name: count - type: long - description: | - Number of raw log lines/events sessionized or suppressed during the suppressed interval. - - name: data - type: group - fields: - - name: type - type: keyword - description: | - Content type of upload/download. - - name: version - type: long - description: | - N/A - - name: description - type: keyword - description: | - N/A - - name: destination - type: group - fields: - - name: geoip_src - type: long - description: | - Source from where the location of Destination IP was derived. - - name: detected-file-type - type: keyword - description: | - N/A - - name: detection - type: group - fields: - - name: engine - type: keyword - description: | - Customer exposed detection engine name. - - name: type - type: keyword - description: | - Same as malware type. Duplicate. - - name: device - type: group - fields: - - name: classification - type: keyword - description: | - Designation of device as determined by the Netskope Client as to whether the device is managed or not. - - name: name - type: keyword - description: | - Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. - - name: dlp - type: group - fields: - - name: file - type: keyword - description: | - File/Object name extracted from the file/object. - - name: fingerprint.classification - type: keyword - description: | - Fingerprint classification. - - name: fingerprint.match - type: keyword - description: | - Fingerprint classification match file name. - - name: fingerprint.score - type: long - description: | - Fingerprint classification score. - - name: fv - type: long - description: | - N/A - - name: incident.id - type: keyword - description: | - Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. 
- - name: is_unique_count - type: boolean - description: | - True or false depending upon if rule is unique counted per rule data. - - name: mail.parent.id - type: keyword - description: | - N/A - - name: parent.id - type: keyword - description: | - Incident ID associated with main container (or non-container) file that was scanned. - - name: profile - type: keyword - description: | - DLP profile name. - - name: rule.count - type: long - description: | - Count of rule hits. - - name: rule.score - type: long - description: | - DLP rule score for weighted dictionaries. - - name: rule.severity - type: keyword - description: | - Severity of rule. - - name: unique_count - type: long - description: | - Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted. - - name: rule.name - type: keyword - description: | - DLP rule that triggered. - - name: doc - type: group - fields: - - name: count - type: long - description: | - N/A - - name: domain - type: keyword - description: | - Domain value. This will hold the host header value or SNI or extracted from absolute URI. - - name: domain_shared_with - type: keyword - description: | - N/A - - name: download - type: group - fields: - - name: app - type: keyword - description: | - Applicable to only data exfiltration. Download App (App in the download event). - - name: drive - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: dynamic - type: group - fields: - - name: classification - type: keyword - description: | - URLs were categorized by NSURLC machine or not. - - name: elastic_key - type: keyword - description: | - N/A - - name: email - type: group - fields: - - name: source - type: keyword - description: | - N/A - - name: encrypt - type: group - fields: - - name: failure - type: keyword - description: | - Reason of failure while encrypting. 
- - name: encryption - type: group - fields: - - name: service.key - type: keyword - description: | - N/A - - name: enterprise - type: group - fields: - - name: id - type: keyword - description: | - EnterpriseID in case of Slack for Enterprise. - - name: name - type: keyword - description: | - Enterprise name in case of Slack for Enterprise. - - name: entity - type: group - fields: - - name: list - type: array - description: | - N/A - - name: type - type: keyword - description: | - N/A - - name: value - type: keyword - description: | - N/A - - name: event_source_channel - type: keyword - description: | - N/A - - name: event - type: group - fields: - - name: detail - type: keyword - description: | - N/A - - name: id - type: keyword - description: | - N/A - - name: type - type: keyword - description: | - Anomaly type. - - name: exposure - type: keyword - description: | - Exposure of a document. - - name: external - type: group - fields: - - name: collaborator.count - type: long - description: | - Count of external collaborators on a file/folder. Supported for some apps. - - name: email - type: long - description: | - N/A - - name: feature - type: group - fields: - - name: description - type: keyword - description: | - N/A - - name: id - type: keyword - description: | - N/A - - name: name - type: keyword - description: | - N/A - - name: file - type: group - fields: - - name: name - type: keyword - description: | - N/A - - name: id - type: keyword - description: | - Unique identifier of the file. - - name: lang - type: keyword - description: | - Language of the file. - - name: password.protected - type: keyword - description: | - N/A - - name: path.orignal - type: keyword - description: | - If the file is moved, then keep original path of the file in this field. - - name: size - type: long - description: | - Size of the file in bytes. - - name: type - type: keyword - description: | - File type. 
- - name: flow_status - type: keyword - description: | - N/A - - name: from - type: group - fields: - - name: logs - type: keyword - description: | - Shows if the event was generated from the Risk Insights log. - - name: object - type: keyword - description: | - Initial name of an object that has been renamed, copied or moved. - - name: storage - type: keyword - description: | - N/A - - name: user_category - type: keyword - description: | - Type of from_user. - - name: gateway - type: keyword - description: | - N/A - - name: graph - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: http_status - type: keyword - description: | - N/A - - name: http_transaction_count - type: long - description: | - HTTP transaction count. - - name: iaas - type: group - fields: - - name: asset.tags - type: keyword - description: | - List of tags associated with the asset for which alert is raised. Each tag is a key/value pair. - - name: remediated - type: keyword - description: | - N/A - - name: iam - type: group - fields: - - name: session - type: keyword - description: | - N/A - - name: id - type: keyword - description: | - N/A - - name: insertion_epoch_timestamp - type: long - description: | - Insertion timestamp. - - name: instance_name - type: keyword - description: | - Instance associated with an organization application instance. - - name: instance - type: group - fields: - - name: id - type: keyword - description: | - Unique ID associated with an organization application instance. - - name: name - type: keyword - description: | - Instance name associated with an organization application instance. - - name: type - type: keyword - description: | - Instance type. - - name: internal - type: group - fields: - - name: collaborator.count - type: long - description: | - Count of internal collaborators on a file/folder. Supported for some apps. 
- - name: ip - type: group - fields: - - name: protocol - type: keyword - description: | - N/A - - name: ipblock - type: keyword - description: | - IPblock that caused the alert. - - name: is_alert - type: boolean - description: | - Indicates whether alert is generated or not. Populated as yes for all alerts. - - name: is_file_passwd_protected - type: boolean - description: | - Tells if the file is password protected. - - name: is_malicious - type: boolean - description: | - Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. - - name: is_two_factor_auth - type: keyword - description: | - N/A - - name: is_universal_connector - type: keyword - description: | - N/A - - name: is_user_generated - type: boolean - description: | - Tells whether it is user generated page event. - - name: is_web_universal_connector - type: boolean - description: | - N/A - - name: isp - type: keyword - description: | - N/A - - name: item - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: justification - type: group - fields: - - name: reason - type: keyword - description: | - Justification reason provided by user. For following policies, justification events are raised. User is displayed a notification popup, user enters justification and can select to proceed or block: useralert policy, dlp block policy, block policy with custom template which contains justification text box. - - name: type - type: keyword - description: | - Type of justification provided by user when user bypasses the policy block. - - name: last - type: group - fields: - - name: app - type: keyword - description: | - Last application (app in the first/older event). Applies to only proximity anomaly alert. - - name: coordinates - type: keyword - description: | - Last location coordinates(latitude, longitude). Applies to only proximity alert. - - name: country - type: keyword - description: | - Last location (Country). 
Applies to only proximity anomaly alert. - - name: device - type: keyword - description: | - Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert. - - name: location - type: keyword - description: | - Last location (City). Applies to only proximity anomaly alert. - - name: modified_timestamp - type: long - description: | - Timestamp when alert is acknowledged. - - name: region - type: keyword - description: | - Applies to only proximity anomaly alert. - - name: timestamp - type: long - description: | - Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert. - - name: latency - type: group - fields: - - name: max - type: long - description: | - Max latency for a connection in milliseconds. - - name: min - type: long - description: | - Min latency for a connection in milliseconds. - - name: total - type: long - description: | - Total latency from proxy to app in milliseconds. - - name: legal_hold - type: group - fields: - - name: custodian_name - type: keyword - description: | - Custodian name of legal hold profile. - - name: destination.app - type: keyword - description: | - Destination appname of legalhold action. - - name: destination.instance - type: keyword - description: | - Destination instance of legal hold action. - - name: file.id - type: keyword - description: | - File ID of legal hold file. - - name: file.name - type: keyword - description: | - File name of legal hold file. - - name: file.name_original - type: keyword - description: | - Original filename of legal hold file. - - name: file.path - type: keyword - description: | - File path of legal hold file. - - name: profile_name - type: keyword - description: | - Legal hold profile name. - - name: shared - type: keyword - description: | - Shared type of legal hold file. - - name: shared_with - type: keyword - description: | - User shared with the legal hold file. 
- - name: version - type: keyword - description: | - File version of original file. - - name: list - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: local - type: group - fields: - - name: md5 - type: keyword - description: | - md5 hash of file generated by Malware engine. - - name: sha1 - type: keyword - description: | - sha1 hash of file generated by Malware engine. - - name: sha256 - type: keyword - description: | - sha256 hash of file generated by Malware engine. - - name: log - type: group - fields: - - name: file.name - type: keyword - description: | - Log file name for Risk Insights. - - name: login - type: group - fields: - - name: type - type: keyword - description: | - Salesforce login type. - - name: url - type: flattened - description: | - Salesforce login URL. - - name: malsite - type: group - fields: - - name: active - type: long - description: | - Since how many days malsite is Active. - - name: as.number - type: keyword - description: | - Malsite ASN Number. - - name: category - type: keyword - description: | - Category of malsite [ Phishing / Botnet / Malicous URL, etc. ]. - - name: city - type: keyword - description: | - Malsite city. - - name: confidence - type: long - description: | - Malsite confidence score. - - name: consecutive - type: long - description: | - How many times that malsite is seen. - - name: country - type: keyword - description: | - Malsite country. - - name: dns.server - type: keyword - description: | - DNS server of the malsite URL/Domain/IP. - - name: first_seen - type: long - description: | - Malsite first seen timestamp. - - name: hostility - type: long - description: | - Malsite hostility score. - - name: id - type: keyword - description: | - Malicious Site ID - Hash of threat match value. - - name: ip_host - type: keyword - description: | - Malsite IP. - - name: isp - type: keyword - description: | - Malsite ISP info. 
- - name: last.seen - type: long - description: | - Malsite last seen timestamp. - - name: latitude - type: double - description: | - Latitude plot of the Malsite URL/IP/Domain. - - name: longitude - type: double - description: | - Longitude plot of the Malsite URL/IP/Domain. - - name: region - type: keyword - description: | - Region of the malsite URL/IP/Domain. - - name: reputation - type: double - description: | - Reputation score of Malsite IP/Domain/URL. - - name: malware - type: group - fields: - - name: id - type: keyword - description: | - md5 hash of the malware name as provided by the scan engine. - - name: name - type: keyword - description: | - Netskope detection name. - - name: profile - type: keyword - description: | - tss_profile: profile which user has selected. Data comes from WebUI. Its a json structure. - - name: severity - type: keyword - description: | - Malware severity. - - name: type - type: keyword - description: | - Malware Type. - - name: managed - type: group - fields: - - name: app - type: boolean - description: | - Whether or not the app in question is managed. - - name: management - type: group - fields: - - name: id - type: keyword - description: | - Management ID. - - name: matched - type: group - fields: - - name: username - type: keyword - description: | - N/A - - name: matrix - type: group - fields: - - name: columns - type: keyword - description: | - N/A - - name: rows - type: keyword - description: | - N/A - - name: md5 - type: keyword - description: | - md5 of the file. - - name: md5_list - type: keyword - description: | - List of md5 hashes specific to the files that are part of custom sequence policy alert. - - name: mime - type: group - fields: - - name: type - type: keyword - description: | - MIME type of the file. 
- - name: ml_detection - type: boolean - description: | - N/A - - name: modified - type: group - fields: - - name: timestamp - type: long - description: | - Timestamp corresponding to the modification time of the entity (file, etc.). - - name: date - type: long - description: | - N/A - - name: netskope_pop - type: keyword - description: | - N/A - - name: network - type: group - fields: - - name: name - type: keyword - description: | - N/A - - name: security.group - type: array - description: | - N/A - - name: new - type: group - fields: - - name: value - type: keyword - description: | - New value for a given file for salesforce.com. - - name: nonzero - type: group - fields: - - name: entries - type: long - description: | - N/A - - name: percentage - type: double - description: | - N/A - - name: notify - type: group - fields: - - name: template - type: keyword - description: | - N/A - - name: ns_activity - type: keyword - description: | - Maps app activity to Netskope standard activity. - - name: ns_device_uid - type: keyword - description: | - Device identifiers on macOS and Windows. - - name: numbytes - type: long - description: | - Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. - - name: obfuscate - type: boolean - description: | - N/A - - name: object - type: group - fields: - - name: count - type: long - description: | - Displayed when the activity is Delete. Shows the number of objects being deleted. - - name: id - type: keyword - description: | - Unique ID associated with an object. - - name: name - type: keyword - description: | - Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. - - name: type - type: keyword - description: | - Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. 
- - name: old - type: group - fields: - - name: value - type: keyword - description: | - Old value for a given file for salesforce.com. - - name: org - type: keyword - description: | - Search for events from a specific organization. Organization name is derived from the user ID. - - name: organization - type: group - fields: - - name: unit - type: keyword - description: | - Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. - - name: orig_ty - type: keyword - description: | - Event Type of original event. - - name: original - type: group - fields: - - name: file_path - type: keyword - description: | - If the file is moved, then keep original path of the file in this field. - - name: os_version_hostname - type: keyword - description: | - Host and OS Version that caused the alert. Concatenation of 2 fields (hostname and os). - - name: other - type: group - fields: - - name: categories - type: keyword - description: | - N/A - - name: owner - type: keyword - description: | - Owner of the file. - - name: page - type: group - fields: - - name: url - type: flattened - description: | - The URL of the originating page. - - name: site - type: keyword - description: | - N/A - - name: parameters - type: keyword - description: | - N/A - - name: parent - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: path - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: policy - type: group - fields: - - name: actions - type: keyword - description: | - N/A - - name: id - type: keyword - description: | - The Netskope internal ID for the policy created by an admin. - - name: name - type: keyword - description: | - Predefined or Custom policy name. 
- - name: pretty - type: group - fields: - - name: sourcetype - type: keyword - description: | - N/A - - name: processing - type: group - fields: - - name: time - type: long - description: | - N/A - - name: profile - type: group - fields: - - name: emails - type: keyword - description: | - List of profile emails per policy. - - name: id - type: keyword - description: | - Anomaly profile ID. - - name: quarantine - type: group - fields: - - name: action.reason - type: keyword - description: | - Reason for the action taken for quarantine. - - name: admin - type: keyword - description: | - Quarantine profile custodian email/name. - - name: app - type: keyword - description: | - Quarantine app name. - - name: failure - type: keyword - description: | - Reason of failure. - - name: file.id - type: keyword - description: | - File ID of the quarantined file. - - name: file.name - type: keyword - description: | - File name of the quarantine file. - - name: instance - type: keyword - description: | - Quarantine instance name. - - name: original.file.name - type: keyword - description: | - Original file name which got quarantined. - - name: original.file.path - type: keyword - description: | - Original file path which got quarantined. - - name: original.shared - type: keyword - description: | - Original file shared user details. - - name: original.version - type: keyword - description: | - Original version of file which got quarantined. - - name: profile - type: group - fields: - - name: name - type: keyword - description: | - Quarantine profile name of policy for quarantine action. - - name: id - type: keyword - description: | - Quarantine profile ID. - - name: shared.with - type: keyword - description: | - N/A - - name: referer - type: keyword - description: | - Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic. 
- - name: region - type: group - fields: - - name: id - type: keyword - description: | - Region ID (as provided by the cloud provider). - - name: name - type: keyword - description: | - N/A - - name: reladb - type: keyword - description: | - N/A - - name: repo - type: keyword - description: | - N/A - - name: request - type: group - fields: - - name: cnt - type: long - description: | - Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. - - name: id - type: keyword - description: | - Unique request ID for the event. - - name: resource - type: group - fields: - - name: category - type: keyword - description: | - Category of resource as defined in DOM. - - name: group - type: keyword - description: | - N/A - - name: resources - type: keyword - description: | - N/A - - name: response - type: group - fields: - - name: cnt - type: long - description: | - Total number of HTTP responses (equal to number of transaction events for this page event) from server to client. - - name: content.length - type: long - description: | - N/A - - name: content.type - type: keyword - description: | - N/A - - name: retro - type: group - fields: - - name: scan.name - type: keyword - description: | - Retro scan name. - - name: risk_level - type: group - fields: - - name: id - type: keyword - description: | - This field is set by both role-based access (RBA) and MLAD. - - name: tag - type: keyword - description: | - Corresponding field to risk_level_id. Name. - - name: role - type: keyword - description: | - Roles for Box. - - name: rule - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: sa - type: group - fields: - - name: rule.id - type: keyword - description: | - CSA rule ID. - - name: rule.name - type: keyword - description: | - CSA rule name. - - name: profile.id - type: keyword - description: | - CSA profile ID. 
- - name: profile.name - type: keyword - description: | - CSA profile name. - - name: rule.remediation - type: keyword - description: | - N/A - - name: rule.severity - type: keyword - description: | - Rule severity. - - name: scan - type: group - fields: - - name: time - type: long - description: | - Time when the scan is done. - - name: type - type: keyword - description: | - Generated during retroactive scan or new ongoing activity. - - name: scopes - type: keyword - description: | - List of permissions for google apps. - - name: serial - type: keyword - description: | - N/A - - name: server - type: group - fields: - - name: bytes - type: long - description: | - Total number of downloaded from server to client. - - name: session - type: group - fields: - - name: id - type: keyword - description: | - Populated by Risk Insights. - - name: severity - type: group - fields: - - name: level - type: keyword - description: | - Severity used by watchlist and malware alerts. - - name: id - type: keyword - description: | - Severity ID used by watchlist and malware alerts. - - name: malsite - type: group - fields: - - name: severity.level - type: keyword - description: | - Severity level of the Malsite ( High / Med / Low). - - name: severity - type: group - fields: - - name: level_id - type: long - description: | - If the Severity Level ID is 1, it means that URL / IP /Domain is detected from Internal threat feed and if Severity Level ID is 2, then it means the detection happened based on the Zvelo DB Malsite Category. - - name: sfwder - type: keyword - description: | - N/A - - name: shared_type - type: keyword - description: | - N/A - - name: shared - type: group - fields: - - name: credential.user - type: keyword - description: | - Applicable to only shared credentials. User with whom the credentials are shared with. - - name: domains - type: keyword - description: | - List of domains of users the document is shared with. 
- - name: is_shared - type: boolean - description: | - If the file is shared or not. - - name: type - type: keyword - description: | - Shared Type. - - name: with - type: keyword - description: | - Array of emails with whom a document is shared with. - - name: site - type: keyword - description: | - For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com". - - name: source - type: group - fields: - - name: geoip_src - type: long - description: | - Source from where the location of Source IP was derived. - - name: srcip2 - type: keyword - description: | - N/A - - name: ssl - type: group - fields: - - name: decrypt.policy - type: keyword - description: | - Applicable to only bypass events. There are 2 ways to create rules for bypass: - Bypass due to Exception Configuration - Bypass due to SSL Decrypt Policy - The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event. - - name: start_time - type: long - description: | - Start time for alert time period. - - name: statistics - type: long - description: | - This field & summary field go together. This field will either tell count or size of files. File size is in bytes. - - name: storage_service_bucket - type: keyword - description: | - N/A - - name: sub - type: group - fields: - - name: type - type: keyword - description: | - Workplace by Facebook post sub category (files, comments, status etc). - - name: summary - type: keyword - description: | - Tells whether anomaly was measured from count or size of files. 
- - name: suppression - type: group - fields: - - name: end.time - type: long - description: | - When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. - - name: key - type: keyword - description: | - To limit the number of events. Example: Suppress block event for browse. - - name: start.time - type: long - description: | - When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. - - name: target - type: group - fields: - - name: entity.key - type: keyword - description: | - N/A - - name: entity.type - type: keyword - description: | - N/A - - name: entity.value - type: keyword - description: | - N/A - - name: team - type: keyword - description: | - Slack team name. - - name: telemetry - type: group - fields: - - name: app - type: keyword - description: | - Typically SaaS app web sites use web analytics code within the pages to gather analytic data. When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the Telemetry App field. - - name: temp - type: group - fields: - - name: user - type: keyword - description: | - N/A - - name: tenant - type: group - fields: - - name: id - type: keyword - description: | - Tenant id. - - name: threat - type: group - fields: - - name: match.value - type: keyword - description: | - N/A - - name: match.field - type: keyword - description: | - Threat match field, either from domain or URL or IP. - - name: source.id - type: keyword - description: | - Threat source id: 1 - NetskopeThreatIntel, 2 - Zvelodb. 
- - name: threshold - type: group - fields: - - name: time - type: long - description: | - Applicable to: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. Threshold Time. - - name: value - type: long - description: | - Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. - - name: title - type: keyword - description: | - Title of the file. - - name: to - type: group - fields: - - name: object - type: keyword - description: | - Changed name of an object that has been renamed, copied, or moved. - - name: storage - type: keyword - description: | - N/A - - name: user - type: keyword - description: | - Used when a file is moved from user A to user B. Shows the email address of user B. - - name: user_category - type: keyword - description: | - Type of user to which move is done. - - name: total - type: group - fields: - - name: collaborator.count - type: long - description: | - Count of collaborators on a file/folder. Supported for some apps. - - name: traffic - type: group - fields: - - name: type - type: keyword - description: | - Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights. - - name: transaction - type: group - fields: - - name: id - type: keyword - description: | - Unique ID for a given request/response. - - name: transformation - type: keyword - description: | - N/A - - name: tss - type: group - fields: - - name: mode - type: keyword - description: | - Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection. - - name: version - type: long - description: | - N/A - - name: tunnel - type: group - fields: - - name: id - type: keyword - description: | - Shows the Client installation ID. 
Only available for the Client steering configuration. - - name: type - type: keyword - description: | - Type of the alert. - - name: updated - type: long - description: | - N/A - - name: url - type: flattened - description: | - URL of the application that the user visited as provided by the log or data plane traffic. - - name: Url2Activity - type: keyword - description: | - Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. - - name: user - type: group - fields: - - name: category - type: keyword - description: | - Type of user in an enterprise - external / internal. - - name: group - type: keyword - description: | - N/A - - name: ip - type: keyword - description: | - IP address of User. - - name: geo - type: group - fields: - - name: city_name - type: keyword - description: | - City name. - - name: continent_name - type: keyword - description: | - Name of the continent. - - name: country_iso_code - type: keyword - description: | - Country ISO code. - - name: country_name - type: keyword - description: | - Country name. - - name: location - type: geo_point - description: | - Longitude and latitude. - - name: region_iso_code - type: keyword - description: | - Region ISO code. - - name: region_name - type: keyword - description: | - Region name. - - name: value - type: double - description: | - N/A - - name: violating_user - type: group - fields: - - name: name - type: keyword - description: | - User who caused a violation. Populated for Workplace by Facebook. - - name: type - type: keyword - description: | - Category of the user who caused a violation. Populated for Workplace by Facebook. - - name: web - type: group - fields: - - name: url - type: flattened - description: | - File preview URL. - - name: workspace - type: group - fields: - - name: id - type: keyword - description: | - Workspace ID in case of Slack for Enterprise. 
- - name: name - type: keyword - description: | - Workspace name in case of Slack for Enterprise. - - name: zip - type: group - fields: - - name: password - type: keyword - description: | - Zip the malicious file and put pwd to it and send it back to caller. - - name: scanner_result - type: keyword - description: | - N/A - - name: slc_latitude - type: keyword - description: | - N/A - - name: slc_longitude - type: keyword - description: | - N/A - - name: source - type: group - fields: - - name: time - type: keyword - description: | - N/A - - name: uba_ap1 - type: keyword - description: | - N/A - - name: uba_ap2 - type: keyword - description: | - N/A - - name: uba_inst1 - type: keyword - description: | - N/A - - name: uba_inst2 - type: keyword - description: |- - N/A -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/netskope/1.0.0/data_stream/alerts/manifest.yml b/packages/netskope/1.0.0/data_stream/alerts/manifest.yml deleted file mode 100755 index 73acd6e99c..0000000000 --- a/packages/netskope/1.0.0/data_stream/alerts/manifest.yml +++ /dev/null 
@@ -1,41 +0,0 @@
-title: Alerts
-type: logs
-streams:
- - input: tcp
- template_path: tcp.yml.hbs
- title: Netskope Alerts
- description: Collect Netskope Alerts using tcp input
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9020
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - netskope-alerts
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/netskope/1.0.0/data_stream/alerts/sample_event.json b/packages/netskope/1.0.0/data_stream/alerts/sample_event.json
deleted file mode 100755
index e287ed230b..0000000000
--- a/packages/netskope/1.0.0/data_stream/alerts/sample_event.json
+++ /dev/null
@@ -1,182 +0,0 @@ -{ - "@timestamp": "2021-12-23T16:27:09.000Z", - "agent": { - "ephemeral_id": "f6ea30bb-70ab-4ae9-b338-b103657dd749", - "id": "52d90929-98ee-4480-9b14-fe07637d0bbe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.0" - }, - "data_stream": { - "dataset": "netskope.alerts", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.143", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.143" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "52d90929-98ee-4480-9b14-fe07637d0bbe", - "snapshot": true, - "version": "8.3.0" - }, - "event": { - "agent_id_status": "verified", - "id": "f621f259f5fbde850ad5593a", - "ingested": "2022-04-14T11:24:23Z", - "original": "{\"event\":{\"id\":\"f621f259f5fbde850ad5593a\"},\"netskope\":{\"alerts\":{\"insertion_epoch_timestamp\":1640277131,\"access_method\":\"API Connector\",\"acked\":\"false\",\"action\":\"block\",\"activity\":{\"name\":\"Login Successful\"},\"is_alert\":\"yes\",\"alert\":{\"name\":\"policy-alert\",\"type\":\"nspolicy\"},\"app\":{\"name\":\"SomeApp\",\"category\":\"Cloud Storage\"},\"category\":{\"name\":\"Cloud Storage\"},\"cci\":\"81\",\"ccl\":\"high\",\"count\":1,\"device\":{\"name\":\"Other\"},\"destination\":{\"geoip_src\":2},\"exposure\":\"organization_wide_link\",\"file\":{\"lang\":\"ENGLISH\"},\"instance\":{\"name\":\"example.com\",\"id\":\"example.com\"},\"modified\":{\"timestamp\":1613760236},\"object\":{\"name\":\"HjBuUvDLWgpudzQr\",\"id\":\"GxyjNjJxKg14W3Mb57aLY9_klcxToPEyqIoNAcF82rGg\",\"type\":\"File\"},\"organization\":{\"unit\":\"example.local\\\\\\\\/example\\\\\\\\/Active Users\"},\"other\":{\"categories\":\"null\"},\"owner\":\"foobar\",\"policy\":{\"name\":\"Some 
Policy\"},\"request\":{\"id\":\"9262245914980288500\"},\"scan\":{\"type\":\"Ongoing\"},\"shared\":{\"with\":\"none\"},\"site\":\"Example\",\"source\":{\"geoip_src\":2},\"suppression\":{\"key\":\"Tenant Migration across MPs\"},\"traffic\":{\"type\":\"CloudApp\"},\"type\":\"policy\",\"url\":\"http:\\\\\\\\/\\\\\\\\/www.example.com\\\\\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg\"}},\"user_agent\":{\"name\":\"unknown\",\"os\":{\"name\":\"unknown\"}},\"destination\":{\"geo\":{\"country_iso_code\":\"NL\",\"location\":{\"lat\":52.3759,\"lon\":4.8975},\"city_name\":\"Amsterdam\",\"region_name\":\"North Holland\",\"postal_code\":\"1012\"},\"address\":\"81.2.69.143\",\"ip\":\"81.2.69.143\"},\"file\":{\"path\":\"\\\\\\\\/My Drive\\\\\\\\/Clickhouse\\\\\\\\/Tenant Migration across MPs\",\"size\":196869,\"mime_type\":{\"1\":\"application\\\\\\\\/vnd.apps.document\",\"2\":\"application\\\\\\\\/vnd.apps.document\"},\"hash\":{\"md5\":\"4bb5d9501bf7685ecaed55e3eda9ca01\"}},\"source\":{\"geo\":{\"country_iso_code\":\"NL\",\"location\":{\"lat\":52.3759,\"lon\":4.8975},\"city_name\":\"Amsterdam\",\"region_name\":\"North Holland\",\"postal_code\":\"1012\"},\"address\":\"81.2.69.143\",\"ip\":\"81.2.69.143\"},\"@timestamp\":\"2021-12-23T16:27:09.000Z\",\"user\":{\"email\":{\"1\":\"test@example.com\",\"2\":\"test@example.com\",\"3\":\"test@example.com\"},\"group\":{\"name\":\"null\"}}}" - }, - "file": { - "hash": { - "md5": "4bb5d9501bf7685ecaed55e3eda9ca01" - }, - "mime_type": [ - "application\\\\/vnd.apps.document" - ], - "path": "\\\\/My Drive\\\\/Clickhouse\\\\/Tenant Migration across MPs", - "size": 196869 - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "192.168.224.1:57542" - } - }, - "netskope": { - "alerts": { - "access_method": "API Connector", - "acked": false, - "action": "block", - "activity": { - "name": "Login Successful" - }, - "alert": { - "name": "policy-alert", - "type": "nspolicy" - }, - "app": { - "category": "Cloud Storage", 
- "name": "SomeApp" - }, - "category": { - "name": "Cloud Storage" - }, - "cci": "81", - "ccl": "high", - "count": 1, - "destination": { - "geoip_src": 2 - }, - "device": { - "name": "Other" - }, - "exposure": "organization_wide_link", - "file": { - "lang": "ENGLISH" - }, - "insertion_epoch_timestamp": 1640277131, - "instance": { - "id": "example.com", - "name": "example.com" - }, - "is_alert": true, - "modified": { - "timestamp": 1613760236 - }, - "object": { - "id": "GxyjNjJxKg14W3Mb57aLY9_klcxToPEyqIoNAcF82rGg", - "name": "HjBuUvDLWgpudzQr", - "type": "File" - }, - "organization": { - "unit": "example.local\\\\/example\\\\/Active Users" - }, - "owner": "foobar", - "policy": { - "name": "Some Policy" - }, - "request": { - "id": "9262245914980288500" - }, - "scan": { - "type": "Ongoing" - }, - "shared": { - "with": "none" - }, - "site": "Example", - "source": { - "geoip_src": 2 - }, - "suppression": { - "key": "Tenant Migration across MPs" - }, - "traffic": { - "type": "CloudApp" - }, - "type": "policy", - "url": { - "extension": "com\\\\/open", - "original": "http:\\\\/\\\\/www.example.com\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg", - "path": "\\\\/\\\\/www.example.com\\\\/open", - "query": "id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg", - "scheme": "http" - } - } - }, - "related": { - "ip": [ - "81.2.69.143", - "81.2.69.143" - ] - }, - "source": { - "address": "81.2.69.143", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.143" - }, - "tags": [ - "forwarded", - "netskope-alerts" - ], - "user": { - "email": [ - "test@example.com" - ] - }, - "user_agent": { - "name": "unknown", - "os": { - "name": "unknown" - } - } -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/data_stream/events/agent/stream/tcp.yml.hbs b/packages/netskope/1.0.0/data_stream/events/agent/stream/tcp.yml.hbs
deleted file mode 100755
index bc587e50a3..0000000000
--- a/packages/netskope/1.0.0/data_stream/events/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,18 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/netskope/1.0.0/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/netskope/1.0.0/data_stream/events/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 989c462df9..0000000000
--- a/packages/netskope/1.0.0/data_stream/events/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,253 +0,0 @@ ---- -description: Pipeline for Netskope events -processors: - - set: - field: ecs.version - value: '8.0.0' - - json: - field: message - add_to_root: true - add_to_root_conflict_strategy: replace - - rename: - field: message - target_field: event.original - ignore_missing: true - - append: - field: related.ip - value: "{{{destination.ip}}}" - if: ctx?.destination?.ip != null - ignore_failure: true - - append: - field: related.ip - value: "{{{netskope.events.user.ip}}}" - if: ctx?.netskope?.events?.user?.ip != null - ignore_failure: true - - append: - field: related.ip - value: "{{{source.ip}}}" - if: ctx?.source?.ip != null - ignore_failure: true - - append: - field: related.hosts - value: "{{{destination.domain}}}" - if: ctx?.destination?.domain != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.hosts - value: "{{{host.hostname}}}" - if: ctx?.host?.hostname != null - allow_duplicates: false - ignore_failure: true - - user_agent: - field: user_agent.original - ignore_failure: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - field: netskope.events.user.ip - target_field: netskope.events.user.geo - ignore_missing: true - - uri_parts: - field: netskope.events.url - target_field: netskope.events.url - keep_original: true - remove_if_successful: false - ignore_failure: true - - uri_parts: - field: netskope.events.web.url - target_field: netskope.events.web.url - keep_original: true - remove_if_successful: false - ignore_failure: true - - uri_parts: - field: netskope.events.login.url - target_field: netskope.events.login.url - keep_original: true - remove_if_successful: false - ignore_failure: true - - uri_parts: - field: netskope.events.url - target_field: netskope.events.url - keep_original: true - remove_if_successful: false - ignore_failure: true - - json: - field: 
netskope.events.site - ignore_failure: true - - json: - field: netskope.events.app.name - ignore_failure: true - - lowercase: - ignore_failure: true - field: network.protocol - - uri_parts: - field: netskope.events.referer - target_field: netskope.events.referer - keep_original: true - remove_if_successful: false - ignore_failure: true - - set: - field: netskope.events.managed_app - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.events?.managed_app?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.managed_app - value: false - if: "['no', 'false'].contains(ctx?.netskope?.events?.managed_app?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.is_bypass_traffic - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.events?.is_bypass_traffic?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.is_bypass_traffic - value: false - if: "['no', 'false'].contains(ctx?.netskope?.events?.is_bypass_traffic?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.is_unique_count - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.events?.is_unique_count?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.is_unique_count - value: false - if: "['no', 'false'].contains(ctx?.netskope?.events?.is_unique_count?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.user.is_aggregated - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.events?.user?.is_aggregated?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.user.is_aggregated - value: false - if: "['no', 'false'].contains(ctx?.netskope?.events?.user?.is_aggregated?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.alert.is_present - value: true - if: "['yes', 
'true'].contains(ctx?.netskope?.events?.alert?.is_present?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.alert.is_present - value: false - if: "['no', 'false'].contains(ctx?.netskope?.events?.alert?.is_present?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.user.generated - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.events?.user?.generated?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.user.generated - value: false - if: "['no', 'false'].contains(ctx?.netskope?.events?.user?.generated?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.ack - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.events?.ack?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.ack - value: false - if: "['no', 'false'].contains(ctx?.netskope?.events?.ack?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.is_malicious - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.events?.is_malicious?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.is_malicious - value: false - if: "['no', 'false'].contains(ctx?.netskope?.events?.is_malicious?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.obfuscate - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.events?.obfuscate?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.obfuscate - value: false - if: "['no', 'false'].contains(ctx?.netskope?.events?.obfuscate?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.shared.is_shared - value: true - if: "['yes', 'true'].contains(ctx?.netskope?.events?.shared?.is_shared?.toString()?.toLowerCase())" - ignore_failure: true - - set: - field: netskope.events.shared.is_shared - value: false - if: "['no', 
'false'].contains(ctx?.netskope?.events?.shared?.is_shared?.toString()?.toLowerCase())" - ignore_failure: true - - date: - field: netskope.events.modified_at - target_field: netskope.events.modified_at - ignore_failure: true - formats: - - UNIX - - script: - if: ctx?.file?.mime_type != null - lang: painless - source: >- - def parts = ctx.file.mime_type; - if (parts != null && parts.size() > 0) { - List l = new ArrayList(); - for (entry in parts.entrySet()) { - l.add(entry.getValue()); - } - List setList = new ArrayList(new HashSet(l)); - ctx.file.mime_type = setList; - } - - script: - if: ctx?.user?.email != null - lang: painless - source: >- - def parts = ctx.user.email; - if (parts != null && parts.size() > 0) { - List l = new ArrayList(); - for (entry in parts.entrySet()) { - l.add(entry.getValue()); - } - List setList = new ArrayList(new HashSet(l)); - ctx.user.email = setList; - } - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "" || object == "null") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/netskope/1.0.0/data_stream/events/fields/agent.yml b/packages/netskope/1.0.0/data_stream/events/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/netskope/1.0.0/data_stream/events/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/netskope/1.0.0/data_stream/events/fields/base-fields.yml b/packages/netskope/1.0.0/data_stream/events/fields/base-fields.yml
deleted file mode 100755
index b6306aceaf..0000000000
--- a/packages/netskope/1.0.0/data_stream/events/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: netskope
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: netskope.events
diff --git a/packages/netskope/1.0.0/data_stream/events/fields/ecs.yml b/packages/netskope/1.0.0/data_stream/events/fields/ecs.yml
deleted file mode 100755
index 674f6f18d6..0000000000
--- a/packages/netskope/1.0.0/data_stream/events/fields/ecs.yml
+++ /dev/null
@@ -1,257 +0,0 @@ -- description: Packets sent from the client to the server. - name: client.packets - type: long -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - Translated IP of source based NAT sessions (e.g. internal client to internet). - Typically connections traversing load balancers, firewalls, or routers. - name: client.nat.ip - type: ip -- description: Packets sent from the client to the server. - name: client.packets - type: long -- description: |- - The cloud account name or alias used to identify different entities in a multi-tenant environment. - Examples: AWS account name, Google Cloud ORG display name. - name: cloud.account.name - type: keyword -- description: Region in which this host, resource, or service is located. - name: cloud.region - type: keyword -- description: |- - The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. - Examples: app engine, app service, cloud run, fargate, lambda. - name: cloud.service.name - type: keyword -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. 
- name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: |- - Postal code associated with the location. - Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - name: destination.geo.postal_code - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: The time zone of the location, such as IANA time zone name. - name: destination.geo.timezone - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
- name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: MD5 hash. 
- name: file.hash.md5 - type: keyword -- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - name: file.mime_type - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: Packets sent from the server to the client. - name: server.packets - type: long -- description: |- - Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - Postal code associated with the location. - Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. - name: source.geo.postal_code - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: The time zone of the location, such as IANA time zone name. - name: source.geo.timezone - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: MD5 hash. - name: threat.indicator.file.hash.md5 - type: keyword -- description: SHA1 hash. - name: threat.indicator.file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Name of the group. - name: user.group.name - type: keyword -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Array of user roles at the time of the event. - name: user.roles - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/netskope/1.0.0/data_stream/events/fields/fields.yml b/packages/netskope/1.0.0/data_stream/events/fields/fields.yml deleted file mode 100755 index e5521ff3c5..0000000000 --- a/packages/netskope/1.0.0/data_stream/events/fields/fields.yml +++ /dev/null 
@@ -1,1240 +0,0 @@ -- name: netskope.events - type: group - fields: - - name: url - type: flattened - description: | - URL of the application that the user visited as provided by the log or data plane traffic - - name: cci - type: keyword - description: | - N/A - - name: access_method - type: keyword - description: | - Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. - For log uploads this shows the actual log type such as PAN, Websense, etc. - - name: ack - type: boolean - description: | - Whether user acknowledged the alert or not. - - name: activity - type: group - fields: - - name: name - type: keyword - description: | - Description of the user performed activity. - - name: status - type: keyword - description: | - Displayed when the user is denied access while performing some activity. - - name: type - type: keyword - description: | - Displayed when only admins can perform the activity in question. - - name: alarm - type: group - fields: - - name: description - type: keyword - description: | - N/A - - name: name - type: keyword - description: | - N/A - - name: alert - type: group - fields: - - name: is_present - type: boolean - description: | - Indicates whether alert is generated or not. - Populated as yes for all alerts. - - name: name - type: keyword - description: | - Name of the alert. - - name: type - type: keyword - description: | - Type of the alert. - - name: app - type: group - fields: - - name: activity - type: keyword - description: | - N/A - - name: category - type: keyword - description: | - N/A - - name: name - type: keyword - description: | - Specific cloud application used by the user (e.g. app = Dropbox). 
- - name: region - type: keyword - description: | - N/A - - name: session.id - type: keyword - description: | - Unique App/Site Session ID for traffic_type = CloudApp and Web. - An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. - - name: attachment - type: keyword - description: | - File name. - - name: audit - type: group - fields: - - name: category - type: keyword - description: | - The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. - - name: log.event - type: keyword - description: | - N/A - - name: type - type: keyword - description: | - The sub category in audit according to SaaS / IaaS apps. - - name: browser - type: group - fields: - - name: session.id - type: keyword - description: | - Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. - - name: bucket - type: keyword - description: | - N/A - - name: category - type: group - fields: - - name: id - type: keyword - description: | - Matching category ID according to policy. Populated for both cloud and web traffic. - - name: name - type: keyword - description: | - N/A - - name: ccl - type: keyword - description: | - Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. - Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. - - name: channel - type: keyword - description: | - Channel of the user for slack and slack enterprise apps. 
- - name: client - type: group - fields: - - name: bytes - type: long - description: | - Total number of bytes uploaded from client to server. - - name: packets - type: long - description: | - N/A - - name: connection - type: group - fields: - - name: duration - type: long - description: | - Duration of the connection in milliseconds. Useful for querying long-lived sessions. - - name: end_time - type: long - description: | - Connection end time. - - name: id - type: keyword - description: | - Each connection has a unique ID. Shows the ID for the connection event. - - name: start_time - type: long - description: | - Connection start time. - - name: count - type: long - description: | - Number of raw log lines/events sessionized or suppressed during the suppressed interval. - - name: description - type: keyword - description: | - N/A - - name: destination - type: group - fields: - - name: geoip.source - type: long - description: | - Source from where the location of Destination IP was derived. - - name: detail - type: keyword - description: | - N/A - - name: detection - type: group - fields: - - name: engine - type: keyword - description: | - Customer exposed detection engine name. - - name: type - type: keyword - description: | - Same as malware type. Duplicate. - - name: device - type: group - fields: - - name: classification - type: keyword - description: | - Designation of device as determined by the Netskope Client as to whether the device is managed or not. - - name: name - type: keyword - description: | - N/A - - name: type - type: keyword - description: | - Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. - - name: dlp - type: group - fields: - - name: count - type: long - description: | - Count of rule hits. - - name: file - type: keyword - description: | - File/Object name extracted from the file/object. - - name: fingerprint.classificaiton - type: keyword - description: | - Fingerprint classification. 
- - name: fingerprint.match - type: keyword - description: | - Fingerprint classification match file name. - - name: fingerprint.score - type: long - description: | - Fingerprint classification score. - - name: fv - type: long - description: | - N/A - - name: incident.id - type: keyword - description: | - Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. - - name: is_unique_count - type: boolean - description: | - True or false depending upon if rule is unique counted per rule data. - - name: mail.parent_id - type: keyword - description: | - N/A - - name: parent.id - type: keyword - description: | - Incident ID associated with main container (or non-container) file that was scanned. - - name: profile - type: keyword - description: | - DLP profile name. - - name: score - type: long - description: | - DLP rule score for weighted dictionaries. - - name: severity - type: keyword - description: | - Severity of rule. - - name: unique_count - type: long - description: | - Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted. - - name: domain - type: keyword - description: | - Domain value. This will hold the host header value or SNI or extracted from absolute URI. - - name: domain_shared_with - type: long - description: | - N/A - - name: drive - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: encrypt - type: group - fields: - - name: failure - type: keyword - description: | - Reason of failure while encrypting. - - name: end_time - type: keyword - description: | - N/A - - name: enterprise - type: group - fields: - - name: id - type: keyword - description: | - EnterpriseID in case of Slack for Enterprise. - - name: name - type: keyword - description: | - Enterprise name in case of Slack for Enterprise. - - name: event - type: group - fields: - - name: type - type: keyword - description: | - Anomaly type. 
- - name: exposure - type: keyword - description: | - Exposure of a document. - - name: external_collaborator_count - type: long - description: | - Count of external collaborators on a file/folder. Supported for some apps. - - name: file - type: group - fields: - - name: id - type: keyword - description: | - Unique identifier of the file. - - name: is_password_protected - type: keyword - description: | - N/A - - name: lang - type: keyword - description: | - Language of the file. - - name: from - type: group - fields: - - name: object - type: keyword - description: | - Initial name of an object that has been renamed, copied or moved. - - name: user_category - type: keyword - description: | - Type of from_user. - - name: storage - type: keyword - description: | - N/A - - name: logs - type: keyword - description: | - Shows if the event was generated from the Risk Insights log. - - name: gateway - type: keyword - description: | - N/A - - name: graph - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: http_status - type: keyword - description: | - N/A - - name: http_transaction_count - type: long - description: | - HTTP transaction count. - - name: iaas_asset_tags - type: keyword - description: | - List of tags associated with the asset for which alert is raised. Each tag is a key/value pair. - - name: id - type: keyword - description: | - N/A - - name: insertion - type: group - fields: - - name: timestamp - type: long - description: | - Insertion timestamp. - - name: instance_name - type: keyword - description: | - Instance associated with an organization application instance. - - name: instance - type: group - fields: - - name: id - type: keyword - description: | - Unique ID associated with an organization application instance. - - name: name - type: keyword - description: | - Instance name associated with an organization application instance. - - name: type - type: keyword - description: | - Instance type. 
- - name: internal_collaborator_count - type: long - description: | - Count of internal collaborators on a file/folder. Supported for some apps. - - name: ip - type: group - fields: - - name: protocol - type: keyword - description: | - N/A - - name: is_bypass_traffic - type: boolean - description: | - Tells if traffic is bypassed by Netskope. - - name: is_malicious - type: boolean - description: | - Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. - - name: item - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: justification - type: group - fields: - - name: reason - type: keyword - description: | - Justification reason provided by user. For following policies, justification events are raised. User is displayed a notification popup, user enters justification and can select to proceed or block: useralert policy, dlp block policy, block policy with custom template which contains justification text box. - - name: type - type: keyword - description: | - Type of justification provided by user when user bypasses the policy block. - - name: last - type: group - fields: - - name: app - type: keyword - description: | - Last application (app in the first/older event). Applies to only proximity anomaly alert. - - name: country - type: keyword - description: | - Last location (Country). Applies to only proximity anomaly alert. - - name: device - type: keyword - description: | - Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert. - - name: location - type: keyword - description: | - Last location (City). Applies to only proximity anomaly alert. - - name: region - type: keyword - description: | - Applies to only proximity anomaly alert. - - name: timestamp - type: long - description: | - Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert. 
- - name: latency - type: group - fields: - - name: max - type: long - description: | - Max latency for a connection in milliseconds. - - name: min - type: long - description: | - Min latency for a connection in milliseconds. - - name: total - type: long - description: | - Total latency from proxy to app in milliseconds. - - name: legal_hold_profile_name - type: keyword - description: | - Legal hold profile name. - - name: lh - type: group - fields: - - name: custodian.name - type: keyword - description: | - Custodian name of legal hold profile. - - name: destination.app - type: keyword - description: | - Destination appname of legalhold action. - - name: destination.instance - type: keyword - description: | - Destination instance of legal hold action. - - name: file_id - type: keyword - description: | - File ID of legal hold file. - - name: filename - type: keyword - description: | - File name of legal hold file. - - name: filename_original - type: keyword - description: | - Original filename of legal hold file. - - name: filepath - type: keyword - description: | - File path of legal hold file. - - name: shared - type: keyword - description: | - Shared type of legal hold file. - - name: shared_with - type: keyword - description: | - User shared with the legal hold file. - - name: version - type: keyword - description: | - File version of original file. - - name: list - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: log_file - type: group - fields: - - name: name - type: keyword - description: | - Log file name for Risk Insights. - - name: login - type: group - fields: - - name: type - type: keyword - description: | - Salesforce login type. - - name: url - type: flattened - description: | - Salesforce login URL. - - name: malsite_category - type: keyword - description: | - Category of malsite [ Phishing / Botnet / Malicous URL, etc. ]. 
- - name: malware - type: group - fields: - - name: id - type: keyword - description: | - md5 hash of the malware name as provided by the scan engine. - - name: name - type: keyword - description: | - Netskope detection name. - - name: profile - type: keyword - description: | - tss_profile: profile which user has selected. Data comes from WebUI. Its a json structure. - - name: severity - type: keyword - description: | - Malware severity. - - name: type - type: keyword - description: | - Malware Type. - - name: managed_app - type: boolean - description: | - Whether or not the app in question is managed. - - name: management - type: group - fields: - - name: id - type: keyword - description: | - Management ID. - - name: metric_value - type: long - description: | - N/A - - name: modified_at - type: date - description: | - Timestamp corresponding to the modification time of the entity (file, etc.). - - name: netskope_pop - type: keyword - description: | - N/A - - name: network - type: keyword - description: | - N/A - - name: new_value - type: keyword - description: | - New value for a given file for salesforce.com. - - name: notify_template - type: keyword - description: | - N/A - - name: ns - type: group - fields: - - name: activity - type: keyword - description: | - Maps app activity to Netskope standard activity. - - name: device_uid - type: keyword - description: | - Device identifiers on macOS and Windows. - - name: num_sessions - type: long - description: | - N/A - - name: numbytes - type: long - description: | - Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. - - name: obfuscate - type: boolean - description: | - N/A - - name: object - type: group - fields: - - name: count - type: long - description: | - Displayed when the activity is Delete. Shows the number of objects being deleted. - - name: id - type: keyword - description: | - Unique ID associated with an object. 
- - name: name - type: keyword - description: | - Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. - - name: type - type: keyword - description: | - Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. - - name: old_value - type: keyword - description: | - Old value for a given file for salesforce.com. - - name: org - type: keyword - description: | - Search for events from a specific organization. Organization name is derived from the user ID. - - name: organization_unit - type: keyword - description: | - Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. - - name: orig_ty - type: keyword - description: | - Event Type of original event. - - name: original_file_path - type: keyword - description: | - If the file is moved, then keep original path of the file in this field. - - name: other - type: group - fields: - - name: categories - type: keyword - description: | - N/A - - name: owner - type: keyword - description: | - Owner of the file. - - name: page - type: keyword - description: | - The URL of the originating page. - - name: page_site - type: keyword - description: | - N/A - - name: parent - type: group - fields: - - name: id - type: keyword - description: | - N/A - - name: path_id - type: long - description: | - Path ID of the file in the application. - - name: policy - type: group - fields: - - name: id - type: keyword - description: | - The Netskope internal ID for the policy created by an admin. - - name: name - type: keyword - description: | - Name of the policy configured by an admin. - - name: profile - type: group - fields: - - name: emails - type: keyword - description: | - List of profile emails per policy. - - name: id - type: keyword - description: | - Anomaly profile ID. 
- - name: publisher_cn - type: keyword - description: | - N/A - - name: quarantine - type: group - fields: - - name: action.reason - type: keyword - description: | - Reason for the action taken for quarantine. - - name: admin - type: keyword - description: | - Quarantine profile custodian email/name. - - name: app - type: keyword - description: | - Quarantine app name. - - name: app_name - type: keyword - description: | - N/A - - name: failure - type: keyword - description: | - Reason of failure. - - name: file.id - type: keyword - description: | - File ID of the quarantined file. - - name: file.name - type: keyword - description: | - File name of the quarantine file. - - name: instance - type: keyword - description: | - Quarantine instance name. - - name: original.file.name - type: keyword - description: | - Original file name which got quarantined. - - name: original.file.path - type: keyword - description: | - Original file path which got quarantined. - - name: original.version - type: keyword - description: | - Original version of file which got quarantined. - - name: shared_with - type: keyword - description: | - N/A - - name: profile.id - type: keyword - description: | - Quarantine profile ID. - - name: profile.name - type: keyword - description: | - Quarantine profile name of policy for quarantine action. - - name: original.shared - type: keyword - description: | - Original file shared user details. - - name: qar - type: keyword - description: | - N/A - - name: referer - type: flattened - description: | - Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic. - - name: region - type: keyword - description: | - N/A - - name: region - type: group - fields: - - name: id - type: keyword - description: | - Region ID (as provided by the cloud provider). 
- - name: repo - type: keyword - description: | - N/A - - name: request - type: group - fields: - - name: count - type: long - description: | - Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. - - name: id - type: keyword - description: | - Unique request ID for the event. - - name: response - type: group - fields: - - name: content.length - type: long - description: | - N/A - - name: content.type - type: keyword - description: | - N/A - - name: count - type: long - description: | - Total number of HTTP responses (equal to number of transaction events for this page event) from server to client. - - name: retro_scan_name - type: keyword - description: | - Retro scan name. - - name: risk_level - type: keyword - description: | - Corresponding field to risk_level_id. Name. - - name: risk_level_id - type: keyword - description: | - This field is set by both role-based access (RBA) and MLAD. - - name: role - type: keyword - description: | - Roles for Box. - - name: run_id - type: long - description: | - Run ID. - - name: sa - type: group - fields: - - name: profile.id - type: keyword - description: | - CSA profile ID. - - name: profile.name - type: keyword - description: | - CSA profile name. - - name: rule.severity - type: keyword - description: | - Rule severity. - - name: scan - type: group - fields: - - name: time - type: long - description: | - Time when the scan is done. - - name: type - type: keyword - description: | - Generated during retroactive scan or new ongoing activity. - - name: scopes - type: keyword - description: | - List of permissions for google apps. - - name: serial - type: keyword - description: | - N/A - - name: server - type: group - fields: - - name: bytes - type: long - description: | - Total number of downloaded from server to client. 
- - name: packets - type: long - description: | - N/A - - name: session - type: group - fields: - - name: id - type: keyword - description: | - Session ID for Dropbox application. - - name: packets - type: long - description: | - N/A - - name: duration - type: long - description: | - N/A - - name: severity - type: group - fields: - - name: id - type: keyword - description: | - Severity ID used by watchlist and malware alerts. - - name: level - type: keyword - description: | - Severity used by watchlist and malware alerts. - - name: type - type: keyword - description: | - Severity type used by watchlist and malware alerts - - name: sfwder - type: keyword - description: | - N/A - - name: shared - type: group - fields: - - name: domains - type: keyword - description: | - List of domains of users the document is shared with. - - name: is_shared - type: boolean - description: | - If the file is shared or not. - - name: type - type: keyword - description: | - Shared Type. - - name: with - type: keyword - description: | - Array of emails with whom a document is shared with. - - name: site - type: keyword - description: | - For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com". - - name: slc - type: group - fields: - - name: geo.location - type: geo_point - description: | - Longitude and latitude. - - name: source - type: group - fields: - - name: geoip_src - type: long - description: | - Source from where the location of Source IP was derived. - - name: ssl_decrypt_policy - type: keyword - description: | - Applicable to only bypass events. There are 2 ways to create rules for bypass: Bypass due to Exception Configuration, Bypass due to SSL Decrypt Policy.The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. 
ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event. - - name: start_time - type: keyword - description: | - N/A - - name: sub_type - type: keyword - description: | - Workplace by Facebook post sub category (files, comments, status etc). - - name: supporting_data - type: keyword - description: | - N/A - - name: suppression - type: group - fields: - - name: end_time - type: long - description: | - When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. - - name: key - type: keyword - description: | - To limit the number of events. Example: Suppress block event for browse. - - name: start_time - type: long - description: | - When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. - - name: team - type: keyword - description: | - Slack team name. - - name: telemetry_app - type: keyword - description: | - Typically SaaS app web sites use web analytics code within the pages to gather analytic data. - When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the - Telemetry App field. - - name: temp_user - type: keyword - description: | - N/A - - name: tenant - type: group - fields: - - name: id - type: keyword - description: | - Tenant id. - - name: threat - type: group - fields: - - name: match_field - type: keyword - description: | - Threat match field, either from domain or URL or IP. - - name: source.id - type: keyword - description: | - Threat source id: 1 - NetskopeThreatIntel, 2 - Zvelodb. 
- - name: threshold - type: long - description: | - Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. - - name: tnetwork_session_id - type: keyword - description: | - N/A - - name: to - type: group - fields: - - name: object - type: keyword - description: | - Changed name of an object that has been renamed, copied, or moved. - - name: storage - type: keyword - description: | - N/A - - name: user - type: keyword - description: | - Used when a file is moved from user A to user B. Shows the email address of user B. - - name: user_category - type: keyword - description: | - Type of user to which move is done. - - name: total_packets - type: long - description: | - N/A - - name: total - type: group - fields: - - name: collaborator_count - type: long - description: | - Count of collaborators on a file/folder. Supported for some apps. - - name: traffic - type: group - fields: - - name: type - type: keyword - description: | - Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights. - - name: transaction - type: group - fields: - - name: id - type: keyword - description: | - Unique ID for a given request/response. - - name: tss_mode - type: keyword - description: | - Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection. - - name: tunnel - type: group - fields: - - name: id - type: keyword - description: | - Shows the Client installation ID. Only available for the Client steering configuration. - - name: type - type: keyword - description: | - N/A - - name: up_time - type: long - description: | - N/A - - name: two_factor_auth - type: keyword - description: | - N/A - - name: type - type: keyword - description: | - Shows if it is an application event or a connection event. 
Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. - - name: universal_connector - type: keyword - description: | - N/A - - name: url - type: flattened - description: | - URL of the application that the user visited as provided by the log or data plane traffic. - - name: url_to_activity - type: keyword - description: | - Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. - - name: user - type: group - fields: - - name: category - type: keyword - description: | - Type of user in an enterprise - external / internal. - - name: group - type: keyword - description: | - N/A - - name: generated - type: boolean - description: | - Tells whether it is user generated page event. - - name: ip - type: keyword - description: | - IP address of User. - - name: is_aggregated - type: boolean - description: | - N/A - - name: violating - type: group - fields: - - name: user.name - type: keyword - description: | - User who caused a vioaltion. Populated for Workplace by Facebook. - - name: user.type - type: keyword - description: | - Category of the user who caused a violation. Populated for Workplace by Facebook. - - name: web_universal_connector - type: keyword - description: | - N/A - - name: web - type: group - fields: - - name: url - type: flattened - description: | - File preview URL. - - name: workspace - type: group - fields: - - name: id - type: keyword - description: | - Workspace ID in case of Slack for Enterprise. - - name: name - type: keyword - description: | - Workspace name in case of Slack for Enterprise. - - name: event_type - type: keyword - description: | - N/A - - name: zip_password - type: keyword - description: | - Zip the malacious file and put pwd to it and send it back to caller. 
- - name: user - type: group - fields: - - name: geo.city_name - type: keyword - description: | - N/A - - name: geo.continent_name - type: keyword - description: | - N/A - - name: geo.country_iso_code - type: keyword - description: | - N/A - - name: geo.country_name - type: keyword - description: | - N/A - - name: geo.location - type: geo_point - description: | - Longitude and latitude. - - name: geo.region_iso_code - type: keyword - description: | - N/A - - name: geo.region_name - type: keyword - description: | - N/A -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/netskope/1.0.0/data_stream/events/manifest.yml b/packages/netskope/1.0.0/data_stream/events/manifest.yml deleted file mode 100755 index c5186b4df7..0000000000 --- a/packages/netskope/1.0.0/data_stream/events/manifest.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -title: Events -type: logs -streams: - - input: tcp - template_path: tcp.yml.hbs - title: Netskope Events - description: Collect Netskope Events using tcp input - vars: - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9021 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - netskope-events - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/netskope/1.0.0/data_stream/events/sample_event.json b/packages/netskope/1.0.0/data_stream/events/sample_event.json deleted file mode 100755 index 23098b922f..0000000000 --- a/packages/netskope/1.0.0/data_stream/events/sample_event.json +++ /dev/null 
@@ -1,60 +0,0 @@ -{ - "@timestamp": "2021-12-24T00:29:56.000Z", - "agent": { - "ephemeral_id": "3cabd78f-ac92-4719-87ff-e1dd82c3162a", - "id": "52d90929-98ee-4480-9b14-fe07637d0bbe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.0" - }, - "data_stream": { - "dataset": "netskope.events", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "52d90929-98ee-4480-9b14-fe07637d0bbe", - "snapshot": true, - "version": "8.3.0" - }, - "event": { - "agent_id_status": "verified", - "dataset": "netskope.events", - "ingested": "2022-04-14T09:24:43Z", - "original": "{\"@timestamp\":\"2021-12-24T00:29:56.000Z\",\"event.id\":\"613ee55ec9d868fc47654a73\",\"netskope\":{\"events\":{\"event_type\":\"infrastructure\",\"severity\":{\"level\":\"high\"},\"alarm\":{\"name\":\"No_events_from_device\",\"description\":\"Events from device not received in the last 24 hours\"},\"device\":{\"name\":\"device-1\"},\"metric_value\":43831789,\"serial\":\"FFFFFFFFFFFFFFFF\",\"supporting_data\":\"abc\"}}}" - }, - "event.id": "613ee55ec9d868fc47654a73", - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "192.168.224.1:46522" - } - }, - "netskope": { - "events": { - "alarm": { - "description": "Events from device not received in the last 24 hours", - "name": "No_events_from_device" - }, - "device": { - "name": "device-1" - }, - "event_type": "infrastructure", - "metric_value": 43831789, - "serial": "FFFFFFFFFFFFFFFF", - "severity": { - "level": "high" - }, - "supporting_data": "abc" - } - }, - "tags": [ - "forwarded", - "netskope-events" - ] -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/docs/README.md b/packages/netskope/1.0.0/docs/README.md deleted file mode 100755 index 7e045449c3..0000000000 --- a/packages/netskope/1.0.0/docs/README.md +++ /dev/null 
@@ -1,2920 +0,0 @@
-# Netskope
-
-This integration is for Netskope. It can be used
-to receive logs sent by Netskope Cloud Log Shipper on respective TCP ports.
-
-The log message is expected to be in JSON format. The data is mapped to
-ECS fields where applicable and the remaining fields are written under
-`netskope..*`.
-
-## Setup steps
-
-1. Configure this integration with the TCP input in Kibana.
-2. For all Netskope Cloud Exchange configurations refer to the [_Log Shipper_](https://docs.netskope.com/en/log-shipper.html).
-3. In Netskope Cloud Exchange please enable Log Shipper, add your Netskope Tenant.
-4. Configure input connectors:
- 1. First with all Event types, and
- 2. Second with all Alerts type.
- For detailed steps refer [_Configure the Netskope Plugin for Log Shipper_](https://docs.netskope.com/en/configure-the-netskope-plugin-for-log-shipper.html).
-5. Creating mappings:
- 1. Navigate to Settings -> Log Shipper -> Mapping.
- 2. Click on Add mapping and paste mappings of Alerts mentioned below in Netskope Elastic Integration's Overview Page.
- 3. Click on Add mapping and paste mappings of Events mentioned below in Netskope Elastic Integration's Overview Page.
-6. Configure output connectors:
- 1. Navigate to Settings -> Plugins.
- 2. Adding output connector **Elastic CLS**, select mapping created for Alerts and click **Next**, then paste the Events-validation in the **Valid Extensions** section for Alerts mentioned below in Netskope Elastic Integration's Overview Page.
- For detailed steps refer [_Elastic Plugin for Log Shipper_](https://docs.netskope.com/en/elastic-plugin-for-log-shipper.html).
-7. Create business rules:
- 1. Navigate to Home Page > Log Shipper > Business rules.
- 2. Create business rules with Netskope Alerts.
- 3. Create business rules with Netskope Events.
- For detailed steps refer [_Manage Log Shipper Business Rules_](https://docs.netskope.com/en/manage-log-shipper-business-rules.html).
-8. Adding SIEM mappings:
- 1. 
Navigate to Home Page > Log Shipper > SIEM Mappings
- 2. Add SIEM mapping for events:
- * Add **Rule** put rule created in step 7.
- * Add **Source Configuration** put input created for Events in step 4.
- * Add **Destination Configuration**, put output created for Events in step 6.
- For detailed steps refer [_Configure Log Shipper SIEM Mappings_](https://docs.netskope.com/en/configure-log-shipper-siem-mappings.html).
-9. *Please make sure to use the given response formats.*
-
-## Compatibility
-
-This package has been tested against `Netskope version 91.1.0.605` and `Netskope Cloud Exchange version 3.1.5`.
-
-## Documentation and configuration
-
-### Alerts
-
-Default port: _9020_
-
-Netskope Alert Mapping:
-```json
-{
- "elastic_map_version": "2.0.0",
- "ecs_version": "0",
- "taxonomy": {
- "alerts": {
- "policy": {
- "header": {},
- "extension": {
- "event.id": { "mapping_field": "_id" },
- "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.alerts.access_method": { "mapping_field": "access_method" },
- "netskope.alerts.acked": { "mapping_field": "acked" },
- "netskope.alerts.action": { "mapping_field": "action" },
- "netskope.alerts.activity.name": { "mapping_field": "activity" },
- "netskope.alerts.is_alert": { "mapping_field": "alert" },
- "netskope.alerts.alert.name": { "mapping_field": "alert_name" },
- "netskope.alerts.alert.type": { "mapping_field": "type" },
- "netskope.alerts.app.name": { "mapping_field": "app" },
- "netskope.alerts.app.category": { "mapping_field": "appcategory" },
- "user_agent.name": { "mapping_field": "browser" },
- "netskope.alerts.category.name": { "mapping_field": "category" },
- "netskope.alerts.cci": { "mapping_field": "cci" },
- "netskope.alerts.ccl": { "mapping_field": "ccl" },
- "netskope.alerts.count": { "mapping_field": "count" },
- "netskope.alerts.device.name": { "mapping_field": "device" },
- "destination.geo.country_iso_code": { "mapping_field": "dst_country" },
- "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" },
- "destination.geo.location.lat": { "mapping_field": "dst_latitude" },
- "destination.geo.city_name": { "mapping_field": "dst_location" },
- "destination.geo.location.lon": { "mapping_field": "dst_longitude" },
- "destination.geo.region_name": { "mapping_field": "dst_region" },
- "destination.geo.postal_code": { "mapping_field": "dst_zipcode" },
- "destination.address": { "mapping_field": "dstip" },
- "destination.ip": { "mapping_field": "dstip" },
- "netskope.alerts.exposure": { "mapping_field": "exposure" },
- "netskope.alerts.file.lang": { "mapping_field": "file_lang" },
- "file.path": { "mapping_field": "file_path" },
- "file.size": { "mapping_field": "file_size" },
- "file.mime_type.1": { "mapping_field": "file_type" },
- "netskope.alerts.instance.name": { "mapping_field": "instance" },
- "netskope.alerts.instance.id": { "mapping_field": "instance_id" },
- "file.hash.md5": { "mapping_field": "md5" },
- "file.mime_type.2": { "mapping_field": "mime_type" },
- "netskope.alerts.modified.timestamp": { "mapping_field": "modified" },
- "netskope.alerts.object.name": { "mapping_field": "object" },
- "netskope.alerts.object.id": { "mapping_field": "object_id" },
- "netskope.alerts.object.type": { "mapping_field": "object_type" },
- "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" },
- "user_agent.os.name": { "mapping_field": "os" },
- "netskope.alerts.other.categories": { "mapping_field": "other_categories" },
- "netskope.alerts.owner": { "mapping_field": "owner" },
- "netskope.alerts.policy.name": { "mapping_field": "policy" },
- "netskope.alerts.request.id": { "mapping_field": "request_id" },
- "netskope.alerts.scan.type": { "mapping_field": "scan_type" },
- "netskope.alerts.shared.with": { "mapping_field": "shared_with" },
- "netskope.alerts.site": { "mapping_field": "site" },
- "source.geo.country_iso_code": { "mapping_field": "src_country" },
-
"netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" },
- "source.geo.location.lat": { "mapping_field": "src_latitude" },
- "source.geo.city_name": { "mapping_field": "src_location" },
- "source.geo.location.lon": { "mapping_field": "src_longitude" },
- "source.geo.region_name": { "mapping_field": "src_region" },
- "source.geo.postal_code": { "mapping_field": "src_zipcode" },
- "source.address": { "mapping_field": "srcip" },
- "source.ip": { "mapping_field": "srcip" },
- "netskope.alerts.suppression.key": { "mapping_field": "suppression_key" },
- "@timestamp": { "mapping_field": "timestamp" },
- "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" },
- "netskope.alerts.type": { "mapping_field": "alert_type" },
- "user.email.1": { "mapping_field": "ur_normalized" },
- "netskope.alerts.url": { "mapping_field": "url" },
- "user.email.2": { "mapping_field": "user" },
- "user.group.name": { "mapping_field": "usergroup" },
- "user.email.3": { "mapping_field": "userkey" },
- "netskope.alerts.app.session.id": { "mapping_field": "app_session_id" },
- "netskope.alerts.connection.id": { "mapping_field": "connection_id" },
- "destination.geo.timezone": { "mapping_field": "dst_timezone" },
- "netskope.alerts.encrypt.failure": { "mapping_field": "encrypt_failure" },
- "netskope.alerts.ip.protocol": { "mapping_field": "ip_protocol" },
- "netskope.alerts.managed.app": { "mapping_field": "managed_app" },
- "netskope.alerts.netskope_pop": { "mapping_field": "netskope_pop" },
- "user_agent.os.version": { "mapping_field": "os_version" },
- "network.protocol": { "mapping_field": "protocol" },
- "netskope.alerts.referer": { "mapping_field": "referer" },
- "netskope.alerts.severity.level": { "mapping_field": "severity" },
- "source.geo.timezone": { "mapping_field": "src_timezone" },
- "netskope.alerts.transaction.id": { "mapping_field": "transaction_id" }
- }
- },
- "dlp": {
- "header": {},
- "extension": {
- "event.id": { "mapping_field": "_id" },
-
"netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.alerts.access_method": { "mapping_field": "access_method" },
- "netskope.alerts.acked": { "mapping_field": "acked" },
- "netskope.alerts.action": { "mapping_field": "action" },
- "netskope.alerts.activity.name": { "mapping_field": "activity" },
- "netskope.alerts.is_alert": { "mapping_field": "alert" },
- "netskope.alerts.alert.name": { "mapping_field": "alert_name" },
- "netskope.alerts.alert.type": { "mapping_field": "type" },
- "netskope.alerts.app.name": { "mapping_field": "app" },
- "netskope.alerts.app.category": { "mapping_field": "appcategory" },
- "user_agent.name": { "mapping_field": "browser" },
- "netskope.alerts.category.name": { "mapping_field": "category" },
- "netskope.alerts.cci": { "mapping_field": "cci" },
- "netskope.alerts.ccl": { "mapping_field": "ccl" },
- "netskope.alerts.count": { "mapping_field": "count" },
- "netskope.alerts.device.name": { "mapping_field": "device" },
- "netskope.alerts.dlp.file": { "mapping_field": "dlp_file" },
- "netskope.alerts.dlp.incident.id": { "mapping_field": "dlp_incident_id" },
- "netskope.alerts.dlp.is_unique_count": { "mapping_field": "dlp_is_unique_count" },
- "netskope.alerts.dlp.parent.id": { "mapping_field": "dlp_parent_id" },
- "netskope.alerts.dlp.profile": { "mapping_field": "dlp_profile" },
- "netskope.alerts.dlp.rule.name": { "mapping_field": "dlp_rule" },
- "netskope.alerts.dlp.rule.count": { "mapping_field": "dlp_rule_count" },
- "netskope.alerts.dlp.rule.severity": { "mapping_field": "dlp_rule_severity" },
- "netskope.alerts.dlp.unique_count": { "mapping_field": "dlp_unique_count" },
- "destination.geo.country_iso_code": { "mapping_field": "dst_country" },
- "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" },
- "destination.geo.location.lat": { "mapping_field": "dst_latitude" },
- "destination.geo.city_name": { "mapping_field": "dst_location" },
-
"destination.geo.location.lon": { "mapping_field": "dst_longitude" },
- "destination.geo.region_name": { "mapping_field": "dst_region" },
- "destination.geo.postal_code": { "mapping_field": "dst_zipcode" },
- "destination.address": { "mapping_field": "dstip" },
- "destination.ip": { "mapping_field": "dstip" },
- "netskope.alerts.exposure": { "mapping_field": "exposure" },
- "netskope.alerts.file.lang": { "mapping_field": "file_lang" },
- "file.path": { "mapping_field": "file_path" },
- "file.size": { "mapping_field": "file_size" },
- "file.mime_type.1": { "mapping_field": "file_type" },
- "netskope.alerts.instance.name": { "mapping_field": "instance" },
- "netskope.alerts.instance.id": { "mapping_field": "instance_id" },
- "file.hash.md5": { "mapping_field": "md5" },
- "file.mime_type.2": { "mapping_field": "mime_type" },
- "netskope.alerts.modified.timestamp": { "mapping_field": "modified" },
- "netskope.alerts.object.name": { "mapping_field": "object" },
- "netskope.alerts.object.id": { "mapping_field": "object_id" },
- "netskope.alerts.object.type": { "mapping_field": "object_type" },
- "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" },
- "user_agent.os.name": { "mapping_field": "os" },
- "netskope.alerts.other.categories": { "mapping_field": "other_categories" },
- "netskope.alerts.owner": { "mapping_field": "owner" },
- "netskope.alerts.policy.name": { "mapping_field": "policy" },
- "netskope.alerts.request.id": { "mapping_field": "request_id" },
- "netskope.alerts.scan.type": { "mapping_field": "scan_type" },
- "netskope.alerts.shared.with": { "mapping_field": "shared_with" },
- "netskope.alerts.site": { "mapping_field": "site" },
- "source.geo.country_iso_code": { "mapping_field": "src_country" },
- "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" },
- "source.geo.location.lat": { "mapping_field": "src_latitude" },
- "source.geo.city_name": { "mapping_field": "src_location" },
- "source.geo.location.lon": {
"mapping_field": "src_longitude" },
- "source.geo.region_name": { "mapping_field": "src_region" },
- "source.geo.postal_code": { "mapping_field": "src_zipcode" },
- "source.address": { "mapping_field": "srcip" },
- "source.ip": { "mapping_field": "srcip" },
- "netskope.alerts.suppression.key": { "mapping_field": "suppression_key" },
- "@timestamp": { "mapping_field": "timestamp" },
- "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" },
- "netskope.alerts.type": { "mapping_field": "alert_type" },
- "user.email.1": { "mapping_field": "ur_normalized" },
- "netskope.alerts.url": { "mapping_field": "url" },
- "user.email.2": { "mapping_field": "user" },
- "user.group.name": { "mapping_field": "usergroup" },
- "user.email.3": { "mapping_field": "userkey" }
- }
- },
- "quarantine": {
- "header": {},
- "extension": {
- "event.id": { "mapping_field": "_id" },
- "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.alerts.access_method": { "mapping_field": "access_method" },
- "netskope.alerts.acked": { "mapping_field": "acked" },
- "netskope.alerts.action": { "mapping_field": "action" },
- "netskope.alerts.activity.name": { "mapping_field": "activity" },
- "netskope.alerts.is_alert": { "mapping_field": "alert" },
- "netskope.alerts.alert.name": { "mapping_field": "alert_name" },
- "netskope.alerts.alert.type": { "mapping_field": "type" },
- "netskope.alerts.app.name": { "mapping_field": "app" },
- "netskope.alerts.app.category": { "mapping_field": "appcategory" },
- "user_agent.name": { "mapping_field": "browser" },
- "netskope.alerts.category.name": { "mapping_field": "category" },
- "netskope.alerts.cci": { "mapping_field": "cci" },
- "netskope.alerts.ccl": { "mapping_field": "ccl" },
- "netskope.alerts.count": { "mapping_field": "count" },
- "netskope.alerts.device.name": { "mapping_field": "device" },
- "destination.geo.country_iso_code": { "mapping_field": "dst_country" },
-
"netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" },
- "destination.geo.location.lat": { "mapping_field": "dst_latitude" },
- "destination.geo.city_name": { "mapping_field": "dst_location" },
- "destination.geo.location.lon": { "mapping_field": "dst_longitude" },
- "destination.geo.region_name": { "mapping_field": "dst_region" },
- "destination.geo.postal_code": { "mapping_field": "dst_zipcode" },
- "destination.address": { "mapping_field": "dstip" },
- "destination.ip": { "mapping_field": "dstip" },
- "netskope.alerts.exposure": { "mapping_field": "exposure" },
- "netskope.alerts.file.lang": { "mapping_field": "file_lang" },
- "file.path": { "mapping_field": "file_path" },
- "file.size": { "mapping_field": "file_size" },
- "file.mime_type.1": { "mapping_field": "file_type" },
- "netskope.alerts.instance.name": { "mapping_field": "instance" },
- "netskope.alerts.instance.id": { "mapping_field": "instance_id" },
- "file.hash.md5": { "mapping_field": "md5" },
- "file.mime_type.2": { "mapping_field": "mime_type" },
- "netskope.alerts.modified.timestamp": { "mapping_field": "modified" },
- "netskope.alerts.object.name": { "mapping_field": "object" },
- "netskope.alerts.object.id": { "mapping_field": "object_id" },
- "netskope.alerts.object.type": { "mapping_field": "object_type" },
- "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" },
- "user_agent.os.name": { "mapping_field": "os" },
- "netskope.alerts.other.categories": { "mapping_field": "other_categories" },
- "netskope.alerts.owner": { "mapping_field": "owner" },
- "netskope.alerts.policy.name": { "mapping_field": "policy" },
- "netskope.alerts.quarantine.admin": { "mapping_field": "q_admin" },
- "netskope.alerts.quarantine.app.1": { "mapping_field": "q_app" },
- "netskope.alerts.quarantine.instance": { "mapping_field": "q_instance" },
- "netskope.alerts.quarantine.original.file.name": { "mapping_field": "q_original_filename" },
-
"netskope.alerts.quarantine.original.file.path": { "mapping_field": "q_original_filepath" },
- "netskope.alerts.quarantine.original.shared": { "mapping_field": "q_original_shared" },
- "netskope.alerts.quarantine.original.version": { "mapping_field": "q_original_version" },
- "netskope.alerts.quarantine.shared.with": { "mapping_field": "q_shared_with" },
- "netskope.alerts.quarantine.action.reason": { "mapping_field": "quarantine_action_reason" },
- "netskope.alerts.quarantine.app.2": { "mapping_field": "quarantine_app" },
- "netskope.alerts.quarantine.failure": { "mapping_field": "quarantine_failure" },
- "netskope.alerts.quarantine.file.id": { "mapping_field": "quarantine_file_id" },
- "netskope.alerts.quarantine.file.name": { "mapping_field": "quarantine_file_name" },
- "netskope.alerts.quarantine.profile.name": { "mapping_field": "quarantine_profile" },
- "netskope.alerts.quarantine.profile.id": { "mapping_field": "quarantine_profile_id" },
- "netskope.alerts.request.id": { "mapping_field": "request_id" },
- "netskope.alerts.scan.type": { "mapping_field": "scan_type" },
- "netskope.alerts.shared.with": { "mapping_field": "shared_with" },
- "netskope.alerts.site": { "mapping_field": "site" },
- "source.geo.country_iso_code": { "mapping_field": "src_country" },
- "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" },
- "source.geo.location.lat": { "mapping_field": "src_latitude" },
- "source.geo.city_name": { "mapping_field": "src_location" },
- "source.geo.location.lon": { "mapping_field": "src_longitude" },
- "source.geo.region_name": { "mapping_field": "src_region" },
- "source.geo.postal_code": { "mapping_field": "src_zipcode" },
- "source.address": { "mapping_field": "srcip" },
- "source.ip": { "mapping_field": "srcip" },
- "netskope.alerts.suppression.key": { "mapping_field": "suppression_key" },
- "@timestamp": { "mapping_field": "timestamp" },
- "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" },
-
"netskope.alerts.type": { "mapping_field": "alert_type" },
- "user.email.1": { "mapping_field": "ur_normalized" },
- "netskope.alerts.url": { "mapping_field": "url" },
- "user.email.2": { "mapping_field": "user" },
- "user.group.name": { "mapping_field": "usergroup" },
- "user.email.3": { "mapping_field": "userkey"}
- }
- },
- "Security Assessment": {
- "header": {},
- "extension": {
- "event.id": { "mapping_field": "_id" },
- "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.alerts.access_method": { "mapping_field": "access_method" },
- "netskope.alerts.acked": { "mapping_field": "acked" },
- "netskope.alerts.action": { "mapping_field": "action" },
- "netskope.alerts.activity.name": { "mapping_field": "activity" },
- "netskope.alerts.is_alert": { "mapping_field": "alert" },
- "netskope.alerts.alert.name": { "mapping_field": "alert_name" },
- "netskope.alerts.alert.type": { "mapping_field": "type" },
- "netskope.alerts.app.name": { "mapping_field": "app" },
- "netskope.alerts.app.category": { "mapping_field": "appcategory" },
- "user_agent.name": { "mapping_field": "browser" },
- "netskope.alerts.category.name": { "mapping_field": "category" },
- "netskope.alerts.ccl": { "mapping_field": "ccl" },
- "netskope.alerts.count": { "mapping_field": "count" },
- "netskope.alerts.device.name": { "mapping_field": "device" },
- "destination.geo.country_iso_code": { "mapping_field": "dst_country" },
- "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" },
- "destination.geo.location.lat": { "mapping_field": "dst_latitude" },
- "destination.geo.city_name": { "mapping_field": "dst_location" },
- "destination.geo.location.lon": { "mapping_field": "dst_longitude" },
- "destination.geo.region_name": { "mapping_field": "dst_region" },
- "destination.address": { "mapping_field": "dstip" },
- "destination.ip": { "mapping_field": "dstip" },
- "netskope.alerts.exposure": { "mapping_field": "exposure" },
-
"netskope.alerts.file.lang": { "mapping_field": "file_lang" },
- "file.path": { "mapping_field": "file_path" },
- "file.size": { "mapping_field": "file_size" },
- "file.mime_type.1": { "mapping_field": "file_type" },
- "netskope.alerts.instance.name": { "mapping_field": "instance" },
- "netskope.alerts.instance.id": { "mapping_field": "instance_id" },
- "file.hash.md5": { "mapping_field": "md5" },
- "file.mime_type.2": { "mapping_field": "mime_type" },
- "netskope.alerts.modified.timestamp": { "mapping_field": "modified" },
- "netskope.alerts.object.name": { "mapping_field": "object" },
- "netskope.alerts.object.id": { "mapping_field": "object_id" },
- "netskope.alerts.object.type": { "mapping_field": "object_type" },
- "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" },
- "user_agent.os.name": { "mapping_field": "os" },
- "netskope.alerts.other.categories": { "mapping_field": "other_categories" },
- "netskope.alerts.owner": { "mapping_field": "owner" },
- "netskope.alerts.policy.name": { "mapping_field": "policy" },
- "netskope.alerts.request.id": { "mapping_field": "request_id" },
- "netskope.alerts.sa.profile.id": { "mapping_field": "sa_profile_id" },
- "netskope.alerts.sa.profile.name": { "mapping_field": "sa_profile_name" },
- "netskope.alerts.sa.rule.id": { "mapping_field": "sa_rule_id" },
- "netskope.alerts.sa.rule.name": { "mapping_field": "sa_rule_name" },
- "netskope.alerts.sa.rule.severity": { "mapping_field": "sa_rule_severity" },
- "netskope.alerts.scan.type": { "mapping_field": "scan_type" },
- "netskope.alerts.shared.with": { "mapping_field": "shared_with" },
- "netskope.alerts.site": { "mapping_field": "site" },
- "source.geo.country_iso_code": { "mapping_field": "src_country" },
- "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" },
- "source.geo.location.lat": { "mapping_field": "src_latitude" },
- "source.geo.city_name": { "mapping_field": "src_location" },
- "source.geo.location.lon": {
"mapping_field": "src_longitude" },
- "source.geo.region_name": { "mapping_field": "src_region" },
- "source.address": { "mapping_field": "srcip" },
- "source.ip": { "mapping_field": "srcip" },
- "netskope.alerts.suppression.key": { "mapping_field": "suppression_key" },
- "@timestamp": { "mapping_field": "timestamp" },
- "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" },
- "netskope.alerts.type": { "mapping_field": "alert_type" },
- "user.email.1": { "mapping_field": "ur_normalized" },
- "netskope.alerts.url": { "mapping_field": "url" },
- "user.email.2": { "mapping_field": "user" },
- "user.group.name": { "mapping_field": "usergroup" },
- "user.email.3": { "mapping_field": "userkey" },
- "netskope.alerts.compliance.standards": { "mapping_field": "compliance_standards" },
- "netskope.alerts.iaas.asset.tags": { "mapping_field": "iaas_asset_tags" },
- "netskope.alerts.iaas.remediated": { "mapping_field": "iaas_remediated" },
- "netskope.alerts.sa.rule.remediation": { "mapping_field": "sa_rule_remediation" },
- "cloud.account.id": { "mapping_field": "account_id" },
- "cloud.account.name": { "mapping_field": "account_name" },
- "netskope.alerts.asset.id": { "mapping_field": "asset_id" },
- "netskope.alerts.asset.object.id": { "mapping_field": "asset_object_id" },
- "netskope.alerts.cci": { "mapping_field": "cci" },
- "netskope.alerts.policy.id": { "mapping_field": "policy_id" },
- "netskope.alerts.region.id": { "mapping_field": "region_id" },
- "netskope.alerts.region.name": { "mapping_field": "region_name" },
- "netskope.alerts.resource.category": { "mapping_field": "resource_category" },
- "netskope.alerts.resource.group": { "mapping_field": "resource_group" }
- }
- },
- "uba": {
- "header": {},
- "extension": {
- "event.id": { "mapping_field": "_id" },
- "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.alerts.access_method": { "mapping_field": "access_method" },
- "netskope.alerts.acked": {
"mapping_field": "acked" },
- "netskope.alerts.action": { "mapping_field": "action" },
- "netskope.alerts.activity.name": { "mapping_field": "activity" },
- "netskope.alerts.is_alert": { "mapping_field": "alert" },
- "netskope.alerts.alert.id": { "mapping_field": "alert_id" },
- "netskope.alerts.alert.name": { "mapping_field": "alert_name" },
- "netskope.alerts.alert.type": { "mapping_field": "type" },
- "netskope.alerts.app.name": { "mapping_field": "app" },
- "netskope.alerts.app.category": { "mapping_field": "appcategory" },
- "user_agent.name": { "mapping_field": "browser" },
- "netskope.alerts.category.name": { "mapping_field": "category" },
- "netskope.alerts.cci": { "mapping_field": "cci" },
- "netskope.alerts.ccl": { "mapping_field": "ccl" },
- "netskope.alerts.count": { "mapping_field": "count" },
- "netskope.alerts.device.name": { "mapping_field": "device" },
- "netskope.alerts.device.classification": { "mapping_field": "device_classification" },
- "destination.geo.country_iso_code": { "mapping_field": "dst_country" },
- "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" },
- "destination.geo.location.lat": { "mapping_field": "dst_latitude" },
- "destination.geo.city_name": { "mapping_field": "dst_location" },
- "destination.geo.location.lon": { "mapping_field": "dst_longitude" },
- "destination.geo.region_name": { "mapping_field": "dst_region" },
- "destination.geo.postal_code": { "mapping_field": "dst_zipcode" },
- "destination.address": { "mapping_field": "dstip" },
- "destination.ip": { "mapping_field": "dstip" },
- "netskope.alerts.event.type": { "mapping_field": "event_type" },
- "netskope.alerts.event_source_channel": { "mapping_field": "evt_src_chnl" },
- "file.size": { "mapping_field": "file_size" },
- "file.mime_type.1": { "mapping_field": "file_type" },
- "netskope.alerts.from.storage": { "mapping_field": "from_storage" },
- "host.hostname": { "mapping_field": "hostname" },
- "netskope.alerts.managed.app": {
"mapping_field": "managed_app" },
- "netskope.alerts.management.id": { "mapping_field": "managementID" },
- "netskope.alerts.ns_device_uid": { "mapping_field": "nsdeviceuid" },
- "netskope.alerts.object.name": { "mapping_field": "object" },
- "netskope.alerts.object.type": { "mapping_field": "object_type" },
- "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" },
- "netskope.alerts.orig_ty": { "mapping_field": "orig_ty" },
- "user_agent.os.name": { "mapping_field": "os" },
- "user_agent.os.version": { "mapping_field": "os_version" },
- "netskope.alerts.other.categories": { "mapping_field": "other_categories" },
- "netskope.alerts.page.url": { "mapping_field": "page" },
- "netskope.alerts.page.site": { "mapping_field": "page_site" },
- "netskope.alerts.policy.name": { "mapping_field": "policy" },
- "netskope.alerts.policy.actions": { "mapping_field": "policy_actions" },
- "netskope.alerts.profile.id": { "mapping_field": "profile_id" },
- "netskope.alerts.severity.level": { "mapping_field": "severity" },
- "netskope.alerts.site": { "mapping_field": "site" },
- "source.geo.country_iso_code": { "mapping_field": "src_country" },
- "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" },
- "source.geo.location.lat": { "mapping_field": "src_latitude" },
- "source.geo.city_name": { "mapping_field": "src_location" },
- "source.geo.location.lon": { "mapping_field": "src_longitude" },
- "source.geo.region_name": { "mapping_field": "src_region" },
- "source.geo.postal_code": { "mapping_field": "src_zipcode" },
- "source.address": { "mapping_field": "srcip" },
- "source.ip": { "mapping_field": "srcip" },
- "netskope.alerts.telemetry.app": { "mapping_field": "telemetry_app" },
- "netskope.alerts.threshold.value": { "mapping_field": "threshold" },
- "netskope.alerts.threshold.time": { "mapping_field": "threshold_time" },
- "@timestamp": { "mapping_field": "timestamp" },
- "netskope.alerts.traffic.type": { "mapping_field": "traffic_type"
},
- "netskope.alerts.transaction.id": { "mapping_field": "transaction_id" },
- "netskope.alerts.type": { "mapping_field": "alert_type" },
- "user.email.1": { "mapping_field": "ur_normalized" },
- "netskope.alerts.url": { "mapping_field": "url" },
- "user.email.2": { "mapping_field": "user" },
- "user.group.name": { "mapping_field": "usergroup" },
- "netskope.alerts.user.ip": { "mapping_field": "userip" },
- "user.email.3": { "mapping_field": "userkey" },
- "netskope.alerts.app.session.id": { "mapping_field": "app_session_id" },
- "netskope.alerts.browser.session.id": { "mapping_field": "browser_session_id" },
- "destination.geo.timezone": { "mapping_field": "dst_timezone" },
- "netskope.alerts.last.app": { "mapping_field": "last_app" },
- "netskope.alerts.last.country": { "mapping_field": "last_country" },
- "netskope.alerts.last.device": { "mapping_field": "last_device" },
- "netskope.alerts.last.location": { "mapping_field": "last_location" },
- "netskope.alerts.last.region": { "mapping_field": "last_region" },
- "netskope.alerts.last.timestamp": { "mapping_field": "last_timestamp" },
- "netskope.alerts.slc_longitude": { "mapping_field": "slc_longitude" },
- "source.geo.timezone": { "mapping_field": "src_timezone" },
- "netskope.alerts.flow_status": { "mapping_field": "flow_status" },
- "netskope.alerts.uba_ap1": { "mapping_field": "uba_ap1" },
- "netskope.alerts.uba_ap2": { "mapping_field": "uba_ap2" },
- "netskope.alerts.uba_inst1": { "mapping_field": "uba_inst1" },
- "netskope.alerts.uba_inst2": { "mapping_field": "uba_inst2" },
- "netskope.alerts.activity.status": { "mapping_field": "activity_status" },
- "netskope.alerts.connection.id": { "mapping_field": "connection_id" },
- "netskope.alerts.instance.id": { "mapping_field": "instance_id" },
- "file.hash.md5": { "mapping_field": "md5" },
- "netskope.alerts.parent.id": { "mapping_field": "parent_id" },
- "netskope.alerts.referer": { "mapping_field": "referer" },
- "netskope.alerts.slc_latitude": {
"mapping_field": "slc_latitude" },
- "netskope.alerts.is_web_universal_connector": { "mapping_field": "web_universal_connector" }
- }
- },
- "Compromised Credential": {
- "header": {},
- "extension": {
- "event.id": { "mapping_field": "_id" },
- "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.alerts.acked": { "mapping_field": "acked" },
- "netskope.alerts.is_alert": { "mapping_field": "alert" },
- "netskope.alerts.alert.name": { "mapping_field": "alert_name" },
- "netskope.alerts.type": { "mapping_field": "alert_type" },
- "netskope.alerts.breach.date": { "mapping_field": "breach_date" },
- "netskope.alerts.breach.description": { "mapping_field": "breach_description" },
- "netskope.alerts.breach.id": { "mapping_field": "breach_id" },
- "netskope.alerts.breach.media_references": { "mapping_field": "breach_media_references" },
- "netskope.alerts.breach.score": { "mapping_field": "breach_score" },
- "netskope.alerts.breach.target_references": { "mapping_field": "breach_target_references" },
- "netskope.alerts.category.name": { "mapping_field": "category" },
- "netskope.alerts.cci": { "mapping_field": "cci" },
- "netskope.alerts.ccl": { "mapping_field": "ccl" },
- "netskope.alerts.count": { "mapping_field": "count" },
- "netskope.alerts.email.source": { "mapping_field": "email_source" },
- "netskope.alerts.external.email": { "mapping_field": "external_email" },
- "netskope.alerts.matched.username": { "mapping_field": "matched_username" },
- "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" },
- "netskope.alerts.other.categories": { "mapping_field": "other_categories" },
- "@timestamp": { "mapping_field": "timestamp" },
- "netskope.alerts.alert.type": { "mapping_field": "type" },
- "user.email.1": { "mapping_field": "ur_normalized" },
- "user.email.2": { "mapping_field": "user" },
- "netskope.alerts.user.group": { "mapping_field": "usergroup" },
- "user.email.3": { "mapping_field":
"userkey" },
- "netskope.alerts.app.category": { "mapping_field": "appcategory" },
- "netskope.alerts.flow_status": { "mapping_field": "flow_status" }
- }
- },
- "Malsite": {
- "header": {},
- "extension": {
- "event.id": { "mapping_field": "_id" },
- "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.alerts.access_method": { "mapping_field": "access_method" },
- "netskope.alerts.acked": { "mapping_field": "acked" },
- "netskope.alerts.is_alert": { "mapping_field": "alert" },
- "netskope.alerts.alert.name": { "mapping_field": "alert_name" },
- "netskope.alerts.type": { "mapping_field": "alert_type" },
- "netskope.alerts.app.name": { "mapping_field": "app" },
- "netskope.alerts.app.session.id": { "mapping_field": "app_session_id" },
- "netskope.alerts.app.category": { "mapping_field": "appcategory" },
- "netskope.alerts.app.suite": { "mapping_field": "appsuite" },
- "user_agent.name": { "mapping_field": "browser" },
- "netskope.alerts.browser.session.id": { "mapping_field": "browser_session_id" },
- "netskope.alerts.category.name": { "mapping_field": "category" },
- "netskope.alerts.cci": { "mapping_field": "cci" },
- "netskope.alerts.ccl": { "mapping_field": "ccl" },
- "netskope.alerts.connection.id": { "mapping_field": "connection_id" },
- "netskope.alerts.count": { "mapping_field": "count" },
- "netskope.alerts.device.name": { "mapping_field": "device" },
- "netskope.alerts.device.classification": { "mapping_field": "device_classification" },
- "destination.geo.country_iso_code": { "mapping_field": "dst_country" },
- "destination.geo.location.lat": { "mapping_field": "dst_latitude" },
- "destination.geo.city_name": { "mapping_field": "dst_location" },
- "destination.geo.location.lon": { "mapping_field": "dst_longitude" },
- "destination.geo.region_name": { "mapping_field": "dst_region" },
- "destination.geo.timezone": { "mapping_field": "dst_timezone" },
- "destination.geo.postal_code": { "mapping_field":
"dst_zipcode" }, - "destination.ip": { "mapping_field": "dstip" }, - "destination.address": { "mapping_field": "dstip" }, - "host.hostname": { "mapping_field": "hostname" }, - "netskope.alerts.is_malicious": { "mapping_field": "malicious" }, - "netskope.alerts.malsite.active": { "mapping_field": "malsite_active" }, - "netskope.alerts.malsite.as.number": { "mapping_field": "malsite_as_number" }, - "netskope.alerts.malsite.category": { "mapping_field": "malsite_category" }, - "netskope.alerts.malsite.city": { "mapping_field": "malsite_city" }, - "netskope.alerts.malsite.confidence": { "mapping_field": "malsite_confidence" }, - "netskope.alerts.malsite.consecutive": { "mapping_field": "malsite_consecutive" }, - "netskope.alerts.malsite.country": { "mapping_field": "malsite_country" }, - "netskope.alerts.malsite.dns.server": { "mapping_field": "malsite_dns_server" }, - "netskope.alerts.malsite.first_seen": { "mapping_field": "malsite_first_seen" }, - "netskope.alerts.malsite.hostility": { "mapping_field": "malsite_hostility" }, - "netskope.alerts.malsite.id": { "mapping_field": "malsite_id" }, - "netskope.alerts.malsite.ip_host": { "mapping_field": "malsite_ip_host" }, - "netskope.alerts.malsite.isp": { "mapping_field": "malsite_isp" }, - "netskope.alerts.malsite.last.seen": { "mapping_field": "malsite_last_seen" }, - "netskope.alerts.malsite.latitude": { "mapping_field": "malsite_latitude" }, - "netskope.alerts.malsite.longitude": { "mapping_field": "malsite_longitude" }, - "netskope.alerts.malsite.region": { "mapping_field": "malsite_region" }, - "netskope.alerts.malsite.reputation": { "mapping_field": "malsite_reputation" }, - "netskope.alerts.managed.app": { "mapping_field": "managed_app" }, - "netskope.alerts.netskope_pop": { "mapping_field": "netskope_pop" }, - "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, - "user_agent.os.name": { "mapping_field": "os" }, - "user_agent.os.version": { "mapping_field": "os_version" }, - 
"netskope.alerts.other.categories": { "mapping_field": "other_categories" }, - "netskope.alerts.page.url": { "mapping_field": "page" }, - "netskope.alerts.page.site": { "mapping_field": "page_site" }, - "network.protocol": { "mapping_field": "protocol" }, - "netskope.alerts.severity.level": { "mapping_field": "severity" }, - "netskope.alerts.malsite.severity.level": { "mapping_field": "severity_level" }, - "netskope.alerts.severity.level_id": { "mapping_field": "severity_level_id" }, - "netskope.alerts.site": { "mapping_field": "site" }, - "source.geo.country_iso_code": { "mapping_field": "src_country" }, - "source.geo.location.lat": { "mapping_field": "src_latitude" }, - "source.geo.city_name": { "mapping_field": "src_location" }, - "source.geo.location.lon": { "mapping_field": "src_longitude" }, - "source.geo.region_name": { "mapping_field": "src_region" }, - "netskope.alerts.source.time": { "mapping_field": "src_time" }, - "source.geo.timezone": { "mapping_field": "src_timezone" }, - "source.geo.postal_code": { "mapping_field": "src_zipcode" }, - "source.ip": { "mapping_field": "srcip" }, - "source.address": { "mapping_field": "srcip" }, - "netskope.alerts.telemetry.app": { "mapping_field": "telemetry_app" }, - "netskope.alerts.threat.match.field": { "mapping_field": "threat_match_field" }, - "netskope.alerts.threat.match.value": { "mapping_field": "threat_match_value" }, - "netskope.alerts.threat.source.id": { "mapping_field": "threat_source_id" }, - "@timestamp": { "mapping_field": "timestamp" }, - "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" }, - "netskope.alerts.transaction.id": { "mapping_field": "transaction_id" }, - "netskope.alerts.alert.type": { "mapping_field": "type" }, - "user.email.1": { "mapping_field": "ur_normalized" }, - "netskope.alerts.url": { "mapping_field": "url" }, - "user.email.2": { "mapping_field": "user" }, - "netskope.alerts.user.group": { "mapping_field": "usergroup" }, - "netskope.alerts.user.ip": { 
"mapping_field": "userip" }, - "user.email.3": { "mapping_field": "userkey" }, - "netskope.alerts.action": { "mapping_field": "action" }, - "netskope.alerts.ip.protocol": { "mapping_field": "ip_protocol" }, - "netskope.alerts.notify.template": { "mapping_field": "notify_template" }, - "netskope.alerts.policy.name": { "mapping_field": "policy" }, - "netskope.alerts.referer": { "mapping_field": "referer" }, - "user_agent.version": { "mapping_field": "browser_version" }, - "netskope.alerts.flow_status": { "mapping_field": "flow_status" } - } - }, - "malware": { - "header": {}, - "extension": { - "event.id": { "mapping_field": "_id" }, - "netskope.alerts.insertion_epoch_timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, - "netskope.alerts.access_method": { "mapping_field": "access_method" }, - "netskope.alerts.acked": { "mapping_field": "acked" }, - "netskope.alerts.action": { "mapping_field": "action" }, - "netskope.alerts.activity.name": { "mapping_field": "activity" }, - "netskope.alerts.is_alert": { "mapping_field": "alert" }, - "netskope.alerts.alert.name": { "mapping_field": "alert_name" }, - "netskope.alerts.type": { "mapping_field": "alert_type" }, - "netskope.alerts.app.name": { "mapping_field": "app" }, - "netskope.alerts.app.app_name": { "mapping_field": "app_name" }, - "netskope.alerts.app.session.id": { "mapping_field": "app_session_id" }, - "netskope.alerts.app.category": { "mapping_field": "appcategory" }, - "netskope.alerts.category.name": { "mapping_field": "category" }, - "netskope.alerts.cci": { "mapping_field": "cci" }, - "netskope.alerts.ccl": { "mapping_field": "ccl" }, - "netskope.alerts.connection.id": { "mapping_field": "connection_id" }, - "netskope.alerts.count": { "mapping_field": "count" }, - "netskope.alerts.created_at": { "mapping_field": "created_date" }, - "netskope.alerts.detection.engine": { "mapping_field": "detection_engine" }, - "netskope.alerts.file.id": { "mapping_field": "file_id" }, - "file.name": { "mapping_field": 
"file_name" }, - "file.path": { "mapping_field": "file_path" }, - "file.size": { "mapping_field": "file_size" }, - "file.mime_type.1": { "mapping_field": "file_type" }, - "netskope.alerts.instance.name": { "mapping_field": "instance" }, - "threat.indicator.file.hash.md5": { "mapping_field": "local_md5" }, - "threat.indicator.file.hash.sha256": { "mapping_field": "local_sha256" }, - "netskope.alerts.malware.id": { "mapping_field": "malware_id" }, - "netskope.alerts.malware.name": { "mapping_field": "malware_name" }, - "netskope.alerts.malware.profile": { "mapping_field": "malware_profile" }, - "netskope.alerts.malware.severity": { "mapping_field": "malware_severity" }, - "netskope.alerts.malware.type": { "mapping_field": "malware_type" }, - "netskope.alerts.mime.type": { "mapping_field": "mime_type" }, - "netskope.alerts.ml_detection": { "mapping_field": "ml_detection" }, - "netskope.alerts.modified.timestamp": { "mapping_field": "modified" }, - "netskope.alerts.modified.date": { "mapping_field": "modified_date" }, - "netskope.alerts.object.name": { "mapping_field": "object" }, - "netskope.alerts.object.id": { "mapping_field": "object_id" }, - "netskope.alerts.organization.unit": { "mapping_field": "organization_unit" }, - "netskope.alerts.other.categories": { "mapping_field": "other_categories" }, - "netskope.alerts.path.id": { "mapping_field": "path_id" }, - "netskope.alerts.scanner_result": { "mapping_field": "scanner_result" }, - "netskope.alerts.severity.level": { "mapping_field": "severity" }, - "netskope.alerts.severity.id": { "mapping_field": "severity_id" }, - "netskope.alerts.shared.type": { "mapping_field": "shared_type" }, - "netskope.alerts.shared.with": { "mapping_field": "shared_with" }, - "netskope.alerts.site": { "mapping_field": "site" }, - "@timestamp": { "mapping_field": "timestamp" }, - "netskope.alerts.title": { "mapping_field": "title" }, - "netskope.alerts.traffic.type": { "mapping_field": "traffic_type" }, - "netskope.alerts.tss.mode": { 
"mapping_field": "tss_mode" }, - "netskope.alerts.alert.type": { "mapping_field": "type" }, - "user.email.1": { "mapping_field": "ur_normalized" }, - "user.email.2": { "mapping_field": "user" }, - "user.email.3": { "mapping_field": "user_id" }, - "netskope.alerts.user.group": { "mapping_field": "usergroup" }, - "user.email.4": { "mapping_field": "userkey" }, - "netskope.alerts.browser.session.id": { "mapping_field": "browser_session_id" }, - "user_agent.name": { "mapping_field": "browser" }, - "user_agent.version": { "mapping_field": "browser_version" }, - "netskope.alerts.device.name": { "mapping_field": "device" }, - "netskope.alerts.device.classification": { "mapping_field": "device_classification" }, - "destination.geo.country_iso_code": { "mapping_field": "dst_country" }, - "netskope.alerts.destination.geoip_src": { "mapping_field": "dst_geoip_src" }, - "destination.geo.location.lat": { "mapping_field": "dst_latitude" }, - "destination.geo.city_name": { "mapping_field": "dst_location" }, - "destination.geo.location.lon": { "mapping_field": "dst_longitude" }, - "destination.geo.region_name": { "mapping_field": "dst_region" }, - "destination.geo.timezone": { "mapping_field": "dst_timezone" }, - "destination.geo.postal_code": { "mapping_field": "dst_zipcode" }, - "destination.ip": { "mapping_field": "dstip" }, - "destination.address": { "mapping_field": "dstip" }, - "netskope.alerts.flow_status": { "mapping_field": "flow_status" }, - "host.hostname": { "mapping_field": "hostname" }, - "netskope.alerts.ip.protocol": { "mapping_field": "ip_protocol" }, - "netskope.alerts.ns_device_uid": { "mapping_field": "nsdeviceuid" }, - "netskope.alerts.object.type": { "mapping_field": "object_type" }, - "user_agent.os.name": { "mapping_field": "os" }, - "user_agent.os.version": { "mapping_field": "os_version" }, - "netskope.alerts.page.url": { "mapping_field": "page" }, - "netskope.alerts.page.site": { "mapping_field": "page_site" }, - "network.protocol": { "mapping_field": 
"protocol" }, - "netskope.alerts.referer": { "mapping_field": "referer" }, - "netskope.alerts.source.geoip_src": { "mapping_field": "src_geoip_src" }, - "source.geo.location.lat": { "mapping_field": "src_latitude" }, - "source.geo.city_name": { "mapping_field": "src_location" }, - "source.geo.location.lon": { "mapping_field": "src_longitude" }, - "source.geo.region_name": { "mapping_field": "src_region" }, - "netskope.alerts.source.time": { "mapping_field": "src_time" }, - "source.geo.timezone": { "mapping_field": "src_timezone" }, - "source.geo.postal_code": { "mapping_field": "src_zipcode" }, - "source.ip": { "mapping_field": "srcip" }, - "source.address": { "mapping_field": "srcip" }, - "netskope.alerts.transaction.id": { "mapping_field": "transaction_id" }, - "netskope.alerts.is_web_universal_connector": { "mapping_field": "web_universal_connector" }, - "source.geo.country_iso_code": { "mapping_field": "src_country" }, - "netskope.alerts.management.id": { "mapping_field": "managementID" }, - "netskope.alerts.managed.app": { "mapping_field": "managed_app" }, - "netskope.alerts.request.id": { "mapping_field": "request_id" }, - "netskope.alerts.user.ip": { "mapping_field": "userip" } - } - } - } - } -} -``` -Netskope Alert Validation Extensions: -``` -ECS Key Name,Length,Data Type -@timestamp,,DateTime -cloud.account.id,,String -cloud.account.name,,String -cloud.service.name,,String -client.bytes,,Integer -client.packets,,Integer -destination.address,,String -destination.domain,,String -destination.geo.country_iso_code,,String -destination.geo.city_name,,String -destination.geo.location.lat,,Floating Point -destination.geo.location.lon,,Floating Point -destination.geo.postal_code,,String -destination.geo.region_name,,String -destination.geo.timezone,,String -destination.ip,,String -destination.port,,Integer -event.id,,String -file.hash.md5,,String -file.mime_type,,String -file.name,,String -file.path,,String -file.size,,Integer -host.hostname,,String 
-netskope.alerts.access_method,,String
-netskope.alerts.acked,,String
-netskope.alerts.acting.role,,String
-netskope.alerts.action,,String
-netskope.alerts.activities,,String
-netskope.alerts.activity.name,,String
-netskope.alerts.activity.status,,String
-netskope.alerts.activity.type,,String
-netskope.alerts.agg.window,,String
-netskope.alerts.aggregated.user,,String
-netskope.alerts.alert.affected.entities,,String
-netskope.alerts.alert.category,,String
-netskope.alerts.alert.description,,String
-netskope.alerts.alert.detection.stage,,String
-netskope.alerts.alert.id,,String
-netskope.alerts.alert.name,,String
-netskope.alerts.alert.notes,,String
-netskope.alerts.alert.query,,String
-netskope.alerts.alert.score,,Integer
-netskope.alerts.alert.source,,String
-netskope.alerts.alert.status,,String
-netskope.alerts.alert.type,,String
-netskope.alerts.alert.window,,String
-netskope.alerts.algorithm,,String
-netskope.alerts.anomaly.efficacy,,String
-netskope.alerts.anomaly.fields,,String
-netskope.alerts.anomaly.id,,String
-netskope.alerts.anomaly.magnitude,,Floating Point
-netskope.alerts.anomaly.type,,String
-netskope.alerts.app.app_name,,String
-netskope.alerts.app.activity,,String
-netskope.alerts.app.category,,String
-netskope.alerts.app.suite,,String
-netskope.alerts.app.name,,String
-netskope.alerts.app.region,,String
-netskope.alerts.app.session.id,,String
-netskope.alerts.asn,,Integer
-netskope.alerts.asset.id,,String
-netskope.alerts.asset.object.id,,String
-netskope.alerts.attachment,,String
-netskope.alerts.audit.category,,String
-netskope.alerts.audit.type,,String
-netskope.alerts.bin.timestamp,,Integer
-netskope.alerts.breach.date,,Integer
-netskope.alerts.breach.id,,String
-netskope.alerts.breach.description,,String
-netskope.alerts.breach.media_references,,String
-netskope.alerts.breach.name,,String
-netskope.alerts.breach.score,,Integer
-netskope.alerts.breach.target_references,,String
-netskope.alerts.browser.session.id,,String
-netskope.alerts.bucket,,String
-netskope.alerts.bypass.traffic,,String
-netskope.alerts.category,,String
-netskope.alerts.category.id,,String
-netskope.alerts.category.name,,String
-netskope.alerts.cci,,String
-netskope.alerts.ccl,,String
-netskope.alerts.channel,,String
-netskope.alerts.cloud.provider,,String
-netskope.alerts.compliance.standards,,String
-netskope.alerts.compute.instance,,String
-netskope.alerts.connection.duration,,Integer
-netskope.alerts.connection.endtime,,Floating Point
-netskope.alerts.connection.id,,String
-netskope.alerts.connection.starttime,,Floating Point
-netskope.alerts.count,,Integer
-netskope.alerts.created_at,,String
-netskope.alerts.data.version,,String
-netskope.alerts.description,,String
-netskope.alerts.destination.geoip_src,,Integer
-netskope.alerts.detected-file-type,,String
-netskope.alerts.detection.engine,,String
-netskope.alerts.detection.type,,String
-netskope.alerts.device.name,,String
-netskope.alerts.device.classification,,String
-netskope.alerts.dlp.file,,String
-netskope.alerts.dlp.fingerprint.classification,,String
-netskope.alerts.dlp.fingerprint.match,,String
-netskope.alerts.dlp.fingerprint.score,,Integer
-netskope.alerts.dlp.fv,,Integer
-netskope.alerts.dlp.incident.id,,String
-netskope.alerts.dlp.is_unique_count,,String
-netskope.alerts.dlp.mail.parent.id,,String
-netskope.alerts.dlp.parent.id,,String
-netskope.alerts.dlp.profile,,String
-netskope.alerts.dlp.rule.count,,Integer
-netskope.alerts.dlp.rule.name,,String
-netskope.alerts.dlp.rule.score,,Integer
-netskope.alerts.dlp.rule.severity,,String
-netskope.alerts.dlp.unique_count,,Integer
-netskope.alerts.doc.count,,Integer
-netskope.alerts.domain,,String
-netskope.alerts.domain.shared.with,,String
-netskope.alerts.download.app,,String
-netskope.alerts.drive.id,,String
-netskope.alerts.dynamic.classification,,String
-netskope.alerts.elastic_key,,String
-netskope.alerts.email.source,,String
-netskope.alerts.encrypt.failure,,String
-netskope.alerts.encryption.service.key,,String
-netskope.alerts.end_time,,Integer
-netskope.alerts.enterprise.id,,String
-netskope.alerts.enterprise.name,,String
-netskope.alerts.entity.list,,String
-netskope.alerts.entity.type,,String
-netskope.alerts.entity.value,,String
-netskope.alerts.event_source_channel,,String
-netskope.alerts.event.detail,,String
-netskope.alerts.event.id,,String
-netskope.alerts.event.type,,String
-netskope.alerts.exposure,,String
-netskope.alerts.external.collaborator.count,,Integer
-netskope.alerts.external.email,,Integer
-netskope.alerts.false_positive,,String
-netskope.alerts.feature.description,,String
-netskope.alerts.feature.id,,String
-netskope.alerts.feature.name,,String
-netskope.alerts.file.id,,String
-netskope.alerts.file.lang,,String
-netskope.alerts.file.name,,String
-netskope.alerts.file.password.protected,,String
-netskope.alerts.file.path,,String
-netskope.alerts.file.path.original,,String
-netskope.alerts.file.size,,Floating Point
-netskope.alerts.file.type,,String
-netskope.alerts.forward_to_proxy_profile,,String
-netskope.alerts.from.logs,,String
-netskope.alerts.from.object,,String
-netskope.alerts.from.storage,,String
-netskope.alerts.from.user_category,,String
-netskope.alerts.gateway,,String
-netskope.alerts.graph.id,,String
-netskope.alerts.http_status,,String
-netskope.alerts.http_transaction_count,,Integer
-netskope.alerts.iaas.asset.tags,,String
-netskope.alerts.iaas.remediated,,String
-netskope.alerts.iam.session,,String
-netskope.alerts.id,,String
-netskope.alerts.insertion_epoch_timestamp,,Integer
-netskope.alerts.instance_name,,String
-netskope.alerts.instance.id,,String
-netskope.alerts.instance.name,,String
-netskope.alerts.instance.type,,String
-netskope.alerts.internal.collaborator.count,,Integer
-netskope.alerts.ip_protocol,,String
-netskope.alerts.ipblock,,String
-netskope.alerts.is_alert,,String
-netskope.alerts.is_file_passwd_protected,,String
-netskope.alerts.is_malicious,,String
-netskope.alerts.is_two_factor_auth,,Integer
-netskope.alerts.is_universal_connector,,String
-netskope.alerts.is_user_generated,,String
-netskope.alerts.is_web_universal_connector,,String
-netskope.alerts.isp,,String
-netskope.alerts.item.id,,String
-netskope.alerts.justification.reason,,String
-netskope.alerts.justification.type,,String
-netskope.alerts.last.app,,String
-netskope.alerts.last.coordinates,,Floating Point
-netskope.alerts.last.country,,String
-netskope.alerts.last.device,,String
-netskope.alerts.last.location,,String
-netskope.alerts.last.modified_timestamp,,Integer
-netskope.alerts.last.region,,String
-netskope.alerts.last.timestamp,,Integer
-netskope.alerts.latency.max,,Integer
-netskope.alerts.latency.min,,Integer
-netskope.alerts.latency.total,,Integer
-netskope.alerts.legal_hold.custodian_name,,String
-netskope.alerts.legal_hold.destination.app,,String
-netskope.alerts.legal_hold.destination.instance,,String
-netskope.alerts.legal_hold.file.id,,String
-netskope.alerts.legal_hold.file.name,,String
-netskope.alerts.legal_hold.file.name_original,,String
-netskope.alerts.legal_hold.file.path,,String
-netskope.alerts.legal_hold.profile_name,,String
-netskope.alerts.legal_hold.shared,,String
-netskope.alerts.legal_hold.shared_with,,String
-netskope.alerts.legal_hold.version,,String
-netskope.alerts.list.id,,String
-netskope.alerts.log.file.name,,String
-netskope.alerts.login.type,,String
-netskope.alerts.login.url,,String
-netskope.alerts.malsite.active,,Integer
-netskope.alerts.malsite.as.number,,String
-netskope.alerts.malsite.category,,String
-netskope.alerts.malsite.city,,String
-netskope.alerts.malsite.confidence,,Integer
-netskope.alerts.malsite.consecutive,,Integer
-netskope.alerts.malsite.country,,String
-netskope.alerts.malsite.dns.server,,String
-netskope.alerts.malsite.first_seen,,Integer
-netskope.alerts.malsite.hostility,,String
-netskope.alerts.malsite.id,,String
-netskope.alerts.malsite.ip_host,,String
-netskope.alerts.malsite.isp,,String
-netskope.alerts.malsite.last.seen,,Integer
-netskope.alerts.malsite.latitude,,Floating Point
-netskope.alerts.malsite.longitude,,Floating Point
-netskope.alerts.malsite.region,,String
-netskope.alerts.malsite.reputation,,Floating Point
-netskope.alerts.malsite.severity.level,,String
-netskope.alerts.malware.id,,String
-netskope.alerts.malware.name,,String
-netskope.alerts.malware.profile,,String
-netskope.alerts.malware.severity,,String
-netskope.alerts.malware.type,,String
-netskope.alerts.managed.app,,String
-netskope.alerts.management.id,,String
-netskope.alerts.matched.username,,String
-netskope.alerts.matrix.columns,,String
-netskope.alerts.matrix.rows,,String
-netskope.alerts.md5_list,,String
-netskope.alerts.mime.type,,String
-netskope.alerts.modified.timestamp,,Integer
-netskope.alerts.modified.date,,Integer
-netskope.alerts.netskope_pop,,String
-netskope.alerts.network.name,,String
-netskope.alerts.network.security.group,,String
-netskope.alerts.network.session_id,,String
-netskope.alerts.new.value,,String
-netskope.alerts.nonzero.entries,,Integer
-netskope.alerts.nonzero.percentage,,Floating Point
-netskope.alerts.notify.template,,String
-netskope.alerts.ns_activity,,String
-netskope.alerts.ns_device_uid,,String
-netskope.alerts.numbytes,,Integer
-netskope.alerts.obfuscate,,String
-netskope.alerts.object.count,,Integer
-netskope.alerts.object.id,,String
-netskope.alerts.object.name,,String
-netskope.alerts.object.type,,String
-netskope.alerts.old.value,,String
-netskope.alerts.org,,String
-netskope.alerts.organization.unit,,String
-netskope.alerts.orig_ty,,String
-netskope.alerts.os_version_hostname,,String
-netskope.alerts.other.categories,,String
-netskope.alerts.owner,,String
-netskope.alerts.page,,String
-netskope.alerts.page.site,,String
-netskope.alerts.parameters,,String
-netskope.alerts.parent.id,,String
-netskope.alerts.path.id,,String
-netskope.alerts.policy.actions,,String
-netskope.alerts.policy.id,,String
-netskope.alerts.policy.name,,String
-netskope.alerts.pretty.sourcetype,,String
-netskope.alerts.processing.time,,Integer
-netskope.alerts.profile.emails,,String
-netskope.alerts.profile.id,,String
-netskope.alerts.quarantine.action.reason,,String
-netskope.alerts.quarantine.admin,,String
-netskope.alerts.quarantine.app,,String
-netskope.alerts.quarantine.failure,,String
-netskope.alerts.quarantine.file.id,,String
-netskope.alerts.quarantine.file.name,,String
-netskope.alerts.quarantine.instance,,String
-netskope.alerts.quarantine.original.file.name,,String
-netskope.alerts.quarantine.original.file.path,,String
-netskope.alerts.quarantine.original.shared,,String
-netskope.alerts.quarantine.original.version,,String
-netskope.alerts.quarantine.profile.name,,String
-netskope.alerts.quarantine.profile.id,,String
-netskope.alerts.quarantine.shared.with,,String
-netskope.alerts.referer,,String
-http.request.referrer,,String
-netskope.alerts.region.id,,String
-netskope.alerts.region.name,,String
-netskope.alerts.reladb,,String
-netskope.alerts.repo,,String
-netskope.alerts.request.cnt,,String
-netskope.alerts.request.id,,String
-netskope.alerts.resource.group,,String
-netskope.alerts.resources,,String
-netskope.alerts.response.cnt,,Integer
-netskope.alerts.response.content.length,,Integer
-netskope.alerts.response.content.type,,String
-netskope.alerts.retro.scan.name,,String
-netskope.alerts.risk_level.id,,String
-netskope.alerts.risk_level.tag,,String
-netskope.alerts.role,,String
-netskope.alerts.rule.id,,String
-netskope.alerts.sa.profile.id,,String
-netskope.alerts.sa.profile.name,,String
-netskope.alerts.sa.rule.remediation,,String
-netskope.alerts.sa.rule.severity,,String
-netskope.alerts.scan.time,,String
-netskope.alerts.scan.type,,String
-netskope.alerts.scanner_result,,String
-netskope.alerts.scopes,,String
-netskope.alerts.serial,,String
-netskope.alerts.session.duration,,Integer
-netskope.alerts.session.id,,String
-netskope.alerts.severity,,String
-netskope.alerts.severity.id,,String
-netskope.alerts.severity.level,,String
-netskope.alerts.severity.level_id,,Integer
-netskope.alerts.sfwder,,String
-netskope.alerts.shared_type,,String
-netskope.alerts.shared.credential.user,,String
-netskope.alerts.shared.domains,,String
-netskope.alerts.shared.is_shared,,String
-netskope.alerts.shared.type,,String
-netskope.alerts.shared.with,,String
-netskope.alerts.site,,String
-netskope.alerts.source.geoip_src,,Integer
-netskope.alerts.source.time,,String
-netskope.alerts.srcip2,,String
-netskope.alerts.ssl.decrypt.policy,,String
-netskope.alerts.start_time,,Integer
-netskope.alerts.start_time,,String
-netskope.alerts.statistics,,String
-netskope.alerts.storage_service_bucket,,String
-netskope.alerts.sub.type,,String
-netskope.alerts.summary,,String
-netskope.alerts.suppression.end.time,,String
-netskope.alerts.suppression.key,,String
-netskope.alerts.suppression.start.time,,String
-netskope.alerts.target.entity.key,,String
-netskope.alerts.target.entity.type,,String
-netskope.alerts.target.entity.value,,String
-netskope.alerts.team,,String
-netskope.alerts.telemetry.app,,String
-netskope.alerts.temp.user,,String
-netskope.alerts.tenant.id,,String
-netskope.alerts.tenant.id,,String
-netskope.alerts.threat.match.field,,String
-netskope.alerts.threat.match.value,,String
-netskope.alerts.threat.source.id,,String
-netskope.alerts.threshold.time,,Integer
-netskope.alerts.threshold.value,,Integer
-netskope.alerts.timestamp,,Integer
-netskope.alerts.to.object,,String
-netskope.alerts.to.storage,,String
-netskope.alerts.to.user,,String
-netskope.alerts.to.user_category,,String
-netskope.alerts.total.collaborator.count,,String
-netskope.alerts.total.packets,,Integer
-netskope.alerts.traffic.type,,String
-netskope.alerts.transaction.id,,String
-netskope.alerts.transformation,,String
-netskope.alerts.tss.mode,,String
-netskope.alerts.tss.version,,String
-netskope.alerts.tunnel.id,,String
-netskope.alerts.tunnel.type,,String
-netskope.alerts.tunnel.up_time,,String
-netskope.alerts.type,,String
-netskope.alerts.updated,,String
-netskope.alerts.url,,String
-netskope.alerts.Url2Activity,,String
-netskope.alerts.user.category,,String
-netskope.alerts.user.ip,,String
-netskope.alerts.value,,String
-netskope.alerts.violating_user.name,,Floating Point
-netskope.alerts.violating_user.type,,String
-netskope.alerts.web.url,,String
-netskope.alerts.workspace.id,,String
-netskope.alerts.workspace.name,,String
-netskope.alerts.zip.password,,String
-network.protocol,,String
-server.bytes,,Integer
-server.packets,,Integer
-source.address,,String
-source.geo.city_name,,String
-source.geo.country_iso_code,,String
-source.geo.location.lat,,Floating Point
-source.geo.location.lon,,Floating Point
-source.geo.postal_code,,String
-source.geo.region_name,,String
-source.geo.timezone,,String
-source.ip,,String
-source.port,,Integer
-threat.indicator.file.hash.md5,,String
-threat.indicator.file.hash.sha1,,String
-threat.indicator.file.hash.sha256,,String
-user_agent.name,,String
-user_agent.original,,String
-user_agent.os.name,,String
-user_agent.os.version,,String
-user_agent.version,,String
-user.email,,String
-user.group.name,,String
-user.id,,String
-user.name,,String
-user.roles,,String
-netskope.alerts.user.group,,String
-netskope.alerts.page.url,,String
-netskope.alerts.page_site,,String
-netskope.alerts.sa.rule.name,,String
-netskope.alerts.sa.rule.id,,String
-netskope.alerts.resource.category,,String
-netskope.alerts.ip.protocol,,String
-netskope.alerts.slc_longitude,,String
-netskope.alerts.flow_status,,String
-netskope.alerts.uba_inst2,,String
-netskope.alerts.uba_inst1,,String
-netskope.alerts.uba_ap2,,String
-netskope.alerts.uba_ap1,,String
-netskope.alerts.slc_latitude,,String
-netskope.alerts.ml_detection,,String
-netskope.alerts.title,,String
-file.mime_type.1,,String
-file.mime_type.2,,String
-user.email.1,,String
-user.email.2,,String
-user.email.3,,String
-user.email.4,,String
-netskope.alerts.quarantine.app.1,,String
-netskope.alerts.quarantine.app.2,,String
-```
-
-### Events
-
-Default port: _9021_
-
-Netskope Event Mapping:
-```json
-{
- "elastic_map_version": "2.0.0",
- "ecs_version": "0",
- "taxonomy": {
- "events": {
- "application": {
- "header": {},
- "extension": {
- "netskope.events.event_type": { "default_value": "application" },
- "event.id": { "mapping_field": "_id" },
- "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" },
- "netskope.events.access_method": { "mapping_field": "access_method" },
- "netskope.events.ack": { "mapping_field": "ack" },
- "user.email.1": { "mapping_field": "act_user" },
- "netskope.events.activity.name": { "mapping_field": "activity" },
- "netskope.events.alert.is_present": { "mapping_field": "alert" },
- "netskope.events.app.name": { "mapping_field": "app" },
- "netskope.events.app.activity": { "mapping_field": "app_activity" },
- "netskope.events.app.category": { "mapping_field": "appcategory" },
- "user_agent.name": { "mapping_field": "browser" },
- "netskope.events.category.name": { "mapping_field": "category" },
- "netskope.events.cci": { "mapping_field": "cci" },
- "netskope.events.ccl": { "mapping_field": "ccl" },
- "netskope.events.count": { "mapping_field": "count" },
- "netskope.events.device.type": { "mapping_field": "device" },
- "netskope.events.instance.id": { "mapping_field": "instance_id" },
- "netskope.events.object.name": { "mapping_field": "object" },
- "netskope.events.object.id": { "mapping_field": "object_id" },
- "netskope.events.object.type": { "mapping_field": "object_type" },
- "netskope.events.organization_unit": { "mapping_field": "organization_unit" },
- "user_agent.os.name": { "mapping_field": "os" },
- "netskope.events.other.categories": { "mapping_field": "other_categories" },
- "netskope.events.request.id": { "mapping_field": "request_id" },
- "netskope.events.site": { "mapping_field": "site" },
- "source.geo.country_iso_code": 
{ "mapping_field": "src_country" }, - "netskope.events.source.geoip_src": { "mapping_field": "src_geoip_src" }, - "source.geo.location.lat": { "mapping_field": "src_latitude" }, - "source.geo.city_name": { "mapping_field": "src_location" }, - "source.geo.location.lon": { "mapping_field": "src_longitude" }, - "source.geo.region_name": { "mapping_field": "src_region" }, - "source.geo.postal_code": { "mapping_field": "src_zipcode" }, - "source.address": { "mapping_field": "srcip" }, - "source.ip": { "mapping_field": "srcip" }, - "@timestamp": { "mapping_field": "timestamp" }, - "netskope.events.traffic.type": { "mapping_field": "traffic_type" }, - "netskope.events.type": { "mapping_field": "type" }, - "user.email.2": { "mapping_field": "ur_normalized" }, - "user.email.3": { "mapping_field": "user" }, - "netskope.events.user.category": { "mapping_field": "user_category" }, - "user.email.4": { "mapping_field": "user_id" }, - "user.name": { "mapping_field": "user_name" }, - "user.roles": { "mapping_field": "user_role" }, - "user.group.name": { "mapping_field": "usergroup" }, - "netskope.events.user.ip": { "mapping_field": "userip" }, - "user.email.5": { "mapping_field": "userkey" }, - "cloud.account.name": { "mapping_field": "ack"}, - "event.action": { "mapping_field": "action"}, - "netskope.events.alert.name": { "mapping_field": "alert_name"}, - "netskope.events.alert.type": { "mapping_field": "alert_type"}, - "destination.geo.country_iso_code": { "mapping_field": "dst_country"}, - "netskope.events.destination.geoip.source": { "mapping_field": "dst_geoip_src"}, - "destination.geo.location.lat": { "mapping_field": "dst_latitude"}, - "destination.geo.city_name": { "mapping_field": "dst_location"}, - "destination.geo.location.lon": { "mapping_field": "dst_longitude"}, - "destination.geo.region_name": { "mapping_field": "dst_region"}, - "destination.geo.postal_code": { "mapping_field": "dst_zipcode"}, - "destination.address": { "mapping_field": "dstip"}, - "destination.ip": 
{ "mapping_field": "dstip"}, - "netskope.events.exposure": { "mapping_field": "exposure"}, - "netskope.events.file.lang": { "mapping_field": "file_lang"}, - "file.path": { "mapping_field": "file_path"}, - "file.size": { "mapping_field": "file_size"}, - "file.mime_type.1": { "mapping_field": "file_type"}, - "netskope.events.instance_name": { "mapping_field": "instance"}, - "file.hash.md5": { "mapping_field": "md5"}, - "file.mime_type.2": { "mapping_field": "mime_type"}, - "netskope.events.modified_at": { "mapping_field": "modified"}, - "netskope.events.owner": { "mapping_field": "owner"}, - "netskope.events.policy.name": { "mapping_field": "policy"}, - "netskope.events.quarantine.admin": { "mapping_field": "q_admin"}, - "netskope.events.quarantine.app": { "mapping_field": "q_app"}, - "netskope.events.quarantine.instance": { "mapping_field": "q_instance"}, - "netskope.events.quarantine.original.file.name": { "mapping_field": "q_original_filename"}, - "netskope.events.quarantine.original.file.path": { "mapping_field": "q_original_filepath"}, - "netskope.events.quarantine.original.shared": { "mapping_field": "q_original_shared"}, - "netskope.events.quarantine.original.version": { "mapping_field": "q_original_version"}, - "netskope.events.quarantine.shared_with": { "mapping_field": "q_shared_with"}, - "netskope.events.qar": { "mapping_field": "qar"}, - "netskope.events.quarantine.app_name": { "mapping_field": "quarantine_app"}, - "netskope.events.quarantine.action.reason": { "mapping_field": "quarantine_action_reason"}, - "netskope.events.quarantine.failure": { "mapping_field": "quarantine_failure"}, - "netskope.events.quarantine.file.id": { "mapping_field": "quarantine_file_id"}, - "netskope.events.quarantine.file.name": { "mapping_field": "quarantine_file_name"}, - "netskope.events.quarantine.profile.name": { "mapping_field": "quarantine_profile"}, - "netskope.events.quarantine.profile.id": { "mapping_field": "quarantine_profile_id"}, - "netskope.events.scan.type": { 
"mapping_field": "scan_type"}, - "netskope.events.shared.with": { "mapping_field": "shared_with"}, - "netskope.events.suppression.key": { "mapping_field": "suppression_key"}, - "netskope.events.url": { "mapping_field": "url"}, - "netskope.events.device.classification": { "mapping_field": "device_classification"}, - "netskope.events.from.storage": { "mapping_field": "from_storage"}, - "netskope.events.managed_app": { "mapping_field": "managed_app"}, - "netskope.events.management.id": { "mapping_field": "managementID"}, - "netskope.events.page": { "mapping_field": "page"}, - "netskope.events.page_site": { "mapping_field": "page_site"}, - "netskope.events.telemetry_app": { "mapping_field": "telemetry_app"}, - "netskope.events.transaction.id": { "mapping_field": "transaction_id"}, - "user_agent.os.version": { "mapping_field": "os_version"}, - "netskope.events.legal_hold_profile_name": { "mapping_field": "legal_hold_profile_name"}, - "user.email.6": { "mapping_field": "lh_custodian_email"}, - "netskope.events.lh.custodian.name": { "mapping_field": "lh_custodian_name"}, - "netskope.events.lh.destination.app": { "mapping_field": "lh_dest_app"}, - "netskope.events.lh.destination.instance": { "mapping_field": "lh_dest_instance"}, - "netskope.events.lh.file_id": { "mapping_field": "lh_fileid"}, - "netskope.events.lh.filename": { "mapping_field": "lh_filename"}, - "netskope.events.lh.filepath": { "mapping_field": "lh_filepath"}, - "netskope.events.lh.filename_original": { "mapping_field": "lh_original_filename"}, - "netskope.events.lh.shared": { "mapping_field": "lh_shared"}, - "netskope.events.lh.shared_with": { "mapping_field": "lh_shared_with"}, - "netskope.events.lh.version": { "mapping_field": "lh_version"}, - "host.hostname": { "mapping_field": "hostname"}, - "netskope.events.ns.device_uid": { "mapping_field": "nsdeviceuid"}, - "netskope.events.severity.level": { "mapping_field": "severity"} - } - }, - "audit": { - "header": {}, - "extension": { - 
"netskope.events.event_type": { "default_value": "audit" }, - "event.id": { "mapping_field": "_id" }, - "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, - "netskope.events.app.category": { "mapping_field": "appcategory" }, - "netskope.events.audit.log.event": { "mapping_field": "audit_log_event" }, - "netskope.events.category.name": { "mapping_field": "category" }, - "netskope.events.ccl": { "mapping_field": "ccl" }, - "netskope.events.count": { "mapping_field": "count" }, - "netskope.events.organization_unit": { "mapping_field": "organization_unit" }, - "netskope.events.severity.level": { "mapping_field": "severity_level" }, - "netskope.events.supporting_data": { "mapping_field": "supporting_data" }, - "@timestamp": { "mapping_field": "timestamp" }, - "netskope.events.type": { "mapping_field": "type" }, - "user.email.1": { "mapping_field": "ur_normalized" }, - "user.email.2": { "mapping_field": "user" } - } - }, - "infrastructure": { - "header": {}, - "extension": { - "netskope.events.event_type": { "default_value": "infrastructure" }, - "@timestamp": { "mapping_field": "timestamp" }, - "event.id": { "mapping_field": "_id" }, - "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, - "netskope.events.alarm.name": { "mapping_field": "alarm_name" }, - "netskope.events.alarm.description": { "mapping_field": "alarm_description" }, - "netskope.events.device.name": { "mapping_field": "device_name" }, - "netskope.events.metric_value": { "mapping_field": "metric_value" }, - "netskope.events.serial": { "mapping_field": "serial" }, - "netskope.events.severity.level": { "mapping_field": "severity" }, - "netskope.events.supporting_data": { "mapping_field": "supporting_data" } - } - }, - "network": { - "header": {}, - "extension": { - "netskope.events.event_type": { "default_value": "network" }, - "event.id": { "mapping_field": "_id" }, - "destination.geo.country_iso_code": { "mapping_field": 
"dst_country" }, - "netskope.events.destination.geoip.source": { "mapping_field": "dst_geoip_src" }, - "destination.geo.location.lat": { "mapping_field": "dst_latitude" }, - "destination.geo.city_name": { "mapping_field": "dst_location" }, - "destination.geo.location.lon": { "mapping_field": "dst_longitude" }, - "destination.geo.region_name": { "mapping_field": "dst_region" }, - "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, - "netskope.events.access_method": { "mapping_field": "access_method" }, - "event.action": { "mapping_field": "action" }, - "netskope.events.app.name": { "mapping_field": "app" }, - "netskope.events.app.category": { "mapping_field": "appcategory" }, - "netskope.events.category.name": { "mapping_field": "category" }, - "netskope.events.ccl": { "mapping_field": "ccl" }, - "client.bytes": { "mapping_field": "client_bytes" }, - "client.packets": { "mapping_field": "client_packets" }, - "netskope.events.count": { "mapping_field": "count" }, - "netskope.events.device.type": { "mapping_field": "device" }, - "destination.domain": { "mapping_field": "dsthost" }, - "destination.address": { "mapping_field": "dstip" }, - "destination.ip": { "mapping_field": "dstip" }, - "destination.port": { "mapping_field": "dstport" }, - "destination.geo.postal_code": { "mapping_field": "dst_zipcode" }, - "netskope.events.end_time": { "mapping_field": "end_time" }, - "netskope.events.ip.protocol": { "mapping_field": "ip_protocol" }, - "netskope.events.netskope_pop": { "mapping_field": "netskope_pop" }, - "netskope.events.num_sessions": { "mapping_field": "num_sessions" }, - "netskope.events.numbytes": { "mapping_field": "numbytes" }, - "netskope.events.organization_unit": { "mapping_field": "organization_unit" }, - "user_agent.os.name": { "mapping_field": "os" }, - "user_agent.os.version": { "mapping_field": "os_version" }, - "netskope.events.policy.name": { "mapping_field": "policy" }, - "netskope.events.publisher_cn": { 
"mapping_field": "publisher_cn" }, - "netskope.events.session.packets": { "mapping_field": "session_duration" }, - "netskope.events.site": { "mapping_field": "site" }, - "network.protocol": { "mapping_field": "protocol" }, - "server.bytes": { "mapping_field": "server_bytes" }, - "server.packets": { "mapping_field": "server_packets" }, - "source.address": { "mapping_field": "srcip" }, - "source.ip": { "mapping_field": "srcip" }, - "source.port": { "mapping_field": "srcport" }, - "netskope.events.start_time": { "mapping_field": "start_time" }, - "@timestamp": { "mapping_field": "timestamp" }, - "netskope.events.tnetwork_session_id": { "mapping_field": "tnetwork_session_id" }, - "netskope.events.total_packets": { "mapping_field": "total_packets" }, - "netskope.events.traffic.type": { "mapping_field": "traffic_type" }, - "netskope.events.tunnel.id": { "mapping_field": "tunnel_id" }, - "netskope.events.tunnel.type": { "mapping_field": "tunnel_type" }, - "netskope.events.tunnel.up_time": { "mapping_field": "tunnel_up_time" }, - "netskope.events.type": { "mapping_field": "type" }, - "source.geo.country_iso_code": { "mapping_field": "src_country" }, - "netskope.events.source.geoip_src": { "mapping_field": "src_geoip_src" }, - "source.geo.location.lat": { "mapping_field": "src_latitude" }, - "source.geo.city_name": { "mapping_field": "src_location" }, - "source.geo.location.lon": { "mapping_field": "src_longitude" }, - "source.geo.region_name": { "mapping_field": "src_region" }, - "source.geo.timezone": { "mapping_field": "src_timezone" }, - "source.geo.postal_code": { "mapping_field": "src_zipcode" }, - "user.email.1": { "mapping_field": "ur_normalized" }, - "user.email.2": { "mapping_field": "user" }, - "user.group.name": { "mapping_field": "usergroup" }, - "netskope.events.user.ip": { "mapping_field": "userip" }, - "user.email.3": { "mapping_field": "userkey" } - } - }, - "page": { - "header": {}, - "extension": { - "netskope.events.event_type": { "default_value": "page" 
}, - "event.id": { "mapping_field": "_id" }, - "netskope.events.insertion.timestamp": { "mapping_field": "_insertion_epoch_timestamp" }, - "netskope.events.access_method": { "mapping_field": "access_method" }, - "netskope.events.app.name": { "mapping_field": "app" }, - "netskope.events.app.session.id": { "mapping_field": "app_session_id" }, - "netskope.events.app.category": { "mapping_field": "appcategory" }, - "user_agent.name": { "mapping_field": "browser" }, - "netskope.events.browser.session.id": { "mapping_field": "browser_session_id" }, - "user_agent.version": { "mapping_field": "browser_version" }, - "netskope.events.category.name": { "mapping_field": "category" }, - "netskope.events.cci": { "mapping_field": "cci" }, - "netskope.events.ccl": { "mapping_field": "ccl" }, - "client.bytes": { "mapping_field": "client_bytes" }, - "netskope.events.connection.duration": { "mapping_field": "conn_duration" }, - "netskope.events.connection.end_time": { "mapping_field": "conn_endtime" }, - "netskope.events.connection.start_time": { "mapping_field": "conn_starttime" }, - "netskope.events.connection.id": { "mapping_field": "connection_id" }, - "netskope.events.count": { "mapping_field": "count" }, - "netskope.events.device.type": { "mapping_field": "device" }, - "netskope.events.domain": { "mapping_field": "domain" }, - "destination.geo.country_iso_code": { "mapping_field": "dst_country" }, - "netskope.events.destination.geoip.source": { "mapping_field": "dst_geoip_src" }, - "destination.geo.location.lat": { "mapping_field": "dst_latitude" }, - "destination.geo.city_name": { "mapping_field": "dst_location" }, - "destination.geo.location.lon": { "mapping_field": "dst_longitude" }, - "destination.geo.region_name": { "mapping_field": "dst_region" }, - "destination.geo.timezone": { "mapping_field": "dst_timezone" }, - "destination.geo.postal_code": { "mapping_field": "dst_zipcode" }, - "destination.address": { "mapping_field": "dstip" }, - "destination.ip": { 
"mapping_field": "dstip" }, - "destination.port": { "mapping_field": "dstport" }, - "netskope.events.numbytes": { "mapping_field": "numbytes" }, - "netskope.events.organization_unit": { "mapping_field": "organization_unit" }, - "user_agent.os.name": { "mapping_field": "os" }, - "user_agent.os.version": { "mapping_field": "os_version" }, - "netskope.events.page": { "mapping_field": "page" }, - "netskope.events.request.count": { "mapping_field": "req_cnt" }, - "netskope.events.response.count": { "mapping_field": "resp_cnt" }, - "server.bytes": { "mapping_field": "server_bytes" }, - "netskope.events.severity.level": { "mapping_field": "severity" }, - "netskope.events.site": { "mapping_field": "site" }, - "netskope.events.slc.geo.location.lat": { "mapping_field": "slc_latitude" }, - "netskope.events.slc.geo.location.lon": { "mapping_field": "slc_longitude" }, - "source.geo.country_iso_code": { "mapping_field": "src_country" }, - "netskope.events.source.geoip_src": { "mapping_field": "src_geoip_src" }, - "source.geo.location.lat": { "mapping_field": "src_latitude" }, - "source.geo.city_name": { "mapping_field": "src_location" }, - "source.geo.location.lon": { "mapping_field": "src_longitude" }, - "source.geo.region_name": { "mapping_field": "src_region" }, - "source.geo.timezone": { "mapping_field": "src_timezone" }, - "source.geo.postal_code": { "mapping_field": "src_zipcode" }, - "source.address": { "mapping_field": "srcip" }, - "source.ip": { "mapping_field": "srcip" }, - "@timestamp": { "mapping_field": "timestamp" }, - "netskope.events.traffic.type": { "mapping_field": "traffic_type" }, - "netskope.events.type": { "mapping_field": "type" }, - "user.email.1": { "mapping_field": "ur_normalized" }, - "user.email.2": { "mapping_field": "user" }, - "netskope.events.user.generated": { "mapping_field": "user_generated" }, - "user_agent.original": { "mapping_field": "useragent" }, - "user.group.name": { "mapping_field": "usergroup" }, - "netskope.events.user.ip": { 
"mapping_field": "userip" }, - "user.email.3": { "mapping_field": "userkey" }, - "netskope.events.url": { "mapping_field" : "url" }, - "netskope.events.is_bypass_traffic": { "mapping_field" : "bypass_traffic" }, - "host.hostname": { "mapping_field" : "hostname" }, - "netskope.events.http_transaction_count": { "mapping_field" : "http_transaction_count" }, - "netskope.events.response.content.length": { "mapping_field" : "resp_content_len" }, - "netskope.events.response.content.type": { "mapping_field" : "resp_content_type" }, - "netskope.events.suppression.end_time": { "mapping_field" : "suppression_end_time" }, - "netskope.events.suppression.start_time": { "mapping_field" : "suppression_start_time" }, - "netskope.events.transaction.id": { "mapping_field" : "transaction_id" } - } - } - } - } -} -``` - -Netskope Event Validation Extensions: -``` -ECS Key Name,Length,Data Type -@timestamp,,DateTime -client.bytes,,Integer -client.packets,,Integer -cloud.account.id,,String -cloud.account.name,,String -cloud.region,,String -cloud.service.name,,String -destination.address,,String -destination.domain,,String -destination.geo.city_name,,String -destination.geo.country_iso_code,,String -destination.geo.location.lat,,Floating Point -destination.geo.location.lon,,Floating Point -destination.geo.postal_code,,String -destination.geo.region_name,,String -destination.geo.timezone,,String -destination.ip,,String -destination.port,,Integer -event.action,,String -event.id,,String -file.hash.md5,,String -file.mime_type,,String -file.name,,String -file.path,,String -file.size,,Integer -host.hostname,,String -netskope.events.access_method,,String -netskope.events.ack,,String -netskope.events.acked,,String -netskope.events.activity.name,,String -netskope.events.activity.status,,String -netskope.events.activity.type,,String -netskope.events.alarm.description,,String -netskope.events.alarm.name,,String -netskope.events.alert.is_present,,String -netskope.events.alert.name,,String 
-netskope.events.alert.type,,String -netskope.events.app.activity,,String -netskope.events.app.category,,String -netskope.events.app.name,,String -netskope.events.app.region,,String -netskope.events.app.session.id,,String -netskope.events.attachment,,String -netskope.events.audit.category,,String -netskope.events.audit.log.event,,String -netskope.events.audit.type,,String -netskope.events.breach_name,,String -netskope.events.browser.session.id,,String -netskope.events.bucket,,String -netskope.events.category.id,,String -netskope.events.category.name,,String -netskope.events.cci,,String -netskope.events.ccl,,String -netskope.events.channel,,String -netskope.events.connection.duration,,Integer -netskope.events.connection.end_time,,Floating Point -netskope.events.connection.id,,String -netskope.events.connection.start_time,,Floating Point -netskope.events.count,,Integer -netskope.events.description,,String -netskope.events.destination.geoip.source,,Integer -netskope.events.detail,,String -netskope.events.detection.engine,,String -netskope.events.detection.type,,String -netskope.events.device.classification,,String -netskope.events.device.name,,String -netskope.events.device.type,,String -netskope.events.dlp.count,,Integer -netskope.events.dlp.file,,String -netskope.events.dlp.fingerprint.classification,,String -netskope.events.dlp.fingerprint.match,,String -netskope.events.dlp.fingerprint.score,,Integer -netskope.events.dlp.fv,,Integer -netskope.events.dlp.incident.id,,String -netskope.events.dlp.is_unique_count,,String -netskope.events.dlp.mail.parent_id,,String -netskope.events.dlp.parent.id,,String -netskope.events.dlp.profile,,String -netskope.events.dlp.score,,Integer -netskope.events.dlp.severity,,String -netskope.events.dlp.unique_count,,Integer -netskope.events.domain,,String -netskope.events.domain_shared_with,,String -netskope.events.drive.id,,String -netskope.events.encrypt.failure,,String -netskope.events.end_time,,Integer 
-netskope.events.enterprise.id,,String -netskope.events.enterprise.name,,String -netskope.events.event_type,,String -netskope.events.event.type,,String -netskope.events.exposure,,String -netskope.events.external_collaborator_count,,Integer -netskope.events.false_positive,,String -netskope.events.file.id,,String -netskope.events.file.is_password_protected,,String -netskope.events.file.lang,,String -netskope.events.forward_to_proxy_profile,,String -netskope.events.from.logs,,String -netskope.events.from.object,,String -netskope.events.from.storage,,String -netskope.events.from.user_category,,String -netskope.events.gateway,,String -netskope.events.graph.id,,Integer -netskope.events.http_status,,String -netskope.events.http_transaction_count,,Integer -netskope.events.iaas_asset_tags,,String -netskope.events.id,,String -netskope.events.insertion.timestamp,,Integer -netskope.events.instance_name,,String -netskope.events.instance.id,,String -netskope.events.instance.name,,String -netskope.events.instance.type,,String -netskope.events.internal_collaborator_count,,Integer -netskope.events.ip.protocol,,String -netskope.events.is_bypass_traffic,,String -netskope.events.is_malicious,,String -netskope.events.item.id,,String -netskope.events.justification.type,,String -netskope.events.last.app,,String -netskope.events.last.country,,String -netskope.events.last.device,,String -netskope.events.last.location,,String -netskope.events.last.region,,String -netskope.events.last.timestamp,,Integer -netskope.events.latency.max,,Integer -netskope.events.latency.min,,Integer -netskope.events.latency.total,,Integer -netskope.events.legal_hold_profile_name,,String -netskope.events.lh.custodian.name,,String -netskope.events.lh.destination.app,,String -netskope.events.lh.destination.instance,,String -netskope.events.lh.file_id,,String -netskope.events.lh.filename,,String -netskope.events.lh.filename_original,,String -netskope.events.lh.filepath,,String -netskope.events.lh.shared,,String 
-netskope.events.lh.shared_with,,String -netskope.events.lh.version,,String -netskope.events.list.id,,String -netskope.events.log_file.name,,String -netskope.events.login.type,,String -netskope.events.login.url,,String -netskope.events.malsite_category,,String -netskope.events.malware.id,,String -netskope.events.malware.name,,String -netskope.events.malware.profile,,String -netskope.events.malware.severity,,String -netskope.events.malware.type,,String -netskope.events.managed_app,,String -netskope.events.management.id,,String -netskope.events.metric_value,,Integer -netskope.events.modified_at,,Integer -netskope.events.quarantine.original.shared,,String -netskope.events.network.name,,String -netskope.events.network.session_id,,String -netskope.events.new_value,,String -netskope.events.notify_template,,String -netskope.events.ns.activity,,String -netskope.events.ns.device_uid,,String -netskope.events.numbytes,,Integer -netskope.events.obfuscate,,String -netskope.events.object.count,,String -netskope.events.object.id,,String -netskope.events.object.name,,String -netskope.events.object.type,,String -netskope.events.old_value,,String -netskope.events.org,,String -netskope.events.organization_unit,,String -netskope.events.orig_ty,,String -netskope.events.original_file_path,,String -netskope.events.other.categories,,String -netskope.events.owner,,String -netskope.events.page,,String -netskope.events.page_site,,String -netskope.events.parent.id,,String -netskope.events.path_id,,String -netskope.events.policy.id,,String -netskope.events.policy.name,,String -netskope.events.profile.emails,,String -netskope.events.profile.id,,String -netskope.events.protocol,,String -netskope.events.publisher_cn,,String -netskope.events.qar,,String -netskope.events.quarantine.action.reason,,String -netskope.events.quarantine.admin,,String -netskope.events.quarantine.app,,String -netskope.events.quarantine.app_name,,String -netskope.events.quarantine.failure,,String 
-netskope.events.quarantine.file.id,,String -netskope.events.quarantine.file.name,,String -netskope.events.quarantine.instance,,String -netskope.events.quarantine.original.file.name,,String -netskope.events.quarantine.original.file.path,,String -netskope.events.quarantine.original.shared,,String -netskope.events.quarantine.original.version,,String -netskope.events.quarantine.profile.id,,String -netskope.events.quarantine.profile.name,,String -netskope.events.quarantine.shared_with,,String -netskope.events.referer,,String -netskope.events.region,,String -netskope.events.region.id,,String -netskope.events.repo,,String -netskope.events.request.count,,Integer -netskope.events.request.id,,String -netskope.events.response.content.length,,Integer -netskope.events.response.content.type,,String -netskope.events.response.count,,Integer -netskope.events.retro_scan_name,,String -netskope.events.risk_level,,String -netskope.events.risk_level_id,,String -netskope.events.role,,String -netskope.events.run_id,,String -netskope.events.sa.profile.id,,String -netskope.events.sa.profile.name,,String -netskope.events.sa.rule.severity,,String -netskope.events.scan.time,,String -netskope.events.scan.type,,String -netskope.events.scopes,,String -netskope.events.serial,,String -netskope.events.session.duration,,Integer -netskope.events.session.id,,String -netskope.events.session.packets,,Integer -netskope.events.severity.id,,String -netskope.events.severity.level,,String -netskope.events.severity.type,,String -netskope.events.sfwder,,String -netskope.events.shared.domains,,String -netskope.events.shared.is_shared,,String -netskope.events.shared.type,,String -netskope.events.shared.with,,String -netskope.events.site,,String -netskope.events.slc.geo.location.lat,,Floating Point -netskope.events.slc.geo.location.lon,,Floating Point -netskope.events.source.geoip_src,,Integer -netskope.events.ssl_decrypt_policy,,String -netskope.events.start_time,,Integer -netskope.events.sub_type,,String 
-netskope.events.supporting_data,,String -netskope.events.suppression.end_time,,Integer -netskope.events.suppression.key,,String -netskope.events.suppression.start_time,,Integer -netskope.events.team,,String -netskope.events.telemetry_app,,String -netskope.events.temp_user,,String -netskope.events.tenant.id,,String -netskope.events.threat.match.field,,String -netskope.events.threat.match.value,,String -netskope.events.threat.source.id,,String -netskope.events.threshold,,Integer -netskope.events.to.object,,String -netskope.events.to.storage,,String -netskope.events.to.user,,String -netskope.events.to.user_category,,String -netskope.events.total_packets,,Integer -netskope.events.total.collaborator_count,,String -netskope.events.traffic.type,,String -netskope.events.transaction.id,,String -netskope.events.tss_mode,,Integer -netskope.events.tunnel.id,,String -netskope.events.tunnel.type,,String -netskope.events.tunnel.up_time,,Integer -netskope.events.two_factor_auth,,Integer -netskope.events.type,,String -netskope.events.universal_connector,,String -netskope.events.url,,String -netskope.events.url_to_activity,,String -netskope.events.user.category,,String -netskope.events.user.generated,,String -netskope.events.user.group,,String -netskope.events.user.ip,,String -netskope.events.user.is_aggregated,,String -netskope.events.violating.user.name,,String -netskope.events.violating.user.type,,String -netskope.events.web_universal_connector,,String -netskope.events.web.url,,String -netskope.events.workspace.id,,String -netskope.events.workspace.name,,String -netskope.events.zip_password,,String -network.protocol,,String -rule.id,,String -rule.name,,String -server.bytes,,Integer -server.packets,,Integer -source.address,,String -source.geo.city_name,,String -source.geo.country_iso_code,,String -source.geo.location.lat,,Floating Point -source.geo.location.lon,,Floating Point -source.geo.postal_code,,String -source.geo.region_name,,String -source.geo.timezone,,String 
-source.ip,,String -source.port,,Integer -threat.indicator.file.hash.md5,,String -threat.indicator.file.hash.sha1,,String -threat.indicator.file.hash.sha256,,String -user_agent.name,,String -user_agent.original,,String -user_agent.os.name,,String -user_agent.os.version,,String -user_agent.version,,String -user.email,,String -user.group.name,,String -user.name,,String -user.roles,,String -file.mime_type.1,,String -file.mime_type.2,,String -user.email.1,,String -user.email.2,,String -user.email.3,,String -user.email.4,,String -user.email.5,,String -user.email.6,,String -``` - -## Fields and Sample event - -### Alerts - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.port | Port of the client. | long | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. 
| keyword | -| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. 
| keyword | -| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.module | Event module | constant_keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| netskope.alerts.Url2Activity | Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. | keyword | -| netskope.alerts.access_method | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. 
For log uploads this shows the actual log type such as PAN, Websense, etc. | keyword | -| netskope.alerts.account.id | Account ID (usually is account number as provided by the cloud provider). | keyword | -| netskope.alerts.account.name | Account name - in case of AWS this is the instance name set by user. For others, account name is provided by cloud provider. | keyword | -| netskope.alerts.acked | Whether user acknowledged the alert or not. | boolean | -| netskope.alerts.acting.role | N/A | keyword | -| netskope.alerts.action | Action taken on the event for the policy. | keyword | -| netskope.alerts.activities | N/A | array | -| netskope.alerts.activity.name | Description of the user performed activity. | keyword | -| netskope.alerts.activity.status | Displayed when the user is denied access while performing some activity. | keyword | -| netskope.alerts.activity.type | Displayed when only admins can perform the activity in question. | keyword | -| netskope.alerts.agg.window | N/A | long | -| netskope.alerts.aggregated.user | N/A | boolean | -| netskope.alerts.alert.affected.entities | N/A | keyword | -| netskope.alerts.alert.category | N/A | keyword | -| netskope.alerts.alert.description | N/A | keyword | -| netskope.alerts.alert.detection.stage | N/A | keyword | -| netskope.alerts.alert.id | Hash of alert generated from code. | keyword | -| netskope.alerts.alert.name | Name of the alert. | keyword | -| netskope.alerts.alert.notes | N/A | keyword | -| netskope.alerts.alert.query | N/A | keyword | -| netskope.alerts.alert.score | N/A | long | -| netskope.alerts.alert.source | N/A | keyword | -| netskope.alerts.alert.status | N/A | keyword | -| netskope.alerts.alert.type | Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. 
| keyword | -| netskope.alerts.alert.window | N/A | long | -| netskope.alerts.algorithm | N/A | keyword | -| netskope.alerts.anomaly.efficacy | Full anomaly details for debugging. | keyword | -| netskope.alerts.anomaly.fields | Name(s) and values(s) of the anomalous fields, usually there's going to be only one in the list. | keyword | -| netskope.alerts.anomaly.id | N/A | keyword | -| netskope.alerts.anomaly.magnitude | N/A | double | -| netskope.alerts.anomaly.type | Type of UBA alert. | keyword | -| netskope.alerts.app.activity | N/A | keyword | -| netskope.alerts.app.app_name | N/A | keyword | -| netskope.alerts.app.category | N/A | keyword | -| netskope.alerts.app.name | Specific cloud application used by the user (e.g. app = Dropbox). | keyword | -| netskope.alerts.app.region | N/A | keyword | -| netskope.alerts.app.session.id | Unique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. | keyword | -| netskope.alerts.app.suite | N/A | keyword | -| netskope.alerts.asn | N/A | long | -| netskope.alerts.asset.id | N/A | keyword | -| netskope.alerts.asset.object.id | N/A | keyword | -| netskope.alerts.attachment | File name. | keyword | -| netskope.alerts.audit.category | The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. | keyword | -| netskope.alerts.audit.type | The sub category in audit according to SaaS / IaaS apps. | keyword | -| netskope.alerts.bin.timestamp | Applicable to only: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/Download/Delete) and Failed Login Anomaly type. 
Bin TimeStamp (is a window used that is used for certain types of anomalies - for breaking into several windows per day/hour). | long | -| netskope.alerts.breach.date | Breach date for compromised credentials. | double | -| netskope.alerts.breach.description | N/A | keyword | -| netskope.alerts.breach.id | Breach ID for compromised credentials. | keyword | -| netskope.alerts.breach.media_references | Media references of breach. | keyword | -| netskope.alerts.breach.score | Breach score for compromised credentials. | long | -| netskope.alerts.breach.target_references | Breach target references for compromised credentials. | keyword | -| netskope.alerts.browser.session.id | Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. | keyword | -| netskope.alerts.bucket | N/A | keyword | -| netskope.alerts.bypass.traffic | Tells if traffic is bypassed by Netskope. | boolean | -| netskope.alerts.category.id | Matching category ID according to policy. Populated for both cloud and web traffic. | keyword | -| netskope.alerts.category.name | N/A | keyword | -| netskope.alerts.cci | N/A | keyword | -| netskope.alerts.ccl | Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. | keyword | -| netskope.alerts.channel | Channel of the user for slack and slack enterprise apps. | keyword | -| netskope.alerts.cloud.provider | N/A | keyword | -| netskope.alerts.compliance.standards | N/A | keyword | -| netskope.alerts.compute.instance | N/A | keyword | -| netskope.alerts.connection.duration | Duration of the connection in milliseconds. Useful for querying long-lived sessions. | long | -| netskope.alerts.connection.endtime | Connection end time. 
| long | -| netskope.alerts.connection.id | Each connection has a unique ID. Shows the ID for the connection event. | keyword | -| netskope.alerts.connection.starttime | Connection start time. | long | -| netskope.alerts.count | Number of raw log lines/events sessionized or suppressed during the suppressed interval. | long | -| netskope.alerts.created_at | N/A | keyword | -| netskope.alerts.data.type | Content type of upload/download. | keyword | -| netskope.alerts.data.version | N/A | long | -| netskope.alerts.description | N/A | keyword | -| netskope.alerts.destination.geoip_src | Source from where the location of Destination IP was derived. | long | -| netskope.alerts.detected-file-type | N/A | keyword | -| netskope.alerts.detection.engine | Customer exposed detection engine name. | keyword | -| netskope.alerts.detection.type | Same as malware type. Duplicate. | keyword | -| netskope.alerts.device.classification | Designation of device as determined by the Netskope Client as to whether the device is managed or not. | keyword | -| netskope.alerts.device.name | Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. | keyword | -| netskope.alerts.dlp.file | File/Object name extracted from the file/object. | keyword | -| netskope.alerts.dlp.fingerprint.classification | Fingerprint classification. | keyword | -| netskope.alerts.dlp.fingerprint.match | Fingerprint classification match file name. | keyword | -| netskope.alerts.dlp.fingerprint.score | Fingerprint classification score. | long | -| netskope.alerts.dlp.fv | N/A | long | -| netskope.alerts.dlp.incident.id | Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. | keyword | -| netskope.alerts.dlp.is_unique_count | True or false depending upon if rule is unique counted per rule data. 
| boolean | -| netskope.alerts.dlp.mail.parent.id | N/A | keyword | -| netskope.alerts.dlp.parent.id | Incident ID associated with main container (or non-container) file that was scanned. | keyword | -| netskope.alerts.dlp.profile | DLP profile name. | keyword | -| netskope.alerts.dlp.rule.count | Count of rule hits. | long | -| netskope.alerts.dlp.rule.name | DLP rule that triggered. | keyword | -| netskope.alerts.dlp.rule.score | DLP rule score for weighted dictionaries. | long | -| netskope.alerts.dlp.rule.severity | Severity of rule. | keyword | -| netskope.alerts.dlp.unique_count | Integer value of number of unique matches seen per rule data. Only present if rule is uniquely counted. | long | -| netskope.alerts.doc.count | N/A | long | -| netskope.alerts.domain | Domain value. This will hold the host header value or SNI or extracted from absolute URI. | keyword | -| netskope.alerts.domain_shared_with | N/A | keyword | -| netskope.alerts.download.app | Applicable to only data exfiltration. Download App (App in the download event). | keyword | -| netskope.alerts.drive.id | N/A | keyword | -| netskope.alerts.dynamic.classification | URLs were categorized by NSURLC machine or not. | keyword | -| netskope.alerts.elastic_key | N/A | keyword | -| netskope.alerts.email.source | N/A | keyword | -| netskope.alerts.encrypt.failure | Reason of failure while encrypting. | keyword | -| netskope.alerts.encryption.service.key | N/A | keyword | -| netskope.alerts.enterprise.id | EnterpriseID in case of Slack for Enterprise. | keyword | -| netskope.alerts.enterprise.name | Enterprise name in case of Slack for Enterprise. | keyword | -| netskope.alerts.entity.list | N/A | array | -| netskope.alerts.entity.type | N/A | keyword | -| netskope.alerts.entity.value | N/A | keyword | -| netskope.alerts.event.detail | N/A | keyword | -| netskope.alerts.event.id | N/A | keyword | -| netskope.alerts.event.type | Anomaly type. 
| keyword | -| netskope.alerts.event_source_channel | N/A | keyword | -| netskope.alerts.exposure | Exposure of a document. | keyword | -| netskope.alerts.external.collaborator.count | Count of external collaborators on a file/folder. Supported for some apps. | long | -| netskope.alerts.external.email | N/A | long | -| netskope.alerts.feature.description | N/A | keyword | -| netskope.alerts.feature.id | N/A | keyword | -| netskope.alerts.feature.name | N/A | keyword | -| netskope.alerts.file.id | Unique identifier of the file. | keyword | -| netskope.alerts.file.lang | Language of the file. | keyword | -| netskope.alerts.file.name | N/A | keyword | -| netskope.alerts.file.password.protected | N/A | keyword | -| netskope.alerts.file.path.orignal | If the file is moved, then keep original path of the file in this field. | keyword | -| netskope.alerts.file.size | Size of the file in bytes. | long | -| netskope.alerts.file.type | File type. | keyword | -| netskope.alerts.flow_status | N/A | keyword | -| netskope.alerts.from.logs | Shows if the event was generated from the Risk Insights log. | keyword | -| netskope.alerts.from.object | Initial name of an object that has been renamed, copied or moved. | keyword | -| netskope.alerts.from.storage | N/A | keyword | -| netskope.alerts.from.user_category | Type of from_user. | keyword | -| netskope.alerts.gateway | N/A | keyword | -| netskope.alerts.graph.id | N/A | keyword | -| netskope.alerts.http_status | N/A | keyword | -| netskope.alerts.http_transaction_count | HTTP transaction count. | long | -| netskope.alerts.iaas.asset.tags | List of tags associated with the asset for which alert is raised. Each tag is a key/value pair. | keyword | -| netskope.alerts.iaas.remediated | N/A | keyword | -| netskope.alerts.iam.session | N/A | keyword | -| netskope.alerts.id | N/A | keyword | -| netskope.alerts.insertion_epoch_timestamp | Insertion timestamp. 
| long | -| netskope.alerts.instance.id | Unique ID associated with an organization application instance. | keyword | -| netskope.alerts.instance.name | Instance name associated with an organization application instance. | keyword | -| netskope.alerts.instance.type | Instance type. | keyword | -| netskope.alerts.instance_name | Instance associated with an organization application instance. | keyword | -| netskope.alerts.internal.collaborator.count | Count of internal collaborators on a file/folder. Supported for some apps. | long | -| netskope.alerts.ip.protocol | N/A | keyword | -| netskope.alerts.ipblock | IPblock that caused the alert. | keyword | -| netskope.alerts.is_alert | Indicates whether alert is generated or not. Populated as yes for all alerts. | boolean | -| netskope.alerts.is_file_passwd_protected | Tells if the file is password protected. | boolean | -| netskope.alerts.is_malicious | Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. | boolean | -| netskope.alerts.is_two_factor_auth | N/A | keyword | -| netskope.alerts.is_universal_connector | N/A | keyword | -| netskope.alerts.is_user_generated | Tells whether it is user generated page event. | boolean | -| netskope.alerts.is_web_universal_connector | N/A | boolean | -| netskope.alerts.isp | N/A | keyword | -| netskope.alerts.item.id | N/A | keyword | -| netskope.alerts.justification.reason | Justification reason provided by user. For following policies, justification events are raised. User is displayed a notification popup, user enters justification and can select to proceed or block: useralert policy, dlp block policy, block policy with custom template which contains justification text box. | keyword | -| netskope.alerts.justification.type | Type of justification provided by user when user bypasses the policy block. | keyword | -| netskope.alerts.last.app | Last application (app in the first/older event). Applies to only proximity anomaly alert. 
| keyword | -| netskope.alerts.last.coordinates | Last location coordinates(latitude, longitude). Applies to only proximity alert. | keyword | -| netskope.alerts.last.country | Last location (Country). Applies to only proximity anomaly alert. | keyword | -| netskope.alerts.last.device | Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert. | keyword | -| netskope.alerts.last.location | Last location (City). Applies to only proximity anomaly alert. | keyword | -| netskope.alerts.last.modified_timestamp | Timestamp when alert is acknowledged. | long | -| netskope.alerts.last.region | Applies to only proximity anomaly alert. | keyword | -| netskope.alerts.last.timestamp | Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert. | long | -| netskope.alerts.latency.max | Max latency for a connection in milliseconds. | long | -| netskope.alerts.latency.min | Min latency for a connection in milliseconds. | long | -| netskope.alerts.latency.total | Total latency from proxy to app in milliseconds. | long | -| netskope.alerts.legal_hold.custodian_name | Custodian name of legal hold profile. | keyword | -| netskope.alerts.legal_hold.destination.app | Destination appname of legalhold action. | keyword | -| netskope.alerts.legal_hold.destination.instance | Destination instance of legal hold action. | keyword | -| netskope.alerts.legal_hold.file.id | File ID of legal hold file. | keyword | -| netskope.alerts.legal_hold.file.name | File name of legal hold file. | keyword | -| netskope.alerts.legal_hold.file.name_original | Original filename of legal hold file. | keyword | -| netskope.alerts.legal_hold.file.path | File path of legal hold file. | keyword | -| netskope.alerts.legal_hold.profile_name | Legal hold profile name. | keyword | -| netskope.alerts.legal_hold.shared | Shared type of legal hold file. | keyword | -| netskope.alerts.legal_hold.shared_with | User shared with the legal hold file. 
| keyword | -| netskope.alerts.legal_hold.version | File version of original file. | keyword | -| netskope.alerts.list.id | N/A | keyword | -| netskope.alerts.local.md5 | md5 hash of file generated by Malware engine. | keyword | -| netskope.alerts.local.sha1 | sha1 hash of file generated by Malware engine. | keyword | -| netskope.alerts.local.sha256 | sha256 hash of file generated by Malware engine. | keyword | -| netskope.alerts.log.file.name | Log file name for Risk Insights. | keyword | -| netskope.alerts.login.type | Salesforce login type. | keyword | -| netskope.alerts.login.url | Salesforce login URL. | flattened | -| netskope.alerts.malsite.active | Since how many days malsite is Active. | long | -| netskope.alerts.malsite.as.number | Malsite ASN Number. | keyword | -| netskope.alerts.malsite.category | Category of malsite [ Phishing / Botnet / Malicous URL, etc. ]. | keyword | -| netskope.alerts.malsite.city | Malsite city. | keyword | -| netskope.alerts.malsite.confidence | Malsite confidence score. | long | -| netskope.alerts.malsite.consecutive | How many times that malsite is seen. | long | -| netskope.alerts.malsite.country | Malsite country. | keyword | -| netskope.alerts.malsite.dns.server | DNS server of the malsite URL/Domain/IP. | keyword | -| netskope.alerts.malsite.first_seen | Malsite first seen timestamp. | long | -| netskope.alerts.malsite.hostility | Malsite hostility score. | long | -| netskope.alerts.malsite.id | Malicious Site ID - Hash of threat match value. | keyword | -| netskope.alerts.malsite.ip_host | Malsite IP. | keyword | -| netskope.alerts.malsite.isp | Malsite ISP info. | keyword | -| netskope.alerts.malsite.last.seen | Malsite last seen timestamp. | long | -| netskope.alerts.malsite.latitude | Latitude plot of the Malsite URL/IP/Domain. | double | -| netskope.alerts.malsite.longitude | Longitude plot of the Malsite URL/IP/Domain. | double | -| netskope.alerts.malsite.region | Region of the malsite URL/IP/Domain. 
| keyword | -| netskope.alerts.malsite.reputation | Reputation score of Malsite IP/Domain/URL. | double | -| netskope.alerts.malsite.severity.level | Severity level of the Malsite ( High / Med / Low). | keyword | -| netskope.alerts.malware.id | md5 hash of the malware name as provided by the scan engine. | keyword | -| netskope.alerts.malware.name | Netskope detection name. | keyword | -| netskope.alerts.malware.profile | tss_profile: profile which user has selected. Data comes from WebUI. Its a json structure. | keyword | -| netskope.alerts.malware.severity | Malware severity. | keyword | -| netskope.alerts.malware.type | Malware Type. | keyword | -| netskope.alerts.managed.app | Whether or not the app in question is managed. | boolean | -| netskope.alerts.management.id | Management ID. | keyword | -| netskope.alerts.matched.username | N/A | keyword | -| netskope.alerts.matrix.columns | N/A | keyword | -| netskope.alerts.matrix.rows | N/A | keyword | -| netskope.alerts.md5 | md5 of the file. | keyword | -| netskope.alerts.md5_list | List of md5 hashes specific to the files that are part of custom sequence policy alert. | keyword | -| netskope.alerts.mime.type | MIME type of the file. | keyword | -| netskope.alerts.ml_detection | N/A | boolean | -| netskope.alerts.modified.date | N/A | long | -| netskope.alerts.modified.timestamp | Timestamp corresponding to the modification time of the entity (file, etc.). | long | -| netskope.alerts.netskope_pop | N/A | keyword | -| netskope.alerts.network.name | N/A | keyword | -| netskope.alerts.network.security.group | N/A | array | -| netskope.alerts.new.value | New value for a given file for salesforce.com. | keyword | -| netskope.alerts.nonzero.entries | N/A | long | -| netskope.alerts.nonzero.percentage | N/A | double | -| netskope.alerts.notify.template | N/A | keyword | -| netskope.alerts.ns_activity | Maps app activity to Netskope standard activity. 
| keyword | -| netskope.alerts.ns_device_uid | Device identifiers on macOS and Windows. | keyword | -| netskope.alerts.numbytes | Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. | long | -| netskope.alerts.obfuscate | N/A | boolean | -| netskope.alerts.object.count | Displayed when the activity is Delete. Shows the number of objects being deleted. | long | -| netskope.alerts.object.id | Unique ID associated with an object. | keyword | -| netskope.alerts.object.name | Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. | keyword | -| netskope.alerts.object.type | Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. | keyword | -| netskope.alerts.old.value | Old value for a given file for salesforce.com. | keyword | -| netskope.alerts.org | Search for events from a specific organization. Organization name is derived from the user ID. | keyword | -| netskope.alerts.organization.unit | Org Units for which the event correlates to. This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. | keyword | -| netskope.alerts.orig_ty | Event Type of original event. | keyword | -| netskope.alerts.original.file_path | If the file is moved, then keep original path of the file in this field. | keyword | -| netskope.alerts.os_version_hostname | Host and OS Version that caused the alert. Concatenation of 2 fields (hostname and os). | keyword | -| netskope.alerts.other.categories | N/A | keyword | -| netskope.alerts.owner | Owner of the file. | keyword | -| netskope.alerts.page.site | N/A | keyword | -| netskope.alerts.page.url | The URL of the originating page. 
| flattened | -| netskope.alerts.parameters | N/A | keyword | -| netskope.alerts.parent.id | N/A | keyword | -| netskope.alerts.path.id | N/A | keyword | -| netskope.alerts.policy.actions | N/A | keyword | -| netskope.alerts.policy.id | The Netskope internal ID for the policy created by an admin. | keyword | -| netskope.alerts.policy.name | Predefined or Custom policy name. | keyword | -| netskope.alerts.pretty.sourcetype | N/A | keyword | -| netskope.alerts.processing.time | N/A | long | -| netskope.alerts.profile.emails | List of profile emails per policy. | keyword | -| netskope.alerts.profile.id | Anomaly profile ID. | keyword | -| netskope.alerts.quarantine.action.reason | Reason for the action taken for quarantine. | keyword | -| netskope.alerts.quarantine.admin | Quarantine profile custodian email/name. | keyword | -| netskope.alerts.quarantine.app | Quarantine app name. | keyword | -| netskope.alerts.quarantine.failure | Reason of failure. | keyword | -| netskope.alerts.quarantine.file.id | File ID of the quarantined file. | keyword | -| netskope.alerts.quarantine.file.name | File name of the quarantine file. | keyword | -| netskope.alerts.quarantine.instance | Quarantine instance name. | keyword | -| netskope.alerts.quarantine.original.file.name | Original file name which got quarantined. | keyword | -| netskope.alerts.quarantine.original.file.path | Original file path which got quarantined. | keyword | -| netskope.alerts.quarantine.original.shared | Original file shared user details. | keyword | -| netskope.alerts.quarantine.original.version | Original version of file which got quarantined. | keyword | -| netskope.alerts.quarantine.profile.id | Quarantine profile ID. | keyword | -| netskope.alerts.quarantine.profile.name | Quarantine profile name of policy for quarantine action. 
| keyword | -| netskope.alerts.quarantine.shared.with | N/A | keyword | -| netskope.alerts.referer | Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic. | keyword | -| netskope.alerts.region.id | Region ID (as provided by the cloud provider). | keyword | -| netskope.alerts.region.name | N/A | keyword | -| netskope.alerts.reladb | N/A | keyword | -| netskope.alerts.repo | N/A | keyword | -| netskope.alerts.request.cnt | Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. | long | -| netskope.alerts.request.id | Unique request ID for the event. | keyword | -| netskope.alerts.resource.category | Category of resource as defined in DOM. | keyword | -| netskope.alerts.resource.group | N/A | keyword | -| netskope.alerts.resources | N/A | keyword | -| netskope.alerts.response.cnt | Total number of HTTP responses (equal to number of transaction events for this page event) from server to client. | long | -| netskope.alerts.response.content.length | N/A | long | -| netskope.alerts.response.content.type | N/A | keyword | -| netskope.alerts.retro.scan.name | Retro scan name. | keyword | -| netskope.alerts.risk_level.id | This field is set by both role-based access (RBA) and MLAD. | keyword | -| netskope.alerts.risk_level.tag | Corresponding field to risk_level_id. Name. | keyword | -| netskope.alerts.role | Roles for Box. | keyword | -| netskope.alerts.rule.id | N/A | keyword | -| netskope.alerts.sa.profile.id | CSA profile ID. | keyword | -| netskope.alerts.sa.profile.name | CSA profile name. | keyword | -| netskope.alerts.sa.rule.id | CSA rule ID. | keyword | -| netskope.alerts.sa.rule.name | CSA rule name. | keyword | -| netskope.alerts.sa.rule.remediation | N/A | keyword | -| netskope.alerts.sa.rule.severity | Rule severity. | keyword | -| netskope.alerts.scan.time | Time when the scan is done. 
| long | -| netskope.alerts.scan.type | Generated during retroactive scan or new ongoing activity. | keyword | -| netskope.alerts.scanner_result | N/A | keyword | -| netskope.alerts.scopes | List of permissions for google apps. | keyword | -| netskope.alerts.serial | N/A | keyword | -| netskope.alerts.server.bytes | Total number of downloaded from server to client. | long | -| netskope.alerts.session.id | Populated by Risk Insights. | keyword | -| netskope.alerts.severity.id | Severity ID used by watchlist and malware alerts. | keyword | -| netskope.alerts.severity.level | Severity used by watchlist and malware alerts. | keyword | -| netskope.alerts.severity.level_id | If the Severity Level ID is 1, it means that URL / IP /Domain is detected from Internal threat feed and if Severity Level ID is 2, then it means the detection happened based on the Zvelo DB Malsite Category. | long | -| netskope.alerts.sfwder | N/A | keyword | -| netskope.alerts.shared.credential.user | Applicable to only shared credentials. User with whom the credentials are shared with. | keyword | -| netskope.alerts.shared.domains | List of domains of users the document is shared with. | keyword | -| netskope.alerts.shared.is_shared | If the file is shared or not. | boolean | -| netskope.alerts.shared.type | Shared Type. | keyword | -| netskope.alerts.shared.with | Array of emails with whom a document is shared with. | keyword | -| netskope.alerts.shared_type | N/A | keyword | -| netskope.alerts.site | For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com". | keyword | -| netskope.alerts.slc_latitude | N/A | keyword | -| netskope.alerts.slc_longitude | N/A | keyword | -| netskope.alerts.source.geoip_src | Source from where the location of Source IP was derived. 
| long | -| netskope.alerts.source.time | N/A | keyword | -| netskope.alerts.srcip2 | N/A | keyword | -| netskope.alerts.ssl.decrypt.policy | Applicable to only bypass events. There are 2 ways to create rules for bypass: Bypass due to Exception Configuration Bypass due to SSL Decrypt Policy The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event. | keyword | -| netskope.alerts.start_time | Start time for alert time period. | long | -| netskope.alerts.statistics | This field & summary field go together. This field will either tell count or size of files. File size is in bytes. | long | -| netskope.alerts.storage_service_bucket | N/A | keyword | -| netskope.alerts.sub.type | Workplace by Facebook post sub category (files, comments, status etc). | keyword | -| netskope.alerts.summary | Tells whether anomaly was measured from count or size of files. | keyword | -| netskope.alerts.suppression.end.time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long | -| netskope.alerts.suppression.key | To limit the number of events. Example: Suppress block event for browse. | keyword | -| netskope.alerts.suppression.start.time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long | -| netskope.alerts.target.entity.key | N/A | keyword | -| netskope.alerts.target.entity.type | N/A | keyword | -| netskope.alerts.target.entity.value | N/A | keyword | -| netskope.alerts.team | Slack team name. 
| keyword | -| netskope.alerts.telemetry.app | Typically SaaS app web sites use web analytics code within the pages to gather analytic data. When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the Telemetry App field. | keyword | -| netskope.alerts.temp.user | N/A | keyword | -| netskope.alerts.tenant.id | Tenant id. | keyword | -| netskope.alerts.threat.match.field | Threat match field, either from domain or URL or IP. | keyword | -| netskope.alerts.threat.match.value | N/A | keyword | -| netskope.alerts.threat.source.id | Threat source id: 1 - NetskopeThreatIntel, 2 - Zvelodb. | keyword | -| netskope.alerts.threshold.time | Applicable to: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. Threshold Time. | long | -| netskope.alerts.threshold.value | Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. | long | -| netskope.alerts.title | Title of the file. | keyword | -| netskope.alerts.to.object | Changed name of an object that has been renamed, copied, or moved. | keyword | -| netskope.alerts.to.storage | N/A | keyword | -| netskope.alerts.to.user | Used when a file is moved from user A to user B. Shows the email address of user B. | keyword | -| netskope.alerts.to.user_category | Type of user to which move is done. | keyword | -| netskope.alerts.total.collaborator.count | Count of collaborators on a file/folder. Supported for some apps. | long | -| netskope.alerts.traffic.type | Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights. | keyword | -| netskope.alerts.transaction.id | Unique ID for a given request/response. 
| keyword | -| netskope.alerts.transformation | N/A | keyword | -| netskope.alerts.tss.mode | Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection. | keyword | -| netskope.alerts.tss.version | N/A | long | -| netskope.alerts.tunnel.id | Shows the Client installation ID. Only available for the Client steering configuration. | keyword | -| netskope.alerts.type | Type of the alert. | keyword | -| netskope.alerts.uba_ap1 | N/A | keyword | -| netskope.alerts.uba_ap2 | N/A | keyword | -| netskope.alerts.uba_inst1 | N/A | keyword | -| netskope.alerts.uba_inst2 | N/A | keyword | -| netskope.alerts.updated | N/A | long | -| netskope.alerts.url | URL of the application that the user visited as provided by the log or data plane traffic. | flattened | -| netskope.alerts.user.category | Type of user in an enterprise - external / internal. | keyword | -| netskope.alerts.user.geo.city_name | City name. | keyword | -| netskope.alerts.user.geo.continent_name | Name of the continent. | keyword | -| netskope.alerts.user.geo.country_iso_code | Country ISO code. | keyword | -| netskope.alerts.user.geo.country_name | Country name. | keyword | -| netskope.alerts.user.geo.location | Longitude and latitude. | geo_point | -| netskope.alerts.user.geo.region_iso_code | Region ISO code. | keyword | -| netskope.alerts.user.geo.region_name | Region name. | keyword | -| netskope.alerts.user.group | N/A | keyword | -| netskope.alerts.user.ip | IP address of User. | keyword | -| netskope.alerts.value | N/A | double | -| netskope.alerts.violating_user.name | User who caused a violation. Populated for Workplace by Facebook. | keyword | -| netskope.alerts.violating_user.type | Category of the user who caused a violation. Populated for Workplace by Facebook. | keyword | -| netskope.alerts.web.url | File preview URL. | flattened | -| netskope.alerts.workspace.id | Workspace ID in case of Slack for Enterprise. 
| keyword | -| netskope.alerts.workspace.name | Workspace name in case of Slack for Enterprise. | keyword | -| netskope.alerts.zip.password | Zip the malicious file and put pwd to it and send it back to caller. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. 
| keyword |
-| user.email | User email address. | keyword |
-| user.group.name | Name of the group. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| user.roles | Array of user roles at the time of the event. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-
- An example event for `alerts` looks as following:
- ```json
-{
- "@timestamp": "2021-12-23T16:27:09.000Z",
- "agent": {
- "ephemeral_id": "f6ea30bb-70ab-4ae9-b338-b103657dd749",
- "id": "52d90929-98ee-4480-9b14-fe07637d0bbe",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.3.0"
- },
- "data_stream": {
- "dataset": "netskope.alerts",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "81.2.69.143",
- "geo": {
- "city_name": "London",
- "continent_name": "Europe",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "location": {
- "lat": 51.5142,
- "lon": -0.0931
- },
- "region_iso_code": "GB-ENG",
- "region_name": "England"
- },
- "ip": "81.2.69.143"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "elastic_agent": {
- "id": "52d90929-98ee-4480-9b14-fe07637d0bbe",
- "snapshot": true,
- "version": "8.3.0"
- },
- "event": {
- "agent_id_status": "verified",
- "id": "f621f259f5fbde850ad5593a",
- "ingested": "2022-04-14T11:24:23Z",
- "original": "{\"event\":{\"id\":\"f621f259f5fbde850ad5593a\"},\"netskope\":{\"alerts\":{\"insertion_epoch_timestamp\":1640277131,\"access_method\":\"API
Connector\",\"acked\":\"false\",\"action\":\"block\",\"activity\":{\"name\":\"Login Successful\"},\"is_alert\":\"yes\",\"alert\":{\"name\":\"policy-alert\",\"type\":\"nspolicy\"},\"app\":{\"name\":\"SomeApp\",\"category\":\"Cloud Storage\"},\"category\":{\"name\":\"Cloud Storage\"},\"cci\":\"81\",\"ccl\":\"high\",\"count\":1,\"device\":{\"name\":\"Other\"},\"destination\":{\"geoip_src\":2},\"exposure\":\"organization_wide_link\",\"file\":{\"lang\":\"ENGLISH\"},\"instance\":{\"name\":\"example.com\",\"id\":\"example.com\"},\"modified\":{\"timestamp\":1613760236},\"object\":{\"name\":\"HjBuUvDLWgpudzQr\",\"id\":\"GxyjNjJxKg14W3Mb57aLY9_klcxToPEyqIoNAcF82rGg\",\"type\":\"File\"},\"organization\":{\"unit\":\"example.local\\\\\\\\/example\\\\\\\\/Active Users\"},\"other\":{\"categories\":\"null\"},\"owner\":\"foobar\",\"policy\":{\"name\":\"Some Policy\"},\"request\":{\"id\":\"9262245914980288500\"},\"scan\":{\"type\":\"Ongoing\"},\"shared\":{\"with\":\"none\"},\"site\":\"Example\",\"source\":{\"geoip_src\":2},\"suppression\":{\"key\":\"Tenant Migration across MPs\"},\"traffic\":{\"type\":\"CloudApp\"},\"type\":\"policy\",\"url\":\"http:\\\\\\\\/\\\\\\\\/www.example.com\\\\\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg\"}},\"user_agent\":{\"name\":\"unknown\",\"os\":{\"name\":\"unknown\"}},\"destination\":{\"geo\":{\"country_iso_code\":\"NL\",\"location\":{\"lat\":52.3759,\"lon\":4.8975},\"city_name\":\"Amsterdam\",\"region_name\":\"North Holland\",\"postal_code\":\"1012\"},\"address\":\"81.2.69.143\",\"ip\":\"81.2.69.143\"},\"file\":{\"path\":\"\\\\\\\\/My Drive\\\\\\\\/Clickhouse\\\\\\\\/Tenant Migration across MPs\",\"size\":196869,\"mime_type\":{\"1\":\"application\\\\\\\\/vnd.apps.document\",\"2\":\"application\\\\\\\\/vnd.apps.document\"},\"hash\":{\"md5\":\"4bb5d9501bf7685ecaed55e3eda9ca01\"}},\"source\":{\"geo\":{\"country_iso_code\":\"NL\",\"location\":{\"lat\":52.3759,\"lon\":4.8975},\"city_name\":\"Amsterdam\",\"region_name\":\"North 
Holland\",\"postal_code\":\"1012\"},\"address\":\"81.2.69.143\",\"ip\":\"81.2.69.143\"},\"@timestamp\":\"2021-12-23T16:27:09.000Z\",\"user\":{\"email\":{\"1\":\"test@example.com\",\"2\":\"test@example.com\",\"3\":\"test@example.com\"},\"group\":{\"name\":\"null\"}}}"
- },
- "file": {
- "hash": {
- "md5": "4bb5d9501bf7685ecaed55e3eda9ca01"
- },
- "mime_type": [
- "application\\\\/vnd.apps.document"
- ],
- "path": "\\\\/My Drive\\\\/Clickhouse\\\\/Tenant Migration across MPs",
- "size": 196869
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "source": {
- "address": "192.168.224.1:57542"
- }
- },
- "netskope": {
- "alerts": {
- "access_method": "API Connector",
- "acked": false,
- "action": "block",
- "activity": {
- "name": "Login Successful"
- },
- "alert": {
- "name": "policy-alert",
- "type": "nspolicy"
- },
- "app": {
- "category": "Cloud Storage",
- "name": "SomeApp"
- },
- "category": {
- "name": "Cloud Storage"
- },
- "cci": "81",
- "ccl": "high",
- "count": 1,
- "destination": {
- "geoip_src": 2
- },
- "device": {
- "name": "Other"
- },
- "exposure": "organization_wide_link",
- "file": {
- "lang": "ENGLISH"
- },
- "insertion_epoch_timestamp": 1640277131,
- "instance": {
- "id": "example.com",
- "name": "example.com"
- },
- "is_alert": true,
- "modified": {
- "timestamp": 1613760236
- },
- "object": {
- "id": "GxyjNjJxKg14W3Mb57aLY9_klcxToPEyqIoNAcF82rGg",
- "name": "HjBuUvDLWgpudzQr",
- "type": "File"
- },
- "organization": {
- "unit": "example.local\\\\/example\\\\/Active Users"
- },
- "owner": "foobar",
- "policy": {
- "name": "Some Policy"
- },
- "request": {
- "id": "9262245914980288500"
- },
- "scan": {
- "type": "Ongoing"
- },
- "shared": {
- "with": "none"
- },
- "site": "Example",
- "source": {
- "geoip_src": 2
- },
- "suppression": {
- "key": "Tenant Migration across MPs"
- },
- "traffic": {
- "type": "CloudApp"
- },
- "type": "policy",
- "url": {
- "extension": "com\\\\/open",
- "original":
"http:\\\\/\\\\/www.example.com\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg",
- "path": "\\\\/\\\\/www.example.com\\\\/open",
- "query": "id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg",
- "scheme": "http"
- }
- }
- },
- "related": {
- "ip": [
- "81.2.69.143",
- "81.2.69.143"
- ]
- },
- "source": {
- "address": "81.2.69.143",
- "geo": {
- "city_name": "London",
- "continent_name": "Europe",
- "country_iso_code": "GB",
- "country_name": "United Kingdom",
- "location": {
- "lat": 51.5142,
- "lon": -0.0931
- },
- "region_iso_code": "GB-ENG",
- "region_name": "England"
- },
- "ip": "81.2.69.143"
- },
- "tags": [
- "forwarded",
- "netskope-alerts"
- ],
- "user": {
- "email": [
- "test@example.com"
- ]
- },
- "user_agent": {
- "name": "unknown",
- "os": {
- "name": "unknown"
- }
- }
-}
-```
-
-### Events
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip |
-| client.packets | Packets sent from the client to the server. | long |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine.
| keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude.
| geo_point |
-| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
-| destination.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.
| keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.hash.md5 | MD5 hash. | keyword |
-| file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
-| file.name | Name of the file including the extension, without the directory. | keyword |
-| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| file.path.text | Multi-field of `file.path`. | match_only_text |
-| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| host.architecture | Operating system architecture.
| keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from.
| keyword |
-| netskope.events.access_method | Cloud app traffic can be steered to the Netskope cloud using different deployment methods such as Client (Netskope Client), Secure Forwarder etc. Administrators can also upload firewall and/or proxy logs for log analytics. This field shows the actual access method that triggered the event. For log uploads this shows the actual log type such as PAN, Websense, etc. | keyword |
-| netskope.events.ack | Whether user acknowledged the alert or not. | boolean |
-| netskope.events.activity.name | Description of the user performed activity. | keyword |
-| netskope.events.activity.status | Displayed when the user is denied access while performing some activity. | keyword |
-| netskope.events.activity.type | Displayed when only admins can perform the activity in question. | keyword |
-| netskope.events.alarm.description | N/A | keyword |
-| netskope.events.alarm.name | N/A | keyword |
-| netskope.events.alert.is_present | Indicates whether alert is generated or not. Populated as yes for all alerts. | boolean |
-| netskope.events.alert.name | Name of the alert. | keyword |
-| netskope.events.alert.type | Type of the alert. | keyword |
-| netskope.events.app.activity | N/A | keyword |
-| netskope.events.app.category | N/A | keyword |
-| netskope.events.app.name | Specific cloud application used by the user (e.g. app = Dropbox). | keyword |
-| netskope.events.app.region | N/A | keyword |
-| netskope.events.app.session.id | Unique App/Site Session ID for traffic_type = CloudApp and Web. An app session starts when a user starts using a cloud app/site on and ends once they have been inactive for a certain period of time(15 mins). Use app_session_id to check all the user activities in a single app session. app_session_id is unique for a user, device, browser and domain. | keyword |
-| netskope.events.attachment | File name.
| keyword |
-| netskope.events.audit.category | The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. | keyword |
-| netskope.events.audit.log.event | N/A | keyword |
-| netskope.events.audit.type | The sub category in audit according to SaaS / IaaS apps. | keyword |
-| netskope.events.browser.session.id | Browser session ID. If there is an idle timeout of 15 minutes, it will timeout the session. | keyword |
-| netskope.events.bucket | N/A | keyword |
-| netskope.events.category.id | Matching category ID according to policy. Populated for both cloud and web traffic. | keyword |
-| netskope.events.category.name | N/A | keyword |
-| netskope.events.cci | N/A | keyword |
-| netskope.events.ccl | Cloud Confidence Level. CCL measures the enterprise readiness of the cloud apps taking into consideration those apps security, auditability and business continuity. Each app is assigned one of five cloud confidence levels: excellent, high, medium, low, or poor. Useful for querying if users are accessing a cloud app with a lower CCL. | keyword |
-| netskope.events.channel | Channel of the user for slack and slack enterprise apps. | keyword |
-| netskope.events.client.bytes | Total number of bytes uploaded from client to server. | long |
-| netskope.events.client.packets | N/A | long |
-| netskope.events.connection.duration | Duration of the connection in milliseconds. Useful for querying long-lived sessions. | long |
-| netskope.events.connection.end_time | Connection end time. | long |
-| netskope.events.connection.id | Each connection has a unique ID. Shows the ID for the connection event. | keyword |
-| netskope.events.connection.start_time | Connection start time. | long |
-| netskope.events.count | Number of raw log lines/events sessionized or suppressed during the suppressed interval.
| long |
-| netskope.events.description | N/A | keyword |
-| netskope.events.destination.geoip.source | Source from where the location of Destination IP was derived. | long |
-| netskope.events.detail | N/A | keyword |
-| netskope.events.detection.engine | Customer exposed detection engine name. | keyword |
-| netskope.events.detection.type | Same as malware type. Duplicate. | keyword |
-| netskope.events.device.classification | Designation of device as determined by the Netskope Client as to whether the device is managed or not. | keyword |
-| netskope.events.device.name | N/A | keyword |
-| netskope.events.device.type | Device type from where the user accessed the cloud app. It could be Macintosh Windows device, iPad etc. | keyword |
-| netskope.events.dlp.count | Count of rule hits. | long |
-| netskope.events.dlp.file | File/Object name extracted from the file/object. | keyword |
-| netskope.events.dlp.fingerprint.classificaiton | Fingerprint classification. | keyword |
-| netskope.events.dlp.fingerprint.match | Fingerprint classification match file name. | keyword |
-| netskope.events.dlp.fingerprint.score | Fingerprint classification score. | long |
-| netskope.events.dlp.fv | N/A | long |
-| netskope.events.dlp.incident.id | Incident ID associated with sub-file. In the case of main file, this is same as the parent incident ID. | keyword |
-| netskope.events.dlp.is_unique_count | True or false depending upon if rule is unique counted per rule data. | boolean |
-| netskope.events.dlp.mail.parent_id | N/A | keyword |
-| netskope.events.dlp.parent.id | Incident ID associated with main container (or non-container) file that was scanned. | keyword |
-| netskope.events.dlp.profile | DLP profile name. | keyword |
-| netskope.events.dlp.score | DLP rule score for weighted dictionaries. | long |
-| netskope.events.dlp.severity | Severity of rule. | keyword |
-| netskope.events.dlp.unique_count | Integer value of number of unique matches seen per rule data.
Only present if rule is uniquely counted. | long |
-| netskope.events.domain | Domain value. This will hold the host header value or SNI or extracted from absolute URI. | keyword |
-| netskope.events.domain_shared_with | N/A | long |
-| netskope.events.drive.id | N/A | keyword |
-| netskope.events.encrypt.failure | Reason of failure while encrypting. | keyword |
-| netskope.events.end_time | N/A | keyword |
-| netskope.events.enterprise.id | EnterpriseID in case of Slack for Enterprise. | keyword |
-| netskope.events.enterprise.name | Enterprise name in case of Slack for Enterprise. | keyword |
-| netskope.events.event.type | Anomaly type. | keyword |
-| netskope.events.event_type | N/A | keyword |
-| netskope.events.exposure | Exposure of a document. | keyword |
-| netskope.events.external_collaborator_count | Count of external collaborators on a file/folder. Supported for some apps. | long |
-| netskope.events.file.id | Unique identifier of the file. | keyword |
-| netskope.events.file.is_password_protected | N/A | keyword |
-| netskope.events.file.lang | Language of the file. | keyword |
-| netskope.events.from.logs | Shows if the event was generated from the Risk Insights log. | keyword |
-| netskope.events.from.object | Initial name of an object that has been renamed, copied or moved. | keyword |
-| netskope.events.from.storage | N/A | keyword |
-| netskope.events.from.user_category | Type of from_user. | keyword |
-| netskope.events.gateway | N/A | keyword |
-| netskope.events.graph.id | N/A | keyword |
-| netskope.events.http_status | N/A | keyword |
-| netskope.events.http_transaction_count | HTTP transaction count. | long |
-| netskope.events.iaas_asset_tags | List of tags associated with the asset for which alert is raised. Each tag is a key/value pair. | keyword |
-| netskope.events.id | N/A | keyword |
-| netskope.events.insertion.timestamp | Insertion timestamp.
| long |
-| netskope.events.instance.id | Unique ID associated with an organization application instance. | keyword |
-| netskope.events.instance.name | Instance name associated with an organization application instance. | keyword |
-| netskope.events.instance.type | Instance type. | keyword |
-| netskope.events.instance_name | Instance associated with an organization application instance. | keyword |
-| netskope.events.internal_collaborator_count | Count of internal collaborators on a file/folder. Supported for some apps. | long |
-| netskope.events.ip.protocol | N/A | keyword |
-| netskope.events.is_bypass_traffic | Tells if traffic is bypassed by Netskope. | boolean |
-| netskope.events.is_malicious | Only exists if some HTTP transaction belonging to the page event resulted in a malsite alert. | boolean |
-| netskope.events.item.id | N/A | keyword |
-| netskope.events.justification.reason | Justification reason provided by user. For following policies, justification events are raised. User is displayed a notification popup, user enters justification and can select to proceed or block: useralert policy, dlp block policy, block policy with custom template which contains justification text box. | keyword |
-| netskope.events.justification.type | Type of justification provided by user when user bypasses the policy block. | keyword |
-| netskope.events.last.app | Last application (app in the first/older event). Applies to only proximity anomaly alert. | keyword |
-| netskope.events.last.country | Last location (Country). Applies to only proximity anomaly alert. | keyword |
-| netskope.events.last.device | Last device name (Device Name in the first/older event). Applies to only proximity anomaly alert. | keyword |
-| netskope.events.last.location | Last location (City). Applies to only proximity anomaly alert. | keyword |
-| netskope.events.last.region | Applies to only proximity anomaly alert.
| keyword |
-| netskope.events.last.timestamp | Last timestamp (timestamp in the first/older event). Applies to only proximity anomaly alert. | long |
-| netskope.events.latency.max | Max latency for a connection in milliseconds. | long |
-| netskope.events.latency.min | Min latency for a connection in milliseconds. | long |
-| netskope.events.latency.total | Total latency from proxy to app in milliseconds. | long |
-| netskope.events.legal_hold_profile_name | Legal hold profile name. | keyword |
-| netskope.events.lh.custodian.name | Custodian name of legal hold profile. | keyword |
-| netskope.events.lh.destination.app | Destination appname of legalhold action. | keyword |
-| netskope.events.lh.destination.instance | Destination instance of legal hold action. | keyword |
-| netskope.events.lh.file_id | File ID of legal hold file. | keyword |
-| netskope.events.lh.filename | File name of legal hold file. | keyword |
-| netskope.events.lh.filename_original | Original filename of legal hold file. | keyword |
-| netskope.events.lh.filepath | File path of legal hold file. | keyword |
-| netskope.events.lh.shared | Shared type of legal hold file. | keyword |
-| netskope.events.lh.shared_with | User shared with the legal hold file. | keyword |
-| netskope.events.lh.version | File version of original file. | keyword |
-| netskope.events.list.id | N/A | keyword |
-| netskope.events.log_file.name | Log file name for Risk Insights. | keyword |
-| netskope.events.login.type | Salesforce login type. | keyword |
-| netskope.events.login.url | Salesforce login URL. | flattened |
-| netskope.events.malsite_category | Category of malsite [ Phishing / Botnet / Malicous URL, etc. ]. | keyword |
-| netskope.events.malware.id | md5 hash of the malware name as provided by the scan engine. | keyword |
-| netskope.events.malware.name | Netskope detection name. | keyword |
-| netskope.events.malware.profile | tss_profile: profile which user has selected. Data comes from WebUI.
Its a json structure. | keyword |
-| netskope.events.malware.severity | Malware severity. | keyword |
-| netskope.events.malware.type | Malware Type. | keyword |
-| netskope.events.managed_app | Whether or not the app in question is managed. | boolean |
-| netskope.events.management.id | Management ID. | keyword |
-| netskope.events.metric_value | N/A | long |
-| netskope.events.modified_at | Timestamp corresponding to the modification time of the entity (file, etc.). | date |
-| netskope.events.netskope_pop | N/A | keyword |
-| netskope.events.network | N/A | keyword |
-| netskope.events.new_value | New value for a given file for salesforce.com. | keyword |
-| netskope.events.notify_template | N/A | keyword |
-| netskope.events.ns.activity | Maps app activity to Netskope standard activity. | keyword |
-| netskope.events.ns.device_uid | Device identifiers on macOS and Windows. | keyword |
-| netskope.events.num_sessions | N/A | long |
-| netskope.events.numbytes | Total number of bytes that were transmitted for the connection - numbytes = client_bytes + server_bytes. | long |
-| netskope.events.obfuscate | N/A | boolean |
-| netskope.events.object.count | Displayed when the activity is Delete. Shows the number of objects being deleted. | long |
-| netskope.events.object.id | Unique ID associated with an object. | keyword |
-| netskope.events.object.name | Name of the object which is being acted on. It could be a filename, folder name, report name, document name, etc. | keyword |
-| netskope.events.object.type | Type of the object which is being acted on. Object type could be a file, folder, report, document, message, etc. | keyword |
-| netskope.events.old_value | Old value for a given file for salesforce.com. | keyword |
-| netskope.events.org | Search for events from a specific organization. Organization name is derived from the user ID. | keyword |
-| netskope.events.organization_unit | Org Units for which the event correlates to.
This ties to user information extracted from Active Directory using the Directory Importer/AD Connector application. | keyword |
-| netskope.events.orig_ty | Event Type of original event. | keyword |
-| netskope.events.original_file_path | If the file is moved, then keep original path of the file in this field. | keyword |
-| netskope.events.other.categories | N/A | keyword |
-| netskope.events.owner | Owner of the file. | keyword |
-| netskope.events.page | The URL of the originating page. | keyword |
-| netskope.events.page_site | N/A | keyword |
-| netskope.events.parent.id | N/A | keyword |
-| netskope.events.path_id | Path ID of the file in the application. | long |
-| netskope.events.policy.id | The Netskope internal ID for the policy created by an admin. | keyword |
-| netskope.events.policy.name | Name of the policy configured by an admin. | keyword |
-| netskope.events.profile.emails | List of profile emails per policy. | keyword |
-| netskope.events.profile.id | Anomaly profile ID. | keyword |
-| netskope.events.publisher_cn | N/A | keyword |
-| netskope.events.qar | N/A | keyword |
-| netskope.events.quarantine.action.reason | Reason for the action taken for quarantine. | keyword |
-| netskope.events.quarantine.admin | Quarantine profile custodian email/name. | keyword |
-| netskope.events.quarantine.app | Quarantine app name. | keyword |
-| netskope.events.quarantine.app_name | N/A | keyword |
-| netskope.events.quarantine.failure | Reason of failure. | keyword |
-| netskope.events.quarantine.file.id | File ID of the quarantined file. | keyword |
-| netskope.events.quarantine.file.name | File name of the quarantine file. | keyword |
-| netskope.events.quarantine.instance | Quarantine instance name. | keyword |
-| netskope.events.quarantine.original.file.name | Original file name which got quarantined. | keyword |
-| netskope.events.quarantine.original.file.path | Original file path which got quarantined.
| keyword |
-| netskope.events.quarantine.original.shared | Original file shared user details. | keyword |
-| netskope.events.quarantine.original.version | Original version of file which got quarantined. | keyword |
-| netskope.events.quarantine.profile.id | Quarantine profile ID. | keyword |
-| netskope.events.quarantine.profile.name | Quarantine profile name of policy for quarantine action. | keyword |
-| netskope.events.quarantine.shared_with | N/A | keyword |
-| netskope.events.referer | Referer URL of the application(with http) that the user visited as provided by the log or data plane traffic. | flattened |
-| netskope.events.region | N/A | keyword |
-| netskope.events.region.id | Region ID (as provided by the cloud provider). | keyword |
-| netskope.events.repo | N/A | keyword |
-| netskope.events.request.count | Total number of HTTP requests (equal to number of transaction events for this page event) sent from client to server over one underlying TCP connection. | long |
-| netskope.events.request.id | Unique request ID for the event. | keyword |
-| netskope.events.response.content.length | N/A | long |
-| netskope.events.response.content.type | N/A | keyword |
-| netskope.events.response.count | Total number of HTTP responses (equal to number of transaction events for this page event) from server to client. | long |
-| netskope.events.retro_scan_name | Retro scan name. | keyword |
-| netskope.events.risk_level | Corresponding field to risk_level_id. Name. | keyword |
-| netskope.events.risk_level_id | This field is set by both role-based access (RBA) and MLAD. | keyword |
-| netskope.events.role | Roles for Box. | keyword |
-| netskope.events.run_id | Run ID. | long |
-| netskope.events.sa.profile.id | CSA profile ID. | keyword |
-| netskope.events.sa.profile.name | CSA profile name. | keyword |
-| netskope.events.sa.rule.severity | Rule severity. | keyword |
-| netskope.events.scan.time | Time when the scan is done.
| long | -| netskope.events.scan.type | Generated during retroactive scan or new ongoing activity. | keyword | -| netskope.events.scopes | List of permissions for google apps. | keyword | -| netskope.events.serial | N/A | keyword | -| netskope.events.server.bytes | Total number of downloaded from server to client. | long | -| netskope.events.server.packets | N/A | long | -| netskope.events.session.duration | N/A | long | -| netskope.events.session.id | Session ID for Dropbox application. | keyword | -| netskope.events.session.packets | N/A | long | -| netskope.events.severity.id | Severity ID used by watchlist and malware alerts. | keyword | -| netskope.events.severity.level | Severity used by watchlist and malware alerts. | keyword | -| netskope.events.severity.type | Severity type used by watchlist and malware alerts | keyword | -| netskope.events.sfwder | N/A | keyword | -| netskope.events.shared.domains | List of domains of users the document is shared with. | keyword | -| netskope.events.shared.is_shared | If the file is shared or not. | boolean | -| netskope.events.shared.type | Shared Type. | keyword | -| netskope.events.shared.with | Array of emails with whom a document is shared with. | keyword | -| netskope.events.site | For traffic_type = CloudApp, site = app and for traffic_type = Web, it will be the second level domain name + top-level domain name. For example, in "www.cnn.com", it is "cnn.com". | keyword | -| netskope.events.slc.geo.location | Longitude and latitude. | geo_point | -| netskope.events.source.geoip_src | Source from where the location of Source IP was derived. | long | -| netskope.events.ssl_decrypt_policy | Applicable to only bypass events. There are 2 ways to create rules for bypass: Bypass due to Exception Configuration, Bypass due to SSL Decrypt Policy.The existing flag bypass_traffic only gives information that a flow has been bypassed, but does not tell exactly which policy was responsible for it. 
ssl_decrypt_policy field will provide this extra information. In addition, policy field will be also set for every Bypass event. | keyword | -| netskope.events.start_time | N/A | keyword | -| netskope.events.sub_type | Workplace by Facebook post sub category (files, comments, status etc). | keyword | -| netskope.events.supporting_data | N/A | keyword | -| netskope.events.suppression.end_time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long | -| netskope.events.suppression.key | To limit the number of events. Example: Suppress block event for browse. | keyword | -| netskope.events.suppression.start_time | When events are suppressed (like collaboration apps), then the suppression end time will be set and only one event will be send with suppression start time and end time and count of occurrence. | long | -| netskope.events.team | Slack team name. | keyword | -| netskope.events.telemetry_app | Typically SaaS app web sites use web analytics code within the pages to gather analytic data. When a SaaS app action or page is shown, there is subsequent traffic generated to tracking apps such as doubleclick.net, Optimizely, etc. These tracking apps are listed if applicable in the Telemetry App field. | keyword | -| netskope.events.temp_user | N/A | keyword | -| netskope.events.tenant.id | Tenant id. | keyword | -| netskope.events.threat.match_field | Threat match field, either from domain or URL or IP. | keyword | -| netskope.events.threat.source.id | Threat source id: 1 - NetskopeThreatIntel, 2 - Zvelodb. | keyword | -| netskope.events.threshold | Threshold (Count at which the anomaly should trigger). Applicable to Bulk Anomaly types( Bulk Upload/ Download/ Delete) and Failed Login Anomaly type. 
| long | -| netskope.events.tnetwork_session_id | N/A | keyword | -| netskope.events.to.object | Changed name of an object that has been renamed, copied, or moved. | keyword | -| netskope.events.to.storage | N/A | keyword | -| netskope.events.to.user | Used when a file is moved from user A to user B. Shows the email address of user B. | keyword | -| netskope.events.to.user_category | Type of user to which move is done. | keyword | -| netskope.events.total.collaborator_count | Count of collaborators on a file/folder. Supported for some apps. | long | -| netskope.events.total_packets | N/A | long | -| netskope.events.traffic.type | Type of the traffic: CloudApp or Web. CloudApp indicates CASB and web indicates HTTP traffic. Web traffic is only captured for inline access method. It is currently not captured for Risk Insights. | keyword | -| netskope.events.transaction.id | Unique ID for a given request/response. | keyword | -| netskope.events.tss_mode | Malware scanning mode, specifies whether it's Real-time Protection or API Data Protection. | keyword | -| netskope.events.tunnel.id | Shows the Client installation ID. Only available for the Client steering configuration. | keyword | -| netskope.events.tunnel.type | N/A | keyword | -| netskope.events.tunnel.up_time | N/A | long | -| netskope.events.two_factor_auth | N/A | keyword | -| netskope.events.type | Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. | keyword | -| netskope.events.universal_connector | N/A | keyword | -| netskope.events.url | URL of the application that the user visited as provided by the log or data plane traffic | flattened | -| netskope.events.url_to_activity | Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. 
| keyword | -| netskope.events.user.category | Type of user in an enterprise - external / internal. | keyword | -| netskope.events.user.generated | Tells whether it is user generated page event. | boolean | -| netskope.events.user.geo.city_name | N/A | keyword | -| netskope.events.user.geo.continent_name | N/A | keyword | -| netskope.events.user.geo.country_iso_code | N/A | keyword | -| netskope.events.user.geo.country_name | N/A | keyword | -| netskope.events.user.geo.location | Longitude and latitude. | geo_point | -| netskope.events.user.geo.region_iso_code | N/A | keyword | -| netskope.events.user.geo.region_name | N/A | keyword | -| netskope.events.user.group | N/A | keyword | -| netskope.events.user.ip | IP address of User. | keyword | -| netskope.events.user.is_aggregated | N/A | boolean | -| netskope.events.violating.user.name | User who caused a vioaltion. Populated for Workplace by Facebook. | keyword | -| netskope.events.violating.user.type | Category of the user who caused a violation. Populated for Workplace by Facebook. | keyword | -| netskope.events.web.url | File preview URL. | flattened | -| netskope.events.web_universal_connector | N/A | keyword | -| netskope.events.workspace.id | Workspace ID in case of Slack for Enterprise. | keyword | -| netskope.events.workspace.name | Workspace name in case of Slack for Enterprise. | keyword | -| netskope.events.zip_password | Zip the malacious file and put pwd to it and send it back to caller. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. 
| ip | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.packets | Packets sent from the server to the client. | long | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| user.email | User email address. | keyword | -| user.group.name | Name of the group. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. 
| match_only_text | -| user.roles | Array of user roles at the time of the event. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -An example event for `events` looks as following: - -```json -{ - "@timestamp": "2021-12-24T00:29:56.000Z", - "agent": { - "ephemeral_id": "3cabd78f-ac92-4719-87ff-e1dd82c3162a", - "id": "52d90929-98ee-4480-9b14-fe07637d0bbe", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.3.0" - }, - "data_stream": { - "dataset": "netskope.events", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.0.0" - }, - "elastic_agent": { - "id": "52d90929-98ee-4480-9b14-fe07637d0bbe", - "snapshot": true, - "version": "8.3.0" - }, - "event": { - "agent_id_status": "verified", - "dataset": "netskope.events", - "ingested": "2022-04-14T09:24:43Z", - "original": "{\"@timestamp\":\"2021-12-24T00:29:56.000Z\",\"event.id\":\"613ee55ec9d868fc47654a73\",\"netskope\":{\"events\":{\"event_type\":\"infrastructure\",\"severity\":{\"level\":\"high\"},\"alarm\":{\"name\":\"No_events_from_device\",\"description\":\"Events from device not received in the last 24 hours\"},\"device\":{\"name\":\"device-1\"},\"metric_value\":43831789,\"serial\":\"FFFFFFFFFFFFFFFF\",\"supporting_data\":\"abc\"}}}" - }, - "event.id": 
"613ee55ec9d868fc47654a73", - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "192.168.224.1:46522" - } - }, - "netskope": { - "events": { - "alarm": { - "description": "Events from device not received in the last 24 hours", - "name": "No_events_from_device" - }, - "device": { - "name": "device-1" - }, - "event_type": "infrastructure", - "metric_value": 43831789, - "serial": "FFFFFFFFFFFFFFFF", - "severity": { - "level": "high" - }, - "supporting_data": "abc" - } - }, - "tags": [ - "forwarded", - "netskope-events" - ] -} -``` diff --git a/packages/netskope/1.0.0/img/netskope-alerts-screenshot.png b/packages/netskope/1.0.0/img/netskope-alerts-screenshot.png deleted file mode 100755 index 3478a97c30..0000000000 Binary files a/packages/netskope/1.0.0/img/netskope-alerts-screenshot.png and /dev/null differ diff --git a/packages/netskope/1.0.0/img/netskope-events-screenshot.png b/packages/netskope/1.0.0/img/netskope-events-screenshot.png deleted file mode 100755 index a429b80386..0000000000 Binary files a/packages/netskope/1.0.0/img/netskope-events-screenshot.png and /dev/null differ diff --git a/packages/netskope/1.0.0/img/netskope-logo.svg b/packages/netskope/1.0.0/img/netskope-logo.svg deleted file mode 100755 index cf1c8bcb3d..0000000000 --- a/packages/netskope/1.0.0/img/netskope-logo.svg +++ /dev/null @@ -1,26 +0,0 @@ - - - - - - - - - - - - - diff --git a/packages/netskope/1.0.0/kibana/dashboard/netskope-0f68b070-71f8-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/dashboard/netskope-0f68b070-71f8-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 23c328b567..0000000000 --- a/packages/netskope/1.0.0/kibana/dashboard/netskope-0f68b070-71f8-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6fa82f60-f04f-444f-ba2f-00773e1e6108\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"6fa82f60-f04f-444f-ba2f-00773e1e6108\",\"panelRefName\":\"panel_6fa82f60-f04f-444f-ba2f-00773e1e6108\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"4652af1f-2400-4b6c-bc5e-571191e2a14f\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4652af1f-2400-4b6c-bc5e-571191e2a14f\",\"panelRefName\":\"panel_4652af1f-2400-4b6c-bc5e-571191e2a14f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"45c067c5-0e47-4988-90f8-fc788f006afd\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"45c067c5-0e47-4988-90f8-fc788f006afd\",\"panelRefName\":\"panel_45c067c5-0e47-4988-90f8-fc788f006afd\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a9793bf2-d220-4b8c-a5b5-ce31043445f9\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"a9793bf2-d220-4b8c-a5b5-ce31043445f9\",\"panelRefName\":\"panel_a9793bf2-d220-4b8c-a5b5-ce31043445f9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhan
cements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"feaa25d0-fc21-4688-ad80-aac792a6f5a7\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"feaa25d0-fc21-4688-ad80-aac792a6f5a7\",\"panelRefName\":\"panel_feaa25d0-fc21-4688-ad80-aac792a6f5a7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"366ab0ac-ca2e-42af-a6c3-ed7af9892b33\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"366ab0ac-ca2e-42af-a6c3-ed7af9892b33\",\"panelRefName\":\"panel_366ab0ac-ca2e-42af-a6c3-ed7af9892b33\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"afe687dc-fbb2-4277-b415-2d63dc660034\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"afe687dc-fbb2-4277-b415-2d63dc660034\",\"panelRefName\":\"panel_afe687dc-fbb2-4277-b415-2d63dc660034\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"84973327-83fa-4d3e-a605-942aa2f8d165\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"84973327-83fa-4d3e-a605-942aa2f8d165\",\"panelRefName\":\"panel_84973327-83fa-4d3e-a605-942aa2f8d165\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b4492c2d-8d65-4ba1-88ff-477837e47ba7\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"b4492c2d-8d65-4ba1-88ff-477837e47ba7\",\"panelRefName\":\"panel_b4492c2d-8d65-4ba1-88ff-477837e47ba7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1ff971d6-add3-4c2e-b392-13c5487ac4ee\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"1ff971d6-add3-4c2e-b392-13c5487ac4ee\",\"panelRefName\":\"panel_1ff971d6-add3-4c2e-b392-13c5487ac4ee\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":1
5,\"i\":\"1f30c1e5-042e-48ce-99e5-5f1fc9e12d12\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"1f30c1e5-042e-48ce-99e5-5f1fc9e12d12\",\"panelRefName\":\"panel_1f30c1e5-042e-48ce-99e5-5f1fc9e12d12\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e9392a59-5f4d-405d-8779-6b1400c25493\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"e9392a59-5f4d-405d-8779-6b1400c25493\",\"panelRefName\":\"panel_e9392a59-5f4d-405d-8779-6b1400c25493\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f722efca-df82-46e8-bb4d-8217b1fac3e3\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"f722efca-df82-46e8-bb4d-8217b1fac3e3\",\"panelRefName\":\"panel_f722efca-df82-46e8-bb4d-8217b1fac3e3\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8c4361bf-c0be-44e9-a898-0f2de9b10187\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"8c4361bf-c0be-44e9-a898-0f2de9b10187\",\"panelRefName\":\"panel_8c4361bf-c0be-44e9-a898-0f2de9b10187\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"a65412a1-13cd-40ed-900e-4fc49f388ee7\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"a65412a1-13cd-40ed-900e-4fc49f388ee7\",\"panelRefName\":\"panel_a65412a1-13cd-40ed-900e-4fc49f388ee7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"eb9e1079-4966-4ae9-abbf-e0df000f17d6\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"eb9e1079-4966-4ae9-abbf-e0df000f17d6\",\"panelRefName\":\"panel_eb9e1079-4966-4ae9-abbf-e0df000f17d6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d726178a-8c9a-465c-ac2d-974f77abb85f\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\
"d726178a-8c9a-465c-ac2d-974f77abb85f\",\"panelRefName\":\"panel_d726178a-8c9a-465c-ac2d-974f77abb85f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5d065d8d-9b03-4707-9c50-4b655a013932\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"5d065d8d-9b03-4707-9c50-4b655a013932\",\"panelRefName\":\"panel_5d065d8d-9b03-4707-9c50-4b655a013932\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5da4dcb5-1642-48d8-8b08-cc24ad43f53d\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"5da4dcb5-1642-48d8-8b08-cc24ad43f53d\",\"panelRefName\":\"panel_5da4dcb5-1642-48d8-8b08-cc24ad43f53d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"65a1d845-2c17-4bd6-8cd8-d8c651d89bd5\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"65a1d845-2c17-4bd6-8cd8-d8c651d89bd5\",\"panelRefName\":\"panel_65a1d845-2c17-4bd6-8cd8-d8c651d89bd5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b2f14091-11cf-492c-bd71-06a8096e4cc2\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"b2f14091-11cf-492c-bd71-06a8096e4cc2\",\"panelRefName\":\"panel_b2f14091-11cf-492c-bd71-06a8096e4cc2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e0331a0a-3091-48e8-8591-31ed4cb1e001\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"e0331a0a-3091-48e8-8591-31ed4cb1e001\",\"panelRefName\":\"panel_e0331a0a-3091-48e8-8591-31ed4cb1e001\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"99617f89-4bf3-4426-9d51-d486cde5c8a6\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"99617f89-4bf3-4426-9d51-d486cde5c8a6\",\"panelRefName\":\"panel_99617f89-4bf3-4426-9d51-d486cde5c8a6\",\"type\":\"visu
alization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44f4cc45-f34e-4034-aa95-aab9bae9be7b\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"44f4cc45-f34e-4034-aa95-aab9bae9be7b\",\"panelRefName\":\"panel_44f4cc45-f34e-4034-aa95-aab9bae9be7b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f01b8e09-267d-433e-965b-20d3483143a6\",\"w\":24,\"x\":0,\"y\":180},\"panelIndex\":\"f01b8e09-267d-433e-965b-20d3483143a6\",\"panelRefName\":\"panel_f01b8e09-267d-433e-965b-20d3483143a6\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Alerts] Quarantine", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-0f68b070-71f8-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02", - "name": "6fa82f60-f04f-444f-ba2f-00773e1e6108:panel_6fa82f60-f04f-444f-ba2f-00773e1e6108", - "type": "visualization" - }, - { - "id": "netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02", - "name": "4652af1f-2400-4b6c-bc5e-571191e2a14f:panel_4652af1f-2400-4b6c-bc5e-571191e2a14f", - "type": "visualization" - }, - { - "id": "netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02", - "name": "45c067c5-0e47-4988-90f8-fc788f006afd:panel_45c067c5-0e47-4988-90f8-fc788f006afd", - "type": "visualization" - }, - { - "id": "netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02", - "name": "a9793bf2-d220-4b8c-a5b5-ce31043445f9:panel_a9793bf2-d220-4b8c-a5b5-ce31043445f9", - "type": "visualization" - }, - { - "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", - "name": "feaa25d0-fc21-4688-ad80-aac792a6f5a7:panel_feaa25d0-fc21-4688-ad80-aac792a6f5a7", - "type": "visualization" - }, - { - "id": 
"netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", - "name": "366ab0ac-ca2e-42af-a6c3-ed7af9892b33:panel_366ab0ac-ca2e-42af-a6c3-ed7af9892b33", - "type": "visualization" - }, - { - "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", - "name": "afe687dc-fbb2-4277-b415-2d63dc660034:panel_afe687dc-fbb2-4277-b415-2d63dc660034", - "type": "visualization" - }, - { - "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", - "name": "84973327-83fa-4d3e-a605-942aa2f8d165:panel_84973327-83fa-4d3e-a605-942aa2f8d165", - "type": "visualization" - }, - { - "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", - "name": "b4492c2d-8d65-4ba1-88ff-477837e47ba7:panel_b4492c2d-8d65-4ba1-88ff-477837e47ba7", - "type": "visualization" - }, - { - "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", - "name": "1ff971d6-add3-4c2e-b392-13c5487ac4ee:panel_1ff971d6-add3-4c2e-b392-13c5487ac4ee", - "type": "visualization" - }, - { - "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", - "name": "1f30c1e5-042e-48ce-99e5-5f1fc9e12d12:panel_1f30c1e5-042e-48ce-99e5-5f1fc9e12d12", - "type": "visualization" - }, - { - "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", - "name": "e9392a59-5f4d-405d-8779-6b1400c25493:panel_e9392a59-5f4d-405d-8779-6b1400c25493", - "type": "visualization" - }, - { - "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", - "name": "f722efca-df82-46e8-bb4d-8217b1fac3e3:panel_f722efca-df82-46e8-bb4d-8217b1fac3e3", - "type": "visualization" - }, - { - "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", - "name": "8c4361bf-c0be-44e9-a898-0f2de9b10187:panel_8c4361bf-c0be-44e9-a898-0f2de9b10187", - "type": "visualization" - }, - { - "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", - "name": "a65412a1-13cd-40ed-900e-4fc49f388ee7:panel_a65412a1-13cd-40ed-900e-4fc49f388ee7", - "type": "visualization" - }, - { - "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", - "name": "eb9e1079-4966-4ae9-abbf-e0df000f17d6:panel_eb9e1079-4966-4ae9-abbf-e0df000f17d6", - 
"type": "visualization" - }, - { - "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", - "name": "d726178a-8c9a-465c-ac2d-974f77abb85f:panel_d726178a-8c9a-465c-ac2d-974f77abb85f", - "type": "visualization" - }, - { - "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", - "name": "5d065d8d-9b03-4707-9c50-4b655a013932:panel_5d065d8d-9b03-4707-9c50-4b655a013932", - "type": "visualization" - }, - { - "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", - "name": "5da4dcb5-1642-48d8-8b08-cc24ad43f53d:panel_5da4dcb5-1642-48d8-8b08-cc24ad43f53d", - "type": "visualization" - }, - { - "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", - "name": "65a1d845-2c17-4bd6-8cd8-d8c651d89bd5:panel_65a1d845-2c17-4bd6-8cd8-d8c651d89bd5", - "type": "visualization" - }, - { - "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", - "name": "b2f14091-11cf-492c-bd71-06a8096e4cc2:panel_b2f14091-11cf-492c-bd71-06a8096e4cc2", - "type": "visualization" - }, - { - "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", - "name": "e0331a0a-3091-48e8-8591-31ed4cb1e001:panel_e0331a0a-3091-48e8-8591-31ed4cb1e001", - "type": "visualization" - }, - { - "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", - "name": "99617f89-4bf3-4426-9d51-d486cde5c8a6:panel_99617f89-4bf3-4426-9d51-d486cde5c8a6", - "type": "visualization" - }, - { - "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", - "name": "44f4cc45-f34e-4034-aa95-aab9bae9be7b:panel_44f4cc45-f34e-4034-aa95-aab9bae9be7b", - "type": "visualization" - }, - { - "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", - "name": "f01b8e09-267d-433e-965b-20d3483143a6:panel_f01b8e09-267d-433e-965b-20d3483143a6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/dashboard/netskope-1db9af70-71f4-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/dashboard/netskope-1db9af70-71f4-11ec-8c4b-cb281099ee02.json
deleted file mode 100755
index ec910490e0..0000000000
--- a/packages/netskope/1.0.0/kibana/dashboard/netskope-1db9af70-71f4-11ec-8c4b-cb281099ee02.json
+++ /dev/null
@@ -1,122 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"9ecea79f-aedc-4c49-a78d-113c35d00646\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"9ecea79f-aedc-4c49-a78d-113c35d00646\",\"panelRefName\":\"panel_9ecea79f-aedc-4c49-a78d-113c35d00646\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f7136693-69cc-43e0-b9ad-3b975bbe830a\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"f7136693-69cc-43e0-b9ad-3b975bbe830a\",\"panelRefName\":\"panel_f7136693-69cc-43e0-b9ad-3b975bbe830a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6a352e9d-2bda-4c4d-a65f-70086fe9e098\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"6a352e9d-2bda-4c4d-a65f-70086fe9e098\",\"panelRefName\":\"panel_6a352e9d-2bda-4c4d-a65f-70086fe9e098\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"48681f61-2ad6-4dac-aafd-895b2c267d93\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"48681f61-2ad6-4dac-aafd-895b2c267d93\",\"panelRefName\":\"panel_48681f61-2ad6-4dac-aafd-895b2c267d93\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddabl
eConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"414e518e-6119-4905-9052-0bab7a7e53c2\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"414e518e-6119-4905-9052-0bab7a7e53c2\",\"panelRefName\":\"panel_414e518e-6119-4905-9052-0bab7a7e53c2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f52d5fe1-0317-4341-8828-34c8eb20e6c5\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"f52d5fe1-0317-4341-8828-34c8eb20e6c5\",\"panelRefName\":\"panel_f52d5fe1-0317-4341-8828-34c8eb20e6c5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"dedb010c-aa2b-4849-a123-01d05df8391e\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"dedb010c-aa2b-4849-a123-01d05df8391e\",\"panelRefName\":\"panel_dedb010c-aa2b-4849-a123-01d05df8391e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"769bdbcd-f96e-41c7-ba73-76bc435f8573\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"769bdbcd-f96e-41c7-ba73-76bc435f8573\",\"panelRefName\":\"panel_769bdbcd-f96e-41c7-ba73-76bc435f8573\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c15e2f15-51e0-450b-8b65-68ad53160156\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"c15e2f15-51e0-450b-8b65-68ad53160156\",\"panelRefName\":\"panel_c15e2f15-51e0-450b-8b65-68ad53160156\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"75d0c42b-7852-4914-95e7-6d2e92b99bd0\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"75d0c42b-7852-4914-95e7-6d2e92b99bd0\",\"panelRefName\":\"panel_75d0c42b-7852-4914-95e7-6d2e92b99bd0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"g
ridData\":{\"h\":15,\"i\":\"abd95a27-a1f0-4808-88fb-3bb5f770f543\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"abd95a27-a1f0-4808-88fb-3bb5f770f543\",\"panelRefName\":\"panel_abd95a27-a1f0-4808-88fb-3bb5f770f543\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"15c3b9dc-93ee-48ca-a860-fd4f1b768c4c\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"15c3b9dc-93ee-48ca-a860-fd4f1b768c4c\",\"panelRefName\":\"panel_15c3b9dc-93ee-48ca-a860-fd4f1b768c4c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5fe16d63-f752-4c67-b033-54924d7a631a\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"5fe16d63-f752-4c67-b033-54924d7a631a\",\"panelRefName\":\"panel_5fe16d63-f752-4c67-b033-54924d7a631a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"87ee17ee-d40e-4a43-b26f-9622bf1bcbad\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"87ee17ee-d40e-4a43-b26f-9622bf1bcbad\",\"panelRefName\":\"panel_87ee17ee-d40e-4a43-b26f-9622bf1bcbad\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"802cd7a9-7704-4a53-b143-1b9a4f75cc2b\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"802cd7a9-7704-4a53-b143-1b9a4f75cc2b\",\"panelRefName\":\"panel_802cd7a9-7704-4a53-b143-1b9a4f75cc2b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f6e061ee-b7ac-47c8-9915-3fca33a23317\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"f6e061ee-b7ac-47c8-9915-3fca33a23317\",\"panelRefName\":\"panel_f6e061ee-b7ac-47c8-9915-3fca33a23317\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5a0acb1a-ce64-413f-a582-567d7fa79fc0\",\"w\":24,\"x\":0,\"y\":13
5},\"panelIndex\":\"5a0acb1a-ce64-413f-a582-567d7fa79fc0\",\"panelRefName\":\"panel_5a0acb1a-ce64-413f-a582-567d7fa79fc0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f9e38ddf-3807-4283-8612-12890da9ddbe\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"f9e38ddf-3807-4283-8612-12890da9ddbe\",\"panelRefName\":\"panel_f9e38ddf-3807-4283-8612-12890da9ddbe\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4f45dac1-2a01-418a-9174-86fa1d613f5f\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"4f45dac1-2a01-418a-9174-86fa1d613f5f\",\"panelRefName\":\"panel_4f45dac1-2a01-418a-9174-86fa1d613f5f\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Alerts] Security Assessment", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-1db9af70-71f4-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-f9097160-71f3-11ec-8c4b-cb281099ee02", - "name": "9ecea79f-aedc-4c49-a78d-113c35d00646:panel_9ecea79f-aedc-4c49-a78d-113c35d00646", - "type": "visualization" - }, - { - "id": "netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02", - "name": "f7136693-69cc-43e0-b9ad-3b975bbe830a:panel_f7136693-69cc-43e0-b9ad-3b975bbe830a", - "type": "visualization" - }, - { - "id": "netskope-187e0140-71f5-11ec-8c4b-cb281099ee02", - "name": "6a352e9d-2bda-4c4d-a65f-70086fe9e098:panel_6a352e9d-2bda-4c4d-a65f-70086fe9e098", - "type": "visualization" - }, - { - "id": "netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02", - "name": "48681f61-2ad6-4dac-aafd-895b2c267d93:panel_48681f61-2ad6-4dac-aafd-895b2c267d93", - "type": "visualization" - }, - { - "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", - 
"name": "414e518e-6119-4905-9052-0bab7a7e53c2:panel_414e518e-6119-4905-9052-0bab7a7e53c2", - "type": "visualization" - }, - { - "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", - "name": "f52d5fe1-0317-4341-8828-34c8eb20e6c5:panel_f52d5fe1-0317-4341-8828-34c8eb20e6c5", - "type": "visualization" - }, - { - "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", - "name": "dedb010c-aa2b-4849-a123-01d05df8391e:panel_dedb010c-aa2b-4849-a123-01d05df8391e", - "type": "visualization" - }, - { - "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", - "name": "769bdbcd-f96e-41c7-ba73-76bc435f8573:panel_769bdbcd-f96e-41c7-ba73-76bc435f8573", - "type": "visualization" - }, - { - "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", - "name": "c15e2f15-51e0-450b-8b65-68ad53160156:panel_c15e2f15-51e0-450b-8b65-68ad53160156", - "type": "visualization" - }, - { - "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", - "name": "75d0c42b-7852-4914-95e7-6d2e92b99bd0:panel_75d0c42b-7852-4914-95e7-6d2e92b99bd0", - "type": "visualization" - }, - { - "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", - "name": "abd95a27-a1f0-4808-88fb-3bb5f770f543:panel_abd95a27-a1f0-4808-88fb-3bb5f770f543", - "type": "visualization" - }, - { - "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", - "name": "15c3b9dc-93ee-48ca-a860-fd4f1b768c4c:panel_15c3b9dc-93ee-48ca-a860-fd4f1b768c4c", - "type": "visualization" - }, - { - "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", - "name": "5fe16d63-f752-4c67-b033-54924d7a631a:panel_5fe16d63-f752-4c67-b033-54924d7a631a", - "type": "visualization" - }, - { - "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", - "name": "87ee17ee-d40e-4a43-b26f-9622bf1bcbad:panel_87ee17ee-d40e-4a43-b26f-9622bf1bcbad", - "type": "visualization" - }, - { - "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", - "name": "802cd7a9-7704-4a53-b143-1b9a4f75cc2b:panel_802cd7a9-7704-4a53-b143-1b9a4f75cc2b", - "type": "visualization" - }, - { - "id": 
"netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", - "name": "f6e061ee-b7ac-47c8-9915-3fca33a23317:panel_f6e061ee-b7ac-47c8-9915-3fca33a23317", - "type": "visualization" - }, - { - "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", - "name": "5a0acb1a-ce64-413f-a582-567d7fa79fc0:panel_5a0acb1a-ce64-413f-a582-567d7fa79fc0", - "type": "visualization" - }, - { - "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", - "name": "f9e38ddf-3807-4283-8612-12890da9ddbe:panel_f9e38ddf-3807-4283-8612-12890da9ddbe", - "type": "visualization" - }, - { - "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", - "name": "4f45dac1-2a01-418a-9174-86fa1d613f5f:panel_4f45dac1-2a01-418a-9174-86fa1d613f5f", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/dashboard/netskope-388b1e00-72ae-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/dashboard/netskope-388b1e00-72ae-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 1d99e0f070..0000000000 --- a/packages/netskope/1.0.0/kibana/dashboard/netskope-388b1e00-72ae-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"de113850-0514-4327-bf4a-96fd3bff0aa1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"de113850-0514-4327-bf4a-96fd3bff0aa1\",\"panelRefName\":\"panel_de113850-0514-4327-bf4a-96fd3bff0aa1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842\",\"panelRefName\":\"panel_81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"1ae18052-f555-4f33-b76c-7f425a337c95\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1ae18052-f555-4f33-b76c-7f425a337c95\",\"panelRefName\":\"panel_1ae18052-f555-4f33-b76c-7f425a337c95\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cf91b73d-8723-4207-a9db-2f2eec6dbc83\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"cf91b73d-8723-4207-a9db-2f2eec6dbc83\",\"panelRefName\":\"panel_cf91b73d-8723-4207-a9db-2f2eec6dbc83\",\"type\":\"visu
alization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"40a99b00-0503-4360-b2ee-4758402ddbc6\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"40a99b00-0503-4360-b2ee-4758402ddbc6\",\"panelRefName\":\"panel_40a99b00-0503-4360-b2ee-4758402ddbc6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c56aec99-3085-448f-b3ce-d68d4d758354\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"c56aec99-3085-448f-b3ce-d68d4d758354\",\"panelRefName\":\"panel_c56aec99-3085-448f-b3ce-d68d4d758354\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cfbe5876-f02d-42c0-ae50-b85b43223f2d\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"cfbe5876-f02d-42c0-ae50-b85b43223f2d\",\"panelRefName\":\"panel_cfbe5876-f02d-42c0-ae50-b85b43223f2d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"91fb5be5-9fe1-446c-b5de-0a9844698834\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"91fb5be5-9fe1-446c-b5de-0a9844698834\",\"panelRefName\":\"panel_91fb5be5-9fe1-446c-b5de-0a9844698834\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e89d1bab-dd1c-4b06-bad0-77f26fb8e217\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"e89d1bab-dd1c-4b06-bad0-77f26fb8e217\",\"panelRefName\":\"panel_e89d1bab-dd1c-4b06-bad0-77f26fb8e217\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cafd5a6f-d702-4870-b85d-8c5619997cb6\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"cafd5a6f-d702-4870-b85d-8c5619997cb6\",\"panelRefName\":\"panel_cafd5a6f-d702-4870-b85d-8c5619997cb6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legen
dOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"199442bd-7bb0-4112-ade5-3264743defd1\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"199442bd-7bb0-4112-ade5-3264743defd1\",\"panelRefName\":\"panel_199442bd-7bb0-4112-ade5-3264743defd1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"90e8a139-5ac8-4a10-a5ed-802d30eca519\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"90e8a139-5ac8-4a10-a5ed-802d30eca519\",\"panelRefName\":\"panel_90e8a139-5ac8-4a10-a5ed-802d30eca519\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339\",\"panelRefName\":\"panel_3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cbe6b18e-b303-4b00-b573-f9856a82e15e\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"cbe6b18e-b303-4b00-b573-f9856a82e15e\",\"panelRefName\":\"panel_cbe6b18e-b303-4b00-b573-f9856a82e15e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"68eae1da-9479-4de6-a888-790e7bee6449\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"68eae1da-9479-4de6-a888-790e7bee6449\",\"panelRefName\":\"panel_68eae1da-9479-4de6-a888-790e7bee6449\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"8368a6ca-b543-4adc-a9c5-624e74497329\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"8368a6ca-b543-4adc-a9c5-624e74497329\",\"panelRefName\":\"panel_8368a6ca-b543-4adc-a9c5-624e74497329\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4b05e711-810e-401
4-9b25-0bd307954aa0\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"4b05e711-810e-4014-9b25-0bd307954aa0\",\"panelRefName\":\"panel_4b05e711-810e-4014-9b25-0bd307954aa0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"893dd429-9e30-4fd6-9419-dbe51aafc104\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"893dd429-9e30-4fd6-9419-dbe51aafc104\",\"panelRefName\":\"panel_893dd429-9e30-4fd6-9419-dbe51aafc104\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb\",\"panelRefName\":\"panel_5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"39191fce-eb15-468c-ad46-923e47f84456\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"39191fce-eb15-468c-ad46-923e47f84456\",\"panelRefName\":\"panel_39191fce-eb15-468c-ad46-923e47f84456\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"aedad988-c987-4390-b904-8ed71a118d4d\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"aedad988-c987-4390-b904-8ed71a118d4d\",\"panelRefName\":\"panel_aedad988-c987-4390-b904-8ed71a118d4d\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Events] Network", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-388b1e00-72ae-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-55144a90-72ab-11ec-8c4b-cb281099ee02", - "name": 
"de113850-0514-4327-bf4a-96fd3bff0aa1:panel_de113850-0514-4327-bf4a-96fd3bff0aa1", - "type": "visualization" - }, - { - "id": "netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02", - "name": "81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842:panel_81c7c9aa-e4bf-4f5f-81a8-8a9b2b329842", - "type": "visualization" - }, - { - "id": "netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02", - "name": "1ae18052-f555-4f33-b76c-7f425a337c95:panel_1ae18052-f555-4f33-b76c-7f425a337c95", - "type": "visualization" - }, - { - "id": "netskope-327320f0-72ac-11ec-8c4b-cb281099ee02", - "name": "cf91b73d-8723-4207-a9db-2f2eec6dbc83:panel_cf91b73d-8723-4207-a9db-2f2eec6dbc83", - "type": "visualization" - }, - { - "id": "netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02", - "name": "40a99b00-0503-4360-b2ee-4758402ddbc6:panel_40a99b00-0503-4360-b2ee-4758402ddbc6", - "type": "visualization" - }, - { - "id": "netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02", - "name": "c56aec99-3085-448f-b3ce-d68d4d758354:panel_c56aec99-3085-448f-b3ce-d68d4d758354", - "type": "visualization" - }, - { - "id": "netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02", - "name": "cfbe5876-f02d-42c0-ae50-b85b43223f2d:panel_cfbe5876-f02d-42c0-ae50-b85b43223f2d", - "type": "visualization" - }, - { - "id": "netskope-40a01500-72db-11ec-8c4b-cb281099ee02", - "name": "91fb5be5-9fe1-446c-b5de-0a9844698834:panel_91fb5be5-9fe1-446c-b5de-0a9844698834", - "type": "visualization" - }, - { - "id": "netskope-464ce970-72b7-11ec-8c4b-cb281099ee02", - "name": "e89d1bab-dd1c-4b06-bad0-77f26fb8e217:panel_e89d1bab-dd1c-4b06-bad0-77f26fb8e217", - "type": "visualization" - }, - { - "id": "netskope-891546c0-72db-11ec-8c4b-cb281099ee02", - "name": "cafd5a6f-d702-4870-b85d-8c5619997cb6:panel_cafd5a6f-d702-4870-b85d-8c5619997cb6", - "type": "visualization" - }, - { - "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", - "name": "199442bd-7bb0-4112-ade5-3264743defd1:panel_199442bd-7bb0-4112-ade5-3264743defd1", - "type": "visualization" - }, - { - "id": 
"netskope-41932530-72a7-11ec-8c4b-cb281099ee02", - "name": "90e8a139-5ac8-4a10-a5ed-802d30eca519:panel_90e8a139-5ac8-4a10-a5ed-802d30eca519", - "type": "visualization" - }, - { - "id": "netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02", - "name": "3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339:panel_3e9a0f3a-f5b1-4cc6-ba7f-645bf6f23339", - "type": "visualization" - }, - { - "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", - "name": "cbe6b18e-b303-4b00-b573-f9856a82e15e:panel_cbe6b18e-b303-4b00-b573-f9856a82e15e", - "type": "visualization" - }, - { - "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", - "name": "68eae1da-9479-4de6-a888-790e7bee6449:panel_68eae1da-9479-4de6-a888-790e7bee6449", - "type": "visualization" - }, - { - "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", - "name": "8368a6ca-b543-4adc-a9c5-624e74497329:panel_8368a6ca-b543-4adc-a9c5-624e74497329", - "type": "visualization" - }, - { - "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", - "name": "4b05e711-810e-4014-9b25-0bd307954aa0:panel_4b05e711-810e-4014-9b25-0bd307954aa0", - "type": "visualization" - }, - { - "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", - "name": "893dd429-9e30-4fd6-9419-dbe51aafc104:panel_893dd429-9e30-4fd6-9419-dbe51aafc104", - "type": "visualization" - }, - { - "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", - "name": "5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb:panel_5c2b0e3e-3fa6-4b04-9950-0a51dd2bc0bb", - "type": "visualization" - }, - { - "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", - "name": "39191fce-eb15-468c-ad46-923e47f84456:panel_39191fce-eb15-468c-ad46-923e47f84456", - "type": "visualization" - }, - { - "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", - "name": "aedad988-c987-4390-b904-8ed71a118d4d:panel_aedad988-c987-4390-b904-8ed71a118d4d", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/dashboard/netskope-4bdc8830-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/dashboard/netskope-4bdc8830-72af-11ec-8c4b-cb281099ee02.json
deleted file mode 100755
index d2e6875041..0000000000
--- a/packages/netskope/1.0.0/kibana/dashboard/netskope-4bdc8830-72af-11ec-8c4b-cb281099ee02.json
+++ /dev/null
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"infrastructure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"infrastructure\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"eef1d418-6eb7-4ca7-963c-376163e018cc\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"eef1d418-6eb7-4ca7-963c-376163e018cc\",\"panelRefName\":\"panel_eef1d418-6eb7-4ca7-963c-376163e018cc\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b8ce0876-320e-4903-919e-3101df39f199\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"b8ce0876-320e-4903-919e-3101df39f199\",\"panelRefName\":\"panel_b8ce0876-320e-4903-919e-3101df39f199\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"bcd7cd0f-3d14-4165-ad36-411e407c1b3a\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"bcd7cd0f-3d14-4165-ad36-411e407c1b3a\",\"panelRefName\":\"panel_bcd7cd0f-3d14-4165-ad36-411e407c1b3a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cb25209c-af4f-46d4-8055-e0165377c186\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"cb25209c-af4f-46d4-8055-e0165377c186\",\"panelRefName\":\"panel_cb25209c-af4f-46d4-8055-e0165377c186\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - 
"timeRestore": false, - "title": "[Netskope][Events] Infrastructure", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-4bdc8830-72af-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02", - "name": "eef1d418-6eb7-4ca7-963c-376163e018cc:panel_eef1d418-6eb7-4ca7-963c-376163e018cc", - "type": "visualization" - }, - { - "id": "netskope-719e0f30-72af-11ec-8c4b-cb281099ee02", - "name": "b8ce0876-320e-4903-919e-3101df39f199:panel_b8ce0876-320e-4903-919e-3101df39f199", - "type": "visualization" - }, - { - "id": "netskope-914898a0-72af-11ec-8c4b-cb281099ee02", - "name": "bcd7cd0f-3d14-4165-ad36-411e407c1b3a:panel_bcd7cd0f-3d14-4165-ad36-411e407c1b3a", - "type": "visualization" - }, - { - "id": "netskope-c01026d0-72af-11ec-8c4b-cb281099ee02", - "name": "cb25209c-af4f-46d4-8055-e0165377c186:panel_cb25209c-af4f-46d4-8055-e0165377c186", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/dashboard/netskope-93c4dce0-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/dashboard/netskope-93c4dce0-72a7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 35312a2ab0..0000000000 --- a/packages/netskope/1.0.0/kibana/dashboard/netskope-93c4dce0-72a7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"26fbf4d7-3b96-4d0a-a206-1c0b6c36a654\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"26fbf4d7-3b96-4d0a-a206-1c0b6c36a654\",\"panelRefName\":\"panel_26fbf4d7-3b96-4d0a-a206-1c0b6c36a654\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5a43e517-99d6-425a-b5cb-7ee124b327e7\",\"w\":24,\"x\":0,\"y\":5},\"panelIndex\":\"5a43e517-99d6-425a-b5cb-7ee124b327e7\",\"panelRefName\":\"panel_5a43e517-99d6-425a-b5cb-7ee124b327e7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"6a0e0f49-951b-47ca-8664-5507bae1d7f4\",\"w\":24,\"x\":24,\"y\":5},\"panelIndex\":\"6a0e0f49-951b-47ca-8664-5507bae1d7f4\",\"panelRefName\":\"panel_6a0e0f49-951b-47ca-8664-5507bae1d7f4\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"067dda5d-b9eb-495c-b663-5bb1eaa164da\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"067dda5d-b9eb-495c-b663-5bb1eaa164da\",\"panelRefName\":\"panel_067dda5d-b9eb-495c-b663-5bb1eaa164da\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"26a44d07-f0e4-4c58-a209-ebe227dfe682\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"26a44d07-f0e4-4c58-a209-ebe227dfe682\",\"panelRefName\":\"panel_26a44d07-f0e4-4c58-a209-ebe227dfe682\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"
embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"98d0578d-b4f5-46f6-8c5d-db6939548a41\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"98d0578d-b4f5-46f6-8c5d-db6939548a41\",\"panelRefName\":\"panel_98d0578d-b4f5-46f6-8c5d-db6939548a41\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"1150af83-f4ee-4aa3-8b31-7d5c5dccc716\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"1150af83-f4ee-4aa3-8b31-7d5c5dccc716\",\"panelRefName\":\"panel_1150af83-f4ee-4aa3-8b31-7d5c5dccc716\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"822a62d6-ed17-4a9c-bcbc-b29b25538156\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"822a62d6-ed17-4a9c-bcbc-b29b25538156\",\"panelRefName\":\"panel_822a62d6-ed17-4a9c-bcbc-b29b25538156\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec\",\"panelRefName\":\"panel_5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1773342f-dd53-4c10-9b38-82b4e09a7395\",\"w\":24,\"x\":0,\"y\":65},\"panelIndex\":\"1773342f-dd53-4c10-9b38-82b4e09a7395\",\"panelRefName\":\"panel_1773342f-dd53-4c10-9b38-82b4e09a7395\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e297318d-0e02-4fc2-a5dd-6b6d57f5e35b\",\"w\":24,\"x\":24,\"y\":65},\"panelIndex\":\"e297318d-0e02-4fc2-a5dd-6b6d57f5e35b\",\"panelRefName\":\"panel_e297318d-0e02-4fc2-a5dd-6b6d57f5e35b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d9355657-e78e-4edf-89b0
-4f0e0698372e\",\"w\":24,\"x\":0,\"y\":80},\"panelIndex\":\"d9355657-e78e-4edf-89b0-4f0e0698372e\",\"panelRefName\":\"panel_d9355657-e78e-4edf-89b0-4f0e0698372e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"82495547-fdb7-4c0c-8e55-83246013d66f\",\"w\":24,\"x\":24,\"y\":80},\"panelIndex\":\"82495547-fdb7-4c0c-8e55-83246013d66f\",\"panelRefName\":\"panel_82495547-fdb7-4c0c-8e55-83246013d66f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c291aef0-c76c-4c83-ae56-2c2126f817a7\",\"w\":24,\"x\":0,\"y\":95},\"panelIndex\":\"c291aef0-c76c-4c83-ae56-2c2126f817a7\",\"panelRefName\":\"panel_c291aef0-c76c-4c83-ae56-2c2126f817a7\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope] Events Overview", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-93c4dce0-72a7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02", - "name": "26fbf4d7-3b96-4d0a-a206-1c0b6c36a654:panel_26fbf4d7-3b96-4d0a-a206-1c0b6c36a654", - "type": "visualization" - }, - { - "id": "netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02", - "name": "5a43e517-99d6-425a-b5cb-7ee124b327e7:panel_5a43e517-99d6-425a-b5cb-7ee124b327e7", - "type": "visualization" - }, - { - "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", - "name": "6a0e0f49-951b-47ca-8664-5507bae1d7f4:panel_6a0e0f49-951b-47ca-8664-5507bae1d7f4", - "type": "visualization" - }, - { - "id": "netskope-41932530-72a7-11ec-8c4b-cb281099ee02", - "name": "067dda5d-b9eb-495c-b663-5bb1eaa164da:panel_067dda5d-b9eb-495c-b663-5bb1eaa164da", - "type": "visualization" - }, - { - "id": "netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02", - "name": "26a44d07-f0e4-4c58-a209-ebe227dfe682:panel_26a44d07-f0e4-4c58-a209-ebe227dfe682", - "type": 
"visualization" - }, - { - "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", - "name": "98d0578d-b4f5-46f6-8c5d-db6939548a41:panel_98d0578d-b4f5-46f6-8c5d-db6939548a41", - "type": "visualization" - }, - { - "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", - "name": "1150af83-f4ee-4aa3-8b31-7d5c5dccc716:panel_1150af83-f4ee-4aa3-8b31-7d5c5dccc716", - "type": "visualization" - }, - { - "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", - "name": "822a62d6-ed17-4a9c-bcbc-b29b25538156:panel_822a62d6-ed17-4a9c-bcbc-b29b25538156", - "type": "visualization" - }, - { - "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", - "name": "5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec:panel_5bc67aa4-4d7f-409e-bf28-a5c3a2f5caec", - "type": "visualization" - }, - { - "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", - "name": "1773342f-dd53-4c10-9b38-82b4e09a7395:panel_1773342f-dd53-4c10-9b38-82b4e09a7395", - "type": "visualization" - }, - { - "id": "netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02", - "name": "e297318d-0e02-4fc2-a5dd-6b6d57f5e35b:panel_e297318d-0e02-4fc2-a5dd-6b6d57f5e35b", - "type": "visualization" - }, - { - "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", - "name": "d9355657-e78e-4edf-89b0-4f0e0698372e:panel_d9355657-e78e-4edf-89b0-4f0e0698372e", - "type": "visualization" - }, - { - "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", - "name": "82495547-fdb7-4c0c-8e55-83246013d66f:panel_82495547-fdb7-4c0c-8e55-83246013d66f", - "type": "visualization" - }, - { - "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", - "name": "c291aef0-c76c-4c83-ae56-2c2126f817a7:panel_c291aef0-c76c-4c83-ae56-2c2126f817a7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/dashboard/netskope-97349920-72b0-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/dashboard/netskope-97349920-72b0-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 84042f8c6d..0000000000 
--- a/packages/netskope/1.0.0/kibana/dashboard/netskope-97349920-72b0-11ec-8c4b-cb281099ee02.json
+++ /dev/null
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"77a59f05-8734-4361-a4ee-f0081a667f90\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"77a59f05-8734-4361-a4ee-f0081a667f90\",\"panelRefName\":\"panel_77a59f05-8734-4361-a4ee-f0081a667f90\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ba5dff68-0c84-4678-bf9b-a20767da4594\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"ba5dff68-0c84-4678-bf9b-a20767da4594\",\"panelRefName\":\"panel_ba5dff68-0c84-4678-bf9b-a20767da4594\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"04a815f0-2d0c-4189-9382-c4b5c4455bce\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"04a815f0-2d0c-4189-9382-c4b5c4455bce\",\"panelRefName\":\"panel_04a815f0-2d0c-4189-9382-c4b5c4455bce\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1fb9cef2-f112-4a25-985e-e191d044a824\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"1fb9cef2-f112-4a25-985e-e191d044a824\",\"panelRefName\":\"panel_1fb9cef2-f112-4a25-985e-e191d044a824\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enha
ncements\":{}},\"gridData\":{\"h\":15,\"i\":\"d6851ddb-5402-419a-b8e2-91e060a5a715\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"d6851ddb-5402-419a-b8e2-91e060a5a715\",\"panelRefName\":\"panel_d6851ddb-5402-419a-b8e2-91e060a5a715\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8c1ee365-4a0c-4b03-858a-26c7d6652699\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"8c1ee365-4a0c-4b03-858a-26c7d6652699\",\"panelRefName\":\"panel_8c1ee365-4a0c-4b03-858a-26c7d6652699\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Events] Audit", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-97349920-72b0-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-feb43930-72af-11ec-8c4b-cb281099ee02", - "name": "77a59f05-8734-4361-a4ee-f0081a667f90:panel_77a59f05-8734-4361-a4ee-f0081a667f90", - "type": "visualization" - }, - { - "id": "netskope-24907420-72b0-11ec-8c4b-cb281099ee02", - "name": "ba5dff68-0c84-4678-bf9b-a20767da4594:panel_ba5dff68-0c84-4678-bf9b-a20767da4594", - "type": "visualization" - }, - { - "id": "netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02", - "name": "04a815f0-2d0c-4189-9382-c4b5c4455bce:panel_04a815f0-2d0c-4189-9382-c4b5c4455bce", - "type": "visualization" - }, - { - "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", - "name": "1fb9cef2-f112-4a25-985e-e191d044a824:panel_1fb9cef2-f112-4a25-985e-e191d044a824", - "type": "visualization" - }, - { - "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", - "name": "d6851ddb-5402-419a-b8e2-91e060a5a715:panel_d6851ddb-5402-419a-b8e2-91e060a5a715", - "type": "visualization" - }, - { - "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", - "name": 
"8c1ee365-4a0c-4b03-858a-26c7d6652699:panel_8c1ee365-4a0c-4b03-858a-26c7d6652699", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/dashboard/netskope-9e55e880-72b5-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/dashboard/netskope-9e55e880-72b5-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 94ccc020a5..0000000000 --- a/packages/netskope/1.0.0/kibana/dashboard/netskope-9e55e880-72b5-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,117 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ab32506e-cd95-4643-94f4-ff3d7f10655b\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"ab32506e-cd95-4643-94f4-ff3d7f10655b\",\"panelRefName\":\"panel_ab32506e-cd95-4643-94f4-ff3d7f10655b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f04eaee2-b656-45f0-bf2e-7db096fe5ba5\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"f04eaee2-b656-45f0-bf2e-7db096fe5ba5\",\"panelRefName\":\"panel_f04eaee2-b656-45f0-bf2e-7db096fe5ba5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"85a443dc-c3dd-4198-8273-b2edbe5254a6\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"85a443dc-c3dd-4198-8273-b2edbe5254a6\",\"panelRefName\":\"panel_85a443dc-c3dd-4198-8273-b2edbe5254a6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d8da7946-0d47-405d-b219-b3f4519ee4d9\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"d8da7946-0d47-405d-b219-b3f4519ee4d9\",\"panelRefName\":\"panel_d8da7946-0d47-405d-b219-b3f4519ee4d9\",\"type\":\"visualization\",\"version\
":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"516a4ca3-23b4-4d6d-9162-50197cbfe306\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"516a4ca3-23b4-4d6d-9162-50197cbfe306\",\"panelRefName\":\"panel_516a4ca3-23b4-4d6d-9162-50197cbfe306\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ab75c7fa-d665-4ce4-b2d0-62428fd846da\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ab75c7fa-d665-4ce4-b2d0-62428fd846da\",\"panelRefName\":\"panel_ab75c7fa-d665-4ce4-b2d0-62428fd846da\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e6fdc807-d7d7-4c8d-a592-584e42001712\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"e6fdc807-d7d7-4c8d-a592-584e42001712\",\"panelRefName\":\"panel_e6fdc807-d7d7-4c8d-a592-584e42001712\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"fe337472-7a96-402a-b7e5-b8ea37e6328c\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"fe337472-7a96-402a-b7e5-b8ea37e6328c\",\"panelRefName\":\"panel_fe337472-7a96-402a-b7e5-b8ea37e6328c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5de4021e-f3ba-4155-83c6-d44937ad4564\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"5de4021e-f3ba-4155-83c6-d44937ad4564\",\"panelRefName\":\"panel_5de4021e-f3ba-4155-83c6-d44937ad4564\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6b88f03d-4441-4081-b031-7af3644a3421\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"6b88f03d-4441-4081-b031-7af3644a3421\",\"panelRefName\":\"panel_6b88f03d-4441-4081-b031-7af3644a3421\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\"
:{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ebf8e192-7eba-438f-96cc-5e6d80d08fd0\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"ebf8e192-7eba-438f-96cc-5e6d80d08fd0\",\"panelRefName\":\"panel_ebf8e192-7eba-438f-96cc-5e6d80d08fd0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6a003a65-76ee-43fa-9f63-a8c96c129fd1\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"6a003a65-76ee-43fa-9f63-a8c96c129fd1\",\"panelRefName\":\"panel_6a003a65-76ee-43fa-9f63-a8c96c129fd1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4\",\"panelRefName\":\"panel_942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"51fc9a00-6109-46eb-9264-cfb81fafbb90\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"51fc9a00-6109-46eb-9264-cfb81fafbb90\",\"panelRefName\":\"panel_51fc9a00-6109-46eb-9264-cfb81fafbb90\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"85ba4c06-11ce-4bfe-ba79-983562383efb\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"85ba4c06-11ce-4bfe-ba79-983562383efb\",\"panelRefName\":\"panel_85ba4c06-11ce-4bfe-ba79-983562383efb\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2209097a-5361-4924-b89b-30cb69fc1aa9\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"2209097a-5361-4924-b89b-30cb69fc1aa9\",\"panelRefName\":\"panel_2209097a-5361-4924-b89b-30cb69fc1aa9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"313214f2-83b2-41eb-98f6-d2e061b84267\",\"w\":24,\"x\":24,\"y\":120},
\"panelIndex\":\"313214f2-83b2-41eb-98f6-d2e061b84267\",\"panelRefName\":\"panel_313214f2-83b2-41eb-98f6-d2e061b84267\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"18e2231e-c783-4353-a799-b41f01154e97\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"18e2231e-c783-4353-a799-b41f01154e97\",\"panelRefName\":\"panel_18e2231e-c783-4353-a799-b41f01154e97\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Events] Application", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-9e55e880-72b5-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02", - "name": "ab32506e-cd95-4643-94f4-ff3d7f10655b:panel_ab32506e-cd95-4643-94f4-ff3d7f10655b", - "type": "visualization" - }, - { - "id": "netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02", - "name": "f04eaee2-b656-45f0-bf2e-7db096fe5ba5:panel_f04eaee2-b656-45f0-bf2e-7db096fe5ba5", - "type": "visualization" - }, - { - "id": "netskope-5e243140-72b5-11ec-8c4b-cb281099ee02", - "name": "85a443dc-c3dd-4198-8273-b2edbe5254a6:panel_85a443dc-c3dd-4198-8273-b2edbe5254a6", - "type": "visualization" - }, - { - "id": "netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02", - "name": "d8da7946-0d47-405d-b219-b3f4519ee4d9:panel_d8da7946-0d47-405d-b219-b3f4519ee4d9", - "type": "visualization" - }, - { - "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", - "name": "516a4ca3-23b4-4d6d-9162-50197cbfe306:panel_516a4ca3-23b4-4d6d-9162-50197cbfe306", - "type": "visualization" - }, - { - "id": "netskope-917c9230-72b5-11ec-8c4b-cb281099ee02", - "name": "ab75c7fa-d665-4ce4-b2d0-62428fd846da:panel_ab75c7fa-d665-4ce4-b2d0-62428fd846da", - "type": "visualization" - }, - { - "id": 
"netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02", - "name": "e6fdc807-d7d7-4c8d-a592-584e42001712:panel_e6fdc807-d7d7-4c8d-a592-584e42001712", - "type": "visualization" - }, - { - "id": "netskope-41932530-72a7-11ec-8c4b-cb281099ee02", - "name": "fe337472-7a96-402a-b7e5-b8ea37e6328c:panel_fe337472-7a96-402a-b7e5-b8ea37e6328c", - "type": "visualization" - }, - { - "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", - "name": "5de4021e-f3ba-4155-83c6-d44937ad4564:panel_5de4021e-f3ba-4155-83c6-d44937ad4564", - "type": "visualization" - }, - { - "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", - "name": "6b88f03d-4441-4081-b031-7af3644a3421:panel_6b88f03d-4441-4081-b031-7af3644a3421", - "type": "visualization" - }, - { - "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", - "name": "ebf8e192-7eba-438f-96cc-5e6d80d08fd0:panel_ebf8e192-7eba-438f-96cc-5e6d80d08fd0", - "type": "visualization" - }, - { - "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", - "name": "6a003a65-76ee-43fa-9f63-a8c96c129fd1:panel_6a003a65-76ee-43fa-9f63-a8c96c129fd1", - "type": "visualization" - }, - { - "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", - "name": "942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4:panel_942c0bf9-1f9a-4a8a-9f9c-70e32e61d1a4", - "type": "visualization" - }, - { - "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", - "name": "51fc9a00-6109-46eb-9264-cfb81fafbb90:panel_51fc9a00-6109-46eb-9264-cfb81fafbb90", - "type": "visualization" - }, - { - "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", - "name": "85ba4c06-11ce-4bfe-ba79-983562383efb:panel_85ba4c06-11ce-4bfe-ba79-983562383efb", - "type": "visualization" - }, - { - "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", - "name": "2209097a-5361-4924-b89b-30cb69fc1aa9:panel_2209097a-5361-4924-b89b-30cb69fc1aa9", - "type": "visualization" - }, - { - "id": "netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02", - "name": "313214f2-83b2-41eb-98f6-d2e061b84267:panel_313214f2-83b2-41eb-98f6-d2e061b84267", - 
"type": "visualization" - }, - { - "id": "netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02", - "name": "18e2231e-c783-4353-a799-b41f01154e97:panel_18e2231e-c783-4353-a799-b41f01154e97", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/dashboard/netskope-a03670f0-7208-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/dashboard/netskope-a03670f0-7208-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 0c48984958..0000000000 --- a/packages/netskope/1.0.0/kibana/dashboard/netskope-a03670f0-7208-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,182 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3b340e55-d9eb-4304-a0d3-583150bd54eb\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"3b340e55-d9eb-4304-a0d3-583150bd54eb\",\"panelRefName\":\"panel_3b340e55-d9eb-4304-a0d3-583150bd54eb\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"df123261-3370-4572-b118-09a2654264f2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"df123261-3370-4572-b118-09a2654264f2\",\"panelRefName\":\"panel_df123261-3370-4572-b118-09a2654264f2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"649b0d8e-5d17-411d-9117-a63ad74960f1\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"649b0d8e-5d17-411d-9117-a63ad74960f1\",\"panelRefName\":\"panel_649b0d8e-5d17-411d-9117-a63ad74960f1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"92b99046-01c4-413a-84dd-93ad174171b0\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"92b99046-01c4-413a-84dd-93ad174171b0\",\"panelRefName\":\"panel_92b99046-01c4-413a-84dd-93ad174171b0\",\"type\":\"visualization\",\"versio
n\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"aa10cc62-fe46-420a-88fc-9df0b78e58c1\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"aa10cc62-fe46-420a-88fc-9df0b78e58c1\",\"panelRefName\":\"panel_aa10cc62-fe46-420a-88fc-9df0b78e58c1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"3d78958c-581d-4ad4-a768-346a4f234b25\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"3d78958c-581d-4ad4-a768-346a4f234b25\",\"panelRefName\":\"panel_3d78958c-581d-4ad4-a768-346a4f234b25\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"cee9c637-74f0-42bd-8a30-7c8b8cb4ed01\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"cee9c637-74f0-42bd-8a30-7c8b8cb4ed01\",\"panelRefName\":\"panel_cee9c637-74f0-42bd-8a30-7c8b8cb4ed01\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9422ea18-43fb-4271-9c06-bfb40b9f9c78\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"9422ea18-43fb-4271-9c06-bfb40b9f9c78\",\"panelRefName\":\"panel_9422ea18-43fb-4271-9c06-bfb40b9f9c78\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e0b7f071-f82f-457c-ad45-de3f45cd9ee8\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"e0b7f071-f82f-457c-ad45-de3f45cd9ee8\",\"panelRefName\":\"panel_e0b7f071-f82f-457c-ad45-de3f45cd9ee8\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":162},{\"colIndex\":1,\"width\":355.5}]}}},\"gridData\":{\"h\":15,\"i\":\"b205b75e-5675-49ed-90d3-f183e7b80d2f\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"b205b75e-5675-49ed-90d3-f183e7b80d2f\",\"panelRefName\":\
"panel_b205b75e-5675-49ed-90d3-f183e7b80d2f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5513d359-dd47-44a7-856b-fadc0178aa5f\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"5513d359-dd47-44a7-856b-fadc0178aa5f\",\"panelRefName\":\"panel_5513d359-dd47-44a7-856b-fadc0178aa5f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ccf70172-a85b-40e1-a616-b3b1e9a6088c\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"ccf70172-a85b-40e1-a616-b3b1e9a6088c\",\"panelRefName\":\"panel_ccf70172-a85b-40e1-a616-b3b1e9a6088c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"6c932713-9d4b-430a-a799-6d31b45ecacf\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"6c932713-9d4b-430a-a799-6d31b45ecacf\",\"panelRefName\":\"panel_6c932713-9d4b-430a-a799-6d31b45ecacf\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"c483ecaf-49f8-4dc5-b0f0-0e1339a67d22\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"c483ecaf-49f8-4dc5-b0f0-0e1339a67d22\",\"panelRefName\":\"panel_c483ecaf-49f8-4dc5-b0f0-0e1339a67d22\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"90096c7a-a554-4a30-89a3-7d0d63ea804c\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"90096c7a-a554-4a30-89a3-7d0d63ea804c\",\"panelRefName\":\"panel_90096c7a-a554-4a30-89a3-7d0d63ea804c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cd490c17-67ea-4bd1-aa9a-88f1a9c139b5\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"cd490c17-67ea-4bd1-aa9a-88f1a9c139b5\",\"panelRefName\":\"panel_cd490c17-67ea-4bd1-aa9a-88
f1a9c139b5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0b6ca0f2-57a6-4e90-9592-56bb052d4ca7\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"0b6ca0f2-57a6-4e90-9592-56bb052d4ca7\",\"panelRefName\":\"panel_0b6ca0f2-57a6-4e90-9592-56bb052d4ca7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"650391d6-5467-4b6e-b529-f89b34cacdee\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"650391d6-5467-4b6e-b529-f89b34cacdee\",\"panelRefName\":\"panel_650391d6-5467-4b6e-b529-f89b34cacdee\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6b8089ba-e257-40d5-847f-516759ce8475\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"6b8089ba-e257-40d5-847f-516759ce8475\",\"panelRefName\":\"panel_6b8089ba-e257-40d5-847f-516759ce8475\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2d4098eb-54b0-474e-81b5-75fc222cb341\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"2d4098eb-54b0-474e-81b5-75fc222cb341\",\"panelRefName\":\"panel_2d4098eb-54b0-474e-81b5-75fc222cb341\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bbc3957b-53a2-47dd-9760-56f8ceb5289d\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"bbc3957b-53a2-47dd-9760-56f8ceb5289d\",\"panelRefName\":\"panel_bbc3957b-53a2-47dd-9760-56f8ceb5289d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"37776b9c-bfc6-4c6f-9079-2c0d23fe4a89\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"37776b9c-bfc6-4c6f-9079-2c0d23fe4a89\",\"panelRefName\":\"panel_37776b9c-bfc6-4c6f-9079-2c0d23fe4a89\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"l
egendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"690c706e-c8bc-4f19-ab9e-9ba64e268647\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"690c706e-c8bc-4f19-ab9e-9ba64e268647\",\"panelRefName\":\"panel_690c706e-c8bc-4f19-ab9e-9ba64e268647\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3753bbb6-64ab-4b10-8526-232375c9da38\",\"w\":24,\"x\":0,\"y\":180},\"panelIndex\":\"3753bbb6-64ab-4b10-8526-232375c9da38\",\"panelRefName\":\"panel_3753bbb6-64ab-4b10-8526-232375c9da38\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ebec8d00-4d63-44cd-9970-4882fcf5108f\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"ebec8d00-4d63-44cd-9970-4882fcf5108f\",\"panelRefName\":\"panel_ebec8d00-4d63-44cd-9970-4882fcf5108f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"97611e00-8013-43c4-856d-54b0e78313d5\",\"w\":24,\"x\":0,\"y\":195},\"panelIndex\":\"97611e00-8013-43c4-856d-54b0e78313d5\",\"panelRefName\":\"panel_97611e00-8013-43c4-856d-54b0e78313d5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"32296ddd-d26c-431a-8227-7ee72592cb3e\",\"w\":24,\"x\":24,\"y\":180},\"panelIndex\":\"32296ddd-d26c-431a-8227-7ee72592cb3e\",\"panelRefName\":\"panel_32296ddd-d26c-431a-8227-7ee72592cb3e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1394aa3a-d711-4634-9623-5dbaff400068\",\"w\":24,\"x\":0,\"y\":210},\"panelIndex\":\"1394aa3a-d711-4634-9623-5dbaff400068\",\"panelRefName\":\"panel_1394aa3a-d711-4634-9623-5dbaff400068\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4812c275-ae66-4de9-913e-4ebe6b8a7782\",\"w\":24,\"x\":24,\"y\":195},\
"panelIndex\":\"4812c275-ae66-4de9-913e-4ebe6b8a7782\",\"panelRefName\":\"panel_4812c275-ae66-4de9-913e-4ebe6b8a7782\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc\",\"w\":24,\"x\":0,\"y\":225},\"panelIndex\":\"5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc\",\"panelRefName\":\"panel_5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2be4e6e2-c325-4e05-9ed7-bb4534507f5a\",\"w\":24,\"x\":24,\"y\":210},\"panelIndex\":\"2be4e6e2-c325-4e05-9ed7-bb4534507f5a\",\"panelRefName\":\"panel_2be4e6e2-c325-4e05-9ed7-bb4534507f5a\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Alerts] UBA", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a03670f0-7208-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-f1c99420-7207-11ec-8c4b-cb281099ee02", - "name": "3b340e55-d9eb-4304-a0d3-583150bd54eb:panel_3b340e55-d9eb-4304-a0d3-583150bd54eb", - "type": "visualization" - }, - { - "id": "netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02", - "name": "df123261-3370-4572-b118-09a2654264f2:panel_df123261-3370-4572-b118-09a2654264f2", - "type": "visualization" - }, - { - "id": "netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02", - "name": "649b0d8e-5d17-411d-9117-a63ad74960f1:panel_649b0d8e-5d17-411d-9117-a63ad74960f1", - "type": "visualization" - }, - { - "id": "netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02", - "name": "92b99046-01c4-413a-84dd-93ad174171b0:panel_92b99046-01c4-413a-84dd-93ad174171b0", - "type": "visualization" - }, - { - "id": "netskope-bc70e470-7209-11ec-8c4b-cb281099ee02", - "name": 
"aa10cc62-fe46-420a-88fc-9df0b78e58c1:panel_aa10cc62-fe46-420a-88fc-9df0b78e58c1", - "type": "visualization" - }, - { - "id": "netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02", - "name": "3d78958c-581d-4ad4-a768-346a4f234b25:panel_3d78958c-581d-4ad4-a768-346a4f234b25", - "type": "visualization" - }, - { - "id": "netskope-648c79d0-720a-11ec-8c4b-cb281099ee02", - "name": "cee9c637-74f0-42bd-8a30-7c8b8cb4ed01:panel_cee9c637-74f0-42bd-8a30-7c8b8cb4ed01", - "type": "visualization" - }, - { - "id": "netskope-03150a40-720b-11ec-8c4b-cb281099ee02", - "name": "9422ea18-43fb-4271-9c06-bfb40b9f9c78:panel_9422ea18-43fb-4271-9c06-bfb40b9f9c78", - "type": "visualization" - }, - { - "id": "netskope-0922ae70-720a-11ec-8c4b-cb281099ee02", - "name": "e0b7f071-f82f-457c-ad45-de3f45cd9ee8:panel_e0b7f071-f82f-457c-ad45-de3f45cd9ee8", - "type": "visualization" - }, - { - "id": "netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02", - "name": "b205b75e-5675-49ed-90d3-f183e7b80d2f:panel_b205b75e-5675-49ed-90d3-f183e7b80d2f", - "type": "visualization" - }, - { - "id": "netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02", - "name": "5513d359-dd47-44a7-856b-fadc0178aa5f:panel_5513d359-dd47-44a7-856b-fadc0178aa5f", - "type": "visualization" - }, - { - "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", - "name": "ccf70172-a85b-40e1-a616-b3b1e9a6088c:panel_ccf70172-a85b-40e1-a616-b3b1e9a6088c", - "type": "visualization" - }, - { - "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", - "name": "6c932713-9d4b-430a-a799-6d31b45ecacf:panel_6c932713-9d4b-430a-a799-6d31b45ecacf", - "type": "visualization" - }, - { - "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", - "name": "c483ecaf-49f8-4dc5-b0f0-0e1339a67d22:panel_c483ecaf-49f8-4dc5-b0f0-0e1339a67d22", - "type": "visualization" - }, - { - "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", - "name": "90096c7a-a554-4a30-89a3-7d0d63ea804c:panel_90096c7a-a554-4a30-89a3-7d0d63ea804c", - "type": "visualization" - }, - { - "id": 
"netskope-37409a80-71db-11ec-8c4b-cb281099ee02", - "name": "cd490c17-67ea-4bd1-aa9a-88f1a9c139b5:panel_cd490c17-67ea-4bd1-aa9a-88f1a9c139b5", - "type": "visualization" - }, - { - "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", - "name": "0b6ca0f2-57a6-4e90-9592-56bb052d4ca7:panel_0b6ca0f2-57a6-4e90-9592-56bb052d4ca7", - "type": "visualization" - }, - { - "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", - "name": "650391d6-5467-4b6e-b529-f89b34cacdee:panel_650391d6-5467-4b6e-b529-f89b34cacdee", - "type": "visualization" - }, - { - "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", - "name": "6b8089ba-e257-40d5-847f-516759ce8475:panel_6b8089ba-e257-40d5-847f-516759ce8475", - "type": "visualization" - }, - { - "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", - "name": "2d4098eb-54b0-474e-81b5-75fc222cb341:panel_2d4098eb-54b0-474e-81b5-75fc222cb341", - "type": "visualization" - }, - { - "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", - "name": "bbc3957b-53a2-47dd-9760-56f8ceb5289d:panel_bbc3957b-53a2-47dd-9760-56f8ceb5289d", - "type": "visualization" - }, - { - "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", - "name": "37776b9c-bfc6-4c6f-9079-2c0d23fe4a89:panel_37776b9c-bfc6-4c6f-9079-2c0d23fe4a89", - "type": "visualization" - }, - { - "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", - "name": "690c706e-c8bc-4f19-ab9e-9ba64e268647:panel_690c706e-c8bc-4f19-ab9e-9ba64e268647", - "type": "visualization" - }, - { - "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", - "name": "3753bbb6-64ab-4b10-8526-232375c9da38:panel_3753bbb6-64ab-4b10-8526-232375c9da38", - "type": "visualization" - }, - { - "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", - "name": "ebec8d00-4d63-44cd-9970-4882fcf5108f:panel_ebec8d00-4d63-44cd-9970-4882fcf5108f", - "type": "visualization" - }, - { - "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", - "name": "97611e00-8013-43c4-856d-54b0e78313d5:panel_97611e00-8013-43c4-856d-54b0e78313d5", - 
"type": "visualization" - }, - { - "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", - "name": "32296ddd-d26c-431a-8227-7ee72592cb3e:panel_32296ddd-d26c-431a-8227-7ee72592cb3e", - "type": "visualization" - }, - { - "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", - "name": "1394aa3a-d711-4634-9623-5dbaff400068:panel_1394aa3a-d711-4634-9623-5dbaff400068", - "type": "visualization" - }, - { - "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", - "name": "4812c275-ae66-4de9-913e-4ebe6b8a7782:panel_4812c275-ae66-4de9-913e-4ebe6b8a7782", - "type": "visualization" - }, - { - "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", - "name": "5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc:panel_5a0aad03-2a3b-4dcf-97d0-dc6799f2cccc", - "type": "visualization" - }, - { - "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", - "name": "2be4e6e2-c325-4e05-9ed7-bb4534507f5a:panel_2be4e6e2-c325-4e05-9ed7-bb4534507f5a", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/dashboard/netskope-ae3f6d70-71e3-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/dashboard/netskope-ae3f6d70-71e3-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 1ef5de3f2e..0000000000 --- a/packages/netskope/1.0.0/kibana/dashboard/netskope-ae3f6d70-71e3-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,137 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"policy\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"policy\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"baaf2231-c596-479b-b0ad-238fc8c7405f\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"baaf2231-c596-479b-b0ad-238fc8c7405f\",\"panelRefName\":\"panel_baaf2231-c596-479b-b0ad-238fc8c7405f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"4202f297-6899-4b88-8d71-286c85369671\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4202f297-6899-4b88-8d71-286c85369671\",\"panelRefName\":\"panel_4202f297-6899-4b88-8d71-286c85369671\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5a6d5d65-1709-4f03-8bfb-f8fc721c932d\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"5a6d5d65-1709-4f03-8bfb-f8fc721c932d\",\"panelRefName\":\"panel_5a6d5d65-1709-4f03-8bfb-f8fc721c932d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"714f5073-96fc-4838-a2b3-987a3b62bc33\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"714f5073-96fc-4838-a2b3-987a3b62bc33\",\"panelRefName\":\"panel_714f5073-96fc-4838-a2b3-987a3b62bc33\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embed
dableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"323b1896-5cd9-4382-982c-7be72721ae48\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"323b1896-5cd9-4382-982c-7be72721ae48\",\"panelRefName\":\"panel_323b1896-5cd9-4382-982c-7be72721ae48\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bf72a578-2949-4de8-b4de-5d56b067efd0\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"bf72a578-2949-4de8-b4de-5d56b067efd0\",\"panelRefName\":\"panel_bf72a578-2949-4de8-b4de-5d56b067efd0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"069358fe-da68-4d45-a0f0-aa7eaa4c1db7\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"069358fe-da68-4d45-a0f0-aa7eaa4c1db7\",\"panelRefName\":\"panel_069358fe-da68-4d45-a0f0-aa7eaa4c1db7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f4521dff-0b61-4d7c-b86d-8cd3fe341b61\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"f4521dff-0b61-4d7c-b86d-8cd3fe341b61\",\"panelRefName\":\"panel_f4521dff-0b61-4d7c-b86d-8cd3fe341b61\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ca498f3d-dee7-4ad3-ad0b-92e9719890f6\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"ca498f3d-dee7-4ad3-ad0b-92e9719890f6\",\"panelRefName\":\"panel_ca498f3d-dee7-4ad3-ad0b-92e9719890f6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f7bb1094-f089-4f2d-98b2-8ad73597a045\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"f7bb1094-f089-4f2d-98b2-8ad73597a045\",\"panelRefName\":\"panel_f7bb1094-f089-4f2d-98b2-8ad73597a045\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"648b3fc0-5826-4478-a8a8-be02
ec93b757\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"648b3fc0-5826-4478-a8a8-be02ec93b757\",\"panelRefName\":\"panel_648b3fc0-5826-4478-a8a8-be02ec93b757\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5ac14a5f-c30a-4e76-8d13-984f21ceb9ba\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"5ac14a5f-c30a-4e76-8d13-984f21ceb9ba\",\"panelRefName\":\"panel_5ac14a5f-c30a-4e76-8d13-984f21ceb9ba\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"365a5a5d-0a5a-4723-935c-346fafc76c55\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"365a5a5d-0a5a-4723-935c-346fafc76c55\",\"panelRefName\":\"panel_365a5a5d-0a5a-4723-935c-346fafc76c55\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8dce8a31-9c43-4a5c-afcd-a0ca9cdda312\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"8dce8a31-9c43-4a5c-afcd-a0ca9cdda312\",\"panelRefName\":\"panel_8dce8a31-9c43-4a5c-afcd-a0ca9cdda312\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6bfbea77-62ee-49f6-a0c4-d38b5894a137\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"6bfbea77-62ee-49f6-a0c4-d38b5894a137\",\"panelRefName\":\"panel_6bfbea77-62ee-49f6-a0c4-d38b5894a137\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fd2a100e-72d7-4432-8fdf-2b8185964894\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"fd2a100e-72d7-4432-8fdf-2b8185964894\",\"panelRefName\":\"panel_fd2a100e-72d7-4432-8fdf-2b8185964894\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0a553ef7-103e-495c-9e6d-3e3fe2945fbe\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"0a553ef7-103e-495c-9e6d-3e3fe2945fbe\
",\"panelRefName\":\"panel_0a553ef7-103e-495c-9e6d-3e3fe2945fbe\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d7e9ce08-5c56-4606-a7c9-afc702edee17\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"d7e9ce08-5c56-4606-a7c9-afc702edee17\",\"panelRefName\":\"panel_d7e9ce08-5c56-4606-a7c9-afc702edee17\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"36f7a988-2b45-4ce1-b613-5a97f2708865\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"36f7a988-2b45-4ce1-b613-5a97f2708865\",\"panelRefName\":\"panel_36f7a988-2b45-4ce1-b613-5a97f2708865\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cbc5ad63-8ee6-4f93-8502-60ceb118e14e\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"cbc5ad63-8ee6-4f93-8502-60ceb118e14e\",\"panelRefName\":\"panel_cbc5ad63-8ee6-4f93-8502-60ceb118e14e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"162ca71c-5ea9-44d1-9667-c48682cd7292\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"162ca71c-5ea9-44d1-9667-c48682cd7292\",\"panelRefName\":\"panel_162ca71c-5ea9-44d1-9667-c48682cd7292\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4e858190-599f-4e73-8772-c8a0d3fe103f\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"4e858190-599f-4e73-8772-c8a0d3fe103f\",\"panelRefName\":\"panel_4e858190-599f-4e73-8772-c8a0d3fe103f\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Alerts] Policy", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-ae3f6d70-71e3-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02", - "name": "baaf2231-c596-479b-b0ad-238fc8c7405f:panel_baaf2231-c596-479b-b0ad-238fc8c7405f", - "type": "visualization" - }, - { - "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", - "name": "4202f297-6899-4b88-8d71-286c85369671:panel_4202f297-6899-4b88-8d71-286c85369671", - "type": "visualization" - }, - { - "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", - "name": "5a6d5d65-1709-4f03-8bfb-f8fc721c932d:panel_5a6d5d65-1709-4f03-8bfb-f8fc721c932d", - "type": "visualization" - }, - { - "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", - "name": "714f5073-96fc-4838-a2b3-987a3b62bc33:panel_714f5073-96fc-4838-a2b3-987a3b62bc33", - "type": "visualization" - }, - { - "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", - "name": "323b1896-5cd9-4382-982c-7be72721ae48:panel_323b1896-5cd9-4382-982c-7be72721ae48", - "type": "visualization" - }, - { - "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", - "name": "bf72a578-2949-4de8-b4de-5d56b067efd0:panel_bf72a578-2949-4de8-b4de-5d56b067efd0", - "type": "visualization" - }, - { - "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", - "name": "069358fe-da68-4d45-a0f0-aa7eaa4c1db7:panel_069358fe-da68-4d45-a0f0-aa7eaa4c1db7", - "type": "visualization" - }, - { - "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", - "name": "f4521dff-0b61-4d7c-b86d-8cd3fe341b61:panel_f4521dff-0b61-4d7c-b86d-8cd3fe341b61", - "type": "visualization" - }, - { - "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", - "name": "ca498f3d-dee7-4ad3-ad0b-92e9719890f6:panel_ca498f3d-dee7-4ad3-ad0b-92e9719890f6", - "type": "visualization" - }, - { - "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", - "name": "f7bb1094-f089-4f2d-98b2-8ad73597a045:panel_f7bb1094-f089-4f2d-98b2-8ad73597a045", - "type": "visualization" - }, - { - "id": 
"netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", - "name": "648b3fc0-5826-4478-a8a8-be02ec93b757:panel_648b3fc0-5826-4478-a8a8-be02ec93b757", - "type": "visualization" - }, - { - "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", - "name": "5ac14a5f-c30a-4e76-8d13-984f21ceb9ba:panel_5ac14a5f-c30a-4e76-8d13-984f21ceb9ba", - "type": "visualization" - }, - { - "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", - "name": "365a5a5d-0a5a-4723-935c-346fafc76c55:panel_365a5a5d-0a5a-4723-935c-346fafc76c55", - "type": "visualization" - }, - { - "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", - "name": "8dce8a31-9c43-4a5c-afcd-a0ca9cdda312:panel_8dce8a31-9c43-4a5c-afcd-a0ca9cdda312", - "type": "visualization" - }, - { - "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", - "name": "6bfbea77-62ee-49f6-a0c4-d38b5894a137:panel_6bfbea77-62ee-49f6-a0c4-d38b5894a137", - "type": "visualization" - }, - { - "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", - "name": "fd2a100e-72d7-4432-8fdf-2b8185964894:panel_fd2a100e-72d7-4432-8fdf-2b8185964894", - "type": "visualization" - }, - { - "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", - "name": "0a553ef7-103e-495c-9e6d-3e3fe2945fbe:panel_0a553ef7-103e-495c-9e6d-3e3fe2945fbe", - "type": "visualization" - }, - { - "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", - "name": "d7e9ce08-5c56-4606-a7c9-afc702edee17:panel_d7e9ce08-5c56-4606-a7c9-afc702edee17", - "type": "visualization" - }, - { - "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", - "name": "36f7a988-2b45-4ce1-b613-5a97f2708865:panel_36f7a988-2b45-4ce1-b613-5a97f2708865", - "type": "visualization" - }, - { - "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", - "name": "cbc5ad63-8ee6-4f93-8502-60ceb118e14e:panel_cbc5ad63-8ee6-4f93-8502-60ceb118e14e", - "type": "visualization" - }, - { - "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", - "name": "162ca71c-5ea9-44d1-9667-c48682cd7292:panel_162ca71c-5ea9-44d1-9667-c48682cd7292", - 
"type": "visualization" - }, - { - "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", - "name": "4e858190-599f-4e73-8772-c8a0d3fe103f:panel_4e858190-599f-4e73-8772-c8a0d3fe103f", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/dashboard/netskope-e538e5c0-71ea-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/dashboard/netskope-e538e5c0-71ea-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 36550b0059..0000000000 --- a/packages/netskope/1.0.0/kibana/dashboard/netskope-e538e5c0-71ea-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,147 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"DLP\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"DLP\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"729f9e92-d075-4a1a-bcf0-db456d39e724\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"729f9e92-d075-4a1a-bcf0-db456d39e724\",\"panelRefName\":\"panel_729f9e92-d075-4a1a-bcf0-db456d39e724\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1c47cf4d-6ec1-48fd-9db4-237bbf50dcde\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"1c47cf4d-6ec1-48fd-9db4-237bbf50dcde\",\"panelRefName\":\"panel_1c47cf4d-6ec1-48fd-9db4-237bbf50dcde\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc\",\"panelRefName\":\"panel_66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c\",\"panelRefName\":\"panel_e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c\",\"type\":\"visualization\",\"versio
n\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"92b187cb-5b44-404e-890b-fa8326868e36\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"92b187cb-5b44-404e-890b-fa8326868e36\",\"panelRefName\":\"panel_92b187cb-5b44-404e-890b-fa8326868e36\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9\",\"panelRefName\":\"panel_89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"23dfb547-1341-4b1a-9011-02f307aed221\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"23dfb547-1341-4b1a-9011-02f307aed221\",\"panelRefName\":\"panel_23dfb547-1341-4b1a-9011-02f307aed221\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b\",\"panelRefName\":\"panel_2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"faced4fb-cc57-4a4e-a51b-5b27fda57ab0\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"faced4fb-cc57-4a4e-a51b-5b27fda57ab0\",\"panelRefName\":\"panel_faced4fb-cc57-4a4e-a51b-5b27fda57ab0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a2bf7e9f-4500-4848-b180-0a567d702d6b\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"a2bf7e9f-4500-4848-b180-0a567d702d6b\",\"panelRefName\":\"panel_a2bf7e9f-4500-4848-b180-0a567d702d6b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"55bd
a241-c95f-4c9f-ad5b-8a199890b163\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"55bda241-c95f-4c9f-ad5b-8a199890b163\",\"panelRefName\":\"panel_55bda241-c95f-4c9f-ad5b-8a199890b163\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8eee17e1-802f-47f7-b29d-669762b68849\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"8eee17e1-802f-47f7-b29d-669762b68849\",\"panelRefName\":\"panel_8eee17e1-802f-47f7-b29d-669762b68849\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9175a01c-5781-4771-b5ab-fceaf12bfcc7\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"9175a01c-5781-4771-b5ab-fceaf12bfcc7\",\"panelRefName\":\"panel_9175a01c-5781-4771-b5ab-fceaf12bfcc7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"decfcd4a-6565-43ab-bccf-0ba7a992fd94\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"decfcd4a-6565-43ab-bccf-0ba7a992fd94\",\"panelRefName\":\"panel_decfcd4a-6565-43ab-bccf-0ba7a992fd94\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"41f74a84-f471-4895-9443-cdf02a955cd8\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"41f74a84-f471-4895-9443-cdf02a955cd8\",\"panelRefName\":\"panel_41f74a84-f471-4895-9443-cdf02a955cd8\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0\",\"panelRefName\":\"panel_ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f3a73b11-012a-4517-9a2f-623494321346\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"f3a73b11-012a
-4517-9a2f-623494321346\",\"panelRefName\":\"panel_f3a73b11-012a-4517-9a2f-623494321346\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f43a0df7-6e17-4523-891c-04e65c22ad22\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"f43a0df7-6e17-4523-891c-04e65c22ad22\",\"panelRefName\":\"panel_f43a0df7-6e17-4523-891c-04e65c22ad22\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"774541fd-cefb-422b-ac26-12f4b8528e7e\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"774541fd-cefb-422b-ac26-12f4b8528e7e\",\"panelRefName\":\"panel_774541fd-cefb-422b-ac26-12f4b8528e7e\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"38569123-9613-46c8-ae0f-10f87bee71ed\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"38569123-9613-46c8-ae0f-10f87bee71ed\",\"panelRefName\":\"panel_38569123-9613-46c8-ae0f-10f87bee71ed\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a9d1659e-0caf-416c-8520-f96b7e765fb1\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"a9d1659e-0caf-416c-8520-f96b7e765fb1\",\"panelRefName\":\"panel_a9d1659e-0caf-416c-8520-f96b7e765fb1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1e02ac55-c2e1-4383-a282-129bcf97ef4f\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"1e02ac55-c2e1-4383-a282-129bcf97ef4f\",\"panelRefName\":\"panel_1e02ac55-c2e1-4383-a282-129bcf97ef4f\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"89576865-7807-4305-abee-1b92248de9fc\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"89576865-7807-4305-abee-1b92248de9fc\",\"panelRefName\":\"panel_89576865-7807-4305-abee-1b92248de9fc\",\"type\":\"visualization\",\"
version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2b3e3a8f-4689-4aad-a5ef-8380200768c0\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"2b3e3a8f-4689-4aad-a5ef-8380200768c0\",\"panelRefName\":\"panel_2b3e3a8f-4689-4aad-a5ef-8380200768c0\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Alerts] DLP", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-e538e5c0-71ea-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-516130e0-71eb-11ec-8c4b-cb281099ee02", - "name": "729f9e92-d075-4a1a-bcf0-db456d39e724:panel_729f9e92-d075-4a1a-bcf0-db456d39e724", - "type": "visualization" - }, - { - "id": "netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02", - "name": "1c47cf4d-6ec1-48fd-9db4-237bbf50dcde:panel_1c47cf4d-6ec1-48fd-9db4-237bbf50dcde", - "type": "visualization" - }, - { - "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", - "name": "66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc:panel_66cb1e9c-2f52-409e-9c62-0ad6b92cdfcc", - "type": "visualization" - }, - { - "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", - "name": "e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c:panel_e77aa5dc-d13c-47fe-b1a0-9d31fef6f43c", - "type": "visualization" - }, - { - "id": "netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02", - "name": "92b187cb-5b44-404e-890b-fa8326868e36:panel_92b187cb-5b44-404e-890b-fa8326868e36", - "type": "visualization" - }, - { - "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", - "name": "89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9:panel_89cb7e35-d97e-4c2e-9d1c-49bf3825bfe9", - "type": "visualization" - }, - { - "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", - "name": "23dfb547-1341-4b1a-9011-02f307aed221:panel_23dfb547-1341-4b1a-9011-02f307aed221", - "type": "visualization" 
- }, - { - "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", - "name": "2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b:panel_2c03ec65-55cd-4a12-8949-3e4e0bf0fc4b", - "type": "visualization" - }, - { - "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", - "name": "faced4fb-cc57-4a4e-a51b-5b27fda57ab0:panel_faced4fb-cc57-4a4e-a51b-5b27fda57ab0", - "type": "visualization" - }, - { - "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", - "name": "a2bf7e9f-4500-4848-b180-0a567d702d6b:panel_a2bf7e9f-4500-4848-b180-0a567d702d6b", - "type": "visualization" - }, - { - "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", - "name": "55bda241-c95f-4c9f-ad5b-8a199890b163:panel_55bda241-c95f-4c9f-ad5b-8a199890b163", - "type": "visualization" - }, - { - "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", - "name": "8eee17e1-802f-47f7-b29d-669762b68849:panel_8eee17e1-802f-47f7-b29d-669762b68849", - "type": "visualization" - }, - { - "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", - "name": "9175a01c-5781-4771-b5ab-fceaf12bfcc7:panel_9175a01c-5781-4771-b5ab-fceaf12bfcc7", - "type": "visualization" - }, - { - "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", - "name": "decfcd4a-6565-43ab-bccf-0ba7a992fd94:panel_decfcd4a-6565-43ab-bccf-0ba7a992fd94", - "type": "visualization" - }, - { - "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", - "name": "41f74a84-f471-4895-9443-cdf02a955cd8:panel_41f74a84-f471-4895-9443-cdf02a955cd8", - "type": "visualization" - }, - { - "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", - "name": "ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0:panel_ce4172c4-1b4c-498a-8ee2-65af0c6a9cd0", - "type": "visualization" - }, - { - "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", - "name": "f3a73b11-012a-4517-9a2f-623494321346:panel_f3a73b11-012a-4517-9a2f-623494321346", - "type": "visualization" - }, - { - "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", - "name": 
"f43a0df7-6e17-4523-891c-04e65c22ad22:panel_f43a0df7-6e17-4523-891c-04e65c22ad22", - "type": "visualization" - }, - { - "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", - "name": "774541fd-cefb-422b-ac26-12f4b8528e7e:panel_774541fd-cefb-422b-ac26-12f4b8528e7e", - "type": "visualization" - }, - { - "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", - "name": "38569123-9613-46c8-ae0f-10f87bee71ed:panel_38569123-9613-46c8-ae0f-10f87bee71ed", - "type": "visualization" - }, - { - "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", - "name": "a9d1659e-0caf-416c-8520-f96b7e765fb1:panel_a9d1659e-0caf-416c-8520-f96b7e765fb1", - "type": "visualization" - }, - { - "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", - "name": "1e02ac55-c2e1-4383-a282-129bcf97ef4f:panel_1e02ac55-c2e1-4383-a282-129bcf97ef4f", - "type": "visualization" - }, - { - "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", - "name": "89576865-7807-4305-abee-1b92248de9fc:panel_89576865-7807-4305-abee-1b92248de9fc", - "type": "visualization" - }, - { - "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", - "name": "2b3e3a8f-4689-4aad-a5ef-8380200768c0:panel_2b3e3a8f-4689-4aad-a5ef-8380200768c0", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/dashboard/netskope-e6184f90-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/dashboard/netskope-e6184f90-72b6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 8f2f13b1cf..0000000000 --- a/packages/netskope/1.0.0/kibana/dashboard/netskope-e6184f90-72b6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"9b39019c-58f4-4613-9109-2865e86acee2\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"9b39019c-58f4-4613-9109-2865e86acee2\",\"panelRefName\":\"panel_9b39019c-58f4-4613-9109-2865e86acee2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ad69cae5-30ec-424e-b6b9-44e3d3979273\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"ad69cae5-30ec-424e-b6b9-44e3d3979273\",\"panelRefName\":\"panel_ad69cae5-30ec-424e-b6b9-44e3d3979273\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"8c6f7513-48aa-4457-ab23-7e528bfe1dcd\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"8c6f7513-48aa-4457-ab23-7e528bfe1dcd\",\"panelRefName\":\"panel_8c6f7513-48aa-4457-ab23-7e528bfe1dcd\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"fa6b11ac-3e40-4a52-9596-52d73081690d\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"fa6b11ac-3e40-4a52-9596-52d73081690d\",\"panelRefName\":\"panel_fa6b11ac-3e40-4a52-9596-52d73081690d\",\"type\":\"visualizat
ion\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a1e0af01-0501-4fa8-96ab-b5f8cccd50c3\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"a1e0af01-0501-4fa8-96ab-b5f8cccd50c3\",\"panelRefName\":\"panel_a1e0af01-0501-4fa8-96ab-b5f8cccd50c3\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745\",\"panelRefName\":\"panel_ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b7a38f86-d6e4-45d5-a490-34a522910597\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"b7a38f86-d6e4-45d5-a490-34a522910597\",\"panelRefName\":\"panel_b7a38f86-d6e4-45d5-a490-34a522910597\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5\",\"panelRefName\":\"panel_8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3729697c-99a7-44aa-b08f-956fbdd7fd52\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"3729697c-99a7-44aa-b08f-956fbdd7fd52\",\"panelRefName\":\"panel_3729697c-99a7-44aa-b08f-956fbdd7fd52\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"428a29ce-c3cf-4c1e-8884-28216396972a\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"428a29ce-c3cf-4c1e-8884-28216396972a\",\"panelRefName\":\"panel_428a29ce-c3cf-4c1e-8884-28216396972a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":1
5,\"i\":\"8236132e-146b-46b9-80c7-8566b41ac58c\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"8236132e-146b-46b9-80c7-8566b41ac58c\",\"panelRefName\":\"panel_8236132e-146b-46b9-80c7-8566b41ac58c\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"bc8801ce-4f2e-43ee-94f9-7dbed415fa95\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"bc8801ce-4f2e-43ee-94f9-7dbed415fa95\",\"panelRefName\":\"panel_bc8801ce-4f2e-43ee-94f9-7dbed415fa95\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"87729323-edef-43f8-9ec7-b9c3212ba067\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"87729323-edef-43f8-9ec7-b9c3212ba067\",\"panelRefName\":\"panel_87729323-edef-43f8-9ec7-b9c3212ba067\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6ae15ec6-52a8-4037-82f4-0c6d6438a301\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"6ae15ec6-52a8-4037-82f4-0c6d6438a301\",\"panelRefName\":\"panel_6ae15ec6-52a8-4037-82f4-0c6d6438a301\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"014d7310-feb8-4078-9ff4-4174cf8f0c7a\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"014d7310-feb8-4078-9ff4-4174cf8f0c7a\",\"panelRefName\":\"panel_014d7310-feb8-4078-9ff4-4174cf8f0c7a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"29065c13-ac1a-49d3-a76e-de75726936ac\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"29065c13-ac1a-49d3-a76e-de75726936ac\",\"panelRefName\":\"panel_29065c13-ac1a-49d3-a76e-de75726936ac\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"49f8d21b-3a7b-4d6e-a478-e815766c292a\",\"w\":24,\"x\":
0,\"y\":120},\"panelIndex\":\"49f8d21b-3a7b-4d6e-a478-e815766c292a\",\"panelRefName\":\"panel_49f8d21b-3a7b-4d6e-a478-e815766c292a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"13b86156-05e3-4be7-98b9-1e4b9833c411\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"13b86156-05e3-4be7-98b9-1e4b9833c411\",\"panelRefName\":\"panel_13b86156-05e3-4be7-98b9-1e4b9833c411\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8\",\"panelRefName\":\"panel_fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1aa39804-8029-4770-bc25-e2e94a29e83b\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"1aa39804-8029-4770-bc25-e2e94a29e83b\",\"panelRefName\":\"panel_1aa39804-8029-4770-bc25-e2e94a29e83b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"85675e54-cd8f-4ca1-b0a6-e4f2766011e2\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"85675e54-cd8f-4ca1-b0a6-e4f2766011e2\",\"panelRefName\":\"panel_85675e54-cd8f-4ca1-b0a6-e4f2766011e2\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope][Events] Page", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-e6184f90-72b6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "netskope-914898a0-72af-11ec-8c4b-cb281099ee02", - "name": "9b39019c-58f4-4613-9109-2865e86acee2:panel_9b39019c-58f4-4613-9109-2865e86acee2", - "type": "visualization" - }, 
- { - "id": "netskope-c01026d0-72af-11ec-8c4b-cb281099ee02", - "name": "ad69cae5-30ec-424e-b6b9-44e3d3979273:panel_ad69cae5-30ec-424e-b6b9-44e3d3979273", - "type": "visualization" - }, - { - "id": "netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02", - "name": "8c6f7513-48aa-4457-ab23-7e528bfe1dcd:panel_8c6f7513-48aa-4457-ab23-7e528bfe1dcd", - "type": "visualization" - }, - { - "id": "netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02", - "name": "fa6b11ac-3e40-4a52-9596-52d73081690d:panel_fa6b11ac-3e40-4a52-9596-52d73081690d", - "type": "visualization" - }, - { - "id": "netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02", - "name": "a1e0af01-0501-4fa8-96ab-b5f8cccd50c3:panel_a1e0af01-0501-4fa8-96ab-b5f8cccd50c3", - "type": "visualization" - }, - { - "id": "netskope-528169b0-72b6-11ec-8c4b-cb281099ee02", - "name": "ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745:panel_ecbf5a0c-05d8-4bdc-9ad6-9f928c7d9745", - "type": "visualization" - }, - { - "id": "netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02", - "name": "b7a38f86-d6e4-45d5-a490-34a522910597:panel_b7a38f86-d6e4-45d5-a490-34a522910597", - "type": "visualization" - }, - { - "id": "netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02", - "name": "8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5:panel_8db6d9a0-afd6-4d8a-9e4c-d85a8b9cccc5", - "type": "visualization" - }, - { - "id": "netskope-40a01500-72db-11ec-8c4b-cb281099ee02", - "name": "3729697c-99a7-44aa-b08f-956fbdd7fd52:panel_3729697c-99a7-44aa-b08f-956fbdd7fd52", - "type": "visualization" - }, - { - "id": "netskope-891546c0-72db-11ec-8c4b-cb281099ee02", - "name": "428a29ce-c3cf-4c1e-8884-28216396972a:panel_428a29ce-c3cf-4c1e-8884-28216396972a", - "type": "visualization" - }, - { - "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", - "name": "8236132e-146b-46b9-80c7-8566b41ac58c:panel_8236132e-146b-46b9-80c7-8566b41ac58c", - "type": "visualization" - }, - { - "id": "netskope-41932530-72a7-11ec-8c4b-cb281099ee02", - "name": 
"bc8801ce-4f2e-43ee-94f9-7dbed415fa95:panel_bc8801ce-4f2e-43ee-94f9-7dbed415fa95", - "type": "visualization" - }, - { - "id": "netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02", - "name": "87729323-edef-43f8-9ec7-b9c3212ba067:panel_87729323-edef-43f8-9ec7-b9c3212ba067", - "type": "visualization" - }, - { - "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", - "name": "6ae15ec6-52a8-4037-82f4-0c6d6438a301:panel_6ae15ec6-52a8-4037-82f4-0c6d6438a301", - "type": "visualization" - }, - { - "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", - "name": "014d7310-feb8-4078-9ff4-4174cf8f0c7a:panel_014d7310-feb8-4078-9ff4-4174cf8f0c7a", - "type": "visualization" - }, - { - "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", - "name": "29065c13-ac1a-49d3-a76e-de75726936ac:panel_29065c13-ac1a-49d3-a76e-de75726936ac", - "type": "visualization" - }, - { - "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", - "name": "49f8d21b-3a7b-4d6e-a478-e815766c292a:panel_49f8d21b-3a7b-4d6e-a478-e815766c292a", - "type": "visualization" - }, - { - "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", - "name": "13b86156-05e3-4be7-98b9-1e4b9833c411:panel_13b86156-05e3-4be7-98b9-1e4b9833c411", - "type": "visualization" - }, - { - "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", - "name": "fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8:panel_fb4d6560-8b66-4ed2-b848-94dcf4d1d8b8", - "type": "visualization" - }, - { - "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", - "name": "1aa39804-8029-4770-bc25-e2e94a29e83b:panel_1aa39804-8029-4770-bc25-e2e94a29e83b", - "type": "visualization" - }, - { - "id": "netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02", - "name": "85675e54-cd8f-4ca1-b0a6-e4f2766011e2:panel_85675e54-cd8f-4ca1-b0a6-e4f2766011e2", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/dashboard/netskope-f181cba0-71d9-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/dashboard/netskope-f181cba0-71d9-11ec-8c4b-cb281099ee02.json
deleted file mode 100755
index f6150287fe..0000000000
--- a/packages/netskope/1.0.0/kibana/dashboard/netskope-f181cba0-71d9-11ec-8c4b-cb281099ee02.json
+++ /dev/null
@@ -1,137 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":5,\"i\":\"7b3d09e3-1987-4202-a3a7-6f0ea3c441d3\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"7b3d09e3-1987-4202-a3a7-6f0ea3c441d3\",\"panelRefName\":\"panel_7b3d09e3-1987-4202-a3a7-6f0ea3c441d3\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"a6294ee5-eaed-4c98-9e3d-2ddcc1c24649\",\"w\":24,\"x\":0,\"y\":5},\"panelIndex\":\"a6294ee5-eaed-4c98-9e3d-2ddcc1c24649\",\"panelRefName\":\"panel_a6294ee5-eaed-4c98-9e3d-2ddcc1c24649\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"3f9bbd86-5074-4a11-82e0-dd80b2727b63\",\"w\":24,\"x\":24,\"y\":5},\"panelIndex\":\"3f9bbd86-5074-4a11-82e0-dd80b2727b63\",\"panelRefName\":\"panel_3f9bbd86-5074-4a11-82e0-dd80b2727b63\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"758d5f91-4e32-4dba-b9a2-78dd39a2ae33\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"758d5f91-4e32-4dba-b9a2-78dd39a2ae33\",\"panelRefName\":\"panel_758d5f91-4e32-4dba-b9a2-78dd39a2ae33\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"50a67c99-45bf-4877-a02a-1c2fbabf5a7d\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"50a67c99-45bf-4877-a02a-1c2fbabf5a7d\",\"panelRefName\":\"panel_50a67c99-45bf-4877-a02a-1c2fbabf5a7d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\
"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a\",\"panelRefName\":\"panel_92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e71428cd-6aa7-410e-9401-b00c6661589d\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"e71428cd-6aa7-410e-9401-b00c6661589d\",\"panelRefName\":\"panel_e71428cd-6aa7-410e-9401-b00c6661589d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5296e207-4ad5-4936-b802-7a57e9bad6f5\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"5296e207-4ad5-4936-b802-7a57e9bad6f5\",\"panelRefName\":\"panel_5296e207-4ad5-4936-b802-7a57e9bad6f5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e6adbd85-a30a-4210-a05a-0c56c2362657\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"e6adbd85-a30a-4210-a05a-0c56c2362657\",\"panelRefName\":\"panel_e6adbd85-a30a-4210-a05a-0c56c2362657\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2\",\"w\":24,\"x\":0,\"y\":65},\"panelIndex\":\"3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2\",\"panelRefName\":\"panel_3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a7581748-99c7-4a63-aa09-61a0c039fe4b\",\"w\":24,\"x\":24,\"y\":65},\"panelIndex\":\"a7581748-99c7-4a63-aa09-61a0c039fe4b\",\"panelRefName\":\"panel_a7581748-99c7-4a63-aa09-61a0c039fe4b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"651622f6-9e33-486b-b99
6-6fe0a89d3ad9\",\"w\":24,\"x\":0,\"y\":80},\"panelIndex\":\"651622f6-9e33-486b-b996-6fe0a89d3ad9\",\"panelRefName\":\"panel_651622f6-9e33-486b-b996-6fe0a89d3ad9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"454a5cbd-3538-4448-84fc-b0f83c8a1970\",\"w\":24,\"x\":24,\"y\":80},\"panelIndex\":\"454a5cbd-3538-4448-84fc-b0f83c8a1970\",\"panelRefName\":\"panel_454a5cbd-3538-4448-84fc-b0f83c8a1970\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bcd9b35e-19ef-42d9-847a-d7518a21b0d9\",\"w\":24,\"x\":0,\"y\":95},\"panelIndex\":\"bcd9b35e-19ef-42d9-847a-d7518a21b0d9\",\"panelRefName\":\"panel_bcd9b35e-19ef-42d9-847a-d7518a21b0d9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"22dad9c8-4909-4efa-9f59-02a3ca979151\",\"w\":24,\"x\":24,\"y\":95},\"panelIndex\":\"22dad9c8-4909-4efa-9f59-02a3ca979151\",\"panelRefName\":\"panel_22dad9c8-4909-4efa-9f59-02a3ca979151\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8c6ab1fd-e0c5-438b-b0c9-392d90c273b1\",\"w\":24,\"x\":0,\"y\":110},\"panelIndex\":\"8c6ab1fd-e0c5-438b-b0c9-392d90c273b1\",\"panelRefName\":\"panel_8c6ab1fd-e0c5-438b-b0c9-392d90c273b1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a5927e76-29f1-4c6b-85e0-ed1dee3de6c9\",\"w\":24,\"x\":24,\"y\":110},\"panelIndex\":\"a5927e76-29f1-4c6b-85e0-ed1dee3de6c9\",\"panelRefName\":\"panel_a5927e76-29f1-4c6b-85e0-ed1dee3de6c9\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7846948a-db42-497c-b956-ac5d7dd7383d\",\"w\":24,\"x\":0,\"y\":140},\"panelIndex\":\"7846948a-db42-497c-b956-ac5d7dd
7383d\",\"panelRefName\":\"panel_7846948a-db42-497c-b956-ac5d7dd7383d\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8cb62986-e557-4d71-8de0-6f88ec7535d8\",\"w\":24,\"x\":24,\"y\":125},\"panelIndex\":\"8cb62986-e557-4d71-8de0-6f88ec7535d8\",\"panelRefName\":\"panel_8cb62986-e557-4d71-8de0-6f88ec7535d8\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"de6f44ab-bef8-4518-bbb0-4afde2144001\",\"w\":24,\"x\":0,\"y\":125},\"panelIndex\":\"de6f44ab-bef8-4518-bbb0-4afde2144001\",\"panelRefName\":\"panel_de6f44ab-bef8-4518-bbb0-4afde2144001\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b2e8e6c8-d585-49c1-ba49-5a8c4fab5080\",\"w\":24,\"x\":24,\"y\":140},\"panelIndex\":\"b2e8e6c8-d585-49c1-ba49-5a8c4fab5080\",\"panelRefName\":\"panel_b2e8e6c8-d585-49c1-ba49-5a8c4fab5080\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d1633b77-5ee0-42ed-995f-d5e01cef7d3b\",\"w\":24,\"x\":0,\"y\":155},\"panelIndex\":\"d1633b77-5ee0-42ed-995f-d5e01cef7d3b\",\"panelRefName\":\"panel_d1633b77-5ee0-42ed-995f-d5e01cef7d3b\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"17fbf33c-a3be-4e8e-afae-195fb4a37fa8\",\"w\":24,\"x\":24,\"y\":155},\"panelIndex\":\"17fbf33c-a3be-4e8e-afae-195fb4a37fa8\",\"panelRefName\":\"panel_17fbf33c-a3be-4e8e-afae-195fb4a37fa8\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Netskope] Alerts Overview", - "version": 1 - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-f181cba0-71d9-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": 
"netskope-de309310-71d9-11ec-8c4b-cb281099ee02", - "name": "7b3d09e3-1987-4202-a3a7-6f0ea3c441d3:panel_7b3d09e3-1987-4202-a3a7-6f0ea3c441d3", - "type": "visualization" - }, - { - "id": "netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02", - "name": "a6294ee5-eaed-4c98-9e3d-2ddcc1c24649:panel_a6294ee5-eaed-4c98-9e3d-2ddcc1c24649", - "type": "visualization" - }, - { - "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", - "name": "3f9bbd86-5074-4a11-82e0-dd80b2727b63:panel_3f9bbd86-5074-4a11-82e0-dd80b2727b63", - "type": "visualization" - }, - { - "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", - "name": "758d5f91-4e32-4dba-b9a2-78dd39a2ae33:panel_758d5f91-4e32-4dba-b9a2-78dd39a2ae33", - "type": "visualization" - }, - { - "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", - "name": "50a67c99-45bf-4877-a02a-1c2fbabf5a7d:panel_50a67c99-45bf-4877-a02a-1c2fbabf5a7d", - "type": "visualization" - }, - { - "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", - "name": "92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a:panel_92098d7d-bd52-4b7c-8fc2-c38f0aca5c1a", - "type": "visualization" - }, - { - "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", - "name": "e71428cd-6aa7-410e-9401-b00c6661589d:panel_e71428cd-6aa7-410e-9401-b00c6661589d", - "type": "visualization" - }, - { - "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", - "name": "5296e207-4ad5-4936-b802-7a57e9bad6f5:panel_5296e207-4ad5-4936-b802-7a57e9bad6f5", - "type": "visualization" - }, - { - "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", - "name": "e6adbd85-a30a-4210-a05a-0c56c2362657:panel_e6adbd85-a30a-4210-a05a-0c56c2362657", - "type": "visualization" - }, - { - "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", - "name": "3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2:panel_3cbd8e3d-7d76-4ba3-8355-a23cf9465ee2", - "type": "visualization" - }, - { - "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", - "name": "a7581748-99c7-4a63-aa09-61a0c039fe4b:panel_a7581748-99c7-4a63-aa09-61a0c039fe4b", - 
"type": "visualization" - }, - { - "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", - "name": "651622f6-9e33-486b-b996-6fe0a89d3ad9:panel_651622f6-9e33-486b-b996-6fe0a89d3ad9", - "type": "visualization" - }, - { - "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", - "name": "454a5cbd-3538-4448-84fc-b0f83c8a1970:panel_454a5cbd-3538-4448-84fc-b0f83c8a1970", - "type": "visualization" - }, - { - "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", - "name": "bcd9b35e-19ef-42d9-847a-d7518a21b0d9:panel_bcd9b35e-19ef-42d9-847a-d7518a21b0d9", - "type": "visualization" - }, - { - "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", - "name": "22dad9c8-4909-4efa-9f59-02a3ca979151:panel_22dad9c8-4909-4efa-9f59-02a3ca979151", - "type": "visualization" - }, - { - "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", - "name": "8c6ab1fd-e0c5-438b-b0c9-392d90c273b1:panel_8c6ab1fd-e0c5-438b-b0c9-392d90c273b1", - "type": "visualization" - }, - { - "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", - "name": "a5927e76-29f1-4c6b-85e0-ed1dee3de6c9:panel_a5927e76-29f1-4c6b-85e0-ed1dee3de6c9", - "type": "visualization" - }, - { - "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", - "name": "7846948a-db42-497c-b956-ac5d7dd7383d:panel_7846948a-db42-497c-b956-ac5d7dd7383d", - "type": "visualization" - }, - { - "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", - "name": "8cb62986-e557-4d71-8de0-6f88ec7535d8:panel_8cb62986-e557-4d71-8de0-6f88ec7535d8", - "type": "visualization" - }, - { - "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", - "name": "de6f44ab-bef8-4518-bbb0-4afde2144001:panel_de6f44ab-bef8-4518-bbb0-4afde2144001", - "type": "visualization" - }, - { - "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", - "name": "b2e8e6c8-d585-49c1-ba49-5a8c4fab5080:panel_b2e8e6c8-d585-49c1-ba49-5a8c4fab5080", - "type": "visualization" - }, - { - "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", - "name": 
"d1633b77-5ee0-42ed-995f-d5e01cef7d3b:panel_d1633b77-5ee0-42ed-995f-d5e01cef7d3b", - "type": "visualization" - }, - { - "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", - "name": "17fbf33c-a3be-4e8e-afae-195fb4a37fa8:panel_17fbf33c-a3be-4e8e-afae-195fb4a37fa8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-03150a40-720b-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-03150a40-720b-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index e63d8d3ea0..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-03150a40-720b-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.telemetry.app\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.telemetry.app\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by Telemetery App", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Telemetry 
App\",\"exclude\":\"none\",\"field\":\"netskope.alerts.telemetry.app\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of UBA Alerts by Telemetery App\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-03150a40-720b-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - 
"type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index de6a746151..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.access_method\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.access_method\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Access Method", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Access Method\",\"field\":\"netskope.events.access_method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Access Method\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-06bf2da0-72a7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-0922ae70-720a-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-0922ae70-720a-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 65bda788f2..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-0922ae70-720a-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.type\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.page.site\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.page.site\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Page Site", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Page Site\",\"field\":\"netskope.alerts.page.site\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Page Site\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-0922ae70-720a-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 82e9f663f4..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.category.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.category.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"netskope.events.category.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\
"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by Category\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-0e9511e0-72aa-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index d150083ad3..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.os.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.os.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by OS", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"user_agent.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by OS\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-0f05ca90-7456-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-187e0140-71f5-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-187e0140-71f5-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 97177729c6..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-187e0140-71f5-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.sa.rule.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.sa.rule.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Top 10 Security Assessment Rule Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Security Assessment Rule Name\",\"field\":\"netskope.alerts.sa.rule.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Security Assessment Rule Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-187e0140-71f5-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": 
"7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 155dfcfe37..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.activity.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.activity.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by Activity", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Activity\",\"field\":\"netskope.alerts.activity.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"
color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Activity\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-1b3226c0-71df-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 7dcdb32b6d..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.tunnel.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.type\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.tunnel.up_time\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.up_time\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Tunnel Uptime Over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Tunnel 
Uptime\",\"field\":\"netskope.events.tunnel.up_time\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Tunnel Type\",\"field\":\"netskope.events.tunnel.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Tunnel 
Uptime\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Tunnel Uptime\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Tunnel Uptime Over Time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-2044d2a0-72ae-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-24907420-72b0-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-24907420-72b0-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 06e6a0996b..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-24907420-72b0-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Severity Level Over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Severity 
Level\",\"field\":\"netskope.events.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Severity Level Over Time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-24907420-72b0-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 1db1e211f9..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"DLP\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"DLP\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.dlp.file\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.dlp.file\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 DLP Files", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"DLP Files\",\"field\":\"netskope.alerts.dlp.file\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 DLP Files\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-25b07fa0-71eb-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index b076fbb38e..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"file.mime_type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"file.mime_type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 File Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"File Types\",\"field\":\"file.mime_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 File Types\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-26d9c5c0-71dd-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-2b81f870-71da-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-2b81f870-71da-11ec-8c4b-cb281099ee02.json
deleted file mode 100755
index 1aeeb1b3e6..0000000000
--- a/packages/netskope/1.0.0/kibana/visualization/netskope-2b81f870-71da-11ec-8c4b-cb281099ee02.json
+++ /dev/null
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.access_method\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.access_method\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by Access Method", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Access Method\",\"field\":\"netskope.alerts.access_method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Access Method\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-2b81f870-71da-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index fbf09761cb..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.policy.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.policy.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 UBA Policy", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"netskope.alerts.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 UBA Policy\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-301d9fd0-720a-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 0362694068..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.managed.app\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.managed.app\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by Percentage of Managed Apps", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Managed 
App\",\"field\":\"netskope.alerts.managed.app\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts by Percentage of Managed Apps\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-304fa1c0-7209-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-327320f0-72ac-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-327320f0-72ac-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index dd7813210d..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-327320f0-72ac-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.tunnel.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Network Events by Tunnel Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Tunnel 
Type\",\"field\":\"netskope.events.tunnel.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Network Events by Tunnel Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-327320f0-72ac-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-357672b0-72a8-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-357672b0-72a8-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 55fea541c8..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-357672b0-72a8-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.site\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.site\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Sites", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Site\",\"field\":\"netskope.events.site\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Sites\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-357672b0-72a8-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-37409a80-71db-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-37409a80-71db-11ec-8c4b-cb281099ee02.json
deleted file mode 100755
index 3b2074fa94..0000000000
--- a/packages/netskope/1.0.0/kibana/visualization/netskope-37409a80-71db-11ec-8c4b-cb281099ee02.json
+++ /dev/null
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.app.category\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.app.category\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Distribution of Alerts by App Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"App Category\",\"field\":\"netskope.alerts.app.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine
\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by App Category\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-37409a80-71db-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index a5bcfcf409..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.threshold.value\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.threshold.value\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Max Threshold Value per User", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threshold 
Value\",\"field\":\"netskope.alerts.threshold.value\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Max Threshold Value per User\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-3ec223c0-720b-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-40a01500-72db-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-40a01500-72db-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index e233be9f9a..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-40a01500-72db-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"source.geo.city_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.city_name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"source.geo.region_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.region_name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"source.geo.country_iso_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.country_iso_code\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Source Location, Source Region, Source Country", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Location\",\"field\":\"source.geo.city_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source 
Region\",\"field\":\"source.geo.region_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Source Location, Source Region, Source Country\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-40a01500-72db-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-41932530-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-41932530-72a7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 75dd366a3f..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-41932530-72a7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.device.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.device.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Device", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"netskope.events.device.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Device\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-41932530-72a7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-464ce970-72b7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-464ce970-72b7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 0291951a06..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-464ce970-72b7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.tunnel.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.type\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.tunnel.up_time\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.tunnel.up_time\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Highest Tunnel Uptime for Tunnel Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Max Tunnel Uptime\",\"field\":\"netskope.events.tunnel.up_time\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Tunnel 
Type\",\"field\":\"netskope.events.tunnel.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Highest Tunnel Uptime for Tunnel Type\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-464ce970-72b7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-47132800-72a9-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-47132800-72a9-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 7636bd384a..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-47132800-72a9-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.ccl\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.ccl\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Cloud Confidence Level", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cloud Confidence Level\",\"field\":\"netskope.events.ccl\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"c
olor\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by Cloud Confidence Level\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-47132800-72a9-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 8308ba4195..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.ccl\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.ccl\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Trend of Cloud Confidence Level Over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Cloud Confidence 
Level\",\"field\":\"netskope.alerts.ccl\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Trend of Cloud Confidence Level Over Time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-4a1cfbc0-71dc-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - 
"type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-516130e0-71eb-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-516130e0-71eb-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index f08ad9f6bf..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-516130e0-71eb-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"DLP\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"DLP\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.dlp.rule.severity\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.dlp.rule.severity\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of DLP Alerts by DLP Rule Severity", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"DLP Rule 
Severity\",\"field\":\"netskope.alerts.dlp.rule.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of DLP Alerts by DLP Rule Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-516130e0-71eb-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 72987c814c..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user_agent.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.version\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Browser, Browser Version", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Browser\",\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":2},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user_agent.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Browser, Browser Version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-51bf6fb0-72aa-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-528169b0-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-528169b0-72b6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index ff92cee1a0..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-528169b0-72b6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.domain\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.domain\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Domain Accessed by Page Events", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domain\",\"field\":\"netskope.events.domain\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Domain Accessed by Page Events\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-528169b0-72b6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - 
"name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-55144a90-72ab-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-55144a90-72ab-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index ece13da665..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-55144a90-72ab-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.policy.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.policy.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Policy used", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"netskope.events.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Policy used\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-55144a90-72ab-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index ea167e2cc1..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.object.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.object.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by Object Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Object Type\",\"field\":\"netskope.alerts.object.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"
color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Object Type\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-55b418a0-71dd-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 8c2a0beaab..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.action\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"event.action\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Network Events by Action", - "uiStateJSON": "{}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Network Events by Action\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-5982c0e0-72ae-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 08db6fd3dc..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.policy.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.policy.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Policy for Quarantine Alerts", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"netskope.alerts.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Policy for Quarantine Alerts\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-5b54d5f0-71f7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 5bc1f93605..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"policy\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"policy\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.alert.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.alert.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Distribution of Policy Alerts by Alert Name ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert 
Name\",\"field\":\"netskope.alerts.alert.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Policy Alerts by Alert Name \",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-5def8dc0-71e6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" 
- }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-5e243140-72b5-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-5e243140-72b5-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 264570500c..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-5e243140-72b5-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.app.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.app.name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.app.activity\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.app.activity\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Application Activities by Application", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Application 
Activities\",\"field\":\"netskope.events.app.activity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Application\",\"field\":\"netskope.events.app.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Application Activities by Application\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-5e243140-72b5-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index c8ee17f5e9..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.app.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.app.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Application Activities", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Applications\",\"field\":\"netskope.events.app.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Application Activities\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-5efbfc00-72a7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-5f452920-71da-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-5f452920-71da-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 585f434e24..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-5f452920-71da-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.acked\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.acked\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Distribution of Alerts by Acknowledgement", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"netskope.alerts.acked : false\"},\"label\":\"False\"},{\"input\":{\"language\":\"kuery\",\"query\":\"netskope.alerts.acked : true\"},\"label\":\"True\"}]},\"schema\":\"segment\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Acknowledgement\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-5f452920-71da-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-648c79d0-720a-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-648c79d0-720a-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 35dd2ab157..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-648c79d0-720a-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.policy.actions\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.policy.actions\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by Policy Action", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy 
Action\",\"field\":\"netskope.alerts.policy.actions\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts by Policy Action\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-648c79d0-720a-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index a6e659852a..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"source.geo.country_iso_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.country_iso_code\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Source Country", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Source Country\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-662de6e0-71e0-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-719e0f30-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-719e0f30-72af-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index b66ef1d6cd..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-719e0f30-72af-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"infrastructure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"infrastructure\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.device.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.device.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Infrastructure Events by Device Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device 
Name\",\"field\":\"netskope.events.device.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":8},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Infrastructure Events by Device Name\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-719e0f30-72af-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index a801c22acc..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.page\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.page\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Page Accessed by Page Events", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Page\",\"field\":\"netskope.events.page\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Page Accessed by Page Events\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-75f900b0-72b6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index c50947064c..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.ip.protocol\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.ip.protocol\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Networks Events by IP Protocol", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IP 
Protocol\",\"field\":\"netskope.events.ip.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Networks Events by IP Protocol\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-7d1142a0-72ab-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 8bc7685fcb..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.region.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.region.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of SA Alerts by Region Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Region 
Name\",\"field\":\"netskope.alerts.region.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of SA Alerts by Region Name\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-7d7e2260-71f4-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index d51452f475..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.file.lang\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.file.lang\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by File Language ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"File Language\",\"field\":\"netskope.alerts.file.lang\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"c
olor\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by File Language \",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-7edc5f60-71df-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 5f68195714..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.site\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.site\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Site", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Site\",\"field\":\"netskope.alerts.site\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Site\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-7f41e9e0-71dd-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 9453bd293f..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.ccl\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.ccl\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Distribution of Alerts by Cloud Confidence Level", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cloud Confidence Level\",\"field\":\"netskope.alerts.ccl\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"c
olor\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Cloud Confidence Level\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-7f8d83c0-71db-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 65c66d83c7..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.orig_ty\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.orig_ty\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by Event Type of Original Event ", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event type of Original 
Event\",\"field\":\"netskope.alerts.orig_ty\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts by Event Type of Original Event \",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-7f9d2540-7209-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 179a06a4ba..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.access_method\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.access_method\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user.email\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user.email\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top Users By Access Method", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Access 
Method\",\"field\":\"netskope.events.access_method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top Users By Access Method\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-83fa5a10-72a7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-8705deb0-71de-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-8705deb0-71de-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index b21098fd2a..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-8705deb0-71de-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.type\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user.email\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user.email\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Top 10 Alert Type by User ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"netskope.alerts.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":11},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":11},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Alert Type by User 
\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-8705deb0-71de-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-891546c0-72db-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-891546c0-72db-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 63cd952080..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-891546c0-72db-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"destination.geo.country_iso_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.country_iso_code\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"destination.geo.region_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.region_name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"destination.geo.city_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.city_name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Destination Location, Destination Region, Destination Country", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Location\",\"field\":\"destination.geo.city_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination 
Region\",\"field\":\"destination.geo.region_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Country\",\"field\":\"destination.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Destination Location, Destination Region, Destination Country\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-891546c0-72db-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 24544002e8..0000000000 
--- a/packages/netskope/1.0.0/kibana/visualization/netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.quarantine.original.shared\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.quarantine.original.shared\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Quarantine Events by File Shared ", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"File 
Shared\",\"field\":\"netskope.alerts.quarantine.original.shared\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Quarantine Events by File Shared \",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-8c226d50-71f7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 26b81c25f7..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"source.geo.city_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.city_name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Source Location", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Location\",\"field\":\"source.geo.city_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Source Location\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-8efd9840-71e0-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index aa1a3fd85e..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.audit.log.event\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.audit.log.event\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Audit Events by User, Audit Log Event", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Audit Log 
Event\",\"field\":\"netskope.events.audit.log.event\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Distribution of Audit Events by User, Audit Log Event\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-8fc2c680-72b0-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-914898a0-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-914898a0-72af-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 0510139e15..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-914898a0-72af-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Severity", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"netskope.events.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-914898a0-72af-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-917c9230-72b5-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-917c9230-72b5-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index dbdd28303a..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-917c9230-72b5-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.object.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.object.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Objects which is being acted on", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Object\",\"field\":\"netskope.events.object.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Objects which is being acted on\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-917c9230-72b5-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ 
- { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 53cadf2c6b..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.ccl\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.ccl\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Trend of Cloud Confidence Level Over Time for Events", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Cloud Confidence 
Level\",\"field\":\"netskope.events.ccl\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Trend of Cloud Confidence Level Over Time for Events\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-93433ee0-72a9-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": 
"index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 95533fb16a..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Distribution of Alerts by Browser", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Browser\",\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Browser\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-9b93d9d0-71da-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index b2644fad90..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.alert.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.alert.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Security Assessment Alert Names", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Name\",\"field\":\"netskope.alerts.alert.name\",\"json\":\"\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Security Assessment Alert Names\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-9c6d6030-71f6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, 
- "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 6b50b42626..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"network\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"network\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"network.protocol\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Networks Events by Protocol", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Networks Events by 
Protocol\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a2047d20-72ab-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 344a4153b5..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Application Events by Browser", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Browser\",\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Application Events by Browser\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a3c6c270-745f-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", 
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 613ab40309..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.request.count\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.request.count\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.page\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.page\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Request Count for Page", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Request 
Count\",\"field\":\"netskope.events.request.count\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Page\",\"field\":\"netskope.events.page\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Request Count for Page\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a3e5e650-72b6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index c7a1d45680..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.object.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.object.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Application Events by Object Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Object 
Type\",\"field\":\"netskope.events.object.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Application Events by Object Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a44f4160-72b4-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-a4745040-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-a4745040-71dd-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 3972019d7b..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-a4745040-71dd-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.traffic.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.traffic.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by Traffic Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Traffic Type\",\"field\":\"netskope.alerts.traffic.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Traffic Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a4745040-71dd-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", 
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index bf2807eacf..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "[Netskope][Events] Select Event Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"netskope.events.event_type\",\"id\":\"1641881851553\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Event Type Selection\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"[Netskope][Events] Select Event Type\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a6e2ecf0-72a6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 8dc80cbff7..0000000000 
--- a/packages/netskope/1.0.0/kibana/visualization/netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by Severity", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"netskope.alerts.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] 
Distribution of UBA Alerts by Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-a8fb1770-720a-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index bc2e9cf751..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"source.geo.region_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"source.geo.region_name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Source Region", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Region\",\"field\":\"source.geo.region_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":7},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#
E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by Source Region\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-abcc6a30-72aa-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-b0b26610-71df-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-b0b26610-71df-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 65b9d928d6..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-b0b26610-71df-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"destination.geo.country_iso_code\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.country_iso_code\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Destination Country", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Country\",\"field\":\"destination.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Destination Country\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-b0b26610-71df-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-bc70e470-7209-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-bc70e470-7209-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index e157906e4e..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-bc70e470-7209-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user_agent.os.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.os.version\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by OS Version", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"user_agent.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts 
by OS Version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-bc70e470-7209-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 054db583b4..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.device.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.device.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Distribution of Alerts by Device", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"netskope.alerts.device.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\
"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Device\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-bc859e60-71dc-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index fdc31c9ea6..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.quarantine.app\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.quarantine.app\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Top 10 Quarantine Applications", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Quarantine Application\",\"field\":\"netskope.alerts.quarantine.app\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"row\":true,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Quarantine Applications\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-bd2879d0-71f7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - 
"references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-c01026d0-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-c01026d0-72af-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 875f0b687c..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-c01026d0-72af-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Severity Over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"netskope.events.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":13},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palet
te\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Severity Over Time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-c01026d0-72af-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 48b1e7a670..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.app.category\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.app.category\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by App Category", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"App Category\",\"field\":\"netskope.events.app.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine
\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by App Category\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-c1e088c0-72a9-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 44b8effcdb..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"application\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"application\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user.email\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user.email\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Users doing Activities ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Users doing Activities \",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-c6540e80-72b4-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index b108b09856..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.app.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.app.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\" \"}}" - }, - "title": "[Netskope] Top 10 Apps", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Applications\",\"field\":\"netskope.alerts.app.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Apps\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-ca5610d0-71da-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 39f63b6634..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"netskope.alerts.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,
\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Type\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-cab84db0-71dd-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-d1189e60-71df-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-d1189e60-71df-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index ff38d96f8b..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-d1189e60-71df-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"destination.geo.city_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"destination.geo.city_name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Destination Location", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Location\",\"field\":\"destination.geo.city_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Destination Location\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-d1189e60-71df-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-d9596770-72a8-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-d9596770-72a8-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index cfa47a672b..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-d9596770-72a8-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.traffic.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.traffic.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Traffic Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Traffic Type\",\"field\":\"netskope.events.traffic.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Traffic Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-d9596770-72a8-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index bbac81c480..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"page\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"page\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.response.count\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.response.count\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"netskope.events.page\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.page\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Top 10 Response Count for Page", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response 
Count\",\"field\":\"netskope.events.response.count\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Page\",\"field\":\"netskope.events.page\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Response Count for Page\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-dbcca900-72b6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 3de7dd6294..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"user_agent.os.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.os.name\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user_agent.os.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"user_agent.os.version\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by OS, OS Version", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"user_agent.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user_agent.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by OS, OS Version\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-dbdd48a0-72a7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index eba12a9f4e..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"DLP\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"DLP\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.policy.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.policy.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Top 10 Policy ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Top 10 DLP Policy\",\"field\":\"netskope.alerts.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Netskope] Top 10 Policy \",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-dd1de560-71eb-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-de309310-71d9-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-de309310-71d9-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 354947d7c5..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-de309310-71d9-11ec-8c4b-cb281099ee02.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "[Netskope][Alerts] Select Alert Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"netskope.alerts.type\",\"id\":\"1641794009450\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Alert Type Selection\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"[Netskope][Alerts] Select Alert Type\",\"type\":\"input_control_vis\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-de309310-71d9-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "control_0_index_pattern", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02.json
deleted file mode 100755
index de6dadfd9d..0000000000
--- a/packages/netskope/1.0.0/kibana/visualization/netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02.json
+++ /dev/null
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.event_type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Event Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"netskope.events.event_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Events by Event Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-e15f2790-72a6-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { 
- "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 1dde9bccd5..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"infrastructure\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"infrastructure\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.alarm.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.alarm.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Infrastructure Events by Alarm Name ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alarm 
Name\",\"field\":\"netskope.events.alarm.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Infrastructure Events by Alarm Name \",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-e2e46e60-72ae-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 74969e6a5d..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Events by Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"netskope.events.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false
,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Events by Type\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-e8cecff0-72a9-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 414d3d6f30..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.device.classification\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.device.classification\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by Device Classification", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device 
Classification\",\"field\":\"netskope.alerts.device.classification\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of UBA Alerts by Device Classification\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-e9bc9d80-7208-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-f1c99420-7207-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-f1c99420-7207-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index fc285b9b3f..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-f1c99420-7207-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"uba\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"uba\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.alert.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.alert.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of UBA Alerts by Alert Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert 
Name\",\"field\":\"netskope.alerts.alert.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of UBA Alerts by Alert Name\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-f1c99420-7207-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 6dbf820574..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.category.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.category.name\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by Category ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"netskope.alerts.category.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\
"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Netskope] Distribution of Alerts by Category \",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-f4fb96d0-71de-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-f9097160-71f3-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-f9097160-71f3-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index e32e00549f..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-f9097160-71f3-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"Security Assessment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"Security Assessment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.sa.rule.severity\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.sa.rule.severity\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of SA Alerts by SA Rule Severity", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"SA Rule 
Severity\",\"field\":\"netskope.alerts.sa.rule.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of SA Alerts by SA Rule Severity\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-f9097160-71f3-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 5cb3c8d1e5..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"params\":{\"query\":\"quarantine\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.alerts.type\":\"quarantine\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.alerts.quarantine.app\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.quarantine.app\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Total Number of Apps Quarantined", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Quarantined Applications\",\"field\":\"netskope.alerts.quarantine.app\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Netskope] Total Number of Apps Quarantined\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-f96d6680-71f7-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index d8d371bba7..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.alerts.type\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.alerts.type\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.alerts\\\"\"}}" - }, - "title": "[Netskope] Distribution of Alerts by Alert Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"netskope.alerts.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":11},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Alerts by Alert Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-fceec3e0-71dd-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", 
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/kibana/visualization/netskope-feb43930-72af-11ec-8c4b-cb281099ee02.json b/packages/netskope/1.0.0/kibana/visualization/netskope-feb43930-72af-11ec-8c4b-cb281099ee02.json deleted file mode 100755 index 9ed3fc8eca..0000000000 --- a/packages/netskope/1.0.0/kibana/visualization/netskope-feb43930-72af-11ec-8c4b-cb281099ee02.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"netskope.events.event_type\",\"negate\":false,\"params\":{\"query\":\"audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"netskope.events.event_type\":\"audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"netskope.events.severity.level\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"netskope.events.severity.level\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"netskope.events\\\" \"}}" - }, - "title": "[Netskope] Distribution of Audit Events by Severity Level", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity 
Level\",\"field\":\"netskope.events.severity.level\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Netskope] Distribution of Audit Events by Severity Level\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.2", - "id": "netskope-feb43930-72af-11ec-8c4b-cb281099ee02", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/netskope/1.0.0/manifest.yml b/packages/netskope/1.0.0/manifest.yml deleted file mode 100755 index 1bab472bb7..0000000000 --- a/packages/netskope/1.0.0/manifest.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -format_version: 1.0.0 -name: netskope -title: "Netskope" -version: 1.0.0 -license: basic -description: Collect logs from Netskope with Elastic Agent. -type: integration -categories: - - security -release: ga -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -screenshots: - - src: /img/netskope-alerts-screenshot.png - title: Netskope Alert logs screenshot - size: 600x600 - type: image/png - - src: /img/netskope-events-screenshot.png - title: Netskope Event logs screenshot - size: 600x600 - type: image/png -icons: - - src: /img/netskope-logo.svg - title: Netskope logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: netskope - title: Netskope logs - description: Collect Netskope logs - inputs: - - type: tcp - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
- multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - title: Collect Netskope logs via TCP input - description: Collecting Netskope logs via TCP input -owner: - github: elastic/security-external-integrations diff --git a/packages/network_traffic/0.10.0/changelog.yml b/packages/network_traffic/0.10.0/changelog.yml deleted file mode 100755 index f392764ebf..0000000000 --- a/packages/network_traffic/0.10.0/changelog.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -# newer versions go on top -- version: "0.10.0" - changes: - - description: Add configuration options for each protocol. - type: enhancement - link: https://github.com/elastic/integrations/pull/3157 -- version: "0.9.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "0.8.2" - changes: - - description: Add missing field mappings to DNS and TLS data streams. - type: bugfix - link: https://github.com/elastic/integrations/pull/3078 -- version: "0.8.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.8.0" - changes: - - description: Change release stability to beta. - type: enhancement - link: https://github.com/elastic/integrations/pull/2793 -- version: "0.7.1" - changes: - - description: Fix mapping for tls.detailed.client_certificate_chain. - type: bugfix - link: https://github.com/elastic/integrations/pull/2793 -- version: "0.7.0" - changes: - - description: Add dashboards. Update the Kibana constraint to require 7.17.0 or 8.0.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/2762 -- version: "0.6.3" - changes: - - description: Add license note to README. - type: bugfix - link: https://github.com/elastic/integrations/pull/2809 -- version: "0.6.2" - changes: - - description: Add fields for TLS random data and OCSP status. - type: enhancement - link: https://github.com/elastic/integrations/pull/2703 -- version: "0.6.1" - changes: - - description: Remove unused field metadata. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/2648 -- version: "0.6.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2426 -- version: "0.5.1" - changes: - - description: Fix mapping for tls.detailed.server_certificate_chain - type: bugfix - link: https://github.com/elastic/integrations/pull/2517 -- version: "0.5.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2224 -- version: "0.4.2" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2097 -- version: "0.4.1" - changes: - - description: Update Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1997 - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1975 -- version: "0.4.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1669 -- version: "0.3.0" - changes: - - description: Change title to Network Packet Capture. Added timeout/period config to flows data stream. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1764 -- version: "0.2.2" - changes: - - description: Requires version 7.14.1 of the stack - type: bugfix - link: https://github.com/elastic/integrations/pull/1541 -- version: "0.2.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.2.0" - changes: - - description: Update documentation to fit mdx spec - type: enhancement - link: https://github.com/elastic/integrations/pull/1401 -- version: "0.1.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/21 diff --git a/packages/network_traffic/0.10.0/data_stream/amqp/agent/stream/amqp.yml.hbs b/packages/network_traffic/0.10.0/data_stream/amqp/agent/stream/amqp.yml.hbs deleted file mode 100755 index 22fb1883a0..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/amqp/agent/stream/amqp.yml.hbs +++ /dev/null 
@@ -1,49 +0,0 @@ -type: amqp -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if max_body_length}} -max_body_length: {{max_body_length}} -{{/if}} -{{#if parse_headers}} -parse_headers: {{parse_headers}} -{{/if}} -{{#if parse_arguments}} -parse_arguments: {{parse_arguments}} -{{/if}} -{{#if hide_connection_information}} -hide_connection_information: {{hide_connection_information}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index e1896257e1..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -description: Pipeline for processing amqp traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/network_traffic/0.10.0/data_stream/amqp/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/amqp/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/amqp/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/amqp/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/amqp/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/amqp/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.0/data_stream/amqp/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/amqp/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/amqp/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.0/data_stream/amqp/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/amqp/fields/ecs.yml deleted file mode 100755 index da1822dec9..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/amqp/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.0/data_stream/amqp/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/amqp/fields/protocol.yml deleted file mode 100755 index 4b87cf176c..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/amqp/fields/protocol.yml +++ /dev/null 
@@ -1,202 +0,0 @@ -- name: amqp - type: group - fields: - - name: reply-code - type: long - description: > - AMQP reply code to an error, similar to http reply-code - - example: 404 - - name: reply-text - type: keyword - description: > - Text explaining the error. - - - name: class-id - type: long - description: > - Failing method class. - - - name: method-id - type: long - description: > - Failing method ID. - - - name: exchange - type: keyword - description: > - Name of the exchange. - - - name: exchange-type - type: keyword - description: > - Exchange type. - - example: fanout - - name: passive - type: boolean - description: > - If set, do not create exchange/queue. - - - name: durable - type: boolean - description: > - If set, request a durable exchange/queue. - - - name: exclusive - type: boolean - description: > - If set, request an exclusive queue. - - - name: auto-delete - type: boolean - description: > - If set, auto-delete queue when unused. - - - name: no-wait - type: boolean - description: > - If set, the server will not respond to the method. - - - name: consumer-tag - type: keyword - description: > - Identifier for the consumer, valid within the current channel. - - - name: delivery-tag - type: long - description: > - The server-assigned and channel-specific delivery tag. - - - name: message-count - type: long - description: > - The number of messages in the queue, which will be zero for newly-declared queues. - - - name: consumer-count - type: long - description: > - The number of consumers of a queue. - - - name: routing-key - type: keyword - description: > - Message routing key. - - - name: no-ack - type: boolean - description: > - If set, the server does not expect acknowledgements for messages. - - - name: no-local - type: boolean - description: > - If set, the server will not send messages to the connection that published them. - - - name: if-unused - type: boolean - description: > - Delete only if unused. 
- - - name: if-empty - type: boolean - description: > - Delete only if empty. - - - name: queue - type: keyword - description: > - The queue name identifies the queue within the vhost. - - - name: redelivered - type: boolean - description: > - Indicates that the message has been previously delivered to this or another client. - - - name: multiple - type: boolean - description: > - Acknowledge multiple messages. - - - name: arguments - type: object - description: > - Optional additional arguments passed to some methods. Can be of various types. - - - name: mandatory - type: boolean - description: > - Indicates mandatory routing. - - - name: immediate - type: boolean - description: > - Request immediate delivery. - - - name: content-type - type: keyword - description: > - MIME content type. - - example: text/plain - - name: content-encoding - type: keyword - description: > - MIME content encoding. - - - name: headers - type: object - object_type: keyword - description: > - Message header field table. - - - name: delivery-mode - type: keyword - description: > - Non-persistent (1) or persistent (2). - - - name: priority - type: long - description: > - Message priority, 0 to 9. - - - name: correlation-id - type: keyword - description: > - Application correlation identifier. - - - name: reply-to - type: keyword - description: > - Address to reply to. - - - name: expiration - type: keyword - description: > - Message expiration specification. - - - name: message-id - type: keyword - description: > - Application message identifier. - - - name: timestamp - type: keyword - description: > - Message timestamp. - - - name: type - type: keyword - description: > - Message type name. - - - name: user-id - type: keyword - description: > - Creating user id. - - - name: app-id - type: keyword - description: > - Creating application id. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/amqp/manifest.yml b/packages/network_traffic/0.10.0/data_stream/amqp/manifest.yml
deleted file mode 100755
index 392448511a..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/amqp/manifest.yml
+++ /dev/null
@@ -1,105 +0,0 @@ -title: AMQP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5672] - - name: max_body_length - type: integer - title: Max Body Length - description: |- - Truncate messages that are published and avoid huge messages being - indexed. - Default: 1000 - show_user: false - multi: false - required: false - - name: parse_headers - type: bool - title: Parse Headers - description: |- - Hide the header fields in header frames. - Default: false - show_user: false - multi: false - required: false - - name: parse_arguments - type: bool - title: Parse Arguments - description: |- - Hide the additional arguments of method frames. - Default: false - show_user: false - multi: false - required: false - - name: hide_connection_information - type: bool - title: Hide Connection Information - description: |- - Hide all methods relative to connection negotiation between server and - client. - Default: true - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. 
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: AMQP
- description: Capture AMQP Traffic
- template_path: amqp.yml.hbs
diff --git a/packages/network_traffic/0.10.0/data_stream/amqp/sample_event.json b/packages/network_traffic/0.10.0/data_stream/amqp/sample_event.json
deleted file mode 100755
index 9ef02f389f..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/amqp/sample_event.json
+++ /dev/null
@@ -1,107 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:37:02.033Z", - "agent": { - "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "amqp": { - "auto-delete": false, - "consumer-count": 0, - "durable": false, - "exclusive": false, - "message-count": 0, - "no-wait": false, - "passive": false, - "queue": "hello" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "data_stream": { - "dataset": "network_traffic.amqp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "amqp.queue.declare", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.amqp", - "duration": 1325900, - "end": "2022-03-09T07:37:02.035Z", - "ingested": "2022-03-09T07:37:03Z", - "kind": "event", - "start": "2022-03-09T07:37:02.033Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - 
},
- "status": "OK",
- "type": "amqp"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs b/packages/network_traffic/0.10.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs
deleted file mode 100755
index 9c4ec167d1..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs
+++ /dev/null
@@ -1,49 +0,0 @@
-type: cassandra
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_request_header}}
-send_request_header: {{send_request_header}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if send_response_header}}
-send_response_header: {{send_response_header}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if compressor}}
-compressor: {{compressor}}
-{{/if}}
-{{#if ignored_ops}}
-ignored_ops:
-{{#each ignored_ops as |ignored_op|}}
- - {{ignored_op}}
-{{/each}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index db4451530a..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing cassandra traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.0/data_stream/cassandra/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/cassandra/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/cassandra/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/cassandra/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/cassandra/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/cassandra/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.0/data_stream/cassandra/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/cassandra/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/cassandra/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/0.10.0/data_stream/cassandra/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/cassandra/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/cassandra/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/0.10.0/data_stream/cassandra/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/cassandra/fields/protocol.yml
deleted file mode 100755
index 58a2f6c12d..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/cassandra/fields/protocol.yml
+++ /dev/null
@@ -1,283 +0,0 @@
-- name: cassandra
- type: group
- description: Information about the Cassandra request and response.
- fields:
- - name: no_request
- type: boolean
- description: >
- Indicates that there is no request because this is a PUSH message.
-
- - name: request
- type: group
- description: Cassandra request.
- fields:
- - name: headers
- type: group
- description: Cassandra request headers.
- fields:
- - name: version
- type: keyword
- description: The version of the protocol.
- - name: flags
- type: keyword
- description: Flags applying to this frame.
- - name: stream
- type: keyword
- description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.
- - name: op
- type: keyword
- description: An operation type that distinguishes the actual message.
- - name: length
- type: long
- description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length).
- - name: query
- type: keyword
- description: The CQL query which client send to cassandra.
- - name: response
- type: group
- description: Cassandra response.
- fields:
- - name: headers
- type: group
- description: Cassandra response headers, the structure is as same as request's header.
- fields:
- - name: version
- type: keyword
- description: The version of the protocol.
- - name: flags
- type: keyword
- description: Flags applying to this frame.
- - name: stream
- type: keyword
- description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.
- - name: op
- type: keyword
- description: An operation type that distinguishes the actual message.
- - name: length
- type: long
- description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length).
- - name: result
- type: group
- description: Details about the returned result.
- fields:
- - name: type
- type: keyword
- description: Cassandra result type.
- - name: rows
- type: group
- description: Details about the rows.
- fields:
- - name: num_rows
- type: long
- description: Representing the number of rows present in this result.
- - name: meta
- type: group
- description: Composed of result metadata.
- fields:
- - name: keyspace
- type: keyword
- description: Only present after set Global_tables_spec, the keyspace name.
- - name: table
- type: keyword
- description: Only present after set Global_tables_spec, the table name.
- - name: flags
- type: keyword
- description: Provides information on the formatting of the remaining information.
- - name: col_count
- type: long
- description: Representing the number of columns selected by the query that produced this result.
- - name: pkey_columns
- type: long
- description: Representing the PK columns index and counts.
- - name: paging_state
- type: keyword
- description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
- - name: keyspace
- type: keyword
- description: Indicating the name of the keyspace that has been set.
- - name: schema_change
- type: group
- description: The result to a schema_change message.
- fields:
- - name: change
- type: keyword
- description: Representing the type of changed involved.
- - name: keyspace
- type: keyword
- description: This describes which keyspace has changed.
- - name: table
- type: keyword
- description: This describes which table has changed.
- - name: object
- type: keyword
- description: This describes the name of said affected object (either the table, user type, function, or aggregate name).
- - name: target
- type: keyword
- description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments.
- - name: name
- type: keyword
- description: The function/aggregate name.
- - name: args
- type: keyword
- description: One string for each argument type (as CQL type).
- - name: prepared
- type: group
- description: The result to a PREPARE message.
- fields:
- - name: prepared_id
- type: keyword
- description: Representing the prepared query ID.
- - name: req_meta
- type: group
- description: This describes the request metadata.
- fields:
- - name: keyspace
- type: keyword
- description: Only present after set Global_tables_spec, the keyspace name.
- - name: table
- type: keyword
- description: Only present after set Global_tables_spec, the table name.
- - name: flags
- type: keyword
- description: Provides information on the formatting of the remaining information.
- - name: col_count
- type: long
- description: Representing the number of columns selected by the query that produced this result.
- - name: pkey_columns
- type: long
- description: Representing the PK columns index and counts.
- - name: paging_state
- type: keyword
- description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
- - name: resp_meta
- type: group
- description: This describes the metadata for the result set.
- fields:
- - name: keyspace
- type: keyword
- description: Only present after set Global_tables_spec, the keyspace name.
- - name: table
- type: keyword
- description: Only present after set Global_tables_spec, the table name.
- - name: flags
- type: keyword
- description: Provides information on the formatting of the remaining information.
- - name: col_count
- type: long
- description: Representing the number of columns selected by the query that produced this result.
- - name: pkey_columns
- type: long
- description: Representing the PK columns index and counts.
- - name: paging_state
- type: keyword
- description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
- - name: supported
- type: flattened
- description: Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message.
- - name: authentication
- type: group
- description: Indicates that the server requires authentication, and which authentication mechanism to use.
- fields:
- - name: class
- type: keyword
- description: Indicates the full class name of the IAuthenticator in use
- - name: warnings
- type: keyword
- description: The text of the warnings, only occur when Warning flag was set.
- - name: event
- type: group
- description: Event pushed by the server. A client will only receive events for the types it has REGISTERed to.
- fields:
- - name: type
- type: keyword
- description: Representing the event type.
- - name: change
- type: keyword
- description: The message corresponding respectively to the type of change followed by the address of the new/removed node.
- - name: host
- type: keyword
- description: Representing the node ip.
- - name: port
- type: long
- description: Representing the node port.
- - name: schema_change
- type: group
- description: The events details related to schema change.
- fields:
- - name: change
- type: keyword
- description: Representing the type of changed involved.
- - name: keyspace
- type: keyword
- description: This describes which keyspace has changed.
- - name: table
- type: keyword
- description: This describes which table has changed.
- - name: object
- type: keyword
- description: This describes the name of said affected object (either the table, user type, function, or aggregate name).
- - name: target
- type: keyword
- description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments.
- - name: name
- type: keyword
- description: The function/aggregate name.
- - name: args
- type: keyword
- description: One string for each argument type (as CQL type).
- - name: error
- type: group
- description: Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow.
- fields:
- - name: code
- type: long
- description: The error code of the Cassandra response.
- - name: msg
- type: keyword
- description: The error message of the Cassandra response.
- - name: type
- type: keyword
- description: The error type of the Cassandra response.
- - name: details
- type: group
- description: The details of the error.
- fields:
- - name: read_consistency
- type: keyword
- description: Representing the consistency level of the query that triggered the exception.
- - name: required
- type: long
- description: Representing the number of nodes that should be alive to respect consistency level.
- - name: alive
- type: long
- description: Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered).
- - name: received
- type: long
- description: Representing the number of nodes having acknowledged the request.
- - name: blockfor
- type: long
- description: Representing the number of replicas whose acknowledgement is required to achieve consistency level.
- - name: write_type
- type: keyword
- description: Describe the type of the write that timed out.
- - name: data_present
- type: boolean
- description: It means the replica that was asked for data had responded.
- - name: keyspace
- type: keyword
- description: The keyspace of the failed function.
- - name: table
- type: keyword
- description: The keyspace of the failed function.
- - name: stmt_id
- type: keyword
- description: Representing the unknown ID.
- - name: num_failures
- type: keyword
- description: Representing the number of nodes that experience a failure while executing the request.
- - name: function
- type: keyword
- description: The name of the failed function.
- - name: arg_types
- type: keyword
- description: One string for each argument type (as CQL type) of the failed function.
diff --git a/packages/network_traffic/0.10.0/data_stream/cassandra/manifest.yml b/packages/network_traffic/0.10.0/data_stream/cassandra/manifest.yml
deleted file mode 100755
index b05f2d1e4e..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/cassandra/manifest.yml
+++ /dev/null
@@ -1,92 +0,0 @@
-title: Cassandra
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [9042]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`cassandra_request` field)
- is included in published events. The default is true.
- show_user: false
- multi: false
- required: false
- - name: send_request_header
- type: bool
- title: Send Request Header
- description: |-
- If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field)
- is included in published events. The default is true. enable `send_request` first before enable this option.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`cassandra_response` field)
- is included in published events. The default is true.
- show_user: false
- multi: false
- required: false
- - name: send_response_header
- type: bool
- title: Send Response Header
- description: |-
- If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field)
- is included in published events. The default is true. enable `send_response` first before enable this option.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: compressor
- type: text
- title: Compressor
- description: |-
- Configures the default compression algorithm being used to uncompress compressed frames by name.
Currently only `snappy` is can be configured.
- By default no compressor is configured.
- show_user: false
- multi: false
- required: false
- - name: ignored_ops
- type: text
- title: Ignored Ops
- description: This option indicates which Operator/Operators will be ignored.
- show_user: false
- multi: true
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: Cassandra
- description: Capture Cassandra Traffic
- template_path: cassandra.yml.hbs
diff --git a/packages/network_traffic/0.10.0/data_stream/cassandra/sample_event.json b/packages/network_traffic/0.10.0/data_stream/cassandra/sample_event.json
deleted file mode 100755
index aa2d587c11..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/cassandra/sample_event.json
+++ /dev/null
@@ -1,125 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:43:05.888Z",
- "agent": {
- "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "cassandra": {
- "request": {
- "headers": {
- "flags": "Default",
- "length": 98,
- "op": "QUERY",
- "stream": 49,
- "version": "4"
- },
- "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);"
- },
- "response": {
- "headers": {
- "flags": "Default",
- "length": 39,
- "op": "RESULT",
- "stream": 49,
- "version": "4"
- },
- "result": {
- "schema_change": {
- "change": "CREATED",
- "keyspace": "mykeyspace",
- "object": "users",
- "target": "TABLE"
- },
- "type": "schemaChanged"
- }
- }
- },
- "client": {
- "bytes": 107,
- "ip": "127.0.0.1",
- "port": 52749
- },
- "data_stream": {
- "dataset": "network_traffic.cassandra",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 48,
- "ip": "127.0.0.1",
- "port": 9042
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.cassandra",
- "duration": 131589500,
- "end": "2022-03-09T07:43:06.019Z",
- "ingested": "2022-03-09T07:43:09Z",
- "kind": "event",
- "start": "2022-03-09T07:43:05.888Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "network": {
- "bytes": 155,
- "community_id":
"1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=",
- "direction": "ingress",
- "protocol": "cassandra",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 48,
- "ip": "127.0.0.1",
- "port": 9042
- },
- "source": {
- "bytes": 107,
- "ip": "127.0.0.1",
- "port": 52749
- },
- "status": "OK",
- "type": "cassandra"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs b/packages/network_traffic/0.10.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
deleted file mode 100755
index 2c56638255..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
+++ /dev/null
@@ -1,28 +0,0 @@
-type: dhcpv4
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 7c07281afb..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-description: Pipeline for processing dhcpv4 traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: dhcpv4.client_mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: dhcpv4.client_mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: dhcpv4.client_mac
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/protocol.yml
deleted file mode 100755
index 0180691a5b..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/dhcpv4/fields/protocol.yml
+++ /dev/null
@@ -1,177 +0,0 @@ -- name: dhcpv4 - type: group - fields: - - name: transaction_id - type: keyword - description: | - Transaction ID, a random number chosen by the - client, used by the client and server to associate - messages and responses between a client and a - server. - - name: seconds - type: long - description: | - Number of seconds elapsed since client began address acquisition or - renewal process. - - name: flags - type: keyword - description: | - Flags are set by the client to indicate how the DHCP server should - its reply -- either unicast or broadcast. - - name: client_ip - type: ip - description: The current IP address of the client. - - name: assigned_ip - type: ip - description: | - The IP address that the DHCP server is assigning to the client. - This field is also known as "your" IP address. - - name: server_ip - type: ip - description: | - The IP address of the DHCP server that the client should use for the - next step in the bootstrap process. - - name: relay_ip - type: ip - description: | - The relay IP address used by the client to contact the server - (i.e. a DHCP relay server). - - name: client_mac - type: keyword - description: The client's MAC address (layer two). - - name: server_name - type: keyword - description: | - The name of the server sending the message. Optional. Used in - DHCPOFFER or DHCPACK messages. - - name: op_code - type: keyword - example: bootreply - description: | - The message op code (bootrequest or bootreply). - - name: hops - type: long - description: The number of hops the DHCP message went through. - - name: hardware_type - type: keyword - description: | - The type of hardware used for the local network (Ethernet, - LocalTalk, etc). - - name: option - type: group - fields: - - name: message_type - type: keyword - example: ack - description: | - The specific type of DHCP message being sent (e.g. discover, - offer, request, decline, ack, nak, release, inform). 
- - name: parameter_request_list - type: keyword - description: | - This option is used by a DHCP client to request values for - specified configuration parameters. - - name: requested_ip_address - type: ip - description: | - This option is used in a client request (DHCPDISCOVER) to allow - the client to request that a particular IP address be assigned. - - name: server_identifier - type: ip - description: | - IP address of the individual DHCP server which handled this - message. - - name: broadcast_address - type: ip - description: | - This option specifies the broadcast address in use on the - client's subnet. - - name: max_dhcp_message_size - type: long - description: | - This option specifies the maximum length DHCP message that the - client is willing to accept. - - name: class_identifier - type: keyword - description: | - This option is used by DHCP clients to optionally identify the - vendor type and configuration of a DHCP client. Vendors may - choose to define specific vendor class identifiers to convey - particular configuration or other identification information - about a client. For example, the identifier may encode the - client's hardware configuration. - - name: domain_name - type: keyword - description: | - This option specifies the domain name that client should use - when resolving hostnames via the Domain Name System. - - name: dns_servers - type: ip - description: | - The domain name server option specifies a list of Domain Name - System servers available to the client. - - name: vendor_identifying_options - type: object - description: | - A DHCP client may use this option to unambiguously identify the - vendor that manufactured the hardware on which the client is - running, the software in use, or an industry consortium to which - the vendor belongs. This field is described in RFC 3925. - - name: subnet_mask - type: ip - description: | - The subnet mask that the client should use on the currnet - network. 
- - name: utc_time_offset_sec - type: long - description: | - The time offset field specifies the offset of the client's - subnet in seconds from Coordinated Universal Time (UTC). - - name: router - type: ip - description: | - The router option specifies a list of IP addresses for routers - on the client's subnet. - - name: time_servers - type: ip - description: | - The time server option specifies a list of RFC 868 time servers - available to the client. - - name: ntp_servers - type: ip - description: | - This option specifies a list of IP addresses indicating NTP - servers available to the client. - - name: hostname - type: keyword - description: | - This option specifies the name of the client. - - name: ip_address_lease_time_sec - type: long - description: | - This option is used in a client request (DHCPDISCOVER or - DHCPREQUEST) to allow the client to request a lease time for the - IP address. In a server reply (DHCPOFFER), a DHCP server uses - this option to specify the lease time it is willing to offer. - - name: message - type: text - description: | - This option is used by a DHCP server to provide an error message - to a DHCP client in a DHCPNAK message in the event of a failure. - A client may use this option in a DHCPDECLINE message to - indicate the why the client declined the offered parameters. - - name: renewal_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the RENEWING state. - - name: rebinding_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the REBINDING state. - - name: boot_file_name - type: keyword - description: | - This option is used to identify a bootfile when the 'file' field - in the DHCP header has been used for DHCP options. 
diff --git a/packages/network_traffic/0.10.0/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/0.10.0/data_stream/dhcpv4/manifest.yml
deleted file mode 100755
index fc09a92781..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/dhcpv4/manifest.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: DHCP
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [67, 68]
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: DHCP
- description: Capture DHCP Traffic
- template_path: dhcpv4.yml.hbs
diff --git a/packages/network_traffic/0.10.0/data_stream/dhcpv4/sample_event.json b/packages/network_traffic/0.10.0/data_stream/dhcpv4/sample_event.json
deleted file mode 100755
index 59ab870695..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/dhcpv4/sample_event.json
+++ /dev/null
@@ -1,111 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:43:52.712Z",
- "agent": {
- "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 272,
- "ip": "0.0.0.0",
- "port": 68
- },
- "data_stream": {
- "dataset": "network_traffic.dhcpv4",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "255.255.255.255",
- "port": 67
- },
- "dhcpv4": {
- "client_mac": "00-0B-82-01-FC-42",
- "flags": "unicast",
- "hardware_type": "Ethernet",
- "hops": 0,
- "op_code": "bootrequest",
- "option": {
- "message_type": "discover",
- "parameter_request_list": [
- "Subnet Mask",
- "Router",
- "Domain Name Server",
- "NTP Servers"
- ],
- "requested_ip_address": "0.0.0.0"
- },
- "seconds": 0,
- "transaction_id": "0x00003d1d"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.dhcpv4",
- "ingested": "2022-03-09T07:43:53Z",
- "kind": "event",
- "start": "2022-03-09T07:43:52.712Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "network": {
- "bytes": 272,
- "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=",
- "direction": "unknown",
- "protocol": "dhcpv4",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "0.0.0.0",
- "255.255.255.255"
- ]
- },
- "server": {
- "ip": "255.255.255.255",
- "port": 67
- },
- "source": {
- "bytes": 272,
- "ip": "0.0.0.0",
- "port": 68
- },
- "status": "OK",
- "type": "dhcpv4"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/data_stream/dns/agent/stream/dns.yml.hbs b/packages/network_traffic/0.10.0/data_stream/dns/agent/stream/dns.yml.hbs
deleted file mode 100755
index e68885b2f8..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/dns/agent/stream/dns.yml.hbs
+++ /dev/null
@@ -1,43 +0,0 @@
-type: dns
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if include_authorities}}
-include_authorities: {{include_authorities}}
-{{/if}}
-{{#if include_additionals}}
-include_additionals: {{include_additionals}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 012fede9d4..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing dhcpv4 traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.0/data_stream/dns/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/dns/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/dns/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/dns/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/dns/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.0/data_stream/dns/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/dns/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/dns/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.0/data_stream/dns/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/dns/fields/ecs.yml deleted file mode 100755 index e2ea6f338f..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,200 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. 
- name: dns.answers.type - type: keyword -- description: |- - Array of 2 letter DNS header flags. - Expected values are: AA, TC, RD, RA, AD, CD, DO. - name: dns.header_flags - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - name: dns.op_code - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.0/data_stream/dns/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/dns/fields/protocol.yml deleted file mode 100755 index 28d506b996..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/dns/fields/protocol.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: dns - type: group - fields: - - name: flags.authoritative - type: boolean - description: > - A DNS flag specifying that the responding server is an authority for the domain name used in the question. - - - name: flags.recursion_available - type: boolean - description: > - A DNS flag specifying whether recursive query support is available in the name server. - - - name: flags.recursion_desired - type: boolean - description: > - A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. - - - name: flags.authentic_data - type: boolean - description: > - A DNS flag specifying that the recursive server considers the response authentic. - - - name: flags.checking_disabled - type: boolean - description: > - A DNS flag specifying that the client disables the server signature validation of the query. - - - name: flags.truncated_response - type: boolean - description: > - A DNS flag specifying that only the first 512 bytes of the reply were returned. - - - name: question.etld_plus_one - type: keyword - description: The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. - example: amazon.co.uk. - - name: answers_count - type: long - description: > - The number of resource records contained in the `dns.answers` field. - - - name: authorities - type: object - description: > - An array containing a dictionary for each authority section from the answer. - - - name: authorities_count - type: long - description: > - The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. - - - name: authorities.name - type: keyword - description: The domain name to which this resource record pertains. 
- example: example.com. - - name: authorities.type - type: keyword - description: The type of data contained in this resource record. - example: NS - - name: authorities.class - type: keyword - description: The class of DNS data contained in this resource record. - example: IN - - name: additionals - type: object - description: > - An array containing a dictionary for each additional section from the answer. - - - name: additionals_count - type: long - description: > - The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. - - - name: additionals.name - type: keyword - description: The domain name to which this resource record pertains. - example: example.com. - - name: additionals.type - type: keyword - description: The type of data contained in this resource record. - example: NS - - name: additionals.class - type: keyword - description: The class of DNS data contained in this resource record. - example: IN - - name: additionals.ttl - description: > - The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - - type: long - - name: additionals.data - type: keyword - description: > - The data describing the resource. The meaning of this data depends on the type and class of the resource record. - - - name: opt.version - type: keyword - description: The EDNS version. - example: "0" - - name: opt.do - type: boolean - description: If set, the transaction uses DNSSEC. - - name: opt.ext_rcode - type: keyword - description: Extended response code field. - example: "BADVERS" - - name: opt.udp_size - type: long - description: Requestor's UDP payload size (in bytes). diff --git a/packages/network_traffic/0.10.0/data_stream/dns/manifest.yml b/packages/network_traffic/0.10.0/data_stream/dns/manifest.yml deleted file mode 100755 index cc5476bfad..0000000000 
--- a/packages/network_traffic/0.10.0/data_stream/dns/manifest.yml +++ /dev/null 
@@ -1,95 +0,0 @@ -title: DNS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [53] - - name: include_authorities - type: bool - title: Include Authorities - description: |- - include_authorities controls whether or not the dns.authorities field - (authority resource records) is added to messages. - Default: false - show_user: false - multi: false - required: false - - name: include_additionals - type: bool - title: Include Additionals - description: |- - include_additionals controls whether or not the dns.additionals field - (additional resource records) is added to messages. - Default: false - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - send_request controls whether or not the stringified DNS - request messages are added to the result. - Nearly all data about the request/response is available in the dns.* - fields, but this can be useful if you need visibility specifically - into the request or the response. - Default: false - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - send_response controls whether or not the stringified DNS - response messages are added to the result. - Nearly all data about the request/response is available in the dns.* - fields, but this can be useful if you need visibility specifically - into the request or the response. - Default: false - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. 
- show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: DNS - description: Capture DNS Traffic - template_path: dns.yml.hbs diff --git a/packages/network_traffic/0.10.0/data_stream/dns/sample_event.json b/packages/network_traffic/0.10.0/data_stream/dns/sample_event.json deleted file mode 100755 index 476a880555..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,158 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:48:42.751Z", - "agent": { - "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "data_stream": { - "dataset": "network_traffic.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "dns": { - "additionals_count": 0, - "answers": [ - { - "class": "IN", - "data": "ns-1183.awsdns-19.org", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-2007.awsdns-58.co.uk", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-66.awsdns-08.com", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-835.awsdns-40.net", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - } - ], - "answers_count": 4, - "authorities_count": 0, - "flags": { - "authentic_data": false, - "authoritative": false, - "checking_disabled": false, - "recursion_available": true, - "recursion_desired": true, - "truncated_response": false - }, - "header_flags": [ - "RD", - "RA" - ], - "id": 26187, - "op_code": "QUERY", - "question": { - "class": "IN", - "etld_plus_one": "elastic.co", - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "NS" - }, - "response_code": "NOERROR", - "type": "answer" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dns", - "duration": 68515700, - "end": "2022-03-09T07:48:42.819Z", - "ingested": "2022-03-09T07:48:43Z", - "kind": "event", - "start": 
"2022-03-09T07:48:42.751Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "QUERY", - "network": { - "bytes": 195, - "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", - "direction": "unknown", - "protocol": "dns", - "transport": "udp", - "type": "ipv4" - }, - "query": "class IN, type NS, elastic.co", - "related": { - "ip": [ - "192.168.238.68", - "8.8.8.8" - ] - }, - "resource": "elastic.co", - "server": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "source": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "status": "OK", - "type": "dns" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/data_stream/flow/agent/stream/flow.yml.hbs b/packages/network_traffic/0.10.0/data_stream/flow/agent/stream/flow.yml.hbs deleted file mode 100755 index 80f2a27460..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/flow/agent/stream/flow.yml.hbs +++ /dev/null @@ -1,23 +0,0 @@ -type: flow -{{#if timeout}} -flows.timeout: '{{timeout}}' -{{/if}} -{{#if period}} -flows.period: '{{period}}' -{{/if}} -{{#if processes}} -procs: - enabled: true - monitored: - {{#each processes}} - - cmdline_grep: {{this}} - {{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8a45c554fd..0000000000 
--- a/packages/network_traffic/0.10.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing traffic flows
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.0/data_stream/flow/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/flow/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/flow/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/flow/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/flow/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/flow/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.0/data_stream/flow/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/flow/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/flow/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.0/data_stream/flow/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/flow/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/flow/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.0/data_stream/flow/manifest.yml b/packages/network_traffic/0.10.0/data_stream/flow/manifest.yml deleted file mode 100755 index 4f455c6f25..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/flow/manifest.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: Flows -release: beta -type: logs -streams: - - input: packet - title: Flows - description: Track Network Flows - template_path: flow.yml.hbs - vars: - - name: period - type: text - title: Period - required: false - show_user: false - description: Configure the reporting interval. All flows are reported at the very same point in time. Periodical reporting can be disabled by setting the value to -1. If disabled, flows are still reported once being timed out. - default: '10s' - - name: timeout - type: text - title: Flow timeout - description: Timeout configures the lifetime of a flow. If no packets have been received for a flow within the timeout time window, the flow is killed and reported. - required: false - show_user: false - default: '30s' diff --git a/packages/network_traffic/0.10.0/data_stream/http/agent/stream/http.yml.hbs b/packages/network_traffic/0.10.0/data_stream/http/agent/stream/http.yml.hbs deleted file mode 100755 index 4c2aecad10..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/http/agent/stream/http.yml.hbs +++ /dev/null 
@@ -1,85 +0,0 @@ -type: http -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if hide_keywords}} -hide_keywords: -{{#each hide_keywords as |hide_keyword|}} - - {{hide_keyword}} -{{/each}} -{{/if}} -{{#if send_headers}} -send_headers: {{send_headers}} -{{/if}} -{{#if send_all_headers}} -send_all_headers: {{send_all_headers}} -{{/if}} -{{#if redact_headers}} -redact_headers: -{{#each redact_headers as |redact_header|}} - - {{redact_header}} -{{/each}} -{{/if}} -{{#if include_body_for}} -include_body_for: -{{#each include_body_for as |include_body_for_elem|}} - - {{include_body_for_elem}} -{{/each}} -{{/if}} -{{#if include_request_body_for}} -include_request_body_for: -{{#each include_request_body_for as |include_request_body_for_elem|}} - - {{include_request_body_for_elem}} -{{/each}} -{{/if}} -{{#if include_response_body_for}} -include_response_body_for: -{{#each include_response_body_for as |include_response_body_for_elem|}} - - {{include_response_body_for_elem}} -{{/each}} -{{/if}} -{{#if decode_body}} -decode_body: {{decode_body}} -{{/if}} -{{#if split_cookie}} -split_cookie: {{split_cookie}} -{{/if}} -{{#if real_ip_header}} -real_ip_header: {{real_ip_header}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if max_message_size}} -max_message_size: {{max_message_size}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} 
diff --git a/packages/network_traffic/0.10.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 73b1d30401..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -description: Pipeline for processing http traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/0.10.0/data_stream/http/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/http/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/http/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/http/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/http/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/http/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.0/data_stream/http/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/http/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/http/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.0/data_stream/http/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/http/fields/ecs.yml deleted file mode 100755 index d003c7093e..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/http/fields/ecs.yml +++ /dev/null 
@@ -1,203 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: Total size in bytes of the request (body and headers). 
- name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". 
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword 
diff --git a/packages/network_traffic/0.10.0/data_stream/http/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/http/fields/protocol.yml deleted file mode 100755 index 51b73ae344..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/http/fields/protocol.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: http - type: group - description: Information about the HTTP request and response. - fields: - - name: request - description: HTTP request - type: group - fields: - - name: headers - type: flattened - description: > - A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. - - - name: response - description: HTTP response - type: group - fields: - - name: status_phrase - type: keyword - description: The HTTP status phrase. - example: Not Found - - name: headers - type: flattened - description: > - A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. - diff --git a/packages/network_traffic/0.10.0/data_stream/http/manifest.yml b/packages/network_traffic/0.10.0/data_stream/http/manifest.yml deleted file mode 100755 index f16188331c..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/http/manifest.yml +++ /dev/null 
@@ -1,173 +0,0 @@
-title: HTTP
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [80, 8080, 8000, 5000, 8002]
- - name: hide_keywords
- type: text
- title: Hide Keywords
- description: |-
- Uncomment the following to hide certain parameters in URL or forms attached
- to HTTP requests. The names of the parameters are case insensitive.
- The value of the parameters will be replaced with the 'xxxxx' string.
- This is generally useful for avoiding storing user passwords or other
- sensitive information.
- Only query parameters and top level form parameters are replaced.
- show_user: false
- multi: true
- required: false
- - name: send_headers
- type: bool
- title: Send Headers
- description: |-
- A list of header names to capture and send to Elasticsearch. These headers
- are placed under the `headers` dictionary in the resulting JSON.
- show_user: false
- multi: false
- required: false
- - name: send_all_headers
- type: bool
- title: Send All Headers
- description: |-
- Instead of sending a white list of headers to Elasticsearch, you can send
- all headers by setting this option to true. The default is false.
- show_user: false
- multi: false
- required: false
- - name: redact_headers
- type: text
- title: Redact Headers
- description: |-
- A list of headers to redact if present in the HTTP request. This will keep
- the header field present, but will redact it's value to show the headers
- presence.
- show_user: false
- multi: true
- required: false
- - name: include_body_for
- type: text
- title: Include Body For
- description: |-
- The list of content types for which Packetbeat includes the full HTTP
- payload.
If the request's or response's Content-Type matches any on this
- list, the full body will be included under the request or response field.
- show_user: false
- multi: true
- required: false
- - name: include_request_body_for
- type: text
- title: Include Request Body For
- description: |-
- The list of content types for which Packetbeat includes the full HTTP
- request payload.
- show_user: false
- multi: true
- required: false
- - name: include_response_body_for
- type: text
- title: Include Response Body For
- description: |-
- The list of content types for which Packetbeat includes the full HTTP
- response payload.
- show_user: false
- multi: true
- required: false
- - name: decode_body
- type: bool
- title: Decode Body
- description: |-
- Whether the body of a request must be decoded when a content-encoding
- or transfer-encoding has been applied.
- show_user: false
- multi: false
- required: false
- - name: split_cookie
- type: bool
- title: Split Cookie
- description: |-
- If the Cookie or Set-Cookie headers are sent, this option controls whether
- they are split into individual values.
- show_user: false
- multi: false
- required: false
- - name: real_ip_header
- type: bool
- title: Real Ip Header
- description: |-
- The header field to extract the real IP from. This setting is useful when
- you want to capture traffic behind a reverse proxy, but you want to get the
- geo-location information.
- show_user: false
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: max_message_size
- type: integer
- title: Max Message Size
- description: |-
- Maximum message size. If an HTTP message is larger than this, it will
- be trimmed to this size. Default is 10 MB.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: HTTP
- description: Capture HTTP Traffic
- template_path: http.yml.hbs
diff --git a/packages/network_traffic/0.10.0/data_stream/http/sample_event.json b/packages/network_traffic/0.10.0/data_stream/http/sample_event.json
deleted file mode 100755
index f07301394b..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/http/sample_event.json
+++ /dev/null
@@ -1,139 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:54:42.031Z",
- "agent": {
- "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "data_stream": {
- "dataset": "network_traffic.http",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.http",
- "duration": 141490400,
- "end": "2022-03-09T07:54:42.172Z",
- "ingested": "2022-03-09T07:54:43Z",
- "kind": "event",
- "start": "2022-03-09T07:54:42.031Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "http": {
- "request": {
- "body": {
- "bytes": 55
- },
- "bytes": 211,
- "headers": {
- "content-length": 55,
- "content-type": "application/x-www-form-urlencoded"
- },
- "method": "POST"
- },
- "response": {
- "body": {
- "bytes": 8936
- },
- "bytes": 9108,
- "headers": {
- "content-length": 8936,
- "content-type": "text/html; charset=utf-8"
- },
- "status_code": 404,
- "status_phrase": "not found"
- },
- "version": "1.1"
- },
- "method": "POST",
- "network": {
- "bytes": 9319,
- "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=",
- "direction": "unknown",
-
"protocol": "http",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "POST /register",
- "related": {
- "hosts": [
- "packetbeat.com"
- ],
- "ip": [
- "192.168.238.50",
- "107.170.1.22"
- ]
- },
- "server": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "source": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "status": "Error",
- "type": "http",
- "url": {
- "domain": "packetbeat.com",
- "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica",
- "path": "/register",
- "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica",
- "scheme": "http"
- },
- "user_agent": {
- "original": "curl/7.37.1"
- }
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/data_stream/icmp/agent/stream/icmp.yml.hbs b/packages/network_traffic/0.10.0/data_stream/icmp/agent/stream/icmp.yml.hbs
deleted file mode 100755
index f550ca79fa..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/icmp/agent/stream/icmp.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-type: icmp
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 8cd8d555f7..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing icmp traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.0/data_stream/icmp/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/icmp/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/icmp/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/0.10.0/data_stream/icmp/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/icmp/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/icmp/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.0/data_stream/icmp/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/icmp/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/icmp/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/0.10.0/data_stream/icmp/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/icmp/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/icmp/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/0.10.0/data_stream/icmp/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/icmp/fields/protocol.yml
deleted file mode 100755
index 5aef1deaf4..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/icmp/fields/protocol.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: icmp
- type: group
- fields:
- - name: version
- type: long
- description: The version of the ICMP protocol.
- possible_values:
- - 4
- - 6
- - name: request.message
- type: keyword
- description: A human readable form of the request.
- - name: request.type
- type: long
- description: The request type.
- - name: request.code
- type: long
- description: The request code.
- - name: response.message
- type: keyword
- description: A human readable form of the response.
- - name: response.type
- type: long
- description: The response type.
- - name: response.code
- type: long
- description: The response code.
diff --git a/packages/network_traffic/0.10.0/data_stream/icmp/manifest.yml b/packages/network_traffic/0.10.0/data_stream/icmp/manifest.yml
deleted file mode 100755
index ca911dc8e0..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/icmp/manifest.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: ICMP
-release: beta
-type: logs
-streams:
- - input: packet
- title: ICMP
- description: Capture ICMP Traffic
- template_path: icmp.yml.hbs
- vars:
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
diff --git a/packages/network_traffic/0.10.0/data_stream/icmp/sample_event.json b/packages/network_traffic/0.10.0/data_stream/icmp/sample_event.json
deleted file mode 100755
index 6dfd5d97d4..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/icmp/sample_event.json
+++ /dev/null
@@ -1,104 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:57:32.766Z",
- "agent": {
- "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 4,
- "ip": "::1"
- },
- "data_stream": {
- "dataset": "network_traffic.icmp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 4,
- "ip": "::2"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.icmp",
- "duration": 13336600,
- "end": "2022-03-09T07:57:32.779Z",
- "ingested": "2022-03-09T07:57:36Z",
- "kind": "event",
- "start": "2022-03-09T07:57:32.766Z",
- "type": [
- "connection"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "icmp": {
- "request": {
- "code": 0,
- "message": "EchoRequest",
- "type": 128
- },
- "response": {
- "code": 0,
- "message": "EchoReply",
- "type": 129
- },
- "version": 6
- },
- "network": {
- "bytes": 8,
- "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=",
- "direction": "egress",
- "transport": "ipv6-icmp",
- "type": "ipv6"
- },
- "path": "::2",
- "related": {
- "ip": [
- "::1",
- "::2"
- ]
- },
- "server": {
- "bytes": 4,
- "ip": "::2"
- },
- "source": {
- "bytes": 4,
- "ip": "::1"
- },
- "status": "OK",
- "type": "icmp"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/data_stream/memcached/agent/stream/memcached.yml.hbs b/packages/network_traffic/0.10.0/data_stream/memcached/agent/stream/memcached.yml.hbs
deleted file mode 100755
index 136c8ad877..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/memcached/agent/stream/memcached.yml.hbs
+++ /dev/null
@@ -1,49 +0,0 @@
-type: memcache
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if parseunknown}}
-parseunknown: {{parseunknown}}
-{{/if}}
-{{#if maxvalues}}
-maxvalues: {{maxvalues}}
-{{/if}}
-{{#if maxbytespervalue}}
-maxbytespervalue: {{maxbytespervalue}}
-{{/if}}
-{{#if udptransactiontimeout}}
-udptransactiontimeout: {{udptransactiontimeout}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 8eb49dc336..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@ ---- -description: Pipeline for processing memcached traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/0.10.0/data_stream/memcached/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/memcached/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/memcached/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/memcached/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/memcached/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/memcached/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.0/data_stream/memcached/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/memcached/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/memcached/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.0/data_stream/memcached/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/memcached/fields/ecs.yml deleted file mode 100755 index 7638afce57..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/memcached/fields/ecs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.0/data_stream/memcached/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/memcached/fields/protocol.yml deleted file mode 100755 index 4d1c281dde..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/memcached/fields/protocol.yml +++ /dev/null 
@@ -1,215 +0,0 @@ -- name: memcache - type: group - fields: - - name: protocol_type - type: keyword - description: > - The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. - - - name: request.line - type: keyword - description: > - The raw command line for unknown commands ONLY. - - - name: request.command - type: keyword - description: > - The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. - - - name: response.command - type: keyword - description: > - Either the text based protocol response message type or the name of the originating request if binary protocol is used. - - - name: request.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". - - - name: response.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). - - - name: response.error_msg - type: keyword - description: > - The optional error message in the memcache response (text based protocol only). - - - name: request.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: response.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: request.opcode_value - type: long - description: > - The binary protocol message opcode value. 
- - - name: response.opcode_value - type: long - description: > - The binary protocol message opcode value. - - - name: request.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: response.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: request.vbucket - type: long - description: > - The vbucket index sent in the binary message. - - - name: response.status - type: keyword - description: > - The textual representation of the response error code (binary protocol only). - - - name: response.status_code - type: long - description: > - The status code value returned in the response (binary protocol only). - - - name: request.keys - type: array - description: > - The list of keys sent in the store or load commands. - - - name: response.keys - type: array - description: > - The list of keys returned for the load command (if present). - - - name: request.count_values - type: long - description: > - The number of values found in the memcache request message. If the command does not send any data, this field is missing. - - - name: response.count_values - type: long - description: > - The number of values found in the memcache response message. If the command does not send any data, this field is missing. - - - name: request.values - type: array - description: > - The list of base64 encoded values sent with the request (if present). - - - name: response.values - type: array - description: > - The list of base64 encoded values sent with the response (if present). - - - name: request.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. - - - name: response.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. 
- - - name: request.delta - type: long - description: > - The counter increment/decrement delta value. - - - name: request.initial - type: long - description: > - The counter increment/decrement initial value parameter (binary protocol only). - - - name: request.verbosity - type: long - description: > - The value of the memcache "verbosity" command. - - - name: request.raw_args - type: keyword - description: > - The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. - - - name: request.source_class - type: long - description: > - The source class id in 'slab reassign' command. - - - name: request.dest_class - type: long - description: > - The destination class id in 'slab reassign' command. - - - name: request.automove - type: keyword - description: > - The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. - - - name: request.flags - type: long - description: > - The memcache command flags sent in the request (if present). - - - name: response.flags - type: long - description: > - The memcache message flags sent in the response (if present). - - - name: request.exptime - type: long - description: > - The data expiry time in seconds sent with the memcache command (if present). If the value is `< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). - - - name: request.sleep_us - type: long - description: > - The sleep setting in microseconds for the 'lru_crawler sleep' command. - - - name: response.value - type: long - description: > - The counter value returned by a counter operation. - - - name: request.noreply - type: boolean - description: > - Set to true if noreply was set in the request. The `memcache.response` field will be missing. 
- - - name: request.quiet - type: boolean - description: > - Set to true if the binary protocol message is to be treated as a quiet message. - - - name: request.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier if present. - - - name: response.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). - - - name: response.stats - type: array - description: > - The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". - - - name: response.version - type: keyword - description: > - The returned memcache version string. - diff --git a/packages/network_traffic/0.10.0/data_stream/memcached/manifest.yml b/packages/network_traffic/0.10.0/data_stream/memcached/manifest.yml deleted file mode 100755 index 9120331b9d..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/memcached/manifest.yml +++ /dev/null 
@@ -1,116 +0,0 @@ -title: Memcached -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [11211] - - name: parseunknown - type: bool - title: Parseunknown - description: |- - Uncomment the parseunknown option to force the memcache text protocol parser - to accept unknown commands. - Note: All unknown commands MUST not contain any data parts! - Default: false - show_user: false - multi: false - required: false - - name: maxvalues - type: integer - title: Maxvalues - description: |- - Update the maxvalue option to store the values - base64 encoded - in the - json output. - possible values: - maxvalue: -1 store all values (text based protocol multi-get) - maxvalue: 0 store no values at all - maxvalue: N store up to N values - Default: 0 - show_user: false - multi: false - required: false - - name: maxbytespervalue - type: integer - title: Maxbytespervalue - description: |- - Use maxbytespervalue to limit the number of bytes to be copied per value element. - Note: Values will be base64 encoded, so actual size in json document - will be 4 times maxbytespervalue. - Default: unlimited - show_user: false - multi: false - required: false - - name: udptransactiontimeout - type: integer - title: Udptransactiontimeout - description: |- - UDP transaction timeout in milliseconds. - Note: Quiet messages in UDP binary protocol will get response only in error case. - The memcached analyzer will wait for udptransactiontimeout milliseconds - before publishing quiet messages. Non quiet messages or quiet requests with - error response will not have to wait for the timeout. 
- Default: 200 - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Memcached - description: Capture Memcached Traffic - template_path: memcached.yml.hbs diff --git a/packages/network_traffic/0.10.0/data_stream/memcached/sample_event.json b/packages/network_traffic/0.10.0/data_stream/memcached/sample_event.json deleted file mode 100755 index 4b4dc284f8..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/memcached/sample_event.json +++ /dev/null 
@@ -1,112 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:09:26.564Z", - "agent": { - "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "ip": "192.168.188.37", - "port": 65195 - }, - "data_stream": { - "dataset": "network_traffic.memcached", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.memcached", - "ingested": "2022-03-09T08:09:37Z", - "kind": "event", - "start": "2022-03-09T08:09:26.564Z", - "type": [ - "connection", - "protocol" - ] - }, - "event.action": "memcache.store", - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "memcache": { - "protocol_type": "binary", - "request": { - "bytes": 1024, - "command": "set", - "count_values": 1, - "exptime": 0, - "flags": 0, - "keys": [ - "test_key" - ], - "opaque": 65536, - "opcode": "SetQ", - "opcode_value": 17, - "quiet": true, - "type": "Store", - "vbucket": 0 - } - }, - "network": { - "bytes": 1064, - "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=", - "direction": "unknown", - "protocol": "memcache", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.188.37", - "192.168.188.38" - ] - }, - "server": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 
- }, - "source": { - "ip": "192.168.188.37", - "port": 65195 - }, - "status": "OK", - "type": "memcache" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs b/packages/network_traffic/0.10.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs deleted file mode 100755 index fe92042bcc..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs +++ /dev/null @@ -1,43 +0,0 @@ -type: mongodb -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if max_docs}} -max_docs: {{max_docs}} -{{/if}} -{{#if max_doc_length}} -max_doc_length: {{max_doc_length}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index b5bf6df8f6..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing mongodb traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.0/data_stream/mongodb/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/mongodb/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/mongodb/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/mongodb/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/mongodb/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/mongodb/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.0/data_stream/mongodb/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/mongodb/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/mongodb/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.0/data_stream/mongodb/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/mongodb/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/mongodb/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.0/data_stream/mongodb/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/mongodb/fields/protocol.yml deleted file mode 100755 index a84465c61e..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/mongodb/fields/protocol.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -- name: mongodb - type: group - fields: - - name: error - type: keyword - description: > - If the MongoDB request has resulted in an error, this field contains the error message returned by the server. - - - name: fullCollectionName - type: keyword - description: > - The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. - - - name: numberToSkip - type: long - description: > - Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. - - - name: numberToReturn - type: long - description: > - The requested maximum number of documents to be returned. - - - name: numberReturned - type: long - description: > - The number of documents in the reply. - - - name: startingFrom - type: keyword - description: > - Where in the cursor this reply is starting. - - - name: query - type: keyword - description: > - A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. - - - name: returnFieldsSelector - type: keyword - description: > - A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. - - - name: selector - type: keyword - description: > - A BSON document that specifies the query for selecting the document to update or delete. - - - name: update - type: keyword - description: > - A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. 
-
- - name: cursorId
- type: keyword
- description: >
- The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.
-
diff --git a/packages/network_traffic/0.10.0/data_stream/mongodb/manifest.yml b/packages/network_traffic/0.10.0/data_stream/mongodb/manifest.yml
deleted file mode 100755
index 0ff11578a2..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/mongodb/manifest.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-title: MongoDB
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [27017]
- - name: max_docs
- type: integer
- title: Max Docs
- description: |-
- The maximum number of documents from the response to index in the `response`
- field. The default is 10.
- show_user: false
- multi: false
- required: false
- - name: max_doc_length
- type: integer
- title: Max Doc Length
- description: |-
- The maximum number of characters in a single document indexed in the
- `response` field. The default is 5000. You can set this to 0 to index an
- unlimited number of characters per document.
- show_user: false
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: MongoDB
- description: Capture MongoDB Traffic
- template_path: mongodb.yml.hbs
diff --git a/packages/network_traffic/0.10.0/data_stream/mongodb/sample_event.json b/packages/network_traffic/0.10.0/data_stream/mongodb/sample_event.json
deleted file mode 100755
index 4cfd576e4c..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/mongodb/sample_event.json
+++ /dev/null
@@ -1,106 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:15:48.570Z", - "agent": { - "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "data_stream": { - "dataset": "network_traffic.mongodb", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mongodb", - "duration": 1365900, - "end": "2022-03-09T08:15:48.571Z", - "ingested": "2022-03-09T08:15:49Z", - "kind": "event", - "start": "2022-03-09T08:15:48.570Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "find", - "mongodb": { - "cursorId": 0, - "fullCollectionName": "test.restaurants", - "numberReturned": 1, - "numberToReturn": 1, - "numberToSkip": 0, - "startingFrom": 0 - }, - "network": { - "bytes": 564, - "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=", - "direction": "ingress", - "protocol": "mongodb", - "transport": "tcp", - "type": "ipv4" - }, - "query": "test.restaurants.find().limit(1)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "test.restaurants", - "server": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "source": { - "bytes": 50, - 
"ip": "127.0.0.1",
- "port": 57203
- },
- "status": "OK",
- "type": "mongodb"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/data_stream/mysql/agent/stream/mysql.yml.hbs b/packages/network_traffic/0.10.0/data_stream/mysql/agent/stream/mysql.yml.hbs
deleted file mode 100755
index 85b82a47b3..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/mysql/agent/stream/mysql.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-type: mysql
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 633b576c87..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing mysql traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.0/data_stream/mysql/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/mysql/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/mysql/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/mysql/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/mysql/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/mysql/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.0/data_stream/mysql/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/mysql/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/mysql/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.0/data_stream/mysql/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/mysql/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/mysql/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.0/data_stream/mysql/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/mysql/fields/protocol.yml deleted file mode 100755 index 64675f8d8e..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/mysql/fields/protocol.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: mysql - type: group - fields: - - name: affected_rows - type: long - description: > - If the MySQL command is successful, this field contains the affected number of rows of the last statement. - - - name: insert_id - type: keyword - description: > - If the INSERT query is successful, this field contains the id of the newly inserted row. - - - name: num_fields - type: long - description: > - If the SELECT query is successful, this field is set to the number of fields returned. - - - name: num_rows - type: long - description: > - If the SELECT query is successful, this field is set to the number of rows returned. - - - name: query - type: keyword - description: > - The row mysql query as read from the transaction's request. - - - name: error_code - type: long - description: > - The error code returned by MySQL. - - - name: error_message - type: keyword - description: > - The error info message returned by MySQL. - diff --git a/packages/network_traffic/0.10.0/data_stream/mysql/manifest.yml b/packages/network_traffic/0.10.0/data_stream/mysql/manifest.yml deleted file mode 100755 index c4655854f0..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/mysql/manifest.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -title: MySQL -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [3306, 3307] - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: MySQL - description: Capture MySQL Traffic - template_path: mysql.yml.hbs 
diff --git a/packages/network_traffic/0.10.0/data_stream/mysql/sample_event.json b/packages/network_traffic/0.10.0/data_stream/mysql/sample_event.json deleted file mode 100755 index 2c33116053..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/mysql/sample_event.json +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:20:44.667Z", - "agent": { - "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "data_stream": { - "dataset": "network_traffic.mysql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mysql", - "duration": 5532500, - "end": "2022-03-09T08:20:44.673Z", - "ingested": "2022-03-09T08:20:45Z", - "kind": "event", - "start": "2022-03-09T08:20:44.667Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "mysql": { - "affected_rows": 0, - "insert_id": 0, - "num_fields": 3, - "num_rows": 15 - }, - "network": { - "bytes": 3652, - "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", - "direction": "ingress", - "protocol": "mysql", - "transport": "tcp", - "type": "ipv4" - }, - "path": "test.test", - "query": "select * from test", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "source": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "status": "OK", - "type": "mysql" -} \ No newline at end of 
file diff --git a/packages/network_traffic/0.10.0/data_stream/nfs/agent/stream/nfs.yml.hbs b/packages/network_traffic/0.10.0/data_stream/nfs/agent/stream/nfs.yml.hbs deleted file mode 100755 index c8349a7bcb..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/nfs/agent/stream/nfs.yml.hbs +++ /dev/null @@ -1,37 +0,0 @@ -type: nfs -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2dcc37d830..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -description: Pipeline for processing nfs traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/network_traffic/0.10.0/data_stream/nfs/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/nfs/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/nfs/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/nfs/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/nfs/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/nfs/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.0/data_stream/nfs/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/nfs/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/nfs/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.0/data_stream/nfs/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/nfs/fields/ecs.yml deleted file mode 100755 index 2b26a193f9..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/nfs/fields/ecs.yml +++ /dev/null 
@@ -1,144 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. 
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: group.id - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Unique identifier of the user. - name: user.id - type: keyword diff --git a/packages/network_traffic/0.10.0/data_stream/nfs/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/nfs/fields/protocol.yml deleted file mode 100755 index 4bcf6fecec..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/nfs/fields/protocol.yml +++ /dev/null 
@@ -1,48 +0,0 @@
-- name: nfs
- type: group
- fields:
- - name: version
- type: long
- description: NFS protocol version number.
- - name: minor_version
- type: long
- description: NFS protocol minor version number.
- - name: tag
- type: keyword
- description: NFS v4 COMPOUND operation tag.
- - name: opcode
- type: keyword
- description: >
- NFS operation name, or main operation name, in case of COMPOUND calls.
-
- - name: status
- type: keyword
- description: NFS operation reply status.
-- name: rpc
- type: group
- description: ONC RPC specific event fields.
- fields:
- - name: xid
- type: keyword
- description: RPC message transaction identifier.
- - name: status
- type: keyword
- description: RPC message reply status.
- - name: auth_flavor
- type: keyword
- description: RPC authentication flavor.
- - name: cred.uid
- type: long
- description: RPC caller's user id, in case of auth-unix.
- - name: cred.gid
- type: long
- description: RPC caller's group id, in case of auth-unix.
- - name: cred.gids
- type: long
- description: RPC caller's secondary group ids, in case of auth-unix.
- - name: cred.stamp
- type: long
- description: Arbitrary ID which the caller machine may generate.
- - name: cred.machinename
- type: keyword
- description: The name of the caller's machine.
diff --git a/packages/network_traffic/0.10.0/data_stream/nfs/manifest.yml b/packages/network_traffic/0.10.0/data_stream/nfs/manifest.yml
deleted file mode 100755
index 4e5323fa1e..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/nfs/manifest.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-title: NFS
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [2049]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: NFS
- description: Capture NFS Traffic
- template_path: nfs.yml.hbs
diff --git a/packages/network_traffic/0.10.0/data_stream/nfs/sample_event.json b/packages/network_traffic/0.10.0/data_stream/nfs/sample_event.json
deleted file mode 100755
index de4b4525e0..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/nfs/sample_event.json
+++ /dev/null
@@ -1,123 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:24:00.569Z", - "agent": { - "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "data_stream": { - "dataset": "network_traffic.nfs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "nfs.CLOSE", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.nfs", - "duration": 6573500, - "end": "2022-03-09T08:24:00.575Z", - "ingested": "2022-03-09T08:24:01Z", - "kind": "event", - "start": "2022-03-09T08:24:00.569Z", - "type": [ - "connection", - "protocol" - ] - }, - "group.id": 48, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "host.hostname": "desycloud03.desy.de", - "network": { - "bytes": 384, - "community_id": "1:cd5eLXemAsSPMdXwCbdDUWWud4M=", - "direction": "unknown", - "protocol": "nfsv4", - "transport": "tcp", - "type": "ipv4" - }, - "nfs": { - "minor_version": 1, - "opcode": "CLOSE", - "status": "NFS_OK", - "tag": "", - "version": 4 - }, - "related": { - "ip": [ - "131.169.5.156", - "131.169.192.35" - ] - }, - "rpc": { - "auth_flavor": "unix", - "cred": { - "gid": 48, - "gids": [ - 48 - ], - "machinename": "desycloud03.desy.de", - 
"stamp": 4308441,
- "uid": 48
- },
- "status": "success",
- "xid": "c3103fc1"
- },
- "server": {
- "bytes": 176,
- "ip": "131.169.192.35",
- "port": 2049
- },
- "source": {
- "bytes": 208,
- "domain": "desycloud03.desy.de",
- "ip": "131.169.5.156",
- "port": 907
- },
- "status": "OK",
- "type": "nfs",
- "user.id": 48
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs b/packages/network_traffic/0.10.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs
deleted file mode 100755
index 8680c36b1a..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-type: pgsql
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index aa5fa721a5..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing pgsql traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.0/data_stream/pgsql/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/pgsql/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/pgsql/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/pgsql/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/pgsql/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/pgsql/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.0/data_stream/pgsql/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/pgsql/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/pgsql/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/0.10.0/data_stream/pgsql/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/pgsql/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/pgsql/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/0.10.0/data_stream/pgsql/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/pgsql/fields/protocol.yml
deleted file mode 100755
index 4fd03e12cb..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/pgsql/fields/protocol.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: pgsql
- type: group
- fields:
- - name: error_code
- description: The PostgreSQL error code.
- type: keyword
- - name: error_message
- type: keyword
- description: The PostgreSQL error message.
- - name: error_severity
- type: keyword
- description: The PostgreSQL error severity.
- possible_values:
- - ERROR
- - FATAL
- - PANIC
- - name: num_fields
- type: long
- description: >
- If the SELECT query if successful, this field is set to the number of fields returned.
-
- - name: num_rows
- type: long
- description: >
- If the SELECT query if successful, this field is set to the number of rows returned.
-
diff --git a/packages/network_traffic/0.10.0/data_stream/pgsql/manifest.yml b/packages/network_traffic/0.10.0/data_stream/pgsql/manifest.yml
deleted file mode 100755
index eb205cd837..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/pgsql/manifest.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-title: PostgreSQL
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [5432]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: PostgreSQL
- description: Capture PostgreSQL Traffic
- template_path: pgsql.yml.hbs
diff --git a/packages/network_traffic/0.10.0/data_stream/pgsql/sample_event.json b/packages/network_traffic/0.10.0/data_stream/pgsql/sample_event.json
deleted file mode 100755
index 462f734f42..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/pgsql/sample_event.json
+++ /dev/null
@@ -1,101 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:29:39.675Z", - "agent": { - "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "data_stream": { - "dataset": "network_traffic.pgsql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.pgsql", - "duration": 2568100, - "end": "2022-03-09T08:29:39.678Z", - "ingested": "2022-03-09T08:29:40Z", - "kind": "event", - "start": "2022-03-09T08:29:39.675Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "network": { - "bytes": 3220, - "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=", - "direction": "ingress", - "protocol": "pgsql", - "transport": "tcp", - "type": "ipv4" - }, - "pgsql": { - "num_fields": 3, - "num_rows": 15 - }, - "query": "select * from long_response", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "source": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "status": "OK", - "type": "pgsql" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/data_stream/redis/agent/stream/redis.yml.hbs b/packages/network_traffic/0.10.0/data_stream/redis/agent/stream/redis.yml.hbs
deleted file mode 100755
index f357ca3a6d..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/redis/agent/stream/redis.yml.hbs
+++ /dev/null
@@ -1,43 +0,0 @@
-type: redis
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if queue_max_bytes}}
-queue_max_bytes: {{queue_max_bytes}}
-{{/if}}
-{{#if queue_max_messages}}
-queue_max_messages: {{queue_max_messages}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index d84f8b24b8..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing redis traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.0/data_stream/redis/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/redis/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/redis/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/redis/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/redis/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/redis/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.0/data_stream/redis/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/redis/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/redis/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.0/data_stream/redis/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/redis/fields/ecs.yml deleted file mode 100755 index 7638afce57..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/redis/fields/ecs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.0/data_stream/redis/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/redis/fields/protocol.yml deleted file mode 100755 index 4982b2c2d3..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/redis/fields/protocol.yml +++ /dev/null 
@@ -1,13 +0,0 @@
-- name: redis
- type: group
- fields:
- - name: return_value
- type: keyword
- description: >
- The return value of the Redis command in a human readable format.
-
- - name: error
- type: keyword
- description: >
- If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.
-
diff --git a/packages/network_traffic/0.10.0/data_stream/redis/manifest.yml b/packages/network_traffic/0.10.0/data_stream/redis/manifest.yml
deleted file mode 100755
index 9fe0ce4e18..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/redis/manifest.yml
+++ /dev/null
@@ -1,86 +0,0 @@ -title: Redis -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [6379] - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: queue_max_bytes - type: integer - title: Queue Max Bytes - description: |- - Max size for per-session message queue. This places a limit on the memory - that can be used to buffer requests and responses for correlation. - show_user: false - multi: false - required: false - - name: queue_max_messages - type: integer - title: Queue Max Messages - description: |- - Max number of messages for per-session message queue. This limits the number - of requests or responses that can be buffered for correlation. Set a value - large enough to allow for pipelining. 
- show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Redis - description: Capture Redis Traffic - template_path: redis.yml.hbs diff --git a/packages/network_traffic/0.10.0/data_stream/redis/sample_event.json b/packages/network_traffic/0.10.0/data_stream/redis/sample_event.json deleted file mode 100755 index 7ce644c935..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/redis/sample_event.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:30:57.254Z", - "agent": { - "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "data_stream": { - "dataset": "network_traffic.redis", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "redis.set", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.redis", - "duration": 1421600, - "end": "2022-03-09T08:30:57.256Z", - "ingested": "2022-03-09T08:30:58Z", - "kind": "event", - "start": "2022-03-09T08:30:57.254Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SET", - "network": { - "bytes": 36, - "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=", - "direction": "ingress", - "protocol": "redis", - "transport": "tcp", - "type": "ipv4" - }, - "query": "set key3 me", - "redis": { - "return_value": "OK" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "key3", - "server": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "source": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "status": "OK", - "type": "redis" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/data_stream/sip/agent/stream/sip.yml.hbs b/packages/network_traffic/0.10.0/data_stream/sip/agent/stream/sip.yml.hbs
deleted file mode 100755
index 935ea011ee..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/sip/agent/stream/sip.yml.hbs
+++ /dev/null
@@ -1,34 +0,0 @@
-type: sip
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if parse_authorization}}
-parse_authorization: {{parse_authorization}}
-{{/if}}
-{{#if parse_body}}
-parse_body: {{parse_body}}
-{{/if}}
-{{#if keep_original}}
-keep_original: {{keep_original}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index c0b0ad76be..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing sip traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.0/data_stream/sip/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/sip/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/sip/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/sip/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/sip/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/sip/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.0/data_stream/sip/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/sip/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/sip/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.0/data_stream/sip/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/sip/fields/ecs.yml deleted file mode 100755 index c2a147238b..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/sip/fields/ecs.yml +++ /dev/null 
@@ -1,174 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- name: event.type - type: keyword -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. 
- name: network.forwarded_ip - type: ip -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/network_traffic/0.10.0/data_stream/sip/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/sip/fields/protocol.yml deleted file mode 100755 index 5b25d9df6d..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/sip/fields/protocol.yml +++ /dev/null 
@@ -1,231 +0,0 @@ -- name: sip - type: group - description: Information about SIP traffic. - fields: - - name: code - type: long - description: Response status code. - - name: method - type: keyword - description: Request method. - - name: status - type: keyword - description: Response status phrase. - - name: type - type: keyword - description: Either request or response. - - name: version - type: keyword - description: SIP protocol version. - - name: uri.original - type: keyword - description: The original URI. - multi_fields: - - name: text - type: text - norms: false - - name: uri.scheme - type: keyword - description: The URI scheme. - - name: uri.username - type: keyword - description: The URI user name. - - name: uri.host - type: keyword - description: The URI host. - - name: uri.port - type: long - description: The URI port. - - name: accept - type: keyword - description: Accept header value. - - name: allow - type: keyword - description: Allowed methods. - - name: call_id - type: keyword - description: Call ID. - - name: content_length - type: long - - name: content_type - type: keyword - - name: max_forwards - type: long - - name: supported - type: keyword - description: Supported methods. - - name: user_agent.original - type: keyword - multi_fields: - - name: text - type: text - norms: false - - name: private.uri.original - type: keyword - description: Private original URI. - multi_fields: - - name: text - type: text - norms: false - - name: private.uri.scheme - type: keyword - description: Private URI scheme. - - name: private.uri.username - type: keyword - description: Private URI user name. - - name: private.uri.host - type: keyword - description: Private URI host. - - name: private.uri.port - type: long - description: Private URI port. - - name: cseq.code - type: long - description: Sequence code. - - name: cseq.method - type: keyword - description: Sequence method. - - name: via.original - type: keyword - description: The original Via value. 
- multi_fields: - - name: text - type: text - norms: false - - name: to.display_info - type: keyword - description: "To display info" - - name: to.uri.original - type: keyword - description: "To original URI" - multi_fields: - - name: text - type: text - norms: false - - name: to.uri.scheme - type: keyword - description: "To URI scheme" - - name: to.uri.username - type: keyword - description: "To URI user name" - - name: to.uri.host - type: keyword - description: "To URI host" - - name: to.uri.port - type: long - description: "To URI port" - - name: to.tag - type: keyword - description: "To tag" - - name: from.display_info - type: keyword - description: "From display info" - - name: from.uri.original - type: keyword - description: "From original URI" - multi_fields: - - name: text - type: text - norms: false - - name: from.uri.scheme - type: keyword - description: "From URI scheme" - - name: from.uri.username - type: keyword - description: "From URI user name" - - name: from.uri.host - type: keyword - description: "From URI host" - - name: from.uri.port - type: long - description: "From URI port" - - name: from.tag - type: keyword - description: "From tag" - - name: contact.display_info - type: keyword - description: "Contact display info" - - name: contact.uri.original - type: keyword - description: "Contact original URI" - multi_fields: - - name: text - type: text - norms: false - - name: contact.uri.scheme - type: keyword - description: "Contat URI scheme" - - name: contact.uri.username - type: keyword - description: "Contact URI user name" - - name: contact.uri.host - type: keyword - description: "Contact URI host" - - name: contact.uri.port - type: long - description: "Contact URI port" - - name: contact.transport - type: keyword - description: "Contact transport" - - name: contact.line - type: keyword - description: "Contact line" - - name: contact.expires - type: keyword - description: "Contact expires" - - name: contact.q - type: keyword - description: 
"Contact Q" - - name: auth.scheme - type: keyword - description: "Auth scheme" - - name: auth.realm - type: keyword - description: "Auth realm" - - name: auth.uri.original - type: keyword - description: "Auth original URI" - multi_fields: - - name: text - type: text - norms: false - - name: auth.uri.scheme - type: keyword - description: "Auth URI scheme" - - name: auth.uri.host - type: keyword - description: "Auth URI host" - - name: auth.uri.port - type: long - description: "Auth URI port" - - name: sdp.version - type: keyword - description: "SDP version" - - name: sdp.owner.username - type: keyword - description: "SDP owner user name" - - name: sdp.owner.session_id - type: keyword - description: "SDP owner session ID" - - name: sdp.owner.version - type: keyword - description: "SDP owner version" - - name: sdp.owner.ip - type: ip - description: "SDP owner IP" - - name: sdp.session.name - type: keyword - description: "SDP session name" - - name: sdp.connection.info - type: keyword - description: "SDP connection info" - - name: sdp.connection.address - type: keyword - description: "SDP connection address" - - name: sdp.body.original - type: keyword - description: "SDP original body" - multi_fields: - - name: text - type: text - norms: false diff --git a/packages/network_traffic/0.10.0/data_stream/sip/manifest.yml b/packages/network_traffic/0.10.0/data_stream/sip/manifest.yml deleted file mode 100755 index 79dd27ea52..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/sip/manifest.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -title: SIP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5060] - - name: parse_authorization - type: bool - title: Parse Authorization - description: Parse the authorization headers - show_user: false - multi: false - required: false - - name: parse_body - type: bool - title: Parse Body - description: Parse body contents (only when body is SDP) - show_user: false - multi: false - required: false - - name: keep_original - type: bool - title: Keep Original - description: Preserve original contents in event.original - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: SIP - description: Capture SIP Traffic - template_path: sip.yml.hbs diff --git a/packages/network_traffic/0.10.0/data_stream/sip/sample_event.json b/packages/network_traffic/0.10.0/data_stream/sip/sample_event.json deleted file mode 100755 index 0915adca44..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/sip/sample_event.json +++ /dev/null 
@@ -1,175 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:32:14.536Z", - "agent": { - "ephemeral_id": "ee3aeba6-2bd9-4a89-840a-32af72217a7a", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "ip": "10.0.2.20", - "port": 5060 - }, - "data_stream": { - "dataset": "network_traffic.sip", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.2.15", - "port": 5060 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "sip-invite", - "agent_id_status": "verified", - "category": [ - "network", - "protocol" - ], - "dataset": "network_traffic.sip", - "duration": 0, - "end": "2022-03-09T08:32:14.536Z", - "ingested": "2022-03-09T08:32:15Z", - "kind": "event", - "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", - "sequence": 1, - "start": "2022-03-09T08:32:14.536Z", - "type": [ - "info" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "application": "sip", - "community_id": 
"1:xDRQZvk3ErEhBDslXv1c6EKI804=", - "direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - }, - "version": "2.0", - "via": { - "original": [ - "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" - ] - } - }, - "source": { - "ip": "10.0.2.20", - "port": 5060 - }, - "status": "OK", - "type": "sip" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/data_stream/thrift/agent/stream/thrift.yml.hbs b/packages/network_traffic/0.10.0/data_stream/thrift/agent/stream/thrift.yml.hbs deleted file mode 100755 index d6d9604253..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/thrift/agent/stream/thrift.yml.hbs +++ /dev/null @@ -1,64 +0,0 @@ -type: thrift -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if transport_type}} -transport_type: {{transport_type}} -{{/if}} -{{#if protocol_type}} -protocol_type: {{protocol_type}} -{{/if}} -{{#if idl_files}} -idl_files: -{{#each idl_files as |idl_file|}} - - {{idl_file}} -{{/each}} -{{/if}} -{{#if string_max_size}} -string_max_size: {{string_max_size}} -{{/if}} -{{#if collection_max_size}} -collection_max_size: {{collection_max_size}} -{{/if}} -{{#if capture_reply}} -capture_reply: {{capture_reply}} -{{/if}} -{{#if obfuscate_strings}} -obfuscate_strings: {{obfuscate_strings}} -{{/if}} -{{#if drop_after_n_struct_fields}} -drop_after_n_struct_fields: {{drop_after_n_struct_fields}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 608bb7e6a5..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing thrift traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.0/data_stream/thrift/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/thrift/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/thrift/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/thrift/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/thrift/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/thrift/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.0/data_stream/thrift/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/thrift/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/thrift/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.0/data_stream/thrift/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/thrift/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/thrift/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.0/data_stream/thrift/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/thrift/fields/protocol.yml deleted file mode 100755 index dd097f61ee..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/thrift/fields/protocol.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: thrift - type: group - fields: - - name: params - type: keyword - description: > - The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. - - - name: service - type: keyword - description: > - The name of the Thrift-RPC service as defined in the IDL files. - - - name: return_value - type: keyword - description: > - The value returned by the Thrift-RPC call. This is encoded in a human readable format. - - - name: exceptions - type: keyword - description: > - If the call resulted in exceptions, this field contains the exceptions in a human readable format. - diff --git a/packages/network_traffic/0.10.0/data_stream/thrift/manifest.yml b/packages/network_traffic/0.10.0/data_stream/thrift/manifest.yml deleted file mode 100755 index 29eabbeb19..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/thrift/manifest.yml +++ /dev/null 
@@ -1,141 +0,0 @@ -title: Thrift -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [9090] - - name: transport_type - type: text - title: Transport Type - description: |- - The Thrift transport type. Currently this option accepts the values socket - for TSocket, which is the default Thrift transport, and framed for the - TFramed Thrift transport. The default is socket. - show_user: false - multi: false - required: false - - name: protocol_type - type: text - title: Protocol Type - description: |- - The Thrift protocol type. Currently the only accepted value is binary for - the TBinary protocol, which is the default Thrift protocol. - show_user: false - multi: false - required: false - - name: idl_files - type: text - title: Idl Files - description: |- - The Thrift interface description language (IDL) files for the service that - Packetbeat is monitoring. Providing the IDL enables Packetbeat to include - parameter and exception names. - show_user: false - multi: true - required: false - - name: string_max_size - type: integer - title: String Max Size - description: |- - The maximum length for strings in parameters or return values. If a string - is longer than this value, the string is automatically truncated to this - length. - show_user: false - multi: false - required: false - - name: collection_max_size - type: integer - title: Collection Max Size - description: The maximum number of elements in a Thrift list, set, map, or structure. - show_user: false - multi: false - required: false - - name: capture_reply - type: bool - title: Capture Reply - description: |- - If this option is set to false, Packetbeat decodes the method name from the - reply and simply skips the rest of the response message. 
- show_user: false - multi: false - required: false - - name: obfuscate_strings - type: bool - title: Obfuscate Strings - description: |- - If this option is set to true, Packetbeat replaces all strings found in - method parameters, return codes, or exception structures with the "*" - string. - show_user: false - multi: false - required: false - - name: drop_after_n_struct_fields - type: integer - title: Drop After N Struct Fields - description: |- - The maximum number of fields that a structure can have before Packetbeat - ignores the whole transaction. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Thrift - description: Capture Thrift Traffic - template_path: thrift.yml.hbs diff --git a/packages/network_traffic/0.10.0/data_stream/thrift/sample_event.json b/packages/network_traffic/0.10.0/data_stream/thrift/sample_event.json deleted file mode 100755 index 4c1640a50d..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/thrift/sample_event.json +++ /dev/null 
@@ -1,102 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:33:31.022Z",
- "agent": {
- "ephemeral_id": "de52c04f-60dd-4ed1-a501-b297caa5c67c",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "data_stream": {
- "dataset": "network_traffic.thrift",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 9090
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.thrift",
- "duration": 1394000,
- "end": "2022-03-09T08:33:31.023Z",
- "ingested": "2022-03-09T08:33:32Z",
- "kind": "event",
- "start": "2022-03-09T08:33:31.022Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "testByte",
- "network": {
- "bytes": 50,
- "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=",
- "direction": "ingress",
- "protocol": "thrift",
- "transport": "tcp",
- "type": "ipv4"
- },
- "path": "",
- "query": "testByte(1: 63)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 9090
- },
- "source": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "status": "OK",
- "thrift": {
- "params": "(1: 63)",
- "return_value": "63"
- },
- "type": "thrift"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/data_stream/tls/agent/stream/tls.yml.hbs b/packages/network_traffic/0.10.0/data_stream/tls/agent/stream/tls.yml.hbs
deleted file mode 100755
index 877a553bfd..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/tls/agent/stream/tls.yml.hbs
+++ /dev/null
@@ -1,40 +0,0 @@
-type: tls
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if fingerprints}}
-fingerprints:
-{{#each fingerprints as |fingerprint|}}
- - {{fingerprint}}
-{{/each}}
-{{/if}}
-{{#if send_certificates}}
-send_certificates: {{send_certificates}}
-{{/if}}
-{{#if include_raw_certificates}}
-include_raw_certificates: {{include_raw_certificates}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 788c1210ef..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,55 +0,0 @@
----
-description: Pipeline for processing tls traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-
-##
-# Make tls.{client,server}.x509.version_number a string as per ECS.
-##
-- convert:
- field: tls.client.x509.version_number
- type: string
- ignore_missing: true
-- convert:
- field: tls.server.x509.version_number
- type: string
- ignore_missing: true
-
-##
-# This handles legacy TLS fields from Packetbeat 7.17.
-##
-- remove:
- description: Remove legacy fields from Packetbeat 7.17 that are duplicated.
- field:
- - tls.client.x509.issuer.province # Duplicated as tls.client.x509.issuer.state_or_province.
- - tls.client.x509.subject.province # Duplicated as tls.client.x509.subject.state_or_province.
- - tls.client.x509.version # Duplicated as tls.client.x509.version_number.
- - tls.detailed.client_certificate # Duplicated as tls.client.x509.
- - tls.detailed.server_certificate # Duplicated as tls.server.x509.
- - tls.server.x509.issuer.province # Duplicated as tls.server.x509.issuer.state_or_province.
- - tls.server.x509.subject.province # Duplicated as tls.server.x509.subject.state_or_province.
- - tls.server.x509.version # Duplicated as tls.server.x509.version_number.
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.0/data_stream/tls/fields/agent.yml b/packages/network_traffic/0.10.0/data_stream/tls/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/tls/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.0/data_stream/tls/fields/base.yml b/packages/network_traffic/0.10.0/data_stream/tls/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/tls/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.0/data_stream/tls/fields/beats.yml b/packages/network_traffic/0.10.0/data_stream/tls/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/tls/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.0/data_stream/tls/fields/ecs.yml b/packages/network_traffic/0.10.0/data_stream/tls/fields/ecs.yml deleted file mode 100755 index 49c713858d..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/tls/fields/ecs.yml +++ /dev/null 
@@ -1,368 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. - name: tls.client.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - name: tls.client.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. 
- name: tls.client.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.sha256 - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: Date/Time indicating when client certificate is no longer considered valid. - name: tls.client.not_after - type: date -- description: Date/Time indicating when client certificate is first considered valid. - name: tls.client.not_before - type: date -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: Distinguished name of subject of the x.509 certificate presented by the client. - name: tls.client.subject - type: keyword -- description: Array of ciphers offered by the client during the client hello. - name: tls.client.supported_ciphers - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.client.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.client.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.client.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. 
- name: tls.client.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.client.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.client.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.client.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.client.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.client.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.client.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.client.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.client.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.client.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.client.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. 
- name: tls.client.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.client.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.client.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.client.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.client.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.client.x509.version_number - type: keyword -- description: String indicating the curve used for the given cipher, when applicable. - name: tls.curve - type: keyword -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean -- description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. - name: tls.next_protocol - type: keyword -- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - name: tls.resumed - type: boolean -- description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. - name: tls.server.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - name: tls.server.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha256 - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword -- description: Timestamp indicating when server certificate is no longer considered valid. - name: tls.server.not_after - type: date -- description: Timestamp indicating when server certificate is first considered valid. - name: tls.server.not_before - type: date -- description: Subject of the x.509 certificate presented by the server. - name: tls.server.subject - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.server.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. 
- name: tls.server.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.server.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.server.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.server.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.server.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.server.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.server.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.server.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.server.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.server.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.server.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.server.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.server.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.server.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.server.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.server.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.server.x509.version_number - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword diff --git a/packages/network_traffic/0.10.0/data_stream/tls/fields/protocol.yml b/packages/network_traffic/0.10.0/data_stream/tls/fields/protocol.yml deleted file mode 100755 index d8264468d4..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/tls/fields/protocol.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -- name: tls - type: group - fields: - - name: detailed - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol used. - - example: "TLS 1.3" - - name: resumption_method - type: keyword - description: > - If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. - - - name: client_certificate_requested - type: boolean - description: > - Whether the server has requested the client to authenticate itself using a client certificate. - - - name: ocsp_response - type: keyword - description: > - The result of an OCSP request. - - - name: client_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol by which the client wishes to communicate during this session. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: supported_compression_methods - type: keyword - description: > - The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml - - - name: extensions - type: group - description: The hello extensions provided by the client. - fields: - - name: server_name_indication - type: keyword - description: List of hostnames - - name: application_layer_protocol_negotiation - type: keyword - description: > - List of application-layer protocols the client is willing to use. - - - name: session_ticket - type: keyword - description: > - Length of the session ticket, if provided, or an empty string to advertise support for tickets. - - - name: supported_versions - type: keyword - description: > - List of TLS versions that the client is willing to use. 
- - - name: supported_groups - type: keyword - description: > - List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. - - - name: signature_algorithms - type: keyword - description: > - List of signature algorithms that may be use in digital signatures. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: type - type: keyword - description: The type of the status request. Always "ocsp" if present. - - name: responder_id_list_length - type: short - description: The length of the list of trusted responders. - - name: request_extensions - type: short - description: The number of certificate extensions for the request. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: selected_compression_method - type: keyword - description: > - The compression method selected by the server from the list provided in the client hello. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: extensions - type: group - description: The hello extensions provided by the server. 
- fields: - - name: application_layer_protocol_negotiation - type: keyword - description: Negotiated application layer protocol - - name: session_ticket - type: keyword - description: > - Used to announce that a session ticket will be provided by the server. Always an empty string. - - - name: supported_versions - type: keyword - description: > - Negotiated TLS version to be used. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: response - type: boolean - description: Whether a certificate status request response was made. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_certificate_chain - type: array - description: Chain of trust for the server certificate. - - name: client_certificate_chain - type: array - description: Chain of trust for the client certificate. - - name: alert_types - type: keyword - description: > - An array containing the TLS alert type for every alert received. - diff --git a/packages/network_traffic/0.10.0/data_stream/tls/manifest.yml b/packages/network_traffic/0.10.0/data_stream/tls/manifest.yml deleted file mode 100755 index d2b8f403da..0000000000 --- a/packages/network_traffic/0.10.0/data_stream/tls/manifest.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -title: TLS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [443, 993, 995, 5223, 8443, 8883, 9243] - - name: fingerprints - type: text - title: Fingerprints - description: |- - List of hash algorithms to use to calculate certificates' fingerprints. - Valid values are `sha1`, `sha256` and `md5`. - show_user: false - multi: true - required: false - - name: send_certificates - type: bool - title: Send Certificates - description: |- - If this option is enabled, the client and server certificates and - certificate chains are sent to Elasticsearch. The default is true. - show_user: false - multi: false - required: false - - name: include_raw_certificates - type: bool - title: Include Raw Certificates - description: |- - If this option is enabled, the raw certificates will be stored - in PEM format under the `raw` key. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: TLS - description: Capture TLS Traffic - template_path: tls.yml.hbs 
diff --git a/packages/network_traffic/0.10.0/data_stream/tls/sample_event.json b/packages/network_traffic/0.10.0/data_stream/tls/sample_event.json
deleted file mode 100755
index f325b87dbb..0000000000
--- a/packages/network_traffic/0.10.0/data_stream/tls/sample_event.json
+++ /dev/null
@@ -1,196 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:34:08.391Z",
- "agent": {
- "ephemeral_id": "5f0bae3e-11e9-4578-9a69-fa5e61bd6b09",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "ip": "192.168.1.36",
- "port": 60946
- },
- "data_stream": {
- "dataset": "network_traffic.tls",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "domain": "play.google.com",
- "ip": "216.58.201.174",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.tls",
- "duration": 14861200,
- "end": "2022-03-09T08:34:08.406Z",
- "ingested": "2022-03-09T08:34:09Z",
- "kind": "event",
- "start": "2022-03-09T08:34:08.391Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "network": {
- "community_id": "1:hfsK5r0tJm7av4j7BtSxA6oH9xA=",
- "direction": "unknown",
- "protocol": "tls",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.1.36",
- "216.58.201.174"
- ]
- },
- "server": {
- "domain": "play.google.com",
- "ip": "216.58.201.174",
- "port": 443
- },
- "source": {
- "ip": "192.168.1.36",
- "port": 60946
- },
- "status": "OK",
- "tls": {
- "cipher": "TLS_AES_128_GCM_SHA256",
- "client": {
- "ja3": "d470a3fa301d80227bc5650c75567d25",
- "server_name": "play.google.com",
- "supported_ciphers": [
- "TLS_AES_128_GCM_SHA256",
- "TLS_CHACHA20_POLY1305_SHA256",
- "TLS_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_RSA_WITH_AES_128_CBC_SHA",
- "TLS_RSA_WITH_AES_256_CBC_SHA",
- "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
- ]
- },
- "detailed": {
- "client_certificate_requested": false,
- "client_hello": {
- "extensions": {
- "_unparsed_": [
- "23",
- "renegotiation_info",
- "status_request",
- "51",
- "45",
- "28",
- "41"
- ],
- "application_layer_protocol_negotiation": [
- "h2",
- "http/1.1"
- ],
- "ec_points_formats": [
- "uncompressed"
- ],
- "server_name_indication": [
- "play.google.com"
- ],
- "signature_algorithms": [
- "ecdsa_secp256r1_sha256",
- "ecdsa_secp384r1_sha384",
- "ecdsa_secp521r1_sha512",
- "rsa_pss_sha256",
- "rsa_pss_sha384",
- "rsa_pss_sha512",
- "rsa_pkcs1_sha256",
- "rsa_pkcs1_sha384",
- "rsa_pkcs1_sha512",
- "ecdsa_sha1",
- "rsa_pkcs1_sha1"
- ],
- "supported_groups": [
- "x25519",
- "secp256r1",
- "secp384r1",
- "secp521r1",
- "ffdhe2048",
- "ffdhe3072"
- ],
- "supported_versions": [
- "TLS 1.3",
- "TLS 1.2",
- "TLS 1.1",
- "TLS 1.0"
- ]
- },
- "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6",
- "supported_compression_methods": [
- "NULL"
- ],
- "version": "3.3"
- },
- "resumption_method": "id",
- "server_hello": {
- "extensions": {
- "_unparsed_": [
- "41",
- "51"
- ],
- "supported_versions": "TLS 1.3"
- },
- "selected_compression_method": "NULL",
- "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6",
- "version": "3.3"
- },
- "version": "TLS 1.3"
- },
- "established": true,
- "resumed": true,
- "version": "1.3",
- "version_protocol": "tls"
- },
- "type": "tls"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/docs/README.md b/packages/network_traffic/0.10.0/docs/README.md
deleted file mode 100755
index 947d820e0c..0000000000
--- a/packages/network_traffic/0.10.0/docs/README.md
+++ /dev/null
@@ -1,3961 +0,0 @@ -# Network Packet Capture Integration - -This integration sniffs network packets on a host and dissects -known protocols. - -## Network Flows - -Overall flow information about the network connections on a -host. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -## Protocols - -### AMQP - -Fields published for AMQP packets. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| amqp.app-id | Creating application id. | keyword | -| amqp.arguments | Optional additional arguments passed to some methods. Can be of various types. | object | -| amqp.auto-delete | If set, auto-delete queue when unused. | boolean | -| amqp.class-id | Failing method class. | long | -| amqp.consumer-count | The number of consumers of a queue. | long | -| amqp.consumer-tag | Identifier for the consumer, valid within the current channel. | keyword | -| amqp.content-encoding | MIME content encoding. | keyword | -| amqp.content-type | MIME content type. | keyword | -| amqp.correlation-id | Application correlation identifier. | keyword | -| amqp.delivery-mode | Non-persistent (1) or persistent (2). | keyword | -| amqp.delivery-tag | The server-assigned and channel-specific delivery tag. | long | -| amqp.durable | If set, request a durable exchange/queue. | boolean | -| amqp.exchange | Name of the exchange. | keyword | -| amqp.exchange-type | Exchange type. | keyword | -| amqp.exclusive | If set, request an exclusive queue. | boolean | -| amqp.expiration | Message expiration specification. | keyword | -| amqp.headers | Message header field table. | object | -| amqp.if-empty | Delete only if empty. | boolean | -| amqp.if-unused | Delete only if unused. | boolean | -| amqp.immediate | Request immediate delivery. | boolean | -| amqp.mandatory | Indicates mandatory routing. | boolean | -| amqp.message-count | The number of messages in the queue, which will be zero for newly-declared queues. | long | -| amqp.message-id | Application message identifier. | keyword | -| amqp.method-id | Failing method ID. | long | -| amqp.multiple | Acknowledge multiple messages. | boolean | -| amqp.no-ack | If set, the server does not expect acknowledgements for messages. 
| boolean | -| amqp.no-local | If set, the server will not send messages to the connection that published them. | boolean | -| amqp.no-wait | If set, the server will not respond to the method. | boolean | -| amqp.passive | If set, do not create exchange/queue. | boolean | -| amqp.priority | Message priority, 0 to 9. | long | -| amqp.queue | The queue name identifies the queue within the vhost. | keyword | -| amqp.redelivered | Indicates that the message has been previously delivered to this or another client. | boolean | -| amqp.reply-code | AMQP reply code to an error, similar to http reply-code | long | -| amqp.reply-text | Text explaining the error. | keyword | -| amqp.reply-to | Address to reply to. | keyword | -| amqp.routing-key | Message routing key. | keyword | -| amqp.timestamp | Message timestamp. | keyword | -| amqp.type | Message type name. | keyword | -| amqp.user-id | Creating user id. | keyword | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. 
This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. 
If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. 
| keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `amqp` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:37:02.033Z", - "agent": { - "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "amqp": { - "auto-delete": false, - "consumer-count": 0, - "durable": false, - "exclusive": false, - "message-count": 0, - "no-wait": false, - "passive": false, - "queue": "hello" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "data_stream": { - "dataset": "network_traffic.amqp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "amqp.queue.declare", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.amqp", - "duration": 1325900, - "end": "2022-03-09T07:37:02.035Z", - "ingested": "2022-03-09T07:37:03Z", - "kind": "event", - "start": "2022-03-09T07:37:02.033Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": 
"docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "status": "OK", - "type": "amqp" -} -``` - -### Cassandra - -Fields published for Apache Cassandra packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cassandra.no_request | Indicates that there is no request because this is a PUSH message. | boolean | -| cassandra.request.headers.flags | Flags applying to this frame. | keyword | -| cassandra.request.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long | -| cassandra.request.headers.op | An operation type that distinguishes the actual message. | keyword | -| cassandra.request.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword | -| cassandra.request.headers.version | The version of the protocol. | keyword | -| cassandra.request.query | The CQL query which client send to cassandra. | keyword | -| cassandra.response.authentication.class | Indicates the full class name of the IAuthenticator in use | keyword | -| cassandra.response.error.code | The error code of the Cassandra response. 
| long | -| cassandra.response.error.details.alive | Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). | long | -| cassandra.response.error.details.arg_types | One string for each argument type (as CQL type) of the failed function. | keyword | -| cassandra.response.error.details.blockfor | Representing the number of replicas whose acknowledgement is required to achieve consistency level. | long | -| cassandra.response.error.details.data_present | It means the replica that was asked for data had responded. | boolean | -| cassandra.response.error.details.function | The name of the failed function. | keyword | -| cassandra.response.error.details.keyspace | The keyspace of the failed function. | keyword | -| cassandra.response.error.details.num_failures | Representing the number of nodes that experience a failure while executing the request. | keyword | -| cassandra.response.error.details.read_consistency | Representing the consistency level of the query that triggered the exception. | keyword | -| cassandra.response.error.details.received | Representing the number of nodes having acknowledged the request. | long | -| cassandra.response.error.details.required | Representing the number of nodes that should be alive to respect consistency level. | long | -| cassandra.response.error.details.stmt_id | Representing the unknown ID. | keyword | -| cassandra.response.error.details.table | The keyspace of the failed function. | keyword | -| cassandra.response.error.details.write_type | Describe the type of the write that timed out. | keyword | -| cassandra.response.error.msg | The error message of the Cassandra response. | keyword | -| cassandra.response.error.type | The error type of the Cassandra response. | keyword | -| cassandra.response.event.change | The message corresponding respectively to the type of change followed by the address of the new/removed node. 
| keyword | -| cassandra.response.event.host | Representing the node ip. | keyword | -| cassandra.response.event.port | Representing the node port. | long | -| cassandra.response.event.schema_change.args | One string for each argument type (as CQL type). | keyword | -| cassandra.response.event.schema_change.change | Representing the type of changed involved. | keyword | -| cassandra.response.event.schema_change.keyspace | This describes which keyspace has changed. | keyword | -| cassandra.response.event.schema_change.name | The function/aggregate name. | keyword | -| cassandra.response.event.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword | -| cassandra.response.event.schema_change.table | This describes which table has changed. | keyword | -| cassandra.response.event.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword | -| cassandra.response.event.type | Representing the event type. | keyword | -| cassandra.response.headers.flags | Flags applying to this frame. | keyword | -| cassandra.response.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long | -| cassandra.response.headers.op | An operation type that distinguishes the actual message. | keyword | -| cassandra.response.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword | -| cassandra.response.headers.version | The version of the protocol. | keyword | -| cassandra.response.result.keyspace | Indicating the name of the keyspace that has been set. | keyword | -| cassandra.response.result.prepared.prepared_id | Representing the prepared query ID. 
| keyword | -| cassandra.response.result.prepared.req_meta.col_count | Representing the number of columns selected by the query that produced this result. | long | -| cassandra.response.result.prepared.req_meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.prepared.req_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.prepared.req_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.prepared.req_meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.prepared.req_meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.prepared.resp_meta.col_count | Representing the number of columns selected by the query that produced this result. | long | -| cassandra.response.result.prepared.resp_meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.prepared.resp_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.prepared.resp_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.prepared.resp_meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.prepared.resp_meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.rows.meta.col_count | Representing the number of columns selected by the query that produced this result. 
| long | -| cassandra.response.result.rows.meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.rows.meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.rows.meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.rows.meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.rows.meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.rows.num_rows | Representing the number of rows present in this result. | long | -| cassandra.response.result.schema_change.args | One string for each argument type (as CQL type). | keyword | -| cassandra.response.result.schema_change.change | Representing the type of changed involved. | keyword | -| cassandra.response.result.schema_change.keyspace | This describes which keyspace has changed. | keyword | -| cassandra.response.result.schema_change.name | The function/aggregate name. | keyword | -| cassandra.response.result.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword | -| cassandra.response.result.schema_change.table | This describes which table has changed. | keyword | -| cassandra.response.result.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword | -| cassandra.response.result.type | Cassandra result type. | keyword | -| cassandra.response.supported | Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. | flattened | -| cassandra.response.warnings | The text of the warnings, only occur when Warning flag was set. 
| keyword | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. 
| long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `cassandra` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:43:05.888Z", - "agent": { - "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "cassandra": { - "request": { - "headers": { - "flags": "Default", - "length": 98, - "op": "QUERY", - "stream": 49, - "version": "4" - }, - "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);" - }, - "response": { - "headers": { - "flags": "Default", - "length": 39, - "op": "RESULT", - "stream": 49, - "version": "4" - }, - "result": { - "schema_change": { - "change": "CREATED", - "keyspace": "mykeyspace", - "object": "users", - "target": "TABLE" - }, - "type": "schemaChanged" - } - } - }, - "client": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "data_stream": { - "dataset": "network_traffic.cassandra", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.cassandra", - "duration": 131589500, - "end": "2022-03-09T07:43:06.019Z", - "ingested": "2022-03-09T07:43:09Z", - "kind": "event", - "start": "2022-03-09T07:43:05.888Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, 
- "network": { - "bytes": 155, - "community_id": "1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=", - "direction": "ingress", - "protocol": "cassandra", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "source": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "status": "OK", - "type": "cassandra" -} -``` - -### DHCP - -Fields published for DHCPv4 packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dhcpv4.assigned_ip | The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address. | ip | -| dhcpv4.client_ip | The current IP address of the client. | ip | -| dhcpv4.client_mac | The client's MAC address (layer two). | keyword | -| dhcpv4.flags | Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast. | keyword | -| dhcpv4.hardware_type | The type of hardware used for the local network (Ethernet, LocalTalk, etc). | keyword | -| dhcpv4.hops | The number of hops the DHCP message went through. | long | -| dhcpv4.op_code | The message op code (bootrequest or bootreply). | keyword | -| dhcpv4.option.boot_file_name | This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. | keyword | -| dhcpv4.option.broadcast_address | This option specifies the broadcast address in use on the client's subnet. | ip | -| dhcpv4.option.class_identifier | This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. 
For example, the identifier may encode the client's hardware configuration. | keyword | -| dhcpv4.option.dns_servers | The domain name server option specifies a list of Domain Name System servers available to the client. | ip | -| dhcpv4.option.domain_name | This option specifies the domain name that client should use when resolving hostnames via the Domain Name System. | keyword | -| dhcpv4.option.hostname | This option specifies the name of the client. | keyword | -| dhcpv4.option.ip_address_lease_time_sec | This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. | long | -| dhcpv4.option.max_dhcp_message_size | This option specifies the maximum length DHCP message that the client is willing to accept. | long | -| dhcpv4.option.message | This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters. | text | -| dhcpv4.option.message_type | The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform). | keyword | -| dhcpv4.option.ntp_servers | This option specifies a list of IP addresses indicating NTP servers available to the client. | ip | -| dhcpv4.option.parameter_request_list | This option is used by a DHCP client to request values for specified configuration parameters. | keyword | -| dhcpv4.option.rebinding_time_sec | This option specifies the time interval from address assignment until the client transitions to the REBINDING state. | long | -| dhcpv4.option.renewal_time_sec | This option specifies the time interval from address assignment until the client transitions to the RENEWING state. 
| long | -| dhcpv4.option.requested_ip_address | This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned. | ip | -| dhcpv4.option.router | The router option specifies a list of IP addresses for routers on the client's subnet. | ip | -| dhcpv4.option.server_identifier | IP address of the individual DHCP server which handled this message. | ip | -| dhcpv4.option.subnet_mask | The subnet mask that the client should use on the currnet network. | ip | -| dhcpv4.option.time_servers | The time server option specifies a list of RFC 868 time servers available to the client. | ip | -| dhcpv4.option.utc_time_offset_sec | The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). | long | -| dhcpv4.option.vendor_identifying_options | A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925. | object | -| dhcpv4.relay_ip | The relay IP address used by the client to contact the server (i.e. a DHCP relay server). | ip | -| dhcpv4.seconds | Number of seconds elapsed since client began address acquisition or renewal process. | long | -| dhcpv4.server_ip | The IP address of the DHCP server that the client should use for the next step in the bootstrap process. | ip | -| dhcpv4.server_name | The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages. | keyword | -| dhcpv4.transaction_id | Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. 
For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `dhcpv4` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:43:52.712Z", - "agent": { - "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "data_stream": { - "dataset": "network_traffic.dhcpv4", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "255.255.255.255", - "port": 67 - }, - "dhcpv4": { - "client_mac": "00-0B-82-01-FC-42", - "flags": "unicast", - "hardware_type": "Ethernet", - "hops": 0, - "op_code": "bootrequest", - "option": { - "message_type": "discover", - "parameter_request_list": [ - "Subnet Mask", - "Router", - "Domain Name Server", - "NTP Servers" - ], - "requested_ip_address": "0.0.0.0" - }, - "seconds": 0, - "transaction_id": "0x00003d1d" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dhcpv4", - "ingested": "2022-03-09T07:43:53Z", - "kind": "event", - "start": "2022-03-09T07:43:52.712Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 272, - "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", - "direction": "unknown", - "protocol": "dhcpv4", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "0.0.0.0", - 
"255.255.255.255" - ] - }, - "server": { - "ip": "255.255.255.255", - "port": 67 - }, - "source": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "status": "OK", - "type": "dhcpv4" -} -``` - -### DNS - -Fields published for DNS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.additionals | An array containing a dictionary for each additional section from the answer. | object | -| dns.additionals.class | The class of DNS data contained in this resource record. | keyword | -| dns.additionals.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.additionals.name | The domain name to which this resource record pertains. | keyword | -| dns.additionals.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.additionals.type | The type of data contained in this resource record. | keyword | -| dns.additionals_count | The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. | long | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. 
| object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.answers_count | The number of resource records contained in the `dns.answers` field. | long | -| dns.authorities | An array containing a dictionary for each authority section from the answer. | object | -| dns.authorities.class | The class of DNS data contained in this resource record. | keyword | -| dns.authorities.name | The domain name to which this resource record pertains. | keyword | -| dns.authorities.type | The type of data contained in this resource record. | keyword | -| dns.authorities_count | The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. | long | -| dns.flags.authentic_data | A DNS flag specifying that the recursive server considers the response authentic. | boolean | -| dns.flags.authoritative | A DNS flag specifying that the responding server is an authority for the domain name used in the question. | boolean | -| dns.flags.checking_disabled | A DNS flag specifying that the client disables the server signature validation of the query. 
| boolean | -| dns.flags.recursion_available | A DNS flag specifying whether recursive query support is available in the name server. | boolean | -| dns.flags.recursion_desired | A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. | boolean | -| dns.flags.truncated_response | A DNS flag specifying that only the first 512 bytes of the reply were returned. | boolean | -| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.opt.do | If set, the transaction uses DNSSEC. | boolean | -| dns.opt.ext_rcode | Extended response code field. | keyword | -| dns.opt.udp_size | Requestor's UDP payload size (in bytes). | long | -| dns.opt.version | The EDNS version. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.etld_plus_one | The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. 
For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:48:42.751Z", - "agent": { - "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "data_stream": { - "dataset": "network_traffic.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "dns": { - "additionals_count": 0, - "answers": [ - { - "class": "IN", - "data": "ns-1183.awsdns-19.org", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-2007.awsdns-58.co.uk", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-66.awsdns-08.com", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-835.awsdns-40.net", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - } - ], - "answers_count": 4, - "authorities_count": 0, - "flags": { - "authentic_data": false, - "authoritative": false, - "checking_disabled": false, - "recursion_available": true, - "recursion_desired": true, - "truncated_response": false - }, - "header_flags": [ - "RD", - "RA" - ], - "id": 26187, - "op_code": "QUERY", - "question": { - "class": "IN", - "etld_plus_one": "elastic.co", - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "NS" - }, - "response_code": "NOERROR", - "type": "answer" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dns", - "duration": 68515700, - "end": "2022-03-09T07:48:42.819Z", - "ingested": 
"2022-03-09T07:48:43Z", - "kind": "event", - "start": "2022-03-09T07:48:42.751Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "QUERY", - "network": { - "bytes": 195, - "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", - "direction": "unknown", - "protocol": "dns", - "transport": "udp", - "type": "ipv4" - }, - "query": "class IN, type NS, elastic.co", - "related": { - "ip": [ - "192.168.238.68", - "8.8.8.8" - ] - }, - "resource": "elastic.co", - "server": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "source": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "status": "OK", - "type": "dns" -} -``` - -### HTTP - -Fields published for HTTP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.headers | A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.headers | A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened | -| http.response.status_code | HTTP response status code. | long | -| http.response.status_phrase | The HTTP status phrase. | keyword | -| http.version | HTTP version. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. 
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. 
| keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. 
| long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-
-
-An example event for `http` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:54:42.031Z",
- "agent": {
- "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "data_stream": {
- "dataset": "network_traffic.http",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.http",
- "duration": 141490400,
- "end": "2022-03-09T07:54:42.172Z",
- "ingested": "2022-03-09T07:54:43Z",
- "kind": "event",
- "start": "2022-03-09T07:54:42.031Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "http": {
- "request": {
- "body": {
- "bytes": 55
- },
- "bytes": 211,
- "headers": {
- "content-length": 55,
- "content-type": "application/x-www-form-urlencoded"
- },
- "method": "POST"
- },
- "response": {
- "body": {
- "bytes": 8936
- },
- "bytes": 9108,
- "headers": {
- "content-length": 8936,
- "content-type": "text/html; charset=utf-8"
- },
- "status_code": 404,
- "status_phrase": "not found"
- },
- "version": "1.1"
- },
- "method": "POST",
- "network": {
- "bytes": 9319,
- "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=",
- "direction": "unknown",
- "protocol": "http",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "POST /register",
- "related": {
- "hosts": [
- "packetbeat.com"
- ],
- "ip": [
- "192.168.238.50",
- "107.170.1.22"
- ]
- },
- "server": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "source": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "status": "Error",
- "type": "http",
- "url": {
- "domain": "packetbeat.com",
- "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica",
- "path": "/register",
- "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica",
- "scheme": "http"
- },
- "user_agent": {
- "original": "curl/7.37.1"
- }
-}
-```
-
-### ICMP
-
-Fields published for ICMP packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. 
| keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| icmp.request.code | The request code. | long | -| icmp.request.message | A human readable form of the request. | keyword | -| icmp.request.type | The request type. | long | -| icmp.response.code | The response code. | long | -| icmp.response.message | A human readable form of the response. | keyword | -| icmp.response.type | The response type. | long | -| icmp.version | The version of the ICMP protocol. | long | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `icmp` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:57:32.766Z",
- "agent": {
- "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 4,
- "ip": "::1"
- },
- "data_stream": {
- "dataset": "network_traffic.icmp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 4,
- "ip": "::2"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.icmp",
- "duration": 13336600,
- "end": "2022-03-09T07:57:32.779Z",
- "ingested": "2022-03-09T07:57:36Z",
- "kind": "event",
- "start": "2022-03-09T07:57:32.766Z",
- "type": [
- "connection"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "icmp": {
- "request": {
- "code": 0,
- "message": "EchoRequest",
- "type": 128
- },
- "response": {
- "code": 0,
- "message": "EchoReply",
- "type": 129
- },
- "version": 6
- },
- "network": {
- "bytes": 8,
- "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=",
- "direction": "egress",
- "transport": "ipv6-icmp",
- "type": "ipv6"
- },
- "path": "::2",
- "related": {
- "ip": [
- "::1",
- "::2"
- ]
- },
- "server": {
- "bytes": 4,
- "ip": "::2"
- },
- "source": {
- "bytes": 4,
- "ip": "::1"
- },
- "status": "OK",
- "type": "icmp"
-}
-```
-
-### Memcached
-
-Fields published for Memcached packets. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| memcache.protocol_type | The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. | keyword | -| memcache.request.automove | The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. | keyword | -| memcache.request.bytes | The byte count of the values being transferred. | long | -| memcache.request.cas_unique | The CAS (compare-and-swap) identifier if present. | long | -| memcache.request.command | The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. | keyword | -| memcache.request.count_values | The number of values found in the memcache request message. If the command does not send any data, this field is missing. | long | -| memcache.request.delta | The counter increment/decrement delta value. | long | -| memcache.request.dest_class | The destination class id in 'slab reassign' command. | long | -| memcache.request.exptime | The data expiry time in seconds sent with the memcache command (if present). If the value is `\< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). | long | -| memcache.request.flags | The memcache command flags sent in the request (if present). | long | -| memcache.request.initial | The counter increment/decrement initial value parameter (binary protocol only). | long | -| memcache.request.keys | The list of keys sent in the store or load commands. 
| array | -| memcache.request.line | The raw command line for unknown commands ONLY. | keyword | -| memcache.request.noreply | Set to true if noreply was set in the request. The `memcache.response` field will be missing. | boolean | -| memcache.request.opaque | The binary protocol opaque header value used for correlating request with response messages. | long | -| memcache.request.opcode | The binary protocol message opcode name. | keyword | -| memcache.request.opcode_value | The binary protocol message opcode value. | long | -| memcache.request.quiet | Set to true if the binary protocol message is to be treated as a quiet message. | boolean | -| memcache.request.raw_args | The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. | keyword | -| memcache.request.sleep_us | The sleep setting in microseconds for the 'lru_crawler sleep' command. | long | -| memcache.request.source_class | The source class id in 'slab reassign' command. | long | -| memcache.request.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". | keyword | -| memcache.request.values | The list of base64 encoded values sent with the request (if present). | array | -| memcache.request.vbucket | The vbucket index sent in the binary message. | long | -| memcache.request.verbosity | The value of the memcache "verbosity" command. | long | -| memcache.response.bytes | The byte count of the values being transferred. | long | -| memcache.response.cas_unique | The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). | long | -| memcache.response.command | Either the text based protocol response message type or the name of the originating request if binary protocol is used. | keyword | -| memcache.response.count_values | The number of values found in the memcache response message. 
If the command does not send any data, this field is missing. | long | -| memcache.response.error_msg | The optional error message in the memcache response (text based protocol only). | keyword | -| memcache.response.flags | The memcache message flags sent in the response (if present). | long | -| memcache.response.keys | The list of keys returned for the load command (if present). | array | -| memcache.response.opaque | The binary protocol opaque header value used for correlating request with response messages. | long | -| memcache.response.opcode | The binary protocol message opcode name. | keyword | -| memcache.response.opcode_value | The binary protocol message opcode value. | long | -| memcache.response.stats | The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". | array | -| memcache.response.status | The textual representation of the response error code (binary protocol only). | keyword | -| memcache.response.status_code | The status code value returned in the response (binary protocol only). | long | -| memcache.response.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). | keyword | -| memcache.response.value | The counter value returned by a counter operation. | long | -| memcache.response.values | The list of base64 encoded values sent with the response (if present). | array | -| memcache.response.version | The returned memcache version string. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. 
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). 
| ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `memcached` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:09:26.564Z", - "agent": { - "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "ip": "192.168.188.37", - "port": 65195 - }, - "data_stream": { - "dataset": "network_traffic.memcached", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.memcached", - "ingested": "2022-03-09T08:09:37Z", - "kind": "event", - "start": "2022-03-09T08:09:26.564Z", - "type": [ - "connection", - "protocol" - ] - }, - "event.action": "memcache.store", - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "memcache": { - "protocol_type": "binary", - "request": { - "bytes": 1024, - "command": "set", - "count_values": 1, - "exptime": 0, - "flags": 0, - "keys": [ - "test_key" - ], - "opaque": 65536, - "opcode": "SetQ", - 
"opcode_value": 17, - "quiet": true, - "type": "Store", - "vbucket": 0 - } - }, - "network": { - "bytes": 1064, - "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=", - "direction": "unknown", - "protocol": "memcache", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.188.37", - "192.168.188.38" - ] - }, - "server": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 - }, - "source": { - "ip": "192.168.188.37", - "port": 65195 - }, - "status": "OK", - "type": "memcache" -} -``` - -### MongoDB - -Fields published for MongoDB packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. 
| keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. 
| keyword | -| mongodb.error | If the MongoDB request has resulted in an error, this field contains the error message returned by the server. | keyword | -| mongodb.fullCollectionName | The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. | keyword | -| mongodb.numberReturned | The number of documents in the reply. | long | -| mongodb.numberToReturn | The requested maximum number of documents to be returned. | long | -| mongodb.numberToSkip | Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. | long | -| mongodb.query | A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. | keyword | -| mongodb.returnFieldsSelector | A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. | keyword | -| mongodb.selector | A BSON document that specifies the query for selecting the document to update or delete. | keyword | -| mongodb.startingFrom | Where in the cursor this reply is starting. | keyword | -| mongodb.update | A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. 
This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. 
| keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. 
| keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `mongodb` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:15:48.570Z", - "agent": { - "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "data_stream": { - "dataset": "network_traffic.mongodb", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mongodb", - "duration": 1365900, - "end": "2022-03-09T08:15:48.571Z", - "ingested": "2022-03-09T08:15:49Z", - "kind": "event", - "start": "2022-03-09T08:15:48.570Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "find", - "mongodb": { - "cursorId": 0, - "fullCollectionName": "test.restaurants", - "numberReturned": 1, - "numberToReturn": 1, - "numberToSkip": 0, - "startingFrom": 0 - }, - "network": { - "bytes": 564, - "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=", - "direction": "ingress", - "protocol": "mongodb", - "transport": "tcp", - "type": "ipv4" - }, - "query": "test.restaurants.find().limit(1)", - 
"related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "test.restaurants", - "server": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "source": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "status": "OK", - "type": "mongodb" -} -``` - -### MySQL - -Fields published for MySQL packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. 
| long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| mysql.affected_rows | If the MySQL command is successful, this field contains the affected number of rows of the last statement. | long | -| mysql.error_code | The error code returned by MySQL. | long | -| mysql.error_message | The error info message returned by MySQL. 
| keyword | -| mysql.insert_id | If the INSERT query is successful, this field contains the id of the newly inserted row. | keyword | -| mysql.num_fields | If the SELECT query is successful, this field is set to the number of fields returned. | long | -| mysql.num_rows | If the SELECT query is successful, this field is set to the number of rows returned. | long | -| mysql.query | The row mysql query as read from the transaction's request. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. 
| keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. 
| keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `mysql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:20:44.667Z", - "agent": { - "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "data_stream": { - "dataset": "network_traffic.mysql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mysql", - "duration": 5532500, - "end": "2022-03-09T08:20:44.673Z", - "ingested": "2022-03-09T08:20:45Z", - "kind": "event", - "start": "2022-03-09T08:20:44.667Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": 
{ - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "mysql": { - "affected_rows": 0, - "insert_id": 0, - "num_fields": 3, - "num_rows": 15 - }, - "network": { - "bytes": 3652, - "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", - "direction": "ingress", - "protocol": "mysql", - "transport": "tcp", - "type": "ipv4" - }, - "path": "test.test", - "query": "select * from test", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "source": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "status": "OK", - "type": "mysql" -} -``` - -### NFS - -Fields published for NFS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| nfs.minor_version | NFS protocol minor version number. | long | -| nfs.opcode | NFS operation name, or main operation name, in case of COMPOUND calls. | keyword | -| nfs.status | NFS operation reply status. | keyword | -| nfs.tag | NFS v4 COMPOUND operation tag. | keyword | -| nfs.version | NFS protocol version number. | long | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). 
For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| rpc.auth_flavor | RPC authentication flavor. | keyword | -| rpc.cred.gid | RPC caller's group id, in case of auth-unix. | long | -| rpc.cred.gids | RPC caller's secondary group ids, in case of auth-unix. | long | -| rpc.cred.machinename | The name of the caller's machine. | keyword | -| rpc.cred.stamp | Arbitrary ID which the caller machine may generate. | long | -| rpc.cred.uid | RPC caller's user id, in case of auth-unix. | long | -| rpc.status | RPC message reply status. | keyword | -| rpc.xid | RPC message transaction identifier. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| user.id | Unique identifier of the user. | keyword | - - -An example event for `nfs` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:24:00.569Z", - "agent": { - "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "data_stream": { - "dataset": "network_traffic.nfs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "nfs.CLOSE", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.nfs", - "duration": 6573500, - "end": "2022-03-09T08:24:00.575Z", - "ingested": "2022-03-09T08:24:01Z", - "kind": "event", - "start": "2022-03-09T08:24:00.569Z", - "type": [ - "connection", - "protocol" - ] - }, - "group.id": 48, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "host.hostname": "desycloud03.desy.de", - "network": { - "bytes": 384, - "community_id": 
"1:cd5eLXemAsSPMdXwCbdDUWWud4M=",
- "direction": "unknown",
- "protocol": "nfsv4",
- "transport": "tcp",
- "type": "ipv4"
- },
- "nfs": {
- "minor_version": 1,
- "opcode": "CLOSE",
- "status": "NFS_OK",
- "tag": "",
- "version": 4
- },
- "related": {
- "ip": [
- "131.169.5.156",
- "131.169.192.35"
- ]
- },
- "rpc": {
- "auth_flavor": "unix",
- "cred": {
- "gid": 48,
- "gids": [
- 48
- ],
- "machinename": "desycloud03.desy.de",
- "stamp": 4308441,
- "uid": 48
- },
- "status": "success",
- "xid": "c3103fc1"
- },
- "server": {
- "bytes": 176,
- "ip": "131.169.192.35",
- "port": 2049
- },
- "source": {
- "bytes": 208,
- "domain": "desycloud03.desy.de",
- "ip": "131.169.5.156",
- "port": 907
- },
- "status": "OK",
- "type": "nfs",
- "user.id": 48
-}
-```
-
-### PostgreSQL
-
-Fields published for PostgreSQL packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| pgsql.error_code | The PostgreSQL error code. | keyword |
-| pgsql.error_message | The PostgreSQL error message. | keyword |
-| pgsql.error_severity | The PostgreSQL error severity. | keyword |
-| pgsql.num_fields | If the SELECT query if successful, this field is set to the number of fields returned. | long |
-| pgsql.num_rows | If the SELECT query if successful, this field is set to the number of rows returned. | long |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `pgsql` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:29:39.675Z",
- "agent": {
- "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 34,
- "ip": "127.0.0.1",
- "port": 34936
- },
- "data_stream": {
- "dataset": "network_traffic.pgsql",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 3186,
- "ip": "127.0.0.1",
- "port": 5432
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.pgsql",
- "duration": 2568100,
- "end": "2022-03-09T08:29:39.678Z",
- "ingested": "2022-03-09T08:29:40Z",
- "kind": "event",
- "start": "2022-03-09T08:29:39.675Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SELECT",
- "network": {
- "bytes": 3220,
- "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=",
- "direction": "ingress",
- "protocol": "pgsql",
- "transport": "tcp",
- "type": "ipv4"
- },
- "pgsql": {
- "num_fields": 3,
- "num_rows": 15
- },
- "query": "select * from long_response",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 3186,
- "ip": "127.0.0.1",
- "port": 5432
- },
- "source": {
- "bytes": 34,
- "ip": "127.0.0.1",
- "port": 34936
- },
- "status": "OK",
- "type": "pgsql"
-}
-```
-
-### Redis
-
-Fields published for Redis packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| redis.error | If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. | keyword |
-| redis.return_value | The return value of the Redis command in a human readable format. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `redis` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:30:57.254Z",
- "agent": {
- "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 31,
- "ip": "127.0.0.1",
- "port": 32810
- },
- "data_stream": {
- "dataset": "network_traffic.redis",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 5,
- "ip": "127.0.0.1",
- "port": 6380
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "redis.set",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.redis",
- "duration": 1421600,
- "end": "2022-03-09T08:30:57.256Z",
- "ingested": "2022-03-09T08:30:58Z",
- "kind": "event",
- "start": "2022-03-09T08:30:57.254Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SET",
- "network": {
- "bytes": 36,
- "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=",
- "direction": "ingress",
- "protocol": "redis",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "set key3 me",
- "redis": {
- "return_value": "OK"
- },
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "resource": "key3",
- "server": {
- "bytes": 5,
- "ip": "127.0.0.1",
- "port": 6380
- },
- "source": {
- "bytes": 31,
- "ip": "127.0.0.1",
- "port": 32810
- },
- "status": "OK",
- "type": "redis"
-}
-```
-
-### SIP
-
-Fields published for SIP packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. 
This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. 
The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| sip.accept | Accept header value. | keyword | -| sip.allow | Allowed methods. | keyword | -| sip.auth.realm | Auth realm | keyword | -| sip.auth.scheme | Auth scheme | keyword | -| sip.auth.uri.host | Auth URI host | keyword | -| sip.auth.uri.original | Auth original URI | keyword | -| sip.auth.uri.original.text | Multi-field of `sip.auth.uri.original`. | text | -| sip.auth.uri.port | Auth URI port | long | -| sip.auth.uri.scheme | Auth URI scheme | keyword | -| sip.call_id | Call ID. | keyword | -| sip.code | Response status code. | long | -| sip.contact.display_info | Contact display info | keyword | -| sip.contact.expires | Contact expires | keyword | -| sip.contact.line | Contact line | keyword | -| sip.contact.q | Contact Q | keyword | -| sip.contact.transport | Contact transport | keyword | -| sip.contact.uri.host | Contact URI host | keyword | -| sip.contact.uri.original | Contact original URI | keyword | -| sip.contact.uri.original.text | Multi-field of `sip.contact.uri.original`. 
| text | -| sip.contact.uri.port | Contact URI port | long | -| sip.contact.uri.scheme | Contat URI scheme | keyword | -| sip.contact.uri.username | Contact URI user name | keyword | -| sip.content_length | | long | -| sip.content_type | | keyword | -| sip.cseq.code | Sequence code. | long | -| sip.cseq.method | Sequence method. | keyword | -| sip.from.display_info | From display info | keyword | -| sip.from.tag | From tag | keyword | -| sip.from.uri.host | From URI host | keyword | -| sip.from.uri.original | From original URI | keyword | -| sip.from.uri.original.text | Multi-field of `sip.from.uri.original`. | text | -| sip.from.uri.port | From URI port | long | -| sip.from.uri.scheme | From URI scheme | keyword | -| sip.from.uri.username | From URI user name | keyword | -| sip.max_forwards | | long | -| sip.method | Request method. | keyword | -| sip.private.uri.host | Private URI host. | keyword | -| sip.private.uri.original | Private original URI. | keyword | -| sip.private.uri.original.text | Multi-field of `sip.private.uri.original`. | text | -| sip.private.uri.port | Private URI port. | long | -| sip.private.uri.scheme | Private URI scheme. | keyword | -| sip.private.uri.username | Private URI user name. | keyword | -| sip.sdp.body.original | SDP original body | keyword | -| sip.sdp.body.original.text | Multi-field of `sip.sdp.body.original`. | text | -| sip.sdp.connection.address | SDP connection address | keyword | -| sip.sdp.connection.info | SDP connection info | keyword | -| sip.sdp.owner.ip | SDP owner IP | ip | -| sip.sdp.owner.session_id | SDP owner session ID | keyword | -| sip.sdp.owner.username | SDP owner user name | keyword | -| sip.sdp.owner.version | SDP owner version | keyword | -| sip.sdp.session.name | SDP session name | keyword | -| sip.sdp.version | SDP version | keyword | -| sip.status | Response status phrase. | keyword | -| sip.supported | Supported methods. 
| keyword | -| sip.to.display_info | To display info | keyword | -| sip.to.tag | To tag | keyword | -| sip.to.uri.host | To URI host | keyword | -| sip.to.uri.original | To original URI | keyword | -| sip.to.uri.original.text | Multi-field of `sip.to.uri.original`. | text | -| sip.to.uri.port | To URI port | long | -| sip.to.uri.scheme | To URI scheme | keyword | -| sip.to.uri.username | To URI user name | keyword | -| sip.type | Either request or response. | keyword | -| sip.uri.host | The URI host. | keyword | -| sip.uri.original | The original URI. | keyword | -| sip.uri.original.text | Multi-field of `sip.uri.original`. | text | -| sip.uri.port | The URI port. | long | -| sip.uri.scheme | The URI scheme. | keyword | -| sip.uri.username | The URI user name. | keyword | -| sip.user_agent.original | | keyword | -| sip.user_agent.original.text | Multi-field of `sip.user_agent.original`. | text | -| sip.version | SIP protocol version. | keyword | -| sip.via.original | The original Via value. | keyword | -| sip.via.original.text | Multi-field of `sip.via.original`. | text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. 
| match_only_text | - - -An example event for `sip` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:32:14.536Z", - "agent": { - "ephemeral_id": "ee3aeba6-2bd9-4a89-840a-32af72217a7a", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "ip": "10.0.2.20", - "port": 5060 - }, - "data_stream": { - "dataset": "network_traffic.sip", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.2.15", - "port": 5060 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "sip-invite", - "agent_id_status": "verified", - "category": [ - "network", - "protocol" - ], - "dataset": "network_traffic.sip", - "duration": 0, - "end": "2022-03-09T08:32:14.536Z", - "ingested": "2022-03-09T08:32:15Z", - "kind": "event", - "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", - "sequence": 1, - "start": "2022-03-09T08:32:14.536Z", - "type": [ - "info" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": 
{ - "application": "sip", - "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", - "direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - }, - "version": "2.0", - "via": { - "original": [ - "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" - ] - } - }, - "source": { - "ip": "10.0.2.20", - "port": 5060 - }, - "status": "OK", - "type": "sip" -} -``` - -### Thrift - -Fields published for Thrift packets. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. 
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| thrift.exceptions | If the call resulted in exceptions, this field contains the exceptions in a human readable format. | keyword | -| thrift.params | The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. | keyword | -| thrift.return_value | The value returned by the Thrift-RPC call. This is encoded in a human readable format. 
| keyword | -| thrift.service | The name of the Thrift-RPC service as defined in the IDL files. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `thrift` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:33:31.022Z", - "agent": { - "ephemeral_id": "de52c04f-60dd-4ed1-a501-b297caa5c67c", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "data_stream": { - "dataset": "network_traffic.thrift", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.thrift", - "duration": 1394000, - "end": "2022-03-09T08:33:31.023Z", - "ingested": "2022-03-09T08:33:32Z", - "kind": "event", - "start": "2022-03-09T08:33:31.022Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "testByte", - "network": { - "bytes": 50, - "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=", - "direction": "ingress", - "protocol": "thrift", - "transport": "tcp", - "type": "ipv4" - }, - "path": "", - "query": "testByte(1: 63)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 25, - "ip": 
"127.0.0.1",
- "port": 9090
- },
- "source": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "status": "OK",
- "thrift": {
- "params": "(1: 63)",
- "return_value": "63"
- },
- "type": "thrift"
-}
-```
-
-### TLS
-
-Fields published for TLS packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| tls.cipher | String indicating the cipher used during the current connection. | keyword |
-| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword |
-| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword |
-| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword |
-| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
-| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date |
-| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date |
-| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword |
-| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword |
-| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. | keyword |
-| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
-| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.country | List of country (C) codes | keyword |
-| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.locality | List of locality names (L) | keyword |
-| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date |
-| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
-| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
-| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
-| tls.client.x509.public_key_size | The size of the public key space in bits. | long |
-| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| tls.client.x509.subject.country | List of country (C) code | keyword |
-| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| tls.client.x509.subject.locality | List of locality names (L) | keyword |
-| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword |
-| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.client.x509.version_number | Version of x509 format. | keyword |
-| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword |
-| tls.detailed.alert_types | An array containing the TLS alert type for every alert received. | keyword |
-| tls.detailed.client_certificate_chain | Chain of trust for the client certificate. | array |
-| tls.detailed.client_certificate_requested | Whether the server has requested the client to authenticate itself using a client certificate. | boolean |
-| tls.detailed.client_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. | keyword |
-| tls.detailed.client_hello.extensions.application_layer_protocol_negotiation | List of application-layer protocols the client is willing to use. | keyword |
-| tls.detailed.client_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. | keyword |
-| tls.detailed.client_hello.extensions.server_name_indication | List of hostnames | keyword |
-| tls.detailed.client_hello.extensions.session_ticket | Length of the session ticket, if provided, or an empty string to advertise support for tickets. | keyword |
-| tls.detailed.client_hello.extensions.signature_algorithms | List of signature algorithms that may be use in digital signatures. | keyword |
-| tls.detailed.client_hello.extensions.status_request.request_extensions | The number of certificate extensions for the request. | short |
-| tls.detailed.client_hello.extensions.status_request.responder_id_list_length | The length of the list of trusted responders. | short |
-| tls.detailed.client_hello.extensions.status_request.type | The type of the status request. Always "ocsp" if present. | keyword |
-| tls.detailed.client_hello.extensions.supported_groups | List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. | keyword |
-| tls.detailed.client_hello.extensions.supported_versions | List of TLS versions that the client is willing to use. | keyword |
-| tls.detailed.client_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword |
-| tls.detailed.client_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword |
-| tls.detailed.client_hello.supported_compression_methods | The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml | keyword |
-| tls.detailed.client_hello.version | The version of the TLS protocol by which the client wishes to communicate during this session. | keyword |
-| tls.detailed.ocsp_response | The result of an OCSP request. | keyword |
-| tls.detailed.resumption_method | If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. | keyword |
-| tls.detailed.server_certificate_chain | Chain of trust for the server certificate. | array |
-| tls.detailed.server_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. | keyword |
-| tls.detailed.server_hello.extensions.application_layer_protocol_negotiation | Negotiated application layer protocol | keyword |
-| tls.detailed.server_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. | keyword |
-| tls.detailed.server_hello.extensions.session_ticket | Used to announce that a session ticket will be provided by the server. Always an empty string. | keyword |
-| tls.detailed.server_hello.extensions.status_request.response | Whether a certificate status request response was made. | boolean |
-| tls.detailed.server_hello.extensions.supported_versions | Negotiated TLS version to be used. | keyword |
-| tls.detailed.server_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword |
-| tls.detailed.server_hello.selected_compression_method | The compression method selected by the server from the list provided in the client hello. | keyword |
-| tls.detailed.server_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword |
-| tls.detailed.server_hello.version | The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello. | keyword |
-| tls.detailed.version | The version of the TLS protocol used. | keyword |
-| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean |
-| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword |
-| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean |
-| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword |
-| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. | keyword |
-| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword |
-| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword |
-| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date |
-| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date |
-| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword |
-| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
-| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.country | List of country (C) codes | keyword |
-| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.locality | List of locality names (L) | keyword |
-| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date |
-| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
-| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
-| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
-| tls.server.x509.public_key_size | The size of the public key space in bits. | long |
-| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| tls.server.x509.subject.country | List of country (C) code | keyword |
-| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| tls.server.x509.subject.locality | List of locality names (L) | keyword |
-| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword |
-| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.server.x509.version_number | Version of x509 format. | keyword |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `tls` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:34:08.391Z",
- "agent": {
- "ephemeral_id": "5f0bae3e-11e9-4578-9a69-fa5e61bd6b09",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "ip": "192.168.1.36",
- "port": 60946
- },
- "data_stream": {
- "dataset": "network_traffic.tls",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "domain": "play.google.com",
- "ip": "216.58.201.174",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.tls",
- "duration": 14861200,
- "end": "2022-03-09T08:34:08.406Z",
- "ingested": "2022-03-09T08:34:09Z",
- "kind": "event",
- "start": "2022-03-09T08:34:08.391Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "network": {
- "community_id": "1:hfsK5r0tJm7av4j7BtSxA6oH9xA=",
- "direction": "unknown",
- "protocol": "tls",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.1.36",
- "216.58.201.174"
- ]
- },
- "server": {
- "domain": "play.google.com",
- "ip": "216.58.201.174",
- "port": 443
- },
- "source": {
- "ip": "192.168.1.36",
- "port": 60946
- },
- "status": "OK",
- "tls": {
- "cipher": "TLS_AES_128_GCM_SHA256",
- "client": {
- "ja3": "d470a3fa301d80227bc5650c75567d25",
- "server_name": "play.google.com",
- "supported_ciphers": [
- "TLS_AES_128_GCM_SHA256",
- "TLS_CHACHA20_POLY1305_SHA256",
- "TLS_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_RSA_WITH_AES_128_CBC_SHA",
- "TLS_RSA_WITH_AES_256_CBC_SHA",
- "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
- ]
- },
- "detailed": {
- "client_certificate_requested": false,
- "client_hello": {
- "extensions": {
- "_unparsed_": [
- "23",
- "renegotiation_info",
- "status_request",
- "51",
- "45",
- "28",
- "41"
- ],
- "application_layer_protocol_negotiation": [
- "h2",
- "http/1.1"
- ],
- "ec_points_formats": [
- "uncompressed"
- ],
- "server_name_indication": [
- "play.google.com"
- ],
- "signature_algorithms": [
- "ecdsa_secp256r1_sha256",
- "ecdsa_secp384r1_sha384",
- "ecdsa_secp521r1_sha512",
- "rsa_pss_sha256",
- "rsa_pss_sha384",
- "rsa_pss_sha512",
- "rsa_pkcs1_sha256",
- "rsa_pkcs1_sha384",
- "rsa_pkcs1_sha512",
- "ecdsa_sha1",
- "rsa_pkcs1_sha1"
- ],
- "supported_groups": [
- "x25519",
- "secp256r1",
- "secp384r1",
- "secp521r1",
- "ffdhe2048",
- "ffdhe3072"
- ],
- "supported_versions": [
- "TLS 1.3",
- "TLS 1.2",
- "TLS 1.1",
- "TLS 1.0"
- ]
- },
- "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6",
- "supported_compression_methods": [
- "NULL"
- ],
- "version": "3.3"
- },
- "resumption_method": "id",
- "server_hello": {
- "extensions": {
- "_unparsed_": [
- "41",
- "51"
- ],
- "supported_versions": "TLS 1.3"
- },
- "selected_compression_method": "NULL",
- "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6",
- "version": "3.3"
- },
- "version": "TLS 1.3"
- },
- "established": true,
- "resumed": true,
- "version": "1.3",
- "version_protocol": "tls"
- },
- "type": "tls"
-}
-```
-
-## Licensing for Windows Systems
-
-The Network Packet Capture Integration incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project").
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json
deleted file mode 100755
index 16f534dd5e..0000000000
--- a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "attributes": {
- "description": "Overview of DNS request and response metrics.",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":13,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":11,\"x\":13,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]",
- "timeRestore": false,
- "title": "[Network Packet Capture] DNS Overview",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-65120940-1454-11e9-9de0-f98d1808db8e",
- "migrationVersion": {
- "dashboard": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-dns-query-summary",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "network_traffic-dns-request-status-over-time",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "network_traffic-dns-question-types",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "network_traffic-dns-top-10-questions",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "network_traffic-dns-response-codes",
- "name": "panel_4",
- "type": "visualization"
- },
- {
- "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e",
- "name": "panel_5",
- "type": "visualization"
- },
- {
- "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e",
- "name": "panel_6",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json
deleted file mode 100755
index 7562508a09..0000000000
--- a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json
+++ /dev/null
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "DHCPv4 Overview", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"3\",\"w\":11,\"x\":37,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"8\",\"w\":13,\"x\":24,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - 
"dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "5:panel_5", - "type": "search" - }, - { - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "name": "8:panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-cassandra.json b/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-cassandra.json deleted file mode 100755 index 489417c609..0000000000 --- a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-cassandra.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":36,\"y\":8},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":12,\"x\":24,\"y\":8},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":12,\"x\":12,\"y\":8},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\
":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"cassandra.request.query\",\"cassandra.response.result.rows.meta.keyspace\",\"cassandra.response.result.rows.meta.table\",\"cassandra.response.result.rows.num_rows\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"search\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Cassandra", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-cassandra-responsekeyspace", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetype", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetime", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcount", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-ops", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountstackbytype", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsecountstackbytype", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountbytype", - "name": "17:panel_17", - "type": 
"visualization" - }, - { - "id": "network_traffic-cassandra-responsecountbytype", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-queryview", - "name": "20:panel_20", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-dashboard.json b/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-dashboard.json deleted file mode 100755 index c1dee3dfea..0000000000 --- a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-dashboard.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "Network Packet Capture overview dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"2\",\"w\":12,\"x\":36,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"
},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":12,\"x\":24,\"y\":20},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"3f5bc195-da9d-4ec8-a68f-896db321a54b\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"9638dc3f-f85a-4e68-8e14-25654df43f8e\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"client.geo.location\\\",\\\"id\\\":\\\"220c104b-34a8-4aa7-a3d6-7b56ad4d3b9e\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":2.4,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"agent.type:packetbeat\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerC
ontrol\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"[Network Packet Capture] Map 2\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":40.9799,\"maxLon\":90,\"minLat\":0,\"minLon\":-90},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":2.4},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"title\":\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\",\"type\":\"map\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dashboard", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-web-transactions", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-db-transactions", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-errors-count-over-time", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-errors-vs-successful-transactions", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-latency-histogram", - "name": "8:panel_8", - "type": "visualization" - 
}, - { - "id": "network_traffic-response-times-repartition", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "92e797bb-1975-4320-9d19-9b7f11e9e538:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-dns-unique-domains.json b/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-dns-unique-domains.json deleted file mode 100755 index d6f50f2545..0000000000 --- a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-dns-unique-domains.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "Detecting tunneling over DNS.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"NOT dns.question.type:PTR\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique Subdomain Count\":\"#EF843C\",\"Unique count of dns.question.name\":\"#E0752D\"},\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Tunneling", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-unique-domains", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-unique-fqdns-per-etld-1", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"network_traffic-bytes-transferred-per-domain", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-flows.json b/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-flows.json deleted file mode 100755 index 13b51d1106..0000000000 --- a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-flows.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"3\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":35,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Network Flows", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-top-hosts-creating-traffic", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-connections-over-time", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-top-hosts-receiving-traffic", - "name": "panel_3", - "type": "visualization" - }, - { - "id": 
"network_traffic-network-traffic-between-your-hosts", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-http.json b/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-http.json deleted file mode 100755 index 0699eb175a..0000000000 --- a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-http.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":36,\"x\":12,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] HTTP", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": 
"network_traffic-web-transactions", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes-evolution", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-total-number-of-http-transactions", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-http-codes-for-the-top-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-10-http-requests", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-mongodb-performance.json b/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-mongodb-performance.json deleted file mode 100755 index 76b41ed6ac..0000000000 --- a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-mongodb-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"6\",\"w\":32,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":35},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] MongoDB", - "version": 1 - }, - "coreMigrationVersion": 
"7.17.0", - "id": "network_traffic-mongodb-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-commands", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors-per-collection", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-in-slash-out-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-response-times-by-collection", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-slowest-mongodb-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-mysql-performance.json b/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-mysql-performance.json deleted file mode 100755 index 6e51b19d93..0000000000 --- a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-mysql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network 
Packet Capture] MySQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-methods", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-throughput", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-mysql-queries", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-mysql-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-response-times-percentiles", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-reads-vs-writes", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-nfs.json b/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-nfs.json deleted file mode 100755 index 2b9bfc8b82..0000000000 --- a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-nfs.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "NFSv3 and NFSv4 transactions over TCP.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":25,\"i\":\"1\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":10},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":30,\"i\"
:\"9\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"9\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"10\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_8\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] NFS", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-clients-pie-chart", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operations-area-chart", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-group-pie-chart", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-users-pie-chart", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-response-times", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-errors", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operation-table", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-bytes-in-slash-out", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-pgsql-performance.json b/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-pgsql-performance.json deleted file mode 100755 index 462ad7a8be..0000000000 --- a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-pgsql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Postgres database query performance.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - 
"timeRestore": false, - "title": "[Network Packet Capture] PgSQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-methods", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-response-times-percentiles", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-reads-vs-writes", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-pgsql-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-pgsql-queries", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-thrift-performance.json b/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-thrift-performance.json deleted file mode 100755 index fe50a1efbd..0000000000 --- a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-thrift-performance.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Thrift performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-performance", 
- "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-requests-per-minute", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-rpc-errors", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-thrift-rpc-methods", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-methods", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "name": "7:panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-tls-sessions.json b/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-tls-sessions.json deleted file mode 100755 index 876601f994..0000000000 --- a/packages/network_traffic/0.10.0/kibana/dashboard/network_traffic-tls-sessions.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "[Network Packet Capture] TLS Sessions", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"8\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":12,\"x\":12,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":12,\"x\":0,\"y\":16},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":40},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"12\",\"w\":12,\"x\":24,\"y\":28},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":12,\"x\":36,\"y\":28},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":12,\"x\":0,\"y\":28},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"ver
sion\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"19\",\"w\":36,\"x\":12,\"y\":16},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-tls-sessions", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "name": "12:panel_12", - 
"type": "visualization" - }, - { - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index afb21d2457..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 67be55b24a..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.ja3\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.ja3\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Fingerprint", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index 6d16385a7d..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] HTTP Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 438de0c09a..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"event.duration\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Handshake Latency", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index b2320634bf..0000000000 
--- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.server.x509.public_key_size\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.server.x509.public_key_size\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Server Public Key Size", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json deleted file mode 100755 index 7851d8f875..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.server_name\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.server_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Server Name Indication", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json deleted file mode 100755 index 44b4e814c2..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "columns": [ - "dhcpv4.transaction_id", - "dhcpv4.op_code", - "dhcpv4.option.message_type", - "source.ip", - "destination.ip", - "dhcpv4.client_mac", - "dhcpv4.option.hostname", - "dhcpv4.option.class_identifier" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json deleted file mode 100755 index 48114ab869..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.detailed.version\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.detailed.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Version", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-cassandra-queryview.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-cassandra-queryview.json deleted file mode 100755 index 4da4785f32..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-cassandra-queryview.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "cassandra.request.query", - "cassandra.response.result.rows.meta.keyspace", - "cassandra.response.result.rows.meta.table", - "cassandra.response.result.rows.num_rows" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cassandra.request.headers.op\",\"negate\":false,\"params\":{\"query\":\"QUERY\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"QUERY\"},\"query\":{\"match\":{\"cassandra.request.headers.op\":{\"query\":\"QUERY\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"cassandra.response.headers.op\",\"negate\":true,\"params\":{\"query\":\"ERROR\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ERROR\"},\"query\":{\"match\":{\"cassandra.response.headers.op\":{\"query\":\"ERROR\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Query Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-queryview", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json deleted file mode 100755 index e042ed47b0..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "server.ip", - "destination.ip", - "dns.question.name", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"dns\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"dns\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"dns\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DNS Protocol", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json deleted file mode 100755 index adda40afe3..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json deleted file mode 100755 index 54ccb16243..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":\"TLS sessions\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-flows-search.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-flows-search.json deleted file mode 100755 index 94bf5f31c0..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-flows-search.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "type", - "event.start", - "event.end", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "source.bytes", - "destination.bytes" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.flow\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Flows Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json deleted file mode 100755 index f3f1e907c0..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb and request: \\\"writeConcern w 0\\\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB transactions with write concern 0", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-mongodb-transactions.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-mongodb-transactions.json deleted file mode 100755 index 71fb0f7d06..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-mongodb-transactions.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB Transaction Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-mysql-errors.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-mysql-errors.json deleted file mode 100755 index e6696d3dfe..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-mysql-transactions.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-mysql-transactions.json deleted file mode 100755 index 035e4af69f..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-mysql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-nfs-errors-search.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-nfs-errors-search.json deleted file mode 100755 index 234a135c17..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-nfs-errors-search.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFSERR_NOENT\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFS_OK\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Error Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" 
-} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-nfs.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-nfs.json deleted file mode 100755 index 637ab8785a..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-nfs.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-pgsql-errors.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-pgsql-errors.json deleted file mode 100755 index e1e696c06b..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-pgsql-transactions.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-pgsql-transactions.json deleted file mode 100755 index 4cf83e438b..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-pgsql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-search.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-search.json deleted file mode 100755 index b8dcde28ff..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-search.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-thrift-errors.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-thrift-errors.json deleted file mode 100755 index 4ada45ff68..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-thrift-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-thrift-transactions.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-thrift-transactions.json deleted file mode 100755 index d561697995..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-thrift-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/search/network_traffic-transactions-errors.json b/packages/network_traffic/0.10.0/kibana/search/network_traffic-transactions-errors.json deleted file mode 100755 index 26f67d32a2..0000000000 --- a/packages/network_traffic/0.10.0/kibana/search/network_traffic-transactions-errors.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Transactions Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-transactions-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - 
{ - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json deleted file mode 100755 index 72cce261f0..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Sessions", - "uiStateJSON": "{\"vis\":{\"colors\":{\"false\":\"#E24D42\",\"true\":\"#7EB26D\"},\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sessions per minute\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Handshake completed\",\"field\":\"tls.established\",\"json\":\"\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"
},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Sessions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index 428c808c1b..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] Total Number of TLS Sessions", - "uiStateJSON": "{\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-7\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total Number of TLS Sessions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 3d5fc5d68c..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] TLS Server Certificates",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.server.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Organization\",\"field\":\"tls.server.x509.subject.organization\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Server Certificates\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json
deleted file mode 100755
index a9a6b6d585..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] TLS Versions",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TLS version\",\"field\":\"tls.detailed.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Versions\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json
deleted file mode 100755
index 5c709d21ab..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] DHCPv4 Client Count",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique MACs\",\"field\":\"dhcpv4.client_mac\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Client Count\",\"type\":\"metric\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json
deleted file mode 100755
index 238ff5fe1b..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] TLS Session Resume",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"\",\"field\":\"tls.detailed.resumption_method\",\"json\":\"{\\n\\\"missing\\\": \\\"none\\\"\\n}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Session Resume\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json
deleted file mode 100755
index 28758eb761..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] DHCPv4 Message Types",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Op Code\",\"field\":\"dhcpv4.op_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message Type\",\"field\":\"dhcpv4.option.message_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DHCPv4 Message Types\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json
deleted file mode 100755
index dfd0b9c2df..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] TLS Cipher",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cipher\",\"field\":\"tls.cipher\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Cipher\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json
deleted file mode 100755
index 69216a897d..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"dhcpv4.option.message_type:nak OR dhcpv4.option.message_type:decline\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] DHCPv4 NAK and Decline Count",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":57,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 NAK and Decline Count\",\"type\":\"metric\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json
deleted file mode 100755
index e347b89b8e..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram",
- "uiStateJSON": "{\"vis\":{\"colors\":{\"Avg Response Time (ns)\":\"#629E51\",\"Max Response Time (ns)\":\"#E24D42\",\"Min Response Time (ns)\":\"#70DBED\"}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Max Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"max\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"4\",\"label\":\"Min Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"1\",\"label\":\"Avg Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Max Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Average event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram\",\"type\":\"area\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json
deleted file mode 100755
index 27390bc2a6..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"}}"
- },
- "title": "[Network Packet Capture] DHCPv4 Message Types over Time",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"c2cf4410-8ba8-11e8-ae15-bdcba81344e6\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"type:dhcpv4\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"ignore_global_filter\":0,\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"NOT dhcpv4.option.message_type:nak NOT dhcpv4.option.message_type:decline\"},\"formatter\":\"number\",\"id\":\"8abe6eb0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"Response\",\"line_width\":1,\"metrics\":[{\"id\":\"8abe6eb1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"dhcpv4.option.message_type\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.message_type:nak\"},\"formatter\":\"number\",\"id\":\"ae5610d0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"nak\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"ae5610d1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.message_type:decline\"},\"formatter\":\"number\",\"id\":\"cf7ba180-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"decline\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"cf7ba181-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"[Network Packet Capture] DHCPv4 Message Types over Time\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json
deleted file mode 100755
index 23e4ad24db..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] TLS Client Certificates",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.client.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Signature Algorithm\",\"field\":\"tls.client.x509.signature_algorithm\",\"json\":\"{ \\\"missing\\\": \\\"N/A\\\" }\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Client Certificates\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json
deleted file mode 100755
index e100d4e38f..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] TLS Server Name Indication",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Server Name Indication\",\"field\":\"tls.client.server_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"hideLabel\":false,\"maxFontSize\":64,\"minFontSize\":14,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"[Network Packet Capture] TLS Server Name Indication\",\"type\":\"tagcloud\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json
deleted file mode 100755
index 204f509a93..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] TLS Fingerprint",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"JA3 Fingerprint\",\"field\":\"tls.client.ja3\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Fingerprint\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json
deleted file mode 100755
index c8ca05e364..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] TLS Server Public Key Size",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Public Key Size\",\"field\":\"tls.server.x509.public_key_size\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] Server Public Key Size\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json
deleted file mode 100755
index 7d805b99d1..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] DNS Client and Servers Pie Chart",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Client and Servers Pie Chart\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json
deleted file mode 100755
index 6b89c0127d..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Bytes Transferred per Domain",
- "uiStateJSON": "{\"vis\":{\"colors\":{\"Bytes In\":\"#F2C96D\",\"Bytes Out\":\"#629E51\",\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Bytes Out\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Bytes In\"},\"mode\":\"normal\",\"show\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"grouped\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Bytes Transferred per Domain\",\"type\":\"histogram\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-bytes-transferred-per-domain",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json
deleted file mode 100755
index 1b5f21f993..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json
+++ /dev/null
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"exists\\\":{\\\"field\\\":\\\"tls\\\"}}\"},\"query\":{\"exists\":{\"field\":\"tls\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] TLS Alerts", - "uiStateJSON": "{\"vis\":{\"colors\":{\"None\":\"#7EB26D\",\"handshake_failure\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"tls.detailed.alert_types\",\"include\":\".*\",\"json\":\"{\\\"missing\\\": \\\"None\\\"}\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Alerts\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-ops.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-ops.json deleted file mode 100755 index fcdb742965..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-ops.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra Ops", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra Ops\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-ops", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-requestcount.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-requestcount.json deleted file mode 100755 index ac31b1fa2f..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-requestcount.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCount", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCount\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcount", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json deleted file mode 100755 index be3352be29..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":\"13\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json deleted file mode 100755 index 9e1ebf6056..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json deleted file mode 100755 index 17a71a0e30..0000000000 
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"radiusRatio\":\"15\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra: ResponseCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json deleted file mode 100755 index ee9d47e2f6..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json deleted file mode 100755 index 2f203d6dd9..0000000000 
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseKeyspace", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.keyspace\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.table\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseKeyspace\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsekeyspace", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsetime.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsetime.json deleted file mode 100755 index 152ebf53ef..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsetime.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseTime", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[5,25,50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseTime\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetime", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsetype.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsetype.json deleted file mode 100755 index 85c2b4d398..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-cassandra-responsetype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseType\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-connections-over-time.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-connections-over-time.json deleted file mode 100755 index 97d4affdf5..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-connections-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Connections over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Flows\",\"field\":\"flow.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique 
Flows\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Connections over time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-connections-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index d8cedfb7c3..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Transaction Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Transactions\",\"field\":\"dhcpv4.transaction_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Transaction Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 856211710f..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"params\":{\"gte\":0,\"lt\":1000000000},\"type\":\"range\",\"value\":\"0 to 1,000,000,000\"},\"range\":{\"event.duration\":{\"gte\":0,\"lt\":1000000000}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Handshake Latency", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Handshake Latency (ns)\",\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":2000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"m
ode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Handshake Latency\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-db-transactions.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-db-transactions.json deleted file mode 100755 index 475882f60d..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-db-transactions.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.type\",\"negate\":true,\"params\":{\"query\":\"flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"flow\"},\"query\":{\"match\":{\"event.type\":{\"query\":\"flow\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"}}" - }, - "title": "[Network Packet Capture] Transaction Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.dataset\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count
\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Transaction Types\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-db-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json deleted file mode 100755 index 333052a373..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"}}" - }, - "title": "[Network Packet Capture] Top Domains by Data Volume", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"3\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top Domains by Data Volume\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-query-summary.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-query-summary.json deleted file mode 100755 index 1898c984d8..0000000000 
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-query-summary.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Query Summary", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"17\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":28,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DNS Query Summary\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-query-summary", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-question-types.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-question-types.json deleted file mode 100755 index b2a975b430..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-question-types.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Question Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Question Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-question-types", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-request-status-over-time.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-request-status-over-time.json deleted file mode 100755 index 53c1b991c8..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-request-status-over-time.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Request Status Over Time", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Error\":\"#890F02\",\"OK\":\"#0A50A1\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"
id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] DNS Request Status Over Time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-request-status-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-response-codes.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-response-codes.json deleted file mode 100755 index b9edd3cab4..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-response-codes.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Response Codes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Code\",\"field\":\"dns.response_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Response Codes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-response-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-top-10-questions.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-top-10-questions.json deleted file mode 100755 index d86db94a8d..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-dns-top-10-questions.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":false,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Top 10 Questions", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Question\",\"field\":\"dns.question.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Top 10 Questions\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-top-10-questions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json deleted file mode 100755 index b89d822540..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Avg Response 
Time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":3.5,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Avg Response Time\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Transactions\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-errors-count-over-time.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-errors-count-over-time.json deleted file mode 100755 index 5582bc6c67..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-errors-count-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors count over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"30s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] New Visualization\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-count-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-transactions-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json deleted file mode 100755 index c3ac23f5a7..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors vs successful transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"percentage\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"percentage\",\"setYExtents\":
false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Errors vs successful transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-vs-successful-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json deleted file mode 100755 index c0d680e520..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Data Transfer", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Requests\",\"field\":\"client.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Responses\",\"field\":\"server.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":24,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Data Transfer\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json deleted file mode 100755 index d8885cd43f..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP status codes for the top queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Query\",\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":false,\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] HTTP status codes for the top queries\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-codes-for-the-top-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-http-error-codes-evolution.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-http-error-codes-evolution.json deleted file mode 100755 index 479733a2af..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-http-error-codes-evolution.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"http.response.status_code\",\"negate\":true,\"params\":{\"gte\":200,\"lt\":299},\"type\":\"range\",\"value\":\"200 to 299\"},\"range\":{\"http.response.status_code\":{\"gte\":200,\"lte\":299}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes evolution", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes evolution\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes-evolution", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-http-error-codes.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-http-error-codes.json deleted file mode 100755 index 1cb90080fc..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-http-error-codes.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"type\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http and http.response.status_code \\u003e= 300\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"type\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique count of type\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-latency-histogram.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-latency-histogram.json deleted file mode 100755 index 34aa0f3d11..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-latency-histogram.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Latency Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Latency Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": 
"network_traffic-latency-histogram", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-commands.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-commands.json deleted file mode 100755 index 87474df326..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-commands.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB Commands", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"silhouette\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\
",\"scale\":{\"defaultYExtents\":false,\"mode\":\"silhouette\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB Commands\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-commands", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json deleted file mode 100755 index ea23f3560f..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors per collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueA
xes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors per collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors-per-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-errors.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-errors.json deleted file mode 100755 index 183ec66ef3..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"row\":true,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mod
e\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json deleted file mode 100755 index 74b8a6fd64..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB in/out throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of source.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Sum of 
destination.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB in/out throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-in-slash-out-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json deleted file mode 100755 index 0346b7b1cd..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB response times by collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":false,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB response times by collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-response-times-by-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json deleted file mode 100755 index 08c27fcecf..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent MySQL queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"query\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true},\"title\":\"[Network Packet Capture] Most frequent MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json deleted file mode 100755 index 6ddc08eafb..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent PgSQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Most frequent PgSQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-errors.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-errors.json deleted file mode 100755 index 25ded66860..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-methods.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-methods.json deleted file mode 100755 index 34e609f25b..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"sca
le\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json deleted file mode 100755 index 4fece54090..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json deleted file mode 100755 index add1156167..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Mysql response times percentiles",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Mysql response times percentiles\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-mysql-response-times-percentiles",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mysql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-throughput.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-throughput.json
deleted file mode 100755
index fd67a3b714..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-mysql-throughput.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] MySQL throughput",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Sum of source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] MySQL throughput\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-mysql-throughput",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mysql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-navigation.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-navigation.json
deleted file mode 100755
index 958a4a7a7c..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-navigation.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "[Network Packet Capture] Navigation",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### Network Packet Capture:\\n\\n[Overview](#/dashboard/network_traffic-dashboard)\\n\\n[Network Flows](#/dashboard/network_traffic-flows)\\n\\n[DNS Overview](#/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e) | [Tunneling](#/dashboard/network_traffic-dns-unique-domains)\\n\\n[DHCPv4 Transactions](#/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb)\\n\\n[TLS Overview](#/dashboard/network_traffic-tls-sessions)\\n\\n[HTTP transactions](#/dashboard/network_traffic-http)\\n\\nDatabases: [MySQL](#/dashboard/network_traffic-mysql-performance) | [PostgreSQL](#/dashboard/network_traffic-pgsql-performance) | [MongoDB](#/dashboard/network_traffic-mongodb-performance) | [Cassandra](#/dashboard/network_traffic-cassandra)\\n\\nRPC: [Thrift](#/dashboard/network_traffic-thrift-performance)\\n\\nStorage: [NFS](#/dashboard/network_traffic-nfs)\",\"openLinksInNewTab\":false},\"title\":\"[Network Packet Capture] Navigation\",\"type\":\"markdown\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-navigation",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json
deleted file mode 100755
index 292355bbdf..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Traffic Between Hosts",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Traffic Between Hosts\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-network-traffic-between-your-hosts",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-flows-search",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json
deleted file mode 100755
index 8b550d78cf..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS Request / Response Sizes",
- "uiStateJSON": "{\"vis\":{\"colors\":{\"Sum of rpc.reply_size\":\"#7EB26D\"}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Request Size\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Size\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Request Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Response Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS Request / Response Sizes\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-bytes-in-slash-out",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json
deleted file mode 100755
index 4272f7571e..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS clients pie chart",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.machinename\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS clients pie chart\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-clients-pie-chart",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-errors.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-errors.json
deleted file mode 100755
index f407f4153d..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-errors.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS errors",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"nfs.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":12},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS errors\",\"type\":\"area\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-errors",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs-errors-search",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-operation-table.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-operation-table.json
deleted file mode 100755
index 56e28320c1..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-operation-table.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS operation table",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Opcode\",\"field\":\"nfs.opcode\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] NFS operation table\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-operation-table",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json
deleted file mode 100755
index 56cb538f8f..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[]}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS operations area chart",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"nfs.opcode\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":16},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS operations area chart\",\"type\":\"area\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-operations-area-chart",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-response-times.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-response-times.json
deleted file mode 100755
index 2ffaacd816..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-response-times.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS response times",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[50]},\"schema\":\"metric\",\"type\":\"median\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Median event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Median event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS response times\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-response-times",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json
deleted file mode 100755
index c1b2816c13..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS top group pie chart",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.gid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top group pie chart\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-top-group-pie-chart",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json
deleted file mode 100755
index 543bfe7058..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS top users pie chart",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.uid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top users pie chart\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-top-users-pie-chart",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json
deleted file mode 100755
index 770c776e13..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mongodb-transactions-with-write-concern-0",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-errors.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-errors.json
deleted file mode 100755
index 88a19443ff..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-errors.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-pgsql-errors",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-pgsql-errors",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-methods.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-methods.json
deleted file mode 100755
index e49215022c..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-methods.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scal
e\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Methods\",\"type\":\"area\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-pgsql-methods",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-pgsql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json
deleted file mode 100755
index 60be8776dd..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Reads vs Writes\",\"type\":\"area\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-pgsql-reads-vs-writes",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-pgsql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json
deleted file mode 100755
index 66eb8b3b8b..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0",
- "id": "network_traffic-pgsql-response-times-percentiles",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-pgsql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-throughput.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-throughput.json
deleted file mode 100755
index aba4ebafd0..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-pgsql-throughput.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL Throughput\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-pgsql-throughput",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-pgsql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-response-times-percentiles.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-response-times-percentiles.json
deleted file mode 100755
index f43cfc0233..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-response-times-percentiles.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,95,99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Response times percentiles\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-response-times-percentiles",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-search",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-response-times-repartition.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-response-times-repartition.json
deleted file mode 100755
index 2271bdb9a7..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-response-times-repartition.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times repartition", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"group\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{
}},\"title\":\"[Network Packet Capture] Response times repartition\",\"type\":\"histogram\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-response-times-repartition",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-search",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-slowest-mysql-queries.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-slowest-mysql-queries.json
deleted file mode 100755
index 9194c62aaa..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-slowest-mysql-queries.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Slowest MySQL queries",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest MySQL queries\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-slowest-mysql-queries",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mysql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json
deleted file mode 100755
index ce2d661459..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Slowest PgSQL Queries",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Average Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest PgSQL Queries\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-slowest-pgsql-queries",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-pgsql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json
deleted file mode 100755
index 777f4d7abe..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Slowest Thrift RPC methods",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest Thrift RPC methods\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-slowest-thrift-rpc-methods",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-thrift-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json
deleted file mode 100755
index e9dee7461a..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[]}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Thrift requests per minute",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"m\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift requests per minute\",\"type\":\"histogram\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-thrift-requests-per-minute",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-thrift-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json
deleted file mode 100755
index 835ee06280..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Thrift response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0",
- "id": "network_traffic-thrift-response-times-percentiles",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-thrift-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-thrift-rpc-errors.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-thrift-rpc-errors.json
deleted file mode 100755
index 37e3e901fc..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-thrift-rpc-errors.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[]}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Thrift RPC Errors",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift RPC Errors\",\"type\":\"area\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-thrift-rpc-errors",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-thrift-errors",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-10-http-requests.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-10-http-requests.json
deleted file mode 100755
index bb5c71dbfe..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-10-http-requests.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Top 10 HTTP requests",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top 10 HTTP requests\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-top-10-http-requests",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json
deleted file mode 100755
index 842f9f29ec..0000000000
--- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Creating Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Source 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Creating Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-creating-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json deleted file mode 100755 index 34f9d74be2..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Receiving Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Receiving Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-receiving-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json deleted file mode 100755 index e39b39b7f9..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top slowest MongoDB queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top slowest MongoDB queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-slowest-mongodb-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json deleted file mode 100755 index 3f7aee4851..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC calls with errors", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"shareYAxis\":true},\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json deleted file mode 100755 index 8add979f7b..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC methods ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Thrift-RPC methods\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json deleted file mode 100755 index 77e8f9b41a..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Total number of HTTP transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"37\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total number of HTTP transactions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-total-number-of-http-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json deleted file mode 100755 index 93a9d62de2..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1 Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Unique Domains\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1 Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json deleted file mode 100755 index e94d78a938..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Subdomain Count\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-web-transactions.json b/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-web-transactions.json deleted file mode 100755 index 354ec98cef..0000000000 --- a/packages/network_traffic/0.10.0/kibana/visualization/network_traffic-web-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP Transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-web-transactions", 
- "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.0/manifest.yml b/packages/network_traffic/0.10.0/manifest.yml deleted file mode 100755 index 3fa9e55cab..0000000000 --- a/packages/network_traffic/0.10.0/manifest.yml +++ /dev/null @@ -1,35 +0,0 @@ -format_version: 1.0.0 -name: network_traffic -title: Network Packet Capture -version: 0.10.0 -license: basic -description: Capture and analyze network traffic from a host with Elastic Agent. -type: integration -categories: - - web -release: beta -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -policy_templates: - - name: network - title: Network Packet Capture - description: Capture network traffic - inputs: - - type: packet - title: Capture network traffic - description: Collecting network traffic - vars: - - name: interface - type: text - title: Interface - required: false - show_user: false - - name: processes - type: text - multi: true - title: Processes - description: Processes to monitor (this will act as a command line grep) - required: false - show_user: false -owner: - github: elastic/security-external-integrations diff --git a/packages/network_traffic/0.10.1/changelog.yml b/packages/network_traffic/0.10.1/changelog.yml deleted file mode 100755 index 3e3588e30e..0000000000 --- a/packages/network_traffic/0.10.1/changelog.yml +++ /dev/null 
@@ -1,119 +0,0 @@ -# newer versions go on top -- version: "0.10.1" - changes: - - description: Remove invalid value from `event.category` in SIP data set. - type: bugfix - link: https://github.com/elastic/integrations/pull/3343 -- version: "0.10.0" - changes: - - description: Add configuration options for each protocol. - type: enhancement - link: https://github.com/elastic/integrations/pull/3157 -- version: "0.9.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "0.8.2" - changes: - - description: Add missing field mappings to DNS and TLS data streams. - type: bugfix - link: https://github.com/elastic/integrations/pull/3078 -- version: "0.8.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.8.0" - changes: - - description: Change release stability to beta. - type: enhancement - link: https://github.com/elastic/integrations/pull/2793 -- version: "0.7.1" - changes: - - description: Fix mapping for tls.detailed.client_certificate_chain. - type: bugfix - link: https://github.com/elastic/integrations/pull/2793 -- version: "0.7.0" - changes: - - description: Add dashboards. Update the Kibana constraint to require 7.17.0 or 8.0.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/2762 -- version: "0.6.3" - changes: - - description: Add license note to README. - type: bugfix - link: https://github.com/elastic/integrations/pull/2809 -- version: "0.6.2" - changes: - - description: Add fields for TLS random data and OCSP status. - type: enhancement - link: https://github.com/elastic/integrations/pull/2703 -- version: "0.6.1" - changes: - - description: Remove unused field metadata. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/2648 -- version: "0.6.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2426 -- version: "0.5.1" - changes: - - description: Fix mapping for tls.detailed.server_certificate_chain - type: bugfix - link: https://github.com/elastic/integrations/pull/2517 -- version: "0.5.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2224 -- version: "0.4.2" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2097 -- version: "0.4.1" - changes: - - description: Update Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1997 - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1975 -- version: "0.4.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1669 -- version: "0.3.0" - changes: - - description: Change title to Network Packet Capture. Added timeout/period config to flows data stream. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1764 -- version: "0.2.2" - changes: - - description: Requires version 7.14.1 of the stack - type: bugfix - link: https://github.com/elastic/integrations/pull/1541 -- version: "0.2.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.2.0" - changes: - - description: Update documentation to fit mdx spec - type: enhancement - link: https://github.com/elastic/integrations/pull/1401 -- version: "0.1.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/21 diff --git a/packages/network_traffic/0.10.1/data_stream/amqp/agent/stream/amqp.yml.hbs b/packages/network_traffic/0.10.1/data_stream/amqp/agent/stream/amqp.yml.hbs deleted file mode 100755 index 22fb1883a0..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/amqp/agent/stream/amqp.yml.hbs +++ /dev/null 
@@ -1,49 +0,0 @@ -type: amqp -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if max_body_length}} -max_body_length: {{max_body_length}} -{{/if}} -{{#if parse_headers}} -parse_headers: {{parse_headers}} -{{/if}} -{{#if parse_arguments}} -parse_arguments: {{parse_arguments}} -{{/if}} -{{#if hide_connection_information}} -hide_connection_information: {{hide_connection_information}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.1/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index e1896257e1..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -description: Pipeline for processing amqp traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/network_traffic/0.10.1/data_stream/amqp/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/amqp/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/amqp/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.1/data_stream/amqp/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/amqp/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/amqp/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.1/data_stream/amqp/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/amqp/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/amqp/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.1/data_stream/amqp/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/amqp/fields/ecs.yml deleted file mode 100755 index da1822dec9..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/amqp/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.1/data_stream/amqp/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/amqp/fields/protocol.yml deleted file mode 100755 index 4b87cf176c..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/amqp/fields/protocol.yml +++ /dev/null 
@@ -1,202 +0,0 @@ -- name: amqp - type: group - fields: - - name: reply-code - type: long - description: > - AMQP reply code to an error, similar to http reply-code - - example: 404 - - name: reply-text - type: keyword - description: > - Text explaining the error. - - - name: class-id - type: long - description: > - Failing method class. - - - name: method-id - type: long - description: > - Failing method ID. - - - name: exchange - type: keyword - description: > - Name of the exchange. - - - name: exchange-type - type: keyword - description: > - Exchange type. - - example: fanout - - name: passive - type: boolean - description: > - If set, do not create exchange/queue. - - - name: durable - type: boolean - description: > - If set, request a durable exchange/queue. - - - name: exclusive - type: boolean - description: > - If set, request an exclusive queue. - - - name: auto-delete - type: boolean - description: > - If set, auto-delete queue when unused. - - - name: no-wait - type: boolean - description: > - If set, the server will not respond to the method. - - - name: consumer-tag - type: keyword - description: > - Identifier for the consumer, valid within the current channel. - - - name: delivery-tag - type: long - description: > - The server-assigned and channel-specific delivery tag. - - - name: message-count - type: long - description: > - The number of messages in the queue, which will be zero for newly-declared queues. - - - name: consumer-count - type: long - description: > - The number of consumers of a queue. - - - name: routing-key - type: keyword - description: > - Message routing key. - - - name: no-ack - type: boolean - description: > - If set, the server does not expect acknowledgements for messages. - - - name: no-local - type: boolean - description: > - If set, the server will not send messages to the connection that published them. - - - name: if-unused - type: boolean - description: > - Delete only if unused. 
- - - name: if-empty - type: boolean - description: > - Delete only if empty. - - - name: queue - type: keyword - description: > - The queue name identifies the queue within the vhost. - - - name: redelivered - type: boolean - description: > - Indicates that the message has been previously delivered to this or another client. - - - name: multiple - type: boolean - description: > - Acknowledge multiple messages. - - - name: arguments - type: object - description: > - Optional additional arguments passed to some methods. Can be of various types. - - - name: mandatory - type: boolean - description: > - Indicates mandatory routing. - - - name: immediate - type: boolean - description: > - Request immediate delivery. - - - name: content-type - type: keyword - description: > - MIME content type. - - example: text/plain - - name: content-encoding - type: keyword - description: > - MIME content encoding. - - - name: headers - type: object - object_type: keyword - description: > - Message header field table. - - - name: delivery-mode - type: keyword - description: > - Non-persistent (1) or persistent (2). - - - name: priority - type: long - description: > - Message priority, 0 to 9. - - - name: correlation-id - type: keyword - description: > - Application correlation identifier. - - - name: reply-to - type: keyword - description: > - Address to reply to. - - - name: expiration - type: keyword - description: > - Message expiration specification. - - - name: message-id - type: keyword - description: > - Application message identifier. - - - name: timestamp - type: keyword - description: > - Message timestamp. - - - name: type - type: keyword - description: > - Message type name. - - - name: user-id - type: keyword - description: > - Creating user id. - - - name: app-id - type: keyword - description: > - Creating application id. - 
diff --git a/packages/network_traffic/0.10.1/data_stream/amqp/manifest.yml b/packages/network_traffic/0.10.1/data_stream/amqp/manifest.yml deleted file mode 100755 index 392448511a..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/amqp/manifest.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -title: AMQP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5672] - - name: max_body_length - type: integer - title: Max Body Length - description: |- - Truncate messages that are published and avoid huge messages being - indexed. - Default: 1000 - show_user: false - multi: false - required: false - - name: parse_headers - type: bool - title: Parse Headers - description: |- - Hide the header fields in header frames. - Default: false - show_user: false - multi: false - required: false - - name: parse_arguments - type: bool - title: Parse Arguments - description: |- - Hide the additional arguments of method frames. - Default: false - show_user: false - multi: false - required: false - - name: hide_connection_information - type: bool - title: Hide Connection Information - description: |- - Hide all methods relative to connection negotiation between server and - client. - Default: true - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. 
- show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: AMQP - description: Capture AMQP Traffic - template_path: amqp.yml.hbs diff --git a/packages/network_traffic/0.10.1/data_stream/amqp/sample_event.json b/packages/network_traffic/0.10.1/data_stream/amqp/sample_event.json deleted file mode 100755 index 9ef02f389f..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/amqp/sample_event.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:37:02.033Z", - "agent": { - "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "amqp": { - "auto-delete": false, - "consumer-count": 0, - "durable": false, - "exclusive": false, - "message-count": 0, - "no-wait": false, - "passive": false, - "queue": "hello" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "data_stream": { - "dataset": "network_traffic.amqp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "amqp.queue.declare", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.amqp", - "duration": 1325900, - "end": "2022-03-09T07:37:02.035Z", - "ingested": "2022-03-09T07:37:03Z", - "kind": "event", - "start": "2022-03-09T07:37:02.033Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - 
}, - "status": "OK", - "type": "amqp" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/data_stream/cassandra/agent/stream/cassandra.yml.hbs b/packages/network_traffic/0.10.1/data_stream/cassandra/agent/stream/cassandra.yml.hbs deleted file mode 100755 index 9c4ec167d1..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/cassandra/agent/stream/cassandra.yml.hbs +++ /dev/null @@ -1,49 +0,0 @@ -type: cassandra -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_request_header}} -send_request_header: {{send_request_header}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if send_response_header}} -send_response_header: {{send_response_header}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if compressor}} -compressor: {{compressor}} -{{/if}} -{{#if ignored_ops}} -ignored_ops: -{{#each ignored_ops as |ignored_op|}} - - {{ignored_op}} -{{/each}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.1/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index db4451530a..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -description: Pipeline for processing cassandra traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/0.10.1/data_stream/cassandra/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/cassandra/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/cassandra/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.1/data_stream/cassandra/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/cassandra/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/cassandra/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.1/data_stream/cassandra/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/cassandra/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/cassandra/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.1/data_stream/cassandra/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/cassandra/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/cassandra/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.1/data_stream/cassandra/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/cassandra/fields/protocol.yml deleted file mode 100755 index 58a2f6c12d..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/cassandra/fields/protocol.yml +++ /dev/null 
@@ -1,283 +0,0 @@ -- name: cassandra - type: group - description: Information about the Cassandra request and response. - fields: - - name: no_request - type: boolean - description: > - Indicates that there is no request because this is a PUSH message. - - - name: request - type: group - description: Cassandra request. - fields: - - name: headers - type: group - description: Cassandra request headers. - fields: - - name: version - type: keyword - description: The version of the protocol. - - name: flags - type: keyword - description: Flags applying to this frame. - - name: stream - type: keyword - description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. - - name: op - type: keyword - description: An operation type that distinguishes the actual message. - - name: length - type: long - description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). - - name: query - type: keyword - description: The CQL query which client send to cassandra. - - name: response - type: group - description: Cassandra response. - fields: - - name: headers - type: group - description: Cassandra response headers, the structure is as same as request's header. - fields: - - name: version - type: keyword - description: The version of the protocol. - - name: flags - type: keyword - description: Flags applying to this frame. - - name: stream - type: keyword - description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. - - name: op - type: keyword - description: An operation type that distinguishes the actual message. - - name: length - type: long - description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). 
- - name: result - type: group - description: Details about the returned result. - fields: - - name: type - type: keyword - description: Cassandra result type. - - name: rows - type: group - description: Details about the rows. - fields: - - name: num_rows - type: long - description: Representing the number of rows present in this result. - - name: meta - type: group - description: Composed of result metadata. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. - - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: keyspace - type: keyword - description: Indicating the name of the keyspace that has been set. - - name: schema_change - type: group - description: The result to a schema_change message. - fields: - - name: change - type: keyword - description: Representing the type of changed involved. - - name: keyspace - type: keyword - description: This describes which keyspace has changed. - - name: table - type: keyword - description: This describes which table has changed. - - name: object - type: keyword - description: This describes the name of said affected object (either the table, user type, function, or aggregate name). - - name: target - type: keyword - description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. 
- - name: name - type: keyword - description: The function/aggregate name. - - name: args - type: keyword - description: One string for each argument type (as CQL type). - - name: prepared - type: group - description: The result to a PREPARE message. - fields: - - name: prepared_id - type: keyword - description: Representing the prepared query ID. - - name: req_meta - type: group - description: This describes the request metadata. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. - - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: resp_meta - type: group - description: This describes the metadata for the result set. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. 
- - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: supported - type: flattened - description: Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. - - name: authentication - type: group - description: Indicates that the server requires authentication, and which authentication mechanism to use. - fields: - - name: class - type: keyword - description: Indicates the full class name of the IAuthenticator in use - - name: warnings - type: keyword - description: The text of the warnings, only occur when Warning flag was set. - - name: event - type: group - description: Event pushed by the server. A client will only receive events for the types it has REGISTERed to. - fields: - - name: type - type: keyword - description: Representing the event type. - - name: change - type: keyword - description: The message corresponding respectively to the type of change followed by the address of the new/removed node. - - name: host - type: keyword - description: Representing the node ip. - - name: port - type: long - description: Representing the node port. - - name: schema_change - type: group - description: The events details related to schema change. - fields: - - name: change - type: keyword - description: Representing the type of changed involved. - - name: keyspace - type: keyword - description: This describes which keyspace has changed. - - name: table - type: keyword - description: This describes which table has changed. - - name: object - type: keyword - description: This describes the name of said affected object (either the table, user type, function, or aggregate name). - - name: target - type: keyword - description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. - - name: name - type: keyword - description: The function/aggregate name. 
- - name: args - type: keyword - description: One string for each argument type (as CQL type). - - name: error - type: group - description: Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow. - fields: - - name: code - type: long - description: The error code of the Cassandra response. - - name: msg - type: keyword - description: The error message of the Cassandra response. - - name: type - type: keyword - description: The error type of the Cassandra response. - - name: details - type: group - description: The details of the error. - fields: - - name: read_consistency - type: keyword - description: Representing the consistency level of the query that triggered the exception. - - name: required - type: long - description: Representing the number of nodes that should be alive to respect consistency level. - - name: alive - type: long - description: Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). - - name: received - type: long - description: Representing the number of nodes having acknowledged the request. - - name: blockfor - type: long - description: Representing the number of replicas whose acknowledgement is required to achieve consistency level. - - name: write_type - type: keyword - description: Describe the type of the write that timed out. - - name: data_present - type: boolean - description: It means the replica that was asked for data had responded. - - name: keyspace - type: keyword - description: The keyspace of the failed function. - - name: table - type: keyword - description: The keyspace of the failed function. - - name: stmt_id - type: keyword - description: Representing the unknown ID. - - name: num_failures - type: keyword - description: Representing the number of nodes that experience a failure while executing the request. 
- - name: function - type: keyword - description: The name of the failed function. - - name: arg_types - type: keyword - description: One string for each argument type (as CQL type) of the failed function. diff --git a/packages/network_traffic/0.10.1/data_stream/cassandra/manifest.yml b/packages/network_traffic/0.10.1/data_stream/cassandra/manifest.yml deleted file mode 100755 index b05f2d1e4e..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/cassandra/manifest.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -title: Cassandra -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [9042] - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`cassandra_request` field) - is included in published events. The default is true. - show_user: false - multi: false - required: false - - name: send_request_header - type: bool - title: Send Request Header - description: |- - If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field) - is included in published events. The default is true. enable `send_request` first before enable this option. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`cassandra_response` field) - is included in published events. The default is true. - show_user: false - multi: false - required: false - - name: send_response_header - type: bool - title: Send Response Header - description: |- - If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field) - is included in published events. The default is true. enable `send_response` first before enable this option. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: compressor - type: text - title: Compressor - description: |- - Configures the default compression algorithm being used to uncompress compressed frames by name. 
Currently only `snappy` is can be configured. - By default no compressor is configured. - show_user: false - multi: false - required: false - - name: ignored_ops - type: text - title: Ignored Ops - description: This option indicates which Operator/Operators will be ignored. - show_user: false - multi: true - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Cassandra - description: Capture Cassandra Traffic - template_path: cassandra.yml.hbs diff --git a/packages/network_traffic/0.10.1/data_stream/cassandra/sample_event.json b/packages/network_traffic/0.10.1/data_stream/cassandra/sample_event.json deleted file mode 100755 index aa2d587c11..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/cassandra/sample_event.json +++ /dev/null 
@@ -1,125 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:43:05.888Z", - "agent": { - "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "cassandra": { - "request": { - "headers": { - "flags": "Default", - "length": 98, - "op": "QUERY", - "stream": 49, - "version": "4" - }, - "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);" - }, - "response": { - "headers": { - "flags": "Default", - "length": 39, - "op": "RESULT", - "stream": 49, - "version": "4" - }, - "result": { - "schema_change": { - "change": "CREATED", - "keyspace": "mykeyspace", - "object": "users", - "target": "TABLE" - }, - "type": "schemaChanged" - } - } - }, - "client": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "data_stream": { - "dataset": "network_traffic.cassandra", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.cassandra", - "duration": 131589500, - "end": "2022-03-09T07:43:06.019Z", - "ingested": "2022-03-09T07:43:09Z", - "kind": "event", - "start": "2022-03-09T07:43:05.888Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 155, - "community_id": 
"1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=", - "direction": "ingress", - "protocol": "cassandra", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "source": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "status": "OK", - "type": "cassandra" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs b/packages/network_traffic/0.10.1/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs deleted file mode 100755 index 2c56638255..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs +++ /dev/null @@ -1,28 +0,0 @@ -type: dhcpv4 -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.1/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7c07281afb..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -description: Pipeline for processing dhcpv4 traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: dhcpv4.client_mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: dhcpv4.client_mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: dhcpv4.client_mac - ignore_missing: true -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/protocol.yml deleted file mode 100755 index 0180691a5b..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dhcpv4/fields/protocol.yml +++ /dev/null 
@@ -1,177 +0,0 @@ -- name: dhcpv4 - type: group - fields: - - name: transaction_id - type: keyword - description: | - Transaction ID, a random number chosen by the - client, used by the client and server to associate - messages and responses between a client and a - server. - - name: seconds - type: long - description: | - Number of seconds elapsed since client began address acquisition or - renewal process. - - name: flags - type: keyword - description: | - Flags are set by the client to indicate how the DHCP server should - its reply -- either unicast or broadcast. - - name: client_ip - type: ip - description: The current IP address of the client. - - name: assigned_ip - type: ip - description: | - The IP address that the DHCP server is assigning to the client. - This field is also known as "your" IP address. - - name: server_ip - type: ip - description: | - The IP address of the DHCP server that the client should use for the - next step in the bootstrap process. - - name: relay_ip - type: ip - description: | - The relay IP address used by the client to contact the server - (i.e. a DHCP relay server). - - name: client_mac - type: keyword - description: The client's MAC address (layer two). - - name: server_name - type: keyword - description: | - The name of the server sending the message. Optional. Used in - DHCPOFFER or DHCPACK messages. - - name: op_code - type: keyword - example: bootreply - description: | - The message op code (bootrequest or bootreply). - - name: hops - type: long - description: The number of hops the DHCP message went through. - - name: hardware_type - type: keyword - description: | - The type of hardware used for the local network (Ethernet, - LocalTalk, etc). - - name: option - type: group - fields: - - name: message_type - type: keyword - example: ack - description: | - The specific type of DHCP message being sent (e.g. discover, - offer, request, decline, ack, nak, release, inform). 
- - name: parameter_request_list - type: keyword - description: | - This option is used by a DHCP client to request values for - specified configuration parameters. - - name: requested_ip_address - type: ip - description: | - This option is used in a client request (DHCPDISCOVER) to allow - the client to request that a particular IP address be assigned. - - name: server_identifier - type: ip - description: | - IP address of the individual DHCP server which handled this - message. - - name: broadcast_address - type: ip - description: | - This option specifies the broadcast address in use on the - client's subnet. - - name: max_dhcp_message_size - type: long - description: | - This option specifies the maximum length DHCP message that the - client is willing to accept. - - name: class_identifier - type: keyword - description: | - This option is used by DHCP clients to optionally identify the - vendor type and configuration of a DHCP client. Vendors may - choose to define specific vendor class identifiers to convey - particular configuration or other identification information - about a client. For example, the identifier may encode the - client's hardware configuration. - - name: domain_name - type: keyword - description: | - This option specifies the domain name that client should use - when resolving hostnames via the Domain Name System. - - name: dns_servers - type: ip - description: | - The domain name server option specifies a list of Domain Name - System servers available to the client. - - name: vendor_identifying_options - type: object - description: | - A DHCP client may use this option to unambiguously identify the - vendor that manufactured the hardware on which the client is - running, the software in use, or an industry consortium to which - the vendor belongs. This field is described in RFC 3925. - - name: subnet_mask - type: ip - description: | - The subnet mask that the client should use on the currnet - network. 
- - name: utc_time_offset_sec - type: long - description: | - The time offset field specifies the offset of the client's - subnet in seconds from Coordinated Universal Time (UTC). - - name: router - type: ip - description: | - The router option specifies a list of IP addresses for routers - on the client's subnet. - - name: time_servers - type: ip - description: | - The time server option specifies a list of RFC 868 time servers - available to the client. - - name: ntp_servers - type: ip - description: | - This option specifies a list of IP addresses indicating NTP - servers available to the client. - - name: hostname - type: keyword - description: | - This option specifies the name of the client. - - name: ip_address_lease_time_sec - type: long - description: | - This option is used in a client request (DHCPDISCOVER or - DHCPREQUEST) to allow the client to request a lease time for the - IP address. In a server reply (DHCPOFFER), a DHCP server uses - this option to specify the lease time it is willing to offer. - - name: message - type: text - description: | - This option is used by a DHCP server to provide an error message - to a DHCP client in a DHCPNAK message in the event of a failure. - A client may use this option in a DHCPDECLINE message to - indicate the why the client declined the offered parameters. - - name: renewal_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the RENEWING state. - - name: rebinding_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the REBINDING state. - - name: boot_file_name - type: keyword - description: | - This option is used to identify a bootfile when the 'file' field - in the DHCP header has been used for DHCP options. 
diff --git a/packages/network_traffic/0.10.1/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/0.10.1/data_stream/dhcpv4/manifest.yml deleted file mode 100755 index fc09a92781..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dhcpv4/manifest.yml +++ /dev/null @@ -1,40 +0,0 @@ -title: DHCP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [67, 68] - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: DHCP - description: Capture DHCP Traffic - template_path: dhcpv4.yml.hbs diff --git a/packages/network_traffic/0.10.1/data_stream/dhcpv4/sample_event.json b/packages/network_traffic/0.10.1/data_stream/dhcpv4/sample_event.json deleted file mode 100755 index 59ab870695..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dhcpv4/sample_event.json +++ /dev/null 
@@ -1,111 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:43:52.712Z", - "agent": { - "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "data_stream": { - "dataset": "network_traffic.dhcpv4", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "255.255.255.255", - "port": 67 - }, - "dhcpv4": { - "client_mac": "00-0B-82-01-FC-42", - "flags": "unicast", - "hardware_type": "Ethernet", - "hops": 0, - "op_code": "bootrequest", - "option": { - "message_type": "discover", - "parameter_request_list": [ - "Subnet Mask", - "Router", - "Domain Name Server", - "NTP Servers" - ], - "requested_ip_address": "0.0.0.0" - }, - "seconds": 0, - "transaction_id": "0x00003d1d" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dhcpv4", - "ingested": "2022-03-09T07:43:53Z", - "kind": "event", - "start": "2022-03-09T07:43:52.712Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 272, - "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", - "direction": "unknown", - "protocol": "dhcpv4", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "0.0.0.0", - "255.255.255.255" - ] - }, - "server": { - "ip": "255.255.255.255", - 
"port": 67 - }, - "source": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "status": "OK", - "type": "dhcpv4" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/data_stream/dns/agent/stream/dns.yml.hbs b/packages/network_traffic/0.10.1/data_stream/dns/agent/stream/dns.yml.hbs deleted file mode 100755 index e68885b2f8..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dns/agent/stream/dns.yml.hbs +++ /dev/null @@ -1,43 +0,0 @@ -type: dns -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if include_authorities}} -include_authorities: {{include_authorities}} -{{/if}} -{{#if include_additionals}} -include_additionals: {{include_additionals}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 012fede9d4..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -description: Pipeline for processing dhcpv4 traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/0.10.1/data_stream/dns/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/dns/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dns/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.1/data_stream/dns/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/dns/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dns/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.1/data_stream/dns/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/dns/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dns/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.1/data_stream/dns/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/dns/fields/ecs.yml deleted file mode 100755 index e2ea6f338f..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,200 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. 
- name: dns.answers.type - type: keyword -- description: |- - Array of 2 letter DNS header flags. - Expected values are: AA, TC, RD, RA, AD, CD, DO. - name: dns.header_flags - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - name: dns.op_code - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.1/data_stream/dns/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/dns/fields/protocol.yml deleted file mode 100755 index 28d506b996..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/dns/fields/protocol.yml +++ /dev/null 
@@ -1,110 +0,0 @@
-- name: dns
- type: group
- fields:
- - name: flags.authoritative
- type: boolean
- description: >
- A DNS flag specifying that the responding server is an authority for the domain name used in the question.
-
- - name: flags.recursion_available
- type: boolean
- description: >
- A DNS flag specifying whether recursive query support is available in the name server.
-
- - name: flags.recursion_desired
- type: boolean
- description: >
- A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional.
-
- - name: flags.authentic_data
- type: boolean
- description: >
- A DNS flag specifying that the recursive server considers the response authentic.
-
- - name: flags.checking_disabled
- type: boolean
- description: >
- A DNS flag specifying that the client disables the server signature validation of the query.
-
- - name: flags.truncated_response
- type: boolean
- description: >
- A DNS flag specifying that only the first 512 bytes of the reply were returned.
-
- - name: question.etld_plus_one
- type: keyword
- description: The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org.
- example: amazon.co.uk.
- - name: answers_count
- type: long
- description: >
- The number of resource records contained in the `dns.answers` field.
-
- - name: authorities
- type: object
- description: >
- An array containing a dictionary for each authority section from the answer.
-
- - name: authorities_count
- type: long
- description: >
- The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat.
-
- - name: authorities.name
- type: keyword
- description: The domain name to which this resource record pertains.
- example: example.com.
- - name: authorities.type
- type: keyword
- description: The type of data contained in this resource record.
- example: NS
- - name: authorities.class
- type: keyword
- description: The class of DNS data contained in this resource record.
- example: IN
- - name: additionals
- type: object
- description: >
- An array containing a dictionary for each additional section from the answer.
-
- - name: additionals_count
- type: long
- description: >
- The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat.
-
- - name: additionals.name
- type: keyword
- description: The domain name to which this resource record pertains.
- example: example.com.
- - name: additionals.type
- type: keyword
- description: The type of data contained in this resource record.
- example: NS
- - name: additionals.class
- type: keyword
- description: The class of DNS data contained in this resource record.
- example: IN
- - name: additionals.ttl
- description: >
- The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
-
- type: long
- - name: additionals.data
- type: keyword
- description: >
- The data describing the resource. The meaning of this data depends on the type and class of the resource record.
-
- - name: opt.version
- type: keyword
- description: The EDNS version.
- example: "0"
- - name: opt.do
- type: boolean
- description: If set, the transaction uses DNSSEC.
- - name: opt.ext_rcode
- type: keyword
- description: Extended response code field.
- example: "BADVERS"
- - name: opt.udp_size
- type: long
- description: Requestor's UDP payload size (in bytes).
diff --git a/packages/network_traffic/0.10.1/data_stream/dns/manifest.yml b/packages/network_traffic/0.10.1/data_stream/dns/manifest.yml
deleted file mode 100755
index cc5476bfad..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,95 +0,0 @@
-title: DNS
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [53]
- - name: include_authorities
- type: bool
- title: Include Authorities
- description: |-
- include_authorities controls whether or not the dns.authorities field
- (authority resource records) is added to messages.
- Default: false
- show_user: false
- multi: false
- required: false
- - name: include_additionals
- type: bool
- title: Include Additionals
- description: |-
- include_additionals controls whether or not the dns.additionals field
- (additional resource records) is added to messages.
- Default: false
- show_user: false
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- send_request controls whether or not the stringified DNS
- request messages are added to the result.
- Nearly all data about the request/response is available in the dns.*
- fields, but this can be useful if you need visibility specifically
- into the request or the response.
- Default: false
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- send_response controls whether or not the stringified DNS
- response messages are added to the result.
- Nearly all data about the request/response is available in the dns.*
- fields, but this can be useful if you need visibility specifically
- into the request or the response.
- Default: false
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: DNS
- description: Capture DNS Traffic
- template_path: dns.yml.hbs
diff --git a/packages/network_traffic/0.10.1/data_stream/dns/sample_event.json b/packages/network_traffic/0.10.1/data_stream/dns/sample_event.json
deleted file mode 100755
index 476a880555..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/dns/sample_event.json
+++ /dev/null
@@ -1,158 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:48:42.751Z", - "agent": { - "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "data_stream": { - "dataset": "network_traffic.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "dns": { - "additionals_count": 0, - "answers": [ - { - "class": "IN", - "data": "ns-1183.awsdns-19.org", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-2007.awsdns-58.co.uk", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-66.awsdns-08.com", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-835.awsdns-40.net", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - } - ], - "answers_count": 4, - "authorities_count": 0, - "flags": { - "authentic_data": false, - "authoritative": false, - "checking_disabled": false, - "recursion_available": true, - "recursion_desired": true, - "truncated_response": false - }, - "header_flags": [ - "RD", - "RA" - ], - "id": 26187, - "op_code": "QUERY", - "question": { - "class": "IN", - "etld_plus_one": "elastic.co", - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "NS" - }, - "response_code": "NOERROR", - "type": "answer" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dns", - "duration": 68515700, - "end": "2022-03-09T07:48:42.819Z", - "ingested": "2022-03-09T07:48:43Z", - "kind": "event", - "start": 
"2022-03-09T07:48:42.751Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "QUERY", - "network": { - "bytes": 195, - "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", - "direction": "unknown", - "protocol": "dns", - "transport": "udp", - "type": "ipv4" - }, - "query": "class IN, type NS, elastic.co", - "related": { - "ip": [ - "192.168.238.68", - "8.8.8.8" - ] - }, - "resource": "elastic.co", - "server": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "source": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "status": "OK", - "type": "dns" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/data_stream/flow/agent/stream/flow.yml.hbs b/packages/network_traffic/0.10.1/data_stream/flow/agent/stream/flow.yml.hbs deleted file mode 100755 index 80f2a27460..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/flow/agent/stream/flow.yml.hbs +++ /dev/null @@ -1,23 +0,0 @@ -type: flow -{{#if timeout}} -flows.timeout: '{{timeout}}' -{{/if}} -{{#if period}} -flows.period: '{{period}}' -{{/if}} -{{#if processes}} -procs: - enabled: true - monitored: - {{#each processes}} - - cmdline_grep: {{this}} - {{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.1/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/flow/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8a45c554fd..0000000000 
--- a/packages/network_traffic/0.10.1/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing traffic flows
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.1/data_stream/flow/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/flow/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/flow/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/0.10.1/data_stream/flow/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/flow/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/flow/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.1/data_stream/flow/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/flow/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/flow/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/0.10.1/data_stream/flow/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/flow/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/flow/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/0.10.1/data_stream/flow/manifest.yml b/packages/network_traffic/0.10.1/data_stream/flow/manifest.yml
deleted file mode 100755
index 4f455c6f25..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/flow/manifest.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Flows
-release: beta
-type: logs
-streams:
- - input: packet
- title: Flows
- description: Track Network Flows
- template_path: flow.yml.hbs
- vars:
- - name: period
- type: text
- title: Period
- required: false
- show_user: false
- description: Configure the reporting interval. All flows are reported at the very same point in time. Periodical reporting can be disabled by setting the value to -1. If disabled, flows are still reported once being timed out.
- default: '10s'
- - name: timeout
- type: text
- title: Flow timeout
- description: Timeout configures the lifetime of a flow. If no packets have been received for a flow within the timeout time window, the flow is killed and reported.
- required: false
- show_user: false
- default: '30s'
diff --git a/packages/network_traffic/0.10.1/data_stream/http/agent/stream/http.yml.hbs b/packages/network_traffic/0.10.1/data_stream/http/agent/stream/http.yml.hbs
deleted file mode 100755
index 4c2aecad10..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/http/agent/stream/http.yml.hbs
+++ /dev/null
@@ -1,85 +0,0 @@
-type: http
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if hide_keywords}}
-hide_keywords:
-{{#each hide_keywords as |hide_keyword|}}
- - {{hide_keyword}}
-{{/each}}
-{{/if}}
-{{#if send_headers}}
-send_headers: {{send_headers}}
-{{/if}}
-{{#if send_all_headers}}
-send_all_headers: {{send_all_headers}}
-{{/if}}
-{{#if redact_headers}}
-redact_headers:
-{{#each redact_headers as |redact_header|}}
- - {{redact_header}}
-{{/each}}
-{{/if}}
-{{#if include_body_for}}
-include_body_for:
-{{#each include_body_for as |include_body_for_elem|}}
- - {{include_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if include_request_body_for}}
-include_request_body_for:
-{{#each include_request_body_for as |include_request_body_for_elem|}}
- - {{include_request_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if include_response_body_for}}
-include_response_body_for:
-{{#each include_response_body_for as |include_response_body_for_elem|}}
- - {{include_response_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if decode_body}}
-decode_body: {{decode_body}}
-{{/if}}
-{{#if split_cookie}}
-split_cookie: {{split_cookie}}
-{{/if}}
-{{#if real_ip_header}}
-real_ip_header: {{real_ip_header}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if max_message_size}}
-max_message_size: {{max_message_size}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.1/data_stream/http/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/http/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 73b1d30401..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/http/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing http traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.1/data_stream/http/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/http/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/http/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/0.10.1/data_stream/http/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/http/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/http/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.1/data_stream/http/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/http/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/http/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/0.10.1/data_stream/http/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/http/fields/ecs.yml
deleted file mode 100755
index d003c7093e..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/http/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: Size in bytes of the request body.
- name: http.request.body.bytes
- type: long
-- description: Total size in bytes of the request (body and headers).
- name: http.request.bytes
- type: long
-- description: |-
- HTTP request method.
- The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
- name: http.request.method
- type: keyword
-- description: Referrer for this HTTP request.
- name: http.request.referrer
- type: keyword
-- description: Size in bytes of the response body.
- name: http.response.body.bytes
- type: long
-- description: Total size in bytes of the response (body and headers).
- name: http.response.bytes
- type: long
-- description: HTTP response status code.
- name: http.response.status_code
- type: long
-- description: HTTP version.
- name: http.version
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter.
This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: |-
- The domain name of the server system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: server.domain
- type: keyword
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: |-
- The field contains the file extension from the original request url, excluding the leading dot.
- The file extension is only set if it exists, as not every url has a file extension.
- The leading period must not be included. For example, the value must be "png", not ".png".
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: url.extension
- type: keyword
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.full
- type: wildcard
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: Port of the request, such as 443.
- name: url.port
- type: long
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: url.query
- type: keyword
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: url.scheme
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
diff --git a/packages/network_traffic/0.10.1/data_stream/http/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/http/fields/protocol.yml
deleted file mode 100755
index 51b73ae344..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/http/fields/protocol.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: http
- type: group
- description: Information about the HTTP request and response.
- fields:
- - name: request
- description: HTTP request
- type: group
- fields:
- - name: headers
- type: flattened
- description: >
- A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
-
- - name: response
- description: HTTP response
- type: group
- fields:
- - name: status_phrase
- type: keyword
- description: The HTTP status phrase.
- example: Not Found
- - name: headers
- type: flattened
- description: >
- A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
-
diff --git a/packages/network_traffic/0.10.1/data_stream/http/manifest.yml b/packages/network_traffic/0.10.1/data_stream/http/manifest.yml
deleted file mode 100755
index f16188331c..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/http/manifest.yml
+++ /dev/null
@@ -1,173 +0,0 @@ -title: HTTP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [80, 8080, 8000, 5000, 8002] - - name: hide_keywords - type: text - title: Hide Keywords - description: |- - Uncomment the following to hide certain parameters in URL or forms attached - to HTTP requests. The names of the parameters are case insensitive. - The value of the parameters will be replaced with the 'xxxxx' string. - This is generally useful for avoiding storing user passwords or other - sensitive information. - Only query parameters and top level form parameters are replaced. - show_user: false - multi: true - required: false - - name: send_headers - type: bool - title: Send Headers - description: |- - A list of header names to capture and send to Elasticsearch. These headers - are placed under the `headers` dictionary in the resulting JSON. - show_user: false - multi: false - required: false - - name: send_all_headers - type: bool - title: Send All Headers - description: |- - Instead of sending a white list of headers to Elasticsearch, you can send - all headers by setting this option to true. The default is false. - show_user: false - multi: false - required: false - - name: redact_headers - type: text - title: Redact Headers - description: |- - A list of headers to redact if present in the HTTP request. This will keep - the header field present, but will redact it's value to show the headers - presence. - show_user: false - multi: true - required: false - - name: include_body_for - type: text - title: Include Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - payload. 
If the request's or response's Content-Type matches any on this - list, the full body will be included under the request or response field. - show_user: false - multi: true - required: false - - name: include_request_body_for - type: text - title: Include Request Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - request payload. - show_user: false - multi: true - required: false - - name: include_response_body_for - type: text - title: Include Response Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - response payload. - show_user: false - multi: true - required: false - - name: decode_body - type: bool - title: Decode Body - description: |- - Whether the body of a request must be decoded when a content-encoding - or transfer-encoding has been applied. - show_user: false - multi: false - required: false - - name: split_cookie - type: bool - title: Split Cookie - description: |- - If the Cookie or Set-Cookie headers are sent, this option controls whether - they are split into individual values. - show_user: false - multi: false - required: false - - name: real_ip_header - type: bool - title: Real Ip Header - description: |- - The header field to extract the real IP from. This setting is useful when - you want to capture traffic behind a reverse proxy, but you want to get the - geo-location information. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. 
- show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: max_message_size - type: integer - title: Max Message Size - description: |- - Maximum message size. If an HTTP message is larger than this, it will - be trimmed to this size. Default is 10 MB. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: HTTP - description: Capture HTTP Traffic - template_path: http.yml.hbs diff --git a/packages/network_traffic/0.10.1/data_stream/http/sample_event.json b/packages/network_traffic/0.10.1/data_stream/http/sample_event.json deleted file mode 100755 index f07301394b..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/http/sample_event.json +++ /dev/null 
@@ -1,139 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:54:42.031Z", - "agent": { - "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "data_stream": { - "dataset": "network_traffic.http", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.http", - "duration": 141490400, - "end": "2022-03-09T07:54:42.172Z", - "ingested": "2022-03-09T07:54:43Z", - "kind": "event", - "start": "2022-03-09T07:54:42.031Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "http": { - "request": { - "body": { - "bytes": 55 - }, - "bytes": 211, - "headers": { - "content-length": 55, - "content-type": "application/x-www-form-urlencoded" - }, - "method": "POST" - }, - "response": { - "body": { - "bytes": 8936 - }, - "bytes": 9108, - "headers": { - "content-length": 8936, - "content-type": "text/html; charset=utf-8" - }, - "status_code": 404, - "status_phrase": "not found" - }, - "version": "1.1" - }, - "method": "POST", - "network": { - "bytes": 9319, - "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=", - "direction": "unknown", - 
"protocol": "http", - "transport": "tcp", - "type": "ipv4" - }, - "query": "POST /register", - "related": { - "hosts": [ - "packetbeat.com" - ], - "ip": [ - "192.168.238.50", - "107.170.1.22" - ] - }, - "server": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "source": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "status": "Error", - "type": "http", - "url": { - "domain": "packetbeat.com", - "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "path": "/register", - "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "scheme": "http" - }, - "user_agent": { - "original": "curl/7.37.1" - } -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/data_stream/icmp/agent/stream/icmp.yml.hbs b/packages/network_traffic/0.10.1/data_stream/icmp/agent/stream/icmp.yml.hbs deleted file mode 100755 index f550ca79fa..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/icmp/agent/stream/icmp.yml.hbs +++ /dev/null @@ -1,22 +0,0 @@ -type: icmp -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.1/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8cd8d555f7..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -description: Pipeline for processing icmp traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/0.10.1/data_stream/icmp/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/icmp/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/icmp/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.1/data_stream/icmp/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/icmp/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/icmp/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.1/data_stream/icmp/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/icmp/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/icmp/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.1/data_stream/icmp/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/icmp/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/icmp/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.1/data_stream/icmp/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/icmp/fields/protocol.yml deleted file mode 100755 index 5aef1deaf4..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/icmp/fields/protocol.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: icmp - type: group - fields: - - name: version - type: long - description: The version of the ICMP protocol. - possible_values: - - 4 - - 6 - - name: request.message - type: keyword - description: A human readable form of the request. - - name: request.type - type: long - description: The request type. - - name: request.code - type: long - description: The request code. - - name: response.message - type: keyword - description: A human readable form of the response. - - name: response.type - type: long - description: The response type. - - name: response.code - type: long - description: The response code. diff --git a/packages/network_traffic/0.10.1/data_stream/icmp/manifest.yml b/packages/network_traffic/0.10.1/data_stream/icmp/manifest.yml deleted file mode 100755 index ca911dc8e0..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/icmp/manifest.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -title: ICMP -release: beta -type: logs -streams: - - input: packet - title: ICMP - description: Capture ICMP Traffic - template_path: icmp.yml.hbs - vars: - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false diff --git a/packages/network_traffic/0.10.1/data_stream/icmp/sample_event.json b/packages/network_traffic/0.10.1/data_stream/icmp/sample_event.json deleted file mode 100755 index 6dfd5d97d4..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/icmp/sample_event.json +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:57:32.766Z", - "agent": { - "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 4, - "ip": "::1" - }, - "data_stream": { - "dataset": "network_traffic.icmp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 4, - "ip": "::2" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.icmp", - "duration": 13336600, - "end": "2022-03-09T07:57:32.779Z", - "ingested": "2022-03-09T07:57:36Z", - "kind": "event", - "start": "2022-03-09T07:57:32.766Z", - "type": [ - "connection" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "icmp": { - "request": { - "code": 0, - "message": "EchoRequest", - "type": 128 - }, - "response": { - "code": 0, - "message": "EchoReply", - "type": 129 - }, - "version": 6 - }, - "network": { - "bytes": 8, - "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=", - "direction": "egress", - "transport": "ipv6-icmp", - "type": "ipv6" - }, - "path": "::2", - "related": { - "ip": [ - "::1", - "::2" - ] - }, - "server": { - "bytes": 4, - "ip": "::2" - }, - "source": { - "bytes": 4, - "ip": "::1" - }, - "status": "OK", - "type": "icmp" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/data_stream/memcached/agent/stream/memcached.yml.hbs b/packages/network_traffic/0.10.1/data_stream/memcached/agent/stream/memcached.yml.hbs deleted file mode 100755 index 136c8ad877..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/memcached/agent/stream/memcached.yml.hbs +++ /dev/null @@ -1,49 +0,0 @@ -type: memcache -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if parseunknown}} -parseunknown: {{parseunknown}} -{{/if}} -{{#if maxvalues}} -maxvalues: {{maxvalues}} -{{/if}} -{{#if maxbytespervalue}} -maxbytespervalue: {{maxbytespervalue}} -{{/if}} -{{#if udptransactiontimeout}} -udptransactiontimeout: {{udptransactiontimeout}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.1/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8eb49dc336..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing memcached traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.1/data_stream/memcached/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/memcached/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/memcached/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.1/data_stream/memcached/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/memcached/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/memcached/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.1/data_stream/memcached/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/memcached/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/memcached/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.1/data_stream/memcached/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/memcached/fields/ecs.yml deleted file mode 100755 index 7638afce57..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/memcached/fields/ecs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.1/data_stream/memcached/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/memcached/fields/protocol.yml deleted file mode 100755 index 4d1c281dde..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/memcached/fields/protocol.yml +++ /dev/null 
@@ -1,215 +0,0 @@ -- name: memcache - type: group - fields: - - name: protocol_type - type: keyword - description: > - The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. - - - name: request.line - type: keyword - description: > - The raw command line for unknown commands ONLY. - - - name: request.command - type: keyword - description: > - The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. - - - name: response.command - type: keyword - description: > - Either the text based protocol response message type or the name of the originating request if binary protocol is used. - - - name: request.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". - - - name: response.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). - - - name: response.error_msg - type: keyword - description: > - The optional error message in the memcache response (text based protocol only). - - - name: request.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: response.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: request.opcode_value - type: long - description: > - The binary protocol message opcode value. 
- - - name: response.opcode_value - type: long - description: > - The binary protocol message opcode value. - - - name: request.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: response.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: request.vbucket - type: long - description: > - The vbucket index sent in the binary message. - - - name: response.status - type: keyword - description: > - The textual representation of the response error code (binary protocol only). - - - name: response.status_code - type: long - description: > - The status code value returned in the response (binary protocol only). - - - name: request.keys - type: array - description: > - The list of keys sent in the store or load commands. - - - name: response.keys - type: array - description: > - The list of keys returned for the load command (if present). - - - name: request.count_values - type: long - description: > - The number of values found in the memcache request message. If the command does not send any data, this field is missing. - - - name: response.count_values - type: long - description: > - The number of values found in the memcache response message. If the command does not send any data, this field is missing. - - - name: request.values - type: array - description: > - The list of base64 encoded values sent with the request (if present). - - - name: response.values - type: array - description: > - The list of base64 encoded values sent with the response (if present). - - - name: request.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. - - - name: response.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. 
- - - name: request.delta - type: long - description: > - The counter increment/decrement delta value. - - - name: request.initial - type: long - description: > - The counter increment/decrement initial value parameter (binary protocol only). - - - name: request.verbosity - type: long - description: > - The value of the memcache "verbosity" command. - - - name: request.raw_args - type: keyword - description: > - The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. - - - name: request.source_class - type: long - description: > - The source class id in 'slab reassign' command. - - - name: request.dest_class - type: long - description: > - The destination class id in 'slab reassign' command. - - - name: request.automove - type: keyword - description: > - The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. - - - name: request.flags - type: long - description: > - The memcache command flags sent in the request (if present). - - - name: response.flags - type: long - description: > - The memcache message flags sent in the response (if present). - - - name: request.exptime - type: long - description: > - The data expiry time in seconds sent with the memcache command (if present). If the value is `< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). - - - name: request.sleep_us - type: long - description: > - The sleep setting in microseconds for the 'lru_crawler sleep' command. - - - name: response.value - type: long - description: > - The counter value returned by a counter operation. - - - name: request.noreply - type: boolean - description: > - Set to true if noreply was set in the request. The `memcache.response` field will be missing. 
- - - name: request.quiet - type: boolean - description: > - Set to true if the binary protocol message is to be treated as a quiet message. - - - name: request.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier if present. - - - name: response.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). - - - name: response.stats - type: array - description: > - The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". - - - name: response.version - type: keyword - description: > - The returned memcache version string. - diff --git a/packages/network_traffic/0.10.1/data_stream/memcached/manifest.yml b/packages/network_traffic/0.10.1/data_stream/memcached/manifest.yml deleted file mode 100755 index 9120331b9d..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/memcached/manifest.yml +++ /dev/null 
@@ -1,116 +0,0 @@ -title: Memcached -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [11211] - - name: parseunknown - type: bool - title: Parseunknown - description: |- - Uncomment the parseunknown option to force the memcache text protocol parser - to accept unknown commands. - Note: All unknown commands MUST not contain any data parts! - Default: false - show_user: false - multi: false - required: false - - name: maxvalues - type: integer - title: Maxvalues - description: |- - Update the maxvalue option to store the values - base64 encoded - in the - json output. - possible values: - maxvalue: -1 store all values (text based protocol multi-get) - maxvalue: 0 store no values at all - maxvalue: N store up to N values - Default: 0 - show_user: false - multi: false - required: false - - name: maxbytespervalue - type: integer - title: Maxbytespervalue - description: |- - Use maxbytespervalue to limit the number of bytes to be copied per value element. - Note: Values will be base64 encoded, so actual size in json document - will be 4 times maxbytespervalue. - Default: unlimited - show_user: false - multi: false - required: false - - name: udptransactiontimeout - type: integer - title: Udptransactiontimeout - description: |- - UDP transaction timeout in milliseconds. - Note: Quiet messages in UDP binary protocol will get response only in error case. - The memcached analyzer will wait for udptransactiontimeout milliseconds - before publishing quiet messages. Non quiet messages or quiet requests with - error response will not have to wait for the timeout. 
- Default: 200 - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Memcached - description: Capture Memcached Traffic - template_path: memcached.yml.hbs diff --git a/packages/network_traffic/0.10.1/data_stream/memcached/sample_event.json b/packages/network_traffic/0.10.1/data_stream/memcached/sample_event.json deleted file mode 100755 index 4b4dc284f8..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/memcached/sample_event.json +++ /dev/null 
@@ -1,112 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:09:26.564Z",
- "agent": {
- "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "data_stream": {
- "dataset": "network_traffic.memcached",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.memcached",
- "ingested": "2022-03-09T08:09:37Z",
- "kind": "event",
- "start": "2022-03-09T08:09:26.564Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "event.action": "memcache.store",
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "memcache": {
- "protocol_type": "binary",
- "request": {
- "bytes": 1024,
- "command": "set",
- "count_values": 1,
- "exptime": 0,
- "flags": 0,
- "keys": [
- "test_key"
- ],
- "opaque": 65536,
- "opcode": "SetQ",
- "opcode_value": 17,
- "quiet": true,
- "type": "Store",
- "vbucket": 0
- }
- },
- "network": {
- "bytes": 1064,
- "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=",
- "direction": "unknown",
- "protocol": "memcache",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.188.37",
- "192.168.188.38"
- ]
- },
- "server": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "source": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "status": "OK",
- "type": "memcache"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/data_stream/mongodb/agent/stream/mongodb.yml.hbs b/packages/network_traffic/0.10.1/data_stream/mongodb/agent/stream/mongodb.yml.hbs
deleted file mode 100755
index fe92042bcc..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/mongodb/agent/stream/mongodb.yml.hbs
+++ /dev/null
@@ -1,43 +0,0 @@
-type: mongodb
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if max_docs}}
-max_docs: {{max_docs}}
-{{/if}}
-{{#if max_doc_length}}
-max_doc_length: {{max_doc_length}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.1/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index b5bf6df8f6..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@ ---- -description: Pipeline for processing mongodb traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/0.10.1/data_stream/mongodb/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/mongodb/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/mongodb/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.1/data_stream/mongodb/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/mongodb/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/mongodb/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.1/data_stream/mongodb/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/mongodb/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/mongodb/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.1/data_stream/mongodb/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/mongodb/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/mongodb/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.1/data_stream/mongodb/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/mongodb/fields/protocol.yml deleted file mode 100755 index a84465c61e..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/mongodb/fields/protocol.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -- name: mongodb - type: group - fields: - - name: error - type: keyword - description: > - If the MongoDB request has resulted in an error, this field contains the error message returned by the server. - - - name: fullCollectionName - type: keyword - description: > - The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. - - - name: numberToSkip - type: long - description: > - Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. - - - name: numberToReturn - type: long - description: > - The requested maximum number of documents to be returned. - - - name: numberReturned - type: long - description: > - The number of documents in the reply. - - - name: startingFrom - type: keyword - description: > - Where in the cursor this reply is starting. - - - name: query - type: keyword - description: > - A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. - - - name: returnFieldsSelector - type: keyword - description: > - A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. - - - name: selector - type: keyword - description: > - A BSON document that specifies the query for selecting the document to update or delete. - - - name: update - type: keyword - description: > - A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. 
- - - name: cursorId - type: keyword - description: > - The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. - diff --git a/packages/network_traffic/0.10.1/data_stream/mongodb/manifest.yml b/packages/network_traffic/0.10.1/data_stream/mongodb/manifest.yml deleted file mode 100755 index 0ff11578a2..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/mongodb/manifest.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -title: MongoDB -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [27017] - - name: max_docs - type: integer - title: Max Docs - description: |- - The maximum number of documents from the response to index in the `response` - field. The default is 10. - show_user: false - multi: false - required: false - - name: max_doc_length - type: integer - title: Max Doc Length - description: |- - The maximum number of characters in a single document indexed in the - `response` field. The default is 5000. You can set this to 0 to index an - unlimited number of characters per document. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. 
- show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: MongoDB - description: Capture MongoDB Traffic - template_path: mongodb.yml.hbs diff --git a/packages/network_traffic/0.10.1/data_stream/mongodb/sample_event.json b/packages/network_traffic/0.10.1/data_stream/mongodb/sample_event.json deleted file mode 100755 index 4cfd576e4c..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/mongodb/sample_event.json +++ /dev/null 
@@ -1,106 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:15:48.570Z", - "agent": { - "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "data_stream": { - "dataset": "network_traffic.mongodb", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mongodb", - "duration": 1365900, - "end": "2022-03-09T08:15:48.571Z", - "ingested": "2022-03-09T08:15:49Z", - "kind": "event", - "start": "2022-03-09T08:15:48.570Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "find", - "mongodb": { - "cursorId": 0, - "fullCollectionName": "test.restaurants", - "numberReturned": 1, - "numberToReturn": 1, - "numberToSkip": 0, - "startingFrom": 0 - }, - "network": { - "bytes": 564, - "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=", - "direction": "ingress", - "protocol": "mongodb", - "transport": "tcp", - "type": "ipv4" - }, - "query": "test.restaurants.find().limit(1)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "test.restaurants", - "server": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "source": { - "bytes": 50, - 
"ip": "127.0.0.1", - "port": 57203 - }, - "status": "OK", - "type": "mongodb" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/data_stream/mysql/agent/stream/mysql.yml.hbs b/packages/network_traffic/0.10.1/data_stream/mysql/agent/stream/mysql.yml.hbs deleted file mode 100755 index 85b82a47b3..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/mysql/agent/stream/mysql.yml.hbs +++ /dev/null @@ -1,37 +0,0 @@ -type: mysql -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.1/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 633b576c87..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -description: Pipeline for processing mysql traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/network_traffic/0.10.1/data_stream/mysql/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/mysql/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/mysql/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.1/data_stream/mysql/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/mysql/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/mysql/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.1/data_stream/mysql/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/mysql/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/mysql/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/0.10.1/data_stream/mysql/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/mysql/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/mysql/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/0.10.1/data_stream/mysql/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/mysql/fields/protocol.yml
deleted file mode 100755
index 64675f8d8e..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/mysql/fields/protocol.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- name: mysql
- type: group
- fields:
- - name: affected_rows
- type: long
- description: >
- If the MySQL command is successful, this field contains the affected number of rows of the last statement.
-
- - name: insert_id
- type: keyword
- description: >
- If the INSERT query is successful, this field contains the id of the newly inserted row.
-
- - name: num_fields
- type: long
- description: >
- If the SELECT query is successful, this field is set to the number of fields returned.
-
- - name: num_rows
- type: long
- description: >
- If the SELECT query is successful, this field is set to the number of rows returned.
-
- - name: query
- type: keyword
- description: >
- The row mysql query as read from the transaction's request.
-
- - name: error_code
- type: long
- description: >
- The error code returned by MySQL.
-
- - name: error_message
- type: keyword
- description: >
- The error info message returned by MySQL.
-
diff --git a/packages/network_traffic/0.10.1/data_stream/mysql/manifest.yml b/packages/network_traffic/0.10.1/data_stream/mysql/manifest.yml
deleted file mode 100755
index c4655854f0..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/mysql/manifest.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-title: MySQL
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [3306, 3307]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: MySQL
- description: Capture MySQL Traffic
- template_path: mysql.yml.hbs
diff --git a/packages/network_traffic/0.10.1/data_stream/mysql/sample_event.json b/packages/network_traffic/0.10.1/data_stream/mysql/sample_event.json deleted file mode 100755 index 2c33116053..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/mysql/sample_event.json +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:20:44.667Z", - "agent": { - "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "data_stream": { - "dataset": "network_traffic.mysql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mysql", - "duration": 5532500, - "end": "2022-03-09T08:20:44.673Z", - "ingested": "2022-03-09T08:20:45Z", - "kind": "event", - "start": "2022-03-09T08:20:44.667Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "mysql": { - "affected_rows": 0, - "insert_id": 0, - "num_fields": 3, - "num_rows": 15 - }, - "network": { - "bytes": 3652, - "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", - "direction": "ingress", - "protocol": "mysql", - "transport": "tcp", - "type": "ipv4" - }, - "path": "test.test", - "query": "select * from test", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "source": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "status": "OK", - "type": "mysql" -} \ No newline at end of 
file
diff --git a/packages/network_traffic/0.10.1/data_stream/nfs/agent/stream/nfs.yml.hbs b/packages/network_traffic/0.10.1/data_stream/nfs/agent/stream/nfs.yml.hbs
deleted file mode 100755
index c8349a7bcb..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/nfs/agent/stream/nfs.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-type: nfs
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.1/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 2dcc37d830..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing nfs traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.1/data_stream/nfs/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/nfs/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/nfs/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.1/data_stream/nfs/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/nfs/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/nfs/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.1/data_stream/nfs/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/nfs/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/nfs/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/0.10.1/data_stream/nfs/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/nfs/fields/ecs.yml
deleted file mode 100755
index 2b26a193f9..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/nfs/fields/ecs.yml
+++ /dev/null
@@ -1,144 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. 
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: group.id - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Unique identifier of the user. - name: user.id - type: keyword diff --git a/packages/network_traffic/0.10.1/data_stream/nfs/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/nfs/fields/protocol.yml deleted file mode 100755 index 4bcf6fecec..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/nfs/fields/protocol.yml +++ /dev/null 
@@ -1,48 +0,0 @@
-- name: nfs
- type: group
- fields:
- - name: version
- type: long
- description: NFS protocol version number.
- - name: minor_version
- type: long
- description: NFS protocol minor version number.
- - name: tag
- type: keyword
- description: NFS v4 COMPOUND operation tag.
- - name: opcode
- type: keyword
- description: >
- NFS operation name, or main operation name, in case of COMPOUND calls.
-
- - name: status
- type: keyword
- description: NFS operation reply status.
-- name: rpc
- type: group
- description: ONC RPC specific event fields.
- fields:
- - name: xid
- type: keyword
- description: RPC message transaction identifier.
- - name: status
- type: keyword
- description: RPC message reply status.
- - name: auth_flavor
- type: keyword
- description: RPC authentication flavor.
- - name: cred.uid
- type: long
- description: RPC caller's user id, in case of auth-unix.
- - name: cred.gid
- type: long
- description: RPC caller's group id, in case of auth-unix.
- - name: cred.gids
- type: long
- description: RPC caller's secondary group ids, in case of auth-unix.
- - name: cred.stamp
- type: long
- description: Arbitrary ID which the caller machine may generate.
- - name: cred.machinename
- type: keyword
- description: The name of the caller's machine.
diff --git a/packages/network_traffic/0.10.1/data_stream/nfs/manifest.yml b/packages/network_traffic/0.10.1/data_stream/nfs/manifest.yml
deleted file mode 100755
index 4e5323fa1e..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/nfs/manifest.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-title: NFS
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [2049]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: NFS
- description: Capture NFS Traffic
- template_path: nfs.yml.hbs
diff --git a/packages/network_traffic/0.10.1/data_stream/nfs/sample_event.json b/packages/network_traffic/0.10.1/data_stream/nfs/sample_event.json
deleted file mode 100755
index de4b4525e0..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/nfs/sample_event.json
+++ /dev/null
@@ -1,123 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:24:00.569Z",
- "agent": {
- "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 208,
- "domain": "desycloud03.desy.de",
- "ip": "131.169.5.156",
- "port": 907
- },
- "data_stream": {
- "dataset": "network_traffic.nfs",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 176,
- "ip": "131.169.192.35",
- "port": 2049
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "nfs.CLOSE",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.nfs",
- "duration": 6573500,
- "end": "2022-03-09T08:24:00.575Z",
- "ingested": "2022-03-09T08:24:01Z",
- "kind": "event",
- "start": "2022-03-09T08:24:00.569Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "group.id": 48,
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "host.hostname": "desycloud03.desy.de",
- "network": {
- "bytes": 384,
- "community_id": "1:cd5eLXemAsSPMdXwCbdDUWWud4M=",
- "direction": "unknown",
- "protocol": "nfsv4",
- "transport": "tcp",
- "type": "ipv4"
- },
- "nfs": {
- "minor_version": 1,
- "opcode": "CLOSE",
- "status": "NFS_OK",
- "tag": "",
- "version": 4
- },
- "related": {
- "ip": [
- "131.169.5.156",
- "131.169.192.35"
- ]
- },
- "rpc": {
- "auth_flavor": "unix",
- "cred": {
- "gid": 48,
- "gids": [
- 48
- ],
- "machinename": "desycloud03.desy.de",
- "stamp": 4308441,
- "uid": 48
- },
- "status": "success",
- "xid": "c3103fc1"
- },
- "server": {
- "bytes": 176,
- "ip": "131.169.192.35",
- "port": 2049
- },
- "source": {
- "bytes": 208,
- "domain": "desycloud03.desy.de",
- "ip": "131.169.5.156",
- "port": 907
- },
- "status": "OK",
- "type": "nfs",
- "user.id": 48
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/data_stream/pgsql/agent/stream/pgsql.yml.hbs b/packages/network_traffic/0.10.1/data_stream/pgsql/agent/stream/pgsql.yml.hbs
deleted file mode 100755
index 8680c36b1a..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/pgsql/agent/stream/pgsql.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-type: pgsql
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.1/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index aa5fa721a5..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing pgsql traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.1/data_stream/pgsql/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/pgsql/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/pgsql/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.1/data_stream/pgsql/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/pgsql/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/pgsql/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.1/data_stream/pgsql/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/pgsql/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/pgsql/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/0.10.1/data_stream/pgsql/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/pgsql/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/pgsql/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/0.10.1/data_stream/pgsql/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/pgsql/fields/protocol.yml
deleted file mode 100755
index 4fd03e12cb..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/pgsql/fields/protocol.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: pgsql
- type: group
- fields:
- - name: error_code
- description: The PostgreSQL error code.
- type: keyword
- - name: error_message
- type: keyword
- description: The PostgreSQL error message.
- - name: error_severity
- type: keyword
- description: The PostgreSQL error severity.
- possible_values:
- - ERROR
- - FATAL
- - PANIC
- - name: num_fields
- type: long
- description: >
- If the SELECT query if successful, this field is set to the number of fields returned.
-
- - name: num_rows
- type: long
- description: >
- If the SELECT query if successful, this field is set to the number of rows returned.
-
diff --git a/packages/network_traffic/0.10.1/data_stream/pgsql/manifest.yml b/packages/network_traffic/0.10.1/data_stream/pgsql/manifest.yml
deleted file mode 100755
index eb205cd837..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/pgsql/manifest.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-title: PostgreSQL
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [5432]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: PostgreSQL
- description: Capture PostgreSQL Traffic
- template_path: pgsql.yml.hbs
diff --git a/packages/network_traffic/0.10.1/data_stream/pgsql/sample_event.json b/packages/network_traffic/0.10.1/data_stream/pgsql/sample_event.json
deleted file mode 100755
index 462f734f42..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/pgsql/sample_event.json
+++ /dev/null
@@ -1,101 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:29:39.675Z",
- "agent": {
- "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 34,
- "ip": "127.0.0.1",
- "port": 34936
- },
- "data_stream": {
- "dataset": "network_traffic.pgsql",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 3186,
- "ip": "127.0.0.1",
- "port": 5432
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.pgsql",
- "duration": 2568100,
- "end": "2022-03-09T08:29:39.678Z",
- "ingested": "2022-03-09T08:29:40Z",
- "kind": "event",
- "start": "2022-03-09T08:29:39.675Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SELECT",
- "network": {
- "bytes": 3220,
- "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=",
- "direction": "ingress",
- "protocol": "pgsql",
- "transport": "tcp",
- "type": "ipv4"
- },
- "pgsql": {
- "num_fields": 3,
- "num_rows": 15
- },
- "query": "select * from long_response",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 3186,
- "ip": "127.0.0.1",
- "port": 5432
- },
- "source": {
- "bytes": 34,
- "ip": "127.0.0.1",
- "port": 34936
- },
- "status": "OK",
- "type": "pgsql"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/data_stream/redis/agent/stream/redis.yml.hbs b/packages/network_traffic/0.10.1/data_stream/redis/agent/stream/redis.yml.hbs
deleted file mode 100755
index f357ca3a6d..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/redis/agent/stream/redis.yml.hbs
+++ /dev/null
@@ -1,43 +0,0 @@
-type: redis
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if queue_max_bytes}}
-queue_max_bytes: {{queue_max_bytes}}
-{{/if}}
-{{#if queue_max_messages}}
-queue_max_messages: {{queue_max_messages}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.1/data_stream/redis/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/redis/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index d84f8b24b8..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/redis/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing redis traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.1/data_stream/redis/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/redis/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/redis/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.1/data_stream/redis/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/redis/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/redis/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.1/data_stream/redis/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/redis/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/redis/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.1/data_stream/redis/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/redis/fields/ecs.yml deleted file mode 100755 index 7638afce57..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/redis/fields/ecs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.1/data_stream/redis/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/redis/fields/protocol.yml deleted file mode 100755 index 4982b2c2d3..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/redis/fields/protocol.yml +++ /dev/null 
@@ -1,13 +0,0 @@
-- name: redis
- type: group
- fields:
- - name: return_value
- type: keyword
- description: >
- The return value of the Redis command in a human readable format.
-
- - name: error
- type: keyword
- description: >
- If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.
-
diff --git a/packages/network_traffic/0.10.1/data_stream/redis/manifest.yml b/packages/network_traffic/0.10.1/data_stream/redis/manifest.yml
deleted file mode 100755
index 9fe0ce4e18..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/redis/manifest.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-title: Redis
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [6379]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: queue_max_bytes
- type: integer
- title: Queue Max Bytes
- description: |-
- Max size for per-session message queue. This places a limit on the memory
- that can be used to buffer requests and responses for correlation.
- show_user: false
- multi: false
- required: false
- - name: queue_max_messages
- type: integer
- title: Queue Max Messages
- description: |-
- Max number of messages for per-session message queue. This limits the number
- of requests or responses that can be buffered for correlation. Set a value
- large enough to allow for pipelining.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: Redis
- description: Capture Redis Traffic
- template_path: redis.yml.hbs
diff --git a/packages/network_traffic/0.10.1/data_stream/redis/sample_event.json b/packages/network_traffic/0.10.1/data_stream/redis/sample_event.json
deleted file mode 100755
index 7ce644c935..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/redis/sample_event.json
+++ /dev/null
@@ -1,102 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:30:57.254Z",
- "agent": {
- "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 31,
- "ip": "127.0.0.1",
- "port": 32810
- },
- "data_stream": {
- "dataset": "network_traffic.redis",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 5,
- "ip": "127.0.0.1",
- "port": 6380
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "redis.set",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.redis",
- "duration": 1421600,
- "end": "2022-03-09T08:30:57.256Z",
- "ingested": "2022-03-09T08:30:58Z",
- "kind": "event",
- "start": "2022-03-09T08:30:57.254Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SET",
- "network": {
- "bytes": 36,
- "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=",
- "direction": "ingress",
- "protocol": "redis",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "set key3 me",
- "redis": {
- "return_value": "OK"
- },
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "resource": "key3",
- "server": {
- "bytes": 5,
- "ip": "127.0.0.1",
- "port": 6380
- },
- "source": {
- "bytes": 31,
- "ip": "127.0.0.1",
- "port": 32810
- },
- "status": "OK",
- "type": "redis"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/data_stream/sip/agent/stream/sip.yml.hbs b/packages/network_traffic/0.10.1/data_stream/sip/agent/stream/sip.yml.hbs
deleted file mode 100755
index 935ea011ee..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/sip/agent/stream/sip.yml.hbs
+++ /dev/null
@@ -1,34 +0,0 @@
-type: sip
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if parse_authorization}}
-parse_authorization: {{parse_authorization}}
-{{/if}}
-{{#if parse_body}}
-parse_body: {{parse_body}}
-{{/if}}
-{{#if keep_original}}
-keep_original: {{keep_original}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/0.10.1/data_stream/sip/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/sip/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index c20207afdd..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/sip/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for processing sip traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-# Remove invalid "protocol" term added by packetbeat prior to v7.17.4/8.2.1.
-- script:
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "protocol") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/0.10.1/data_stream/sip/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/sip/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/sip/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.1/data_stream/sip/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/sip/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/sip/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.1/data_stream/sip/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/sip/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/sip/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.1/data_stream/sip/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/sip/fields/ecs.yml deleted file mode 100755 index c2a147238b..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/sip/fields/ecs.yml +++ /dev/null 
@@ -1,174 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- name: event.type - type: keyword -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. 
- name: network.forwarded_ip - type: ip -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/network_traffic/0.10.1/data_stream/sip/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/sip/fields/protocol.yml deleted file mode 100755 index 5b25d9df6d..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/sip/fields/protocol.yml +++ /dev/null 
@@ -1,231 +0,0 @@ -- name: sip - type: group - description: Information about SIP traffic. - fields: - - name: code - type: long - description: Response status code. - - name: method - type: keyword - description: Request method. - - name: status - type: keyword - description: Response status phrase. - - name: type - type: keyword - description: Either request or response. - - name: version - type: keyword - description: SIP protocol version. - - name: uri.original - type: keyword - description: The original URI. - multi_fields: - - name: text - type: text - norms: false - - name: uri.scheme - type: keyword - description: The URI scheme. - - name: uri.username - type: keyword - description: The URI user name. - - name: uri.host - type: keyword - description: The URI host. - - name: uri.port - type: long - description: The URI port. - - name: accept - type: keyword - description: Accept header value. - - name: allow - type: keyword - description: Allowed methods. - - name: call_id - type: keyword - description: Call ID. - - name: content_length - type: long - - name: content_type - type: keyword - - name: max_forwards - type: long - - name: supported - type: keyword - description: Supported methods. - - name: user_agent.original - type: keyword - multi_fields: - - name: text - type: text - norms: false - - name: private.uri.original - type: keyword - description: Private original URI. - multi_fields: - - name: text - type: text - norms: false - - name: private.uri.scheme - type: keyword - description: Private URI scheme. - - name: private.uri.username - type: keyword - description: Private URI user name. - - name: private.uri.host - type: keyword - description: Private URI host. - - name: private.uri.port - type: long - description: Private URI port. - - name: cseq.code - type: long - description: Sequence code. - - name: cseq.method - type: keyword - description: Sequence method. - - name: via.original - type: keyword - description: The original Via value. 
- multi_fields: - - name: text - type: text - norms: false - - name: to.display_info - type: keyword - description: "To display info" - - name: to.uri.original - type: keyword - description: "To original URI" - multi_fields: - - name: text - type: text - norms: false - - name: to.uri.scheme - type: keyword - description: "To URI scheme" - - name: to.uri.username - type: keyword - description: "To URI user name" - - name: to.uri.host - type: keyword - description: "To URI host" - - name: to.uri.port - type: long - description: "To URI port" - - name: to.tag - type: keyword - description: "To tag" - - name: from.display_info - type: keyword - description: "From display info" - - name: from.uri.original - type: keyword - description: "From original URI" - multi_fields: - - name: text - type: text - norms: false - - name: from.uri.scheme - type: keyword - description: "From URI scheme" - - name: from.uri.username - type: keyword - description: "From URI user name" - - name: from.uri.host - type: keyword - description: "From URI host" - - name: from.uri.port - type: long - description: "From URI port" - - name: from.tag - type: keyword - description: "From tag" - - name: contact.display_info - type: keyword - description: "Contact display info" - - name: contact.uri.original - type: keyword - description: "Contact original URI" - multi_fields: - - name: text - type: text - norms: false - - name: contact.uri.scheme - type: keyword - description: "Contat URI scheme" - - name: contact.uri.username - type: keyword - description: "Contact URI user name" - - name: contact.uri.host - type: keyword - description: "Contact URI host" - - name: contact.uri.port - type: long - description: "Contact URI port" - - name: contact.transport - type: keyword - description: "Contact transport" - - name: contact.line - type: keyword - description: "Contact line" - - name: contact.expires - type: keyword - description: "Contact expires" - - name: contact.q - type: keyword - description: 
"Contact Q" - - name: auth.scheme - type: keyword - description: "Auth scheme" - - name: auth.realm - type: keyword - description: "Auth realm" - - name: auth.uri.original - type: keyword - description: "Auth original URI" - multi_fields: - - name: text - type: text - norms: false - - name: auth.uri.scheme - type: keyword - description: "Auth URI scheme" - - name: auth.uri.host - type: keyword - description: "Auth URI host" - - name: auth.uri.port - type: long - description: "Auth URI port" - - name: sdp.version - type: keyword - description: "SDP version" - - name: sdp.owner.username - type: keyword - description: "SDP owner user name" - - name: sdp.owner.session_id - type: keyword - description: "SDP owner session ID" - - name: sdp.owner.version - type: keyword - description: "SDP owner version" - - name: sdp.owner.ip - type: ip - description: "SDP owner IP" - - name: sdp.session.name - type: keyword - description: "SDP session name" - - name: sdp.connection.info - type: keyword - description: "SDP connection info" - - name: sdp.connection.address - type: keyword - description: "SDP connection address" - - name: sdp.body.original - type: keyword - description: "SDP original body" - multi_fields: - - name: text - type: text - norms: false diff --git a/packages/network_traffic/0.10.1/data_stream/sip/manifest.yml b/packages/network_traffic/0.10.1/data_stream/sip/manifest.yml deleted file mode 100755 index 79dd27ea52..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/sip/manifest.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -title: SIP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5060] - - name: parse_authorization - type: bool - title: Parse Authorization - description: Parse the authorization headers - show_user: false - multi: false - required: false - - name: parse_body - type: bool - title: Parse Body - description: Parse body contents (only when body is SDP) - show_user: false - multi: false - required: false - - name: keep_original - type: bool - title: Keep Original - description: Preserve original contents in event.original - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: SIP - description: Capture SIP Traffic - template_path: sip.yml.hbs diff --git a/packages/network_traffic/0.10.1/data_stream/sip/sample_event.json b/packages/network_traffic/0.10.1/data_stream/sip/sample_event.json deleted file mode 100755 index 5a36041d5a..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/sip/sample_event.json +++ /dev/null 
@@ -1,174 +0,0 @@ -{ - "@timestamp": "2022-05-13T07:10:35.715Z", - "agent": { - "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013", - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "10.0.2.20", - "port": 5060 - }, - "data_stream": { - "dataset": "network_traffic.sip", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.2.15", - "port": 5060 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "sip-invite", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.sip", - "duration": 0, - "end": "2022-05-13T07:10:35.715Z", - "ingested": "2022-05-13T07:10:39Z", - "kind": "event", - "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", - "sequence": 1, - "start": "2022-05-13T07:10:35.715Z", - "type": [ - "info" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "172.31.0.7" - ], - "mac": [ - "02-42-AC-1F-00-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "application": "sip", - "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", - 
"direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - }, - "version": "2.0", - "via": { - "original": [ - "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" - ] - } - }, - "source": { - "ip": "10.0.2.20", - "port": 5060 - }, - "status": "OK", - "type": "sip" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/data_stream/thrift/agent/stream/thrift.yml.hbs b/packages/network_traffic/0.10.1/data_stream/thrift/agent/stream/thrift.yml.hbs deleted file mode 100755 index d6d9604253..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/thrift/agent/stream/thrift.yml.hbs +++ /dev/null @@ -1,64 +0,0 @@ -type: thrift -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if transport_type}} -transport_type: {{transport_type}} -{{/if}} -{{#if protocol_type}} -protocol_type: {{protocol_type}} -{{/if}} -{{#if idl_files}} -idl_files: -{{#each idl_files as |idl_file|}} - - {{idl_file}} -{{/each}} -{{/if}} -{{#if string_max_size}} -string_max_size: {{string_max_size}} -{{/if}} -{{#if collection_max_size}} -collection_max_size: {{collection_max_size}} -{{/if}} -{{#if capture_reply}} -capture_reply: {{capture_reply}} -{{/if}} -{{#if obfuscate_strings}} -obfuscate_strings: {{obfuscate_strings}} -{{/if}} -{{#if drop_after_n_struct_fields}} -drop_after_n_struct_fields: {{drop_after_n_struct_fields}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.1/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 608bb7e6a5..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -description: Pipeline for processing thrift traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/0.10.1/data_stream/thrift/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/thrift/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/thrift/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/0.10.1/data_stream/thrift/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/thrift/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/thrift/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/0.10.1/data_stream/thrift/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/thrift/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/thrift/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/0.10.1/data_stream/thrift/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/thrift/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/thrift/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/0.10.1/data_stream/thrift/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/thrift/fields/protocol.yml deleted file mode 100755 index dd097f61ee..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/thrift/fields/protocol.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: thrift - type: group - fields: - - name: params - type: keyword - description: > - The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. - - - name: service - type: keyword - description: > - The name of the Thrift-RPC service as defined in the IDL files. - - - name: return_value - type: keyword - description: > - The value returned by the Thrift-RPC call. This is encoded in a human readable format. - - - name: exceptions - type: keyword - description: > - If the call resulted in exceptions, this field contains the exceptions in a human readable format. - diff --git a/packages/network_traffic/0.10.1/data_stream/thrift/manifest.yml b/packages/network_traffic/0.10.1/data_stream/thrift/manifest.yml deleted file mode 100755 index 29eabbeb19..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/thrift/manifest.yml +++ /dev/null 
@@ -1,141 +0,0 @@ -title: Thrift -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [9090] - - name: transport_type - type: text - title: Transport Type - description: |- - The Thrift transport type. Currently this option accepts the values socket - for TSocket, which is the default Thrift transport, and framed for the - TFramed Thrift transport. The default is socket. - show_user: false - multi: false - required: false - - name: protocol_type - type: text - title: Protocol Type - description: |- - The Thrift protocol type. Currently the only accepted value is binary for - the TBinary protocol, which is the default Thrift protocol. - show_user: false - multi: false - required: false - - name: idl_files - type: text - title: Idl Files - description: |- - The Thrift interface description language (IDL) files for the service that - Packetbeat is monitoring. Providing the IDL enables Packetbeat to include - parameter and exception names. - show_user: false - multi: true - required: false - - name: string_max_size - type: integer - title: String Max Size - description: |- - The maximum length for strings in parameters or return values. If a string - is longer than this value, the string is automatically truncated to this - length. - show_user: false - multi: false - required: false - - name: collection_max_size - type: integer - title: Collection Max Size - description: The maximum number of elements in a Thrift list, set, map, or structure. - show_user: false - multi: false - required: false - - name: capture_reply - type: bool - title: Capture Reply - description: |- - If this option is set to false, Packetbeat decodes the method name from the - reply and simply skips the rest of the response message. 
- show_user: false - multi: false - required: false - - name: obfuscate_strings - type: bool - title: Obfuscate Strings - description: |- - If this option is set to true, Packetbeat replaces all strings found in - method parameters, return codes, or exception structures with the "*" - string. - show_user: false - multi: false - required: false - - name: drop_after_n_struct_fields - type: integer - title: Drop After N Struct Fields - description: |- - The maximum number of fields that a structure can have before Packetbeat - ignores the whole transaction. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Thrift - description: Capture Thrift Traffic - template_path: thrift.yml.hbs diff --git a/packages/network_traffic/0.10.1/data_stream/thrift/sample_event.json b/packages/network_traffic/0.10.1/data_stream/thrift/sample_event.json deleted file mode 100755 index 4c1640a50d..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/thrift/sample_event.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:33:31.022Z", - "agent": { - "ephemeral_id": "de52c04f-60dd-4ed1-a501-b297caa5c67c", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "data_stream": { - "dataset": "network_traffic.thrift", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.thrift", - "duration": 1394000, - "end": "2022-03-09T08:33:31.023Z", - "ingested": "2022-03-09T08:33:32Z", - "kind": "event", - "start": "2022-03-09T08:33:31.022Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "testByte", - "network": { - "bytes": 50, - "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=", - "direction": "ingress", - "protocol": "thrift", - "transport": "tcp", - "type": "ipv4" - }, - "path": "", - "query": "testByte(1: 63)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "status": "OK", - "thrift": { - "params": "(1: 63)", - "return_value": "63" - }, - "type": "thrift" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/data_stream/tls/agent/stream/tls.yml.hbs b/packages/network_traffic/0.10.1/data_stream/tls/agent/stream/tls.yml.hbs deleted file mode 100755 index 877a553bfd..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/tls/agent/stream/tls.yml.hbs +++ /dev/null @@ -1,40 +0,0 @@ -type: tls -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if fingerprints}} -fingerprints: -{{#each fingerprints as |fingerprint|}} - - {{fingerprint}} -{{/each}} -{{/if}} -{{#if send_certificates}} -send_certificates: {{send_certificates}} -{{/if}} -{{#if include_raw_certificates}} -include_raw_certificates: {{include_raw_certificates}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/0.10.1/data_stream/tls/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/0.10.1/data_stream/tls/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 788c1210ef..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/tls/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -description: Pipeline for processing tls traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true - -## -# Make tls.{client,server}.x509.version_number a string as per ECS. -## -- convert: - field: tls.client.x509.version_number - type: string - ignore_missing: true -- convert: - field: tls.server.x509.version_number - type: string - ignore_missing: true - -## -# This handles legacy TLS fields from Packetbeat 7.17. -## -- remove: - description: Remove legacy fields from Packetbeat 7.17 that are duplicated. - field: - - tls.client.x509.issuer.province # Duplicated as tls.client.x509.issuer.state_or_province. - - tls.client.x509.subject.province # Duplicated as tls.client.x509.subject.state_or_province. - - tls.client.x509.version # Duplicated as tls.client.x509.version_number. - - tls.detailed.client_certificate # Duplicated as tls.client.x509. - - tls.detailed.server_certificate # Duplicated as tls.server.x509. - - tls.server.x509.issuer.province # Duplicated as tls.server.x509.issuer.state_or_province. - - tls.server.x509.subject.province # Duplicated as tls.server.x509.subject.state_or_province. - - tls.server.x509.version # Duplicated as tls.server.x509.version_number. - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/0.10.1/data_stream/tls/fields/agent.yml b/packages/network_traffic/0.10.1/data_stream/tls/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/tls/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/0.10.1/data_stream/tls/fields/base.yml b/packages/network_traffic/0.10.1/data_stream/tls/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/tls/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/0.10.1/data_stream/tls/fields/beats.yml b/packages/network_traffic/0.10.1/data_stream/tls/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/tls/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/0.10.1/data_stream/tls/fields/ecs.yml b/packages/network_traffic/0.10.1/data_stream/tls/fields/ecs.yml
deleted file mode 100755
index 49c713858d..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/tls/fields/ecs.yml
+++ /dev/null
@@ -1,368 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: |-
- The domain name of the server system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: server.domain
- type: keyword
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: String indicating the cipher used during the current connection.
- name: tls.cipher
- type: keyword
-- description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
- name: tls.client.certificate
- type: keyword
-- description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
- name: tls.client.certificate_chain
- type: keyword
-- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
- name: tls.client.hash.md5
- type: keyword
-- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
- name: tls.client.hash.sha1
- type: keyword
-- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.
- name: tls.client.hash.sha256
- type: keyword
-- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
- name: tls.client.issuer
- type: keyword
-- description: A hash that identifies clients based on how they perform an SSL/TLS handshake.
- name: tls.client.ja3
- type: keyword
-- description: Date/Time indicating when client certificate is no longer considered valid.
- name: tls.client.not_after
- type: date
-- description: Date/Time indicating when client certificate is first considered valid.
- name: tls.client.not_before
- type: date
-- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.
- name: tls.client.server_name
- type: keyword
-- description: Distinguished name of subject of the x.509 certificate presented by the client.
- name: tls.client.subject
- type: keyword
-- description: Array of ciphers offered by the client during the client hello.
- name: tls.client.supported_ciphers
- type: keyword
-- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
- name: tls.client.x509.alternative_names
- type: keyword
-- description: List of common name (CN) of issuing certificate authority.
- name: tls.client.x509.issuer.common_name
- type: keyword
-- description: List of country (C) codes
- name: tls.client.x509.issuer.country
- type: keyword
-- description: Distinguished name (DN) of issuing certificate authority.
- name: tls.client.x509.issuer.distinguished_name
- type: keyword
-- description: List of locality names (L)
- name: tls.client.x509.issuer.locality
- type: keyword
-- description: List of organizations (O) of issuing certificate authority.
- name: tls.client.x509.issuer.organization
- type: keyword
-- description: List of organizational units (OU) of issuing certificate authority.
- name: tls.client.x509.issuer.organizational_unit
- type: keyword
-- description: List of state or province names (ST, S, or P)
- name: tls.client.x509.issuer.state_or_province
- type: keyword
-- description: Time at which the certificate is no longer considered valid.
- name: tls.client.x509.not_after
- type: date
-- description: Time at which the certificate is first considered valid.
- name: tls.client.x509.not_before
- type: date
-- description: Algorithm used to generate the public key.
- name: tls.client.x509.public_key_algorithm
- type: keyword
-- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
- name: tls.client.x509.public_key_curve
- type: keyword
-- description: Exponent used to derive the public key. This is algorithm specific.
- doc_values: false
- index: false
- name: tls.client.x509.public_key_exponent
- type: long
-- description: The size of the public key space in bits.
- name: tls.client.x509.public_key_size
- type: long
-- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
- name: tls.client.x509.serial_number
- type: keyword
-- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
- name: tls.client.x509.signature_algorithm
- type: keyword
-- description: List of common names (CN) of subject.
- name: tls.client.x509.subject.common_name
- type: keyword
-- description: List of country (C) code
- name: tls.client.x509.subject.country
- type: keyword
-- description: Distinguished name (DN) of the certificate subject entity.
- name: tls.client.x509.subject.distinguished_name
- type: keyword
-- description: List of locality names (L)
- name: tls.client.x509.subject.locality
- type: keyword
-- description: List of organizations (O) of subject.
- name: tls.client.x509.subject.organization
- type: keyword
-- description: List of organizational units (OU) of subject.
- name: tls.client.x509.subject.organizational_unit
- type: keyword
-- description: List of state or province names (ST, S, or P)
- name: tls.client.x509.subject.state_or_province
- type: keyword
-- description: Version of x509 format.
- name: tls.client.x509.version_number
- type: keyword
-- description: String indicating the curve used for the given cipher, when applicable.
- name: tls.curve
- type: keyword
-- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
- name: tls.established
- type: boolean
-- description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case.
- name: tls.next_protocol
- type: keyword
-- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
- name: tls.resumed
- type: boolean
-- description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
- name: tls.server.certificate
- type: keyword
-- description: Array of PEM-encoded certificates that make up the certificate chain offered by the server.
This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
- name: tls.server.certificate_chain
- type: keyword
-- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
- name: tls.server.hash.md5
- type: keyword
-- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
- name: tls.server.hash.sha1
- type: keyword
-- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.
- name: tls.server.hash.sha256
- type: keyword
-- description: Subject of the issuer of the x.509 certificate presented by the server.
- name: tls.server.issuer
- type: keyword
-- description: A hash that identifies servers based on how they perform an SSL/TLS handshake.
- name: tls.server.ja3s
- type: keyword
-- description: Timestamp indicating when server certificate is no longer considered valid.
- name: tls.server.not_after
- type: date
-- description: Timestamp indicating when server certificate is first considered valid.
- name: tls.server.not_before
- type: date
-- description: Subject of the x.509 certificate presented by the server.
- name: tls.server.subject
- type: keyword
-- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
- name: tls.server.x509.alternative_names
- type: keyword
-- description: List of common name (CN) of issuing certificate authority.
- name: tls.server.x509.issuer.common_name
- type: keyword
-- description: List of country (C) codes
- name: tls.server.x509.issuer.country
- type: keyword
-- description: Distinguished name (DN) of issuing certificate authority.
- name: tls.server.x509.issuer.distinguished_name
- type: keyword
-- description: List of locality names (L)
- name: tls.server.x509.issuer.locality
- type: keyword
-- description: List of organizations (O) of issuing certificate authority.
- name: tls.server.x509.issuer.organization
- type: keyword
-- description: List of organizational units (OU) of issuing certificate authority.
- name: tls.server.x509.issuer.organizational_unit
- type: keyword
-- description: List of state or province names (ST, S, or P)
- name: tls.server.x509.issuer.state_or_province
- type: keyword
-- description: Time at which the certificate is no longer considered valid.
- name: tls.server.x509.not_after
- type: date
-- description: Time at which the certificate is first considered valid.
- name: tls.server.x509.not_before
- type: date
-- description: Algorithm used to generate the public key.
- name: tls.server.x509.public_key_algorithm
- type: keyword
-- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
- name: tls.server.x509.public_key_curve
- type: keyword
-- description: Exponent used to derive the public key. This is algorithm specific.
- doc_values: false
- index: false
- name: tls.server.x509.public_key_exponent
- type: long
-- description: The size of the public key space in bits.
- name: tls.server.x509.public_key_size
- type: long
-- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
- name: tls.server.x509.serial_number
- type: keyword
-- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library.
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
- name: tls.server.x509.signature_algorithm
- type: keyword
-- description: List of common names (CN) of subject.
- name: tls.server.x509.subject.common_name
- type: keyword
-- description: List of country (C) code
- name: tls.server.x509.subject.country
- type: keyword
-- description: Distinguished name (DN) of the certificate subject entity.
- name: tls.server.x509.subject.distinguished_name
- type: keyword
-- description: List of locality names (L)
- name: tls.server.x509.subject.locality
- type: keyword
-- description: List of organizations (O) of subject.
- name: tls.server.x509.subject.organization
- type: keyword
-- description: List of organizational units (OU) of subject.
- name: tls.server.x509.subject.organizational_unit
- type: keyword
-- description: List of state or province names (ST, S, or P)
- name: tls.server.x509.subject.state_or_province
- type: keyword
-- description: Version of x509 format.
- name: tls.server.x509.version_number
- type: keyword
-- description: Numeric part of the version parsed from the original string.
- name: tls.version
- type: keyword
-- description: Normalized lowercase protocol name parsed from original string.
- name: tls.version_protocol
- type: keyword
diff --git a/packages/network_traffic/0.10.1/data_stream/tls/fields/protocol.yml b/packages/network_traffic/0.10.1/data_stream/tls/fields/protocol.yml
deleted file mode 100755
index d8264468d4..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/tls/fields/protocol.yml
+++ /dev/null
@@ -1,173 +0,0 @@
-- name: tls
- type: group
- fields:
- - name: detailed
- type: group
- fields:
- - name: version
- type: keyword
- description: >
- The version of the TLS protocol used.
-
- example: "TLS 1.3"
- - name: resumption_method
- type: keyword
- description: >
- If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.
-
- - name: client_certificate_requested
- type: boolean
- description: >
- Whether the server has requested the client to authenticate itself using a client certificate.
-
- - name: ocsp_response
- type: keyword
- description: >
- The result of an OCSP request.
-
- - name: client_hello
- type: group
- fields:
- - name: version
- type: keyword
- description: >
- The version of the TLS protocol by which the client wishes to communicate during this session.
-
- - name: random
- type: keyword
- description: >
- Random data used by the TLS protocol to generate the encryption key.
-
- - name: session_id
- type: keyword
- description: >
- Unique number to identify the session for the corresponding connection with the client.
-
- - name: supported_compression_methods
- type: keyword
- description: >
- The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml
-
- - name: extensions
- type: group
- description: The hello extensions provided by the client.
- fields:
- - name: server_name_indication
- type: keyword
- description: List of hostnames
- - name: application_layer_protocol_negotiation
- type: keyword
- description: >
- List of application-layer protocols the client is willing to use.
-
- - name: session_ticket
- type: keyword
- description: >
- Length of the session ticket, if provided, or an empty string to advertise support for tickets.
-
- - name: supported_versions
- type: keyword
- description: >
- List of TLS versions that the client is willing to use.
-
- - name: supported_groups
- type: keyword
- description: >
- List of Elliptic Curve Cryptography (ECC) curve groups supported by the client.
-
- - name: signature_algorithms
- type: keyword
- description: >
- List of signature algorithms that may be use in digital signatures.
-
- - name: ec_points_formats
- type: keyword
- description: >
- List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse.
-
- - name: status_request
- type: group
- description: Status request made to the server.
- fields:
- - name: type
- type: keyword
- description: The type of the status request. Always "ocsp" if present.
- - name: responder_id_list_length
- type: short
- description: The length of the list of trusted responders.
- - name: request_extensions
- type: short
- description: The number of certificate extensions for the request.
- - name: _unparsed_
- type: keyword
- description: >
- List of extensions that were left unparsed by Packetbeat.
-
- - name: server_hello
- type: group
- fields:
- - name: version
- type: keyword
- description: >
- The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.
-
- - name: random
- type: keyword
- description: >
- Random data used by the TLS protocol to generate the encryption key.
-
- - name: selected_compression_method
- type: keyword
- description: >
- The compression method selected by the server from the list provided in the client hello.
-
- - name: session_id
- type: keyword
- description: >
- Unique number to identify the session for the corresponding connection with the client.
-
- - name: extensions
- type: group
- description: The hello extensions provided by the server.
- fields:
- - name: application_layer_protocol_negotiation
- type: keyword
- description: Negotiated application layer protocol
- - name: session_ticket
- type: keyword
- description: >
- Used to announce that a session ticket will be provided by the server. Always an empty string.
-
- - name: supported_versions
- type: keyword
- description: >
- Negotiated TLS version to be used.
-
- - name: ec_points_formats
- type: keyword
- description: >
- List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse.
-
- - name: status_request
- type: group
- description: Status request made to the server.
- fields:
- - name: response
- type: boolean
- description: Whether a certificate status request response was made.
- - name: _unparsed_
- type: keyword
- description: >
- List of extensions that were left unparsed by Packetbeat.
-
- - name: server_certificate_chain
- type: array
- description: Chain of trust for the server certificate.
- - name: client_certificate_chain
- type: array
- description: Chain of trust for the client certificate.
- - name: alert_types
- type: keyword
- description: >
- An array containing the TLS alert type for every alert received.
-
diff --git a/packages/network_traffic/0.10.1/data_stream/tls/manifest.yml b/packages/network_traffic/0.10.1/data_stream/tls/manifest.yml
deleted file mode 100755
index d2b8f403da..0000000000
--- a/packages/network_traffic/0.10.1/data_stream/tls/manifest.yml
+++ /dev/null
@@ -1,67 +0,0 @@ -title: TLS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [443, 993, 995, 5223, 8443, 8883, 9243] - - name: fingerprints - type: text - title: Fingerprints - description: |- - List of hash algorithms to use to calculate certificates' fingerprints. - Valid values are `sha1`, `sha256` and `md5`. - show_user: false - multi: true - required: false - - name: send_certificates - type: bool - title: Send Certificates - description: |- - If this option is enabled, the client and server certificates and - certificate chains are sent to Elasticsearch. The default is true. - show_user: false - multi: false - required: false - - name: include_raw_certificates - type: bool - title: Include Raw Certificates - description: |- - If this option is enabled, the raw certificates will be stored - in PEM format under the `raw` key. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: TLS - description: Capture TLS Traffic - template_path: tls.yml.hbs 
diff --git a/packages/network_traffic/0.10.1/data_stream/tls/sample_event.json b/packages/network_traffic/0.10.1/data_stream/tls/sample_event.json deleted file mode 100755 index f325b87dbb..0000000000 --- a/packages/network_traffic/0.10.1/data_stream/tls/sample_event.json +++ /dev/null 
@@ -1,196 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:34:08.391Z", - "agent": { - "ephemeral_id": "5f0bae3e-11e9-4578-9a69-fa5e61bd6b09", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "ip": "192.168.1.36", - "port": 60946 - }, - "data_stream": { - "dataset": "network_traffic.tls", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "domain": "play.google.com", - "ip": "216.58.201.174", - "port": 443 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.tls", - "duration": 14861200, - "end": "2022-03-09T08:34:08.406Z", - "ingested": "2022-03-09T08:34:09Z", - "kind": "event", - "start": "2022-03-09T08:34:08.391Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "community_id": "1:hfsK5r0tJm7av4j7BtSxA6oH9xA=", - "direction": "unknown", - "protocol": "tls", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.1.36", - "216.58.201.174" - ] - }, - "server": { - "domain": "play.google.com", - "ip": "216.58.201.174", - "port": 443 - }, - "source": { - "ip": "192.168.1.36", - "port": 60946 - }, - "status": "OK", - "tls": { - "cipher": "TLS_AES_128_GCM_SHA256", - "client": { - "ja3": "d470a3fa301d80227bc5650c75567d25", - "server_name": "play.google.com", - "supported_ciphers": [ - "TLS_AES_128_GCM_SHA256", - 
"TLS_CHACHA20_POLY1305_SHA256", - "TLS_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA" - ] - }, - "detailed": { - "client_certificate_requested": false, - "client_hello": { - "extensions": { - "_unparsed_": [ - "23", - "renegotiation_info", - "status_request", - "51", - "45", - "28", - "41" - ], - "application_layer_protocol_negotiation": [ - "h2", - "http/1.1" - ], - "ec_points_formats": [ - "uncompressed" - ], - "server_name_indication": [ - "play.google.com" - ], - "signature_algorithms": [ - "ecdsa_secp256r1_sha256", - "ecdsa_secp384r1_sha384", - "ecdsa_secp521r1_sha512", - "rsa_pss_sha256", - "rsa_pss_sha384", - "rsa_pss_sha512", - "rsa_pkcs1_sha256", - "rsa_pkcs1_sha384", - "rsa_pkcs1_sha512", - "ecdsa_sha1", - "rsa_pkcs1_sha1" - ], - "supported_groups": [ - "x25519", - "secp256r1", - "secp384r1", - "secp521r1", - "ffdhe2048", - "ffdhe3072" - ], - "supported_versions": [ - "TLS 1.3", - "TLS 1.2", - "TLS 1.1", - "TLS 1.0" - ] - }, - "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", - "supported_compression_methods": [ - "NULL" - ], - "version": "3.3" - }, - "resumption_method": "id", - "server_hello": { - "extensions": { - "_unparsed_": [ - "41", - "51" - ], - "supported_versions": "TLS 1.3" - }, - "selected_compression_method": "NULL", - "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", - "version": "3.3" - }, - 
"version": "TLS 1.3" - }, - "established": true, - "resumed": true, - "version": "1.3", - "version_protocol": "tls" - }, - "type": "tls" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/docs/README.md b/packages/network_traffic/0.10.1/docs/README.md deleted file mode 100755 index adadb4cf1d..0000000000 --- a/packages/network_traffic/0.10.1/docs/README.md +++ /dev/null 
@@ -1,3960 +0,0 @@ -# Network Packet Capture Integration - -This integration sniffs network packets on a host and dissects -known protocols. - -## Network Flows - -Overall flow information about the network connections on a -host. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -## Protocols - -### AMQP - -Fields published for AMQP packets. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| amqp.app-id | Creating application id. | keyword | -| amqp.arguments | Optional additional arguments passed to some methods. Can be of various types. | object | -| amqp.auto-delete | If set, auto-delete queue when unused. | boolean | -| amqp.class-id | Failing method class. | long | -| amqp.consumer-count | The number of consumers of a queue. | long | -| amqp.consumer-tag | Identifier for the consumer, valid within the current channel. | keyword | -| amqp.content-encoding | MIME content encoding. | keyword | -| amqp.content-type | MIME content type. | keyword | -| amqp.correlation-id | Application correlation identifier. | keyword | -| amqp.delivery-mode | Non-persistent (1) or persistent (2). | keyword | -| amqp.delivery-tag | The server-assigned and channel-specific delivery tag. | long | -| amqp.durable | If set, request a durable exchange/queue. | boolean | -| amqp.exchange | Name of the exchange. | keyword | -| amqp.exchange-type | Exchange type. | keyword | -| amqp.exclusive | If set, request an exclusive queue. | boolean | -| amqp.expiration | Message expiration specification. | keyword | -| amqp.headers | Message header field table. | object | -| amqp.if-empty | Delete only if empty. | boolean | -| amqp.if-unused | Delete only if unused. | boolean | -| amqp.immediate | Request immediate delivery. | boolean | -| amqp.mandatory | Indicates mandatory routing. | boolean | -| amqp.message-count | The number of messages in the queue, which will be zero for newly-declared queues. | long | -| amqp.message-id | Application message identifier. | keyword | -| amqp.method-id | Failing method ID. | long | -| amqp.multiple | Acknowledge multiple messages. | boolean | -| amqp.no-ack | If set, the server does not expect acknowledgements for messages. 
| boolean | -| amqp.no-local | If set, the server will not send messages to the connection that published them. | boolean | -| amqp.no-wait | If set, the server will not respond to the method. | boolean | -| amqp.passive | If set, do not create exchange/queue. | boolean | -| amqp.priority | Message priority, 0 to 9. | long | -| amqp.queue | The queue name identifies the queue within the vhost. | keyword | -| amqp.redelivered | Indicates that the message has been previously delivered to this or another client. | boolean | -| amqp.reply-code | AMQP reply code to an error, similar to http reply-code | long | -| amqp.reply-text | Text explaining the error. | keyword | -| amqp.reply-to | Address to reply to. | keyword | -| amqp.routing-key | Message routing key. | keyword | -| amqp.timestamp | Message timestamp. | keyword | -| amqp.type | Message type name. | keyword | -| amqp.user-id | Creating user id. | keyword | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. 
This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. 
If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. 
| keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `amqp` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:37:02.033Z", - "agent": { - "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "amqp": { - "auto-delete": false, - "consumer-count": 0, - "durable": false, - "exclusive": false, - "message-count": 0, - "no-wait": false, - "passive": false, - "queue": "hello" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "data_stream": { - "dataset": "network_traffic.amqp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "amqp.queue.declare", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.amqp", - "duration": 1325900, - "end": "2022-03-09T07:37:02.035Z", - "ingested": "2022-03-09T07:37:03Z", - "kind": "event", - "start": "2022-03-09T07:37:02.033Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": 
"docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "status": "OK", - "type": "amqp" -} -``` - -### Cassandra - -Fields published for Apache Cassandra packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cassandra.no_request | Indicates that there is no request because this is a PUSH message. | boolean | -| cassandra.request.headers.flags | Flags applying to this frame. | keyword | -| cassandra.request.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long | -| cassandra.request.headers.op | An operation type that distinguishes the actual message. | keyword | -| cassandra.request.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword | -| cassandra.request.headers.version | The version of the protocol. | keyword | -| cassandra.request.query | The CQL query which client send to cassandra. | keyword | -| cassandra.response.authentication.class | Indicates the full class name of the IAuthenticator in use | keyword | -| cassandra.response.error.code | The error code of the Cassandra response. 
| long | -| cassandra.response.error.details.alive | Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). | long | -| cassandra.response.error.details.arg_types | One string for each argument type (as CQL type) of the failed function. | keyword | -| cassandra.response.error.details.blockfor | Representing the number of replicas whose acknowledgement is required to achieve consistency level. | long | -| cassandra.response.error.details.data_present | It means the replica that was asked for data had responded. | boolean | -| cassandra.response.error.details.function | The name of the failed function. | keyword | -| cassandra.response.error.details.keyspace | The keyspace of the failed function. | keyword | -| cassandra.response.error.details.num_failures | Representing the number of nodes that experience a failure while executing the request. | keyword | -| cassandra.response.error.details.read_consistency | Representing the consistency level of the query that triggered the exception. | keyword | -| cassandra.response.error.details.received | Representing the number of nodes having acknowledged the request. | long | -| cassandra.response.error.details.required | Representing the number of nodes that should be alive to respect consistency level. | long | -| cassandra.response.error.details.stmt_id | Representing the unknown ID. | keyword | -| cassandra.response.error.details.table | The keyspace of the failed function. | keyword | -| cassandra.response.error.details.write_type | Describe the type of the write that timed out. | keyword | -| cassandra.response.error.msg | The error message of the Cassandra response. | keyword | -| cassandra.response.error.type | The error type of the Cassandra response. | keyword | -| cassandra.response.event.change | The message corresponding respectively to the type of change followed by the address of the new/removed node. 
| keyword | -| cassandra.response.event.host | Representing the node ip. | keyword | -| cassandra.response.event.port | Representing the node port. | long | -| cassandra.response.event.schema_change.args | One string for each argument type (as CQL type). | keyword | -| cassandra.response.event.schema_change.change | Representing the type of changed involved. | keyword | -| cassandra.response.event.schema_change.keyspace | This describes which keyspace has changed. | keyword | -| cassandra.response.event.schema_change.name | The function/aggregate name. | keyword | -| cassandra.response.event.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword | -| cassandra.response.event.schema_change.table | This describes which table has changed. | keyword | -| cassandra.response.event.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword | -| cassandra.response.event.type | Representing the event type. | keyword | -| cassandra.response.headers.flags | Flags applying to this frame. | keyword | -| cassandra.response.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long | -| cassandra.response.headers.op | An operation type that distinguishes the actual message. | keyword | -| cassandra.response.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword | -| cassandra.response.headers.version | The version of the protocol. | keyword | -| cassandra.response.result.keyspace | Indicating the name of the keyspace that has been set. | keyword | -| cassandra.response.result.prepared.prepared_id | Representing the prepared query ID. 
| keyword | -| cassandra.response.result.prepared.req_meta.col_count | Representing the number of columns selected by the query that produced this result. | long | -| cassandra.response.result.prepared.req_meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.prepared.req_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.prepared.req_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.prepared.req_meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.prepared.req_meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.prepared.resp_meta.col_count | Representing the number of columns selected by the query that produced this result. | long | -| cassandra.response.result.prepared.resp_meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.prepared.resp_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.prepared.resp_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.prepared.resp_meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.prepared.resp_meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.rows.meta.col_count | Representing the number of columns selected by the query that produced this result. 
| long | -| cassandra.response.result.rows.meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.rows.meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.rows.meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.rows.meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.rows.meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.rows.num_rows | Representing the number of rows present in this result. | long | -| cassandra.response.result.schema_change.args | One string for each argument type (as CQL type). | keyword | -| cassandra.response.result.schema_change.change | Representing the type of changed involved. | keyword | -| cassandra.response.result.schema_change.keyspace | This describes which keyspace has changed. | keyword | -| cassandra.response.result.schema_change.name | The function/aggregate name. | keyword | -| cassandra.response.result.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword | -| cassandra.response.result.schema_change.table | This describes which table has changed. | keyword | -| cassandra.response.result.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword | -| cassandra.response.result.type | Cassandra result type. | keyword | -| cassandra.response.supported | Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. | flattened | -| cassandra.response.warnings | The text of the warnings, only occur when Warning flag was set. 
| keyword | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. 
| long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `cassandra` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:43:05.888Z", - "agent": { - "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "cassandra": { - "request": { - "headers": { - "flags": "Default", - "length": 98, - "op": "QUERY", - "stream": 49, - "version": "4" - }, - "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);" - }, - "response": { - "headers": { - "flags": "Default", - "length": 39, - "op": "RESULT", - "stream": 49, - "version": "4" - }, - "result": { - "schema_change": { - "change": "CREATED", - "keyspace": "mykeyspace", - "object": "users", - "target": "TABLE" - }, - "type": "schemaChanged" - } - } - }, - "client": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "data_stream": { - "dataset": "network_traffic.cassandra", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.cassandra", - "duration": 131589500, - "end": "2022-03-09T07:43:06.019Z", - "ingested": "2022-03-09T07:43:09Z", - "kind": "event", - "start": "2022-03-09T07:43:05.888Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, 
- "network": { - "bytes": 155, - "community_id": "1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=", - "direction": "ingress", - "protocol": "cassandra", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "source": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "status": "OK", - "type": "cassandra" -} -``` - -### DHCP - -Fields published for DHCPv4 packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dhcpv4.assigned_ip | The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address. | ip | -| dhcpv4.client_ip | The current IP address of the client. | ip | -| dhcpv4.client_mac | The client's MAC address (layer two). | keyword | -| dhcpv4.flags | Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast. | keyword | -| dhcpv4.hardware_type | The type of hardware used for the local network (Ethernet, LocalTalk, etc). | keyword | -| dhcpv4.hops | The number of hops the DHCP message went through. | long | -| dhcpv4.op_code | The message op code (bootrequest or bootreply). | keyword | -| dhcpv4.option.boot_file_name | This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. | keyword | -| dhcpv4.option.broadcast_address | This option specifies the broadcast address in use on the client's subnet. | ip | -| dhcpv4.option.class_identifier | This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. 
For example, the identifier may encode the client's hardware configuration. | keyword | -| dhcpv4.option.dns_servers | The domain name server option specifies a list of Domain Name System servers available to the client. | ip | -| dhcpv4.option.domain_name | This option specifies the domain name that client should use when resolving hostnames via the Domain Name System. | keyword | -| dhcpv4.option.hostname | This option specifies the name of the client. | keyword | -| dhcpv4.option.ip_address_lease_time_sec | This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. | long | -| dhcpv4.option.max_dhcp_message_size | This option specifies the maximum length DHCP message that the client is willing to accept. | long | -| dhcpv4.option.message | This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters. | text | -| dhcpv4.option.message_type | The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform). | keyword | -| dhcpv4.option.ntp_servers | This option specifies a list of IP addresses indicating NTP servers available to the client. | ip | -| dhcpv4.option.parameter_request_list | This option is used by a DHCP client to request values for specified configuration parameters. | keyword | -| dhcpv4.option.rebinding_time_sec | This option specifies the time interval from address assignment until the client transitions to the REBINDING state. | long | -| dhcpv4.option.renewal_time_sec | This option specifies the time interval from address assignment until the client transitions to the RENEWING state. 
| long | -| dhcpv4.option.requested_ip_address | This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned. | ip | -| dhcpv4.option.router | The router option specifies a list of IP addresses for routers on the client's subnet. | ip | -| dhcpv4.option.server_identifier | IP address of the individual DHCP server which handled this message. | ip | -| dhcpv4.option.subnet_mask | The subnet mask that the client should use on the currnet network. | ip | -| dhcpv4.option.time_servers | The time server option specifies a list of RFC 868 time servers available to the client. | ip | -| dhcpv4.option.utc_time_offset_sec | The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). | long | -| dhcpv4.option.vendor_identifying_options | A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925. | object | -| dhcpv4.relay_ip | The relay IP address used by the client to contact the server (i.e. a DHCP relay server). | ip | -| dhcpv4.seconds | Number of seconds elapsed since client began address acquisition or renewal process. | long | -| dhcpv4.server_ip | The IP address of the DHCP server that the client should use for the next step in the bootstrap process. | ip | -| dhcpv4.server_name | The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages. | keyword | -| dhcpv4.transaction_id | Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. 
For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `dhcpv4` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:43:52.712Z", - "agent": { - "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "data_stream": { - "dataset": "network_traffic.dhcpv4", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "255.255.255.255", - "port": 67 - }, - "dhcpv4": { - "client_mac": "00-0B-82-01-FC-42", - "flags": "unicast", - "hardware_type": "Ethernet", - "hops": 0, - "op_code": "bootrequest", - "option": { - "message_type": "discover", - "parameter_request_list": [ - "Subnet Mask", - "Router", - "Domain Name Server", - "NTP Servers" - ], - "requested_ip_address": "0.0.0.0" - }, - "seconds": 0, - "transaction_id": "0x00003d1d" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dhcpv4", - "ingested": "2022-03-09T07:43:53Z", - "kind": "event", - "start": "2022-03-09T07:43:52.712Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 272, - "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", - "direction": "unknown", - "protocol": "dhcpv4", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "0.0.0.0", - 
"255.255.255.255" - ] - }, - "server": { - "ip": "255.255.255.255", - "port": 67 - }, - "source": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "status": "OK", - "type": "dhcpv4" -} -``` - -### DNS - -Fields published for DNS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.additionals | An array containing a dictionary for each additional section from the answer. | object | -| dns.additionals.class | The class of DNS data contained in this resource record. | keyword | -| dns.additionals.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.additionals.name | The domain name to which this resource record pertains. | keyword | -| dns.additionals.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.additionals.type | The type of data contained in this resource record. | keyword | -| dns.additionals_count | The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. | long | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. 
| object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.answers_count | The number of resource records contained in the `dns.answers` field. | long | -| dns.authorities | An array containing a dictionary for each authority section from the answer. | object | -| dns.authorities.class | The class of DNS data contained in this resource record. | keyword | -| dns.authorities.name | The domain name to which this resource record pertains. | keyword | -| dns.authorities.type | The type of data contained in this resource record. | keyword | -| dns.authorities_count | The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. | long | -| dns.flags.authentic_data | A DNS flag specifying that the recursive server considers the response authentic. | boolean | -| dns.flags.authoritative | A DNS flag specifying that the responding server is an authority for the domain name used in the question. | boolean | -| dns.flags.checking_disabled | A DNS flag specifying that the client disables the server signature validation of the query. 
| boolean | -| dns.flags.recursion_available | A DNS flag specifying whether recursive query support is available in the name server. | boolean | -| dns.flags.recursion_desired | A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. | boolean | -| dns.flags.truncated_response | A DNS flag specifying that only the first 512 bytes of the reply were returned. | boolean | -| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.opt.do | If set, the transaction uses DNSSEC. | boolean | -| dns.opt.ext_rcode | Extended response code field. | keyword | -| dns.opt.udp_size | Requestor's UDP payload size (in bytes). | long | -| dns.opt.version | The EDNS version. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.etld_plus_one | The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. 
For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:48:42.751Z", - "agent": { - "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "data_stream": { - "dataset": "network_traffic.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "dns": { - "additionals_count": 0, - "answers": [ - { - "class": "IN", - "data": "ns-1183.awsdns-19.org", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-2007.awsdns-58.co.uk", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-66.awsdns-08.com", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-835.awsdns-40.net", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - } - ], - "answers_count": 4, - "authorities_count": 0, - "flags": { - "authentic_data": false, - "authoritative": false, - "checking_disabled": false, - "recursion_available": true, - "recursion_desired": true, - "truncated_response": false - }, - "header_flags": [ - "RD", - "RA" - ], - "id": 26187, - "op_code": "QUERY", - "question": { - "class": "IN", - "etld_plus_one": "elastic.co", - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "NS" - }, - "response_code": "NOERROR", - "type": "answer" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dns", - "duration": 68515700, - "end": "2022-03-09T07:48:42.819Z", - "ingested": 
"2022-03-09T07:48:43Z", - "kind": "event", - "start": "2022-03-09T07:48:42.751Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "QUERY", - "network": { - "bytes": 195, - "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", - "direction": "unknown", - "protocol": "dns", - "transport": "udp", - "type": "ipv4" - }, - "query": "class IN, type NS, elastic.co", - "related": { - "ip": [ - "192.168.238.68", - "8.8.8.8" - ] - }, - "resource": "elastic.co", - "server": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "source": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "status": "OK", - "type": "dns" -} -``` - -### HTTP - -Fields published for HTTP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.headers | A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.headers | A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened | -| http.response.status_code | HTTP response status code. | long | -| http.response.status_phrase | The HTTP status phrase. | keyword | -| http.version | HTTP version. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. 
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. 
| keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. 
| long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - - -An example event for `http` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:54:42.031Z", - "agent": { - "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "data_stream": { - "dataset": "network_traffic.http", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.http", - "duration": 141490400, - "end": "2022-03-09T07:54:42.172Z", - "ingested": "2022-03-09T07:54:43Z", - "kind": "event", - "start": "2022-03-09T07:54:42.031Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": 
"Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "http": { - "request": { - "body": { - "bytes": 55 - }, - "bytes": 211, - "headers": { - "content-length": 55, - "content-type": "application/x-www-form-urlencoded" - }, - "method": "POST" - }, - "response": { - "body": { - "bytes": 8936 - }, - "bytes": 9108, - "headers": { - "content-length": 8936, - "content-type": "text/html; charset=utf-8" - }, - "status_code": 404, - "status_phrase": "not found" - }, - "version": "1.1" - }, - "method": "POST", - "network": { - "bytes": 9319, - "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=", - "direction": "unknown", - "protocol": "http", - "transport": "tcp", - "type": "ipv4" - }, - "query": "POST /register", - "related": { - "hosts": [ - "packetbeat.com" - ], - "ip": [ - "192.168.238.50", - "107.170.1.22" - ] - }, - "server": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "source": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "status": "Error", - "type": "http", - "url": { - "domain": "packetbeat.com", - "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "path": "/register", - "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "scheme": "http" - }, - "user_agent": { - "original": "curl/7.37.1" - } -} -``` - -### ICMP - -Fields published for ICMP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. 
| keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| icmp.request.code | The request code. | long | -| icmp.request.message | A human readable form of the request. | keyword | -| icmp.request.type | The request type. | long | -| icmp.response.code | The response code. | long | -| icmp.response.message | A human readable form of the response. | keyword | -| icmp.response.type | The response type. | long | -| icmp.version | The version of the ICMP protocol. | long | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `icmp` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:57:32.766Z", - "agent": { - "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 4, - "ip": "::1" - }, - "data_stream": { - "dataset": "network_traffic.icmp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 4, - "ip": "::2" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.icmp", - "duration": 13336600, - "end": "2022-03-09T07:57:32.779Z", - "ingested": "2022-03-09T07:57:36Z", - "kind": "event", - "start": "2022-03-09T07:57:32.766Z", - "type": [ - "connection" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "icmp": { - "request": { - "code": 0, - "message": "EchoRequest", - "type": 128 - }, - "response": { - "code": 0, - "message": "EchoReply", - "type": 129 - }, - "version": 6 - }, - "network": { - "bytes": 8, - "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=", - "direction": "egress", - "transport": "ipv6-icmp", - "type": "ipv6" - }, - "path": "::2", - "related": { - "ip": [ - "::1", - "::2" - ] - }, - "server": { - "bytes": 4, - "ip": "::2" - }, - "source": { - "bytes": 4, - "ip": "::1" - }, - "status": "OK", - "type": "icmp" -} -``` - -### Memcached - -Fields published for Memcached packets. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| memcache.protocol_type | The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. | keyword | -| memcache.request.automove | The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. | keyword | -| memcache.request.bytes | The byte count of the values being transferred. | long | -| memcache.request.cas_unique | The CAS (compare-and-swap) identifier if present. | long | -| memcache.request.command | The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. | keyword | -| memcache.request.count_values | The number of values found in the memcache request message. If the command does not send any data, this field is missing. | long | -| memcache.request.delta | The counter increment/decrement delta value. | long | -| memcache.request.dest_class | The destination class id in 'slab reassign' command. | long | -| memcache.request.exptime | The data expiry time in seconds sent with the memcache command (if present). If the value is `\< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). | long | -| memcache.request.flags | The memcache command flags sent in the request (if present). | long | -| memcache.request.initial | The counter increment/decrement initial value parameter (binary protocol only). | long | -| memcache.request.keys | The list of keys sent in the store or load commands. 
| array | -| memcache.request.line | The raw command line for unknown commands ONLY. | keyword | -| memcache.request.noreply | Set to true if noreply was set in the request. The `memcache.response` field will be missing. | boolean | -| memcache.request.opaque | The binary protocol opaque header value used for correlating request with response messages. | long | -| memcache.request.opcode | The binary protocol message opcode name. | keyword | -| memcache.request.opcode_value | The binary protocol message opcode value. | long | -| memcache.request.quiet | Set to true if the binary protocol message is to be treated as a quiet message. | boolean | -| memcache.request.raw_args | The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. | keyword | -| memcache.request.sleep_us | The sleep setting in microseconds for the 'lru_crawler sleep' command. | long | -| memcache.request.source_class | The source class id in 'slab reassign' command. | long | -| memcache.request.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". | keyword | -| memcache.request.values | The list of base64 encoded values sent with the request (if present). | array | -| memcache.request.vbucket | The vbucket index sent in the binary message. | long | -| memcache.request.verbosity | The value of the memcache "verbosity" command. | long | -| memcache.response.bytes | The byte count of the values being transferred. | long | -| memcache.response.cas_unique | The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). | long | -| memcache.response.command | Either the text based protocol response message type or the name of the originating request if binary protocol is used. | keyword | -| memcache.response.count_values | The number of values found in the memcache response message. 
If the command does not send any data, this field is missing. | long | -| memcache.response.error_msg | The optional error message in the memcache response (text based protocol only). | keyword | -| memcache.response.flags | The memcache message flags sent in the response (if present). | long | -| memcache.response.keys | The list of keys returned for the load command (if present). | array | -| memcache.response.opaque | The binary protocol opaque header value used for correlating request with response messages. | long | -| memcache.response.opcode | The binary protocol message opcode name. | keyword | -| memcache.response.opcode_value | The binary protocol message opcode value. | long | -| memcache.response.stats | The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". | array | -| memcache.response.status | The textual representation of the response error code (binary protocol only). | keyword | -| memcache.response.status_code | The status code value returned in the response (binary protocol only). | long | -| memcache.response.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). | keyword | -| memcache.response.value | The counter value returned by a counter operation. | long | -| memcache.response.values | The list of base64 encoded values sent with the response (if present). | array | -| memcache.response.version | The returned memcache version string. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. 
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). 
| ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `memcached` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:09:26.564Z", - "agent": { - "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "ip": "192.168.188.37", - "port": 65195 - }, - "data_stream": { - "dataset": "network_traffic.memcached", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.memcached", - "ingested": "2022-03-09T08:09:37Z", - "kind": "event", - "start": "2022-03-09T08:09:26.564Z", - "type": [ - "connection", - "protocol" - ] - }, - "event.action": "memcache.store", - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "memcache": { - "protocol_type": "binary", - "request": { - "bytes": 1024, - "command": "set", - "count_values": 1, - "exptime": 0, - "flags": 0, - "keys": [ - "test_key" - ], - "opaque": 65536, - "opcode": "SetQ", - 
"opcode_value": 17, - "quiet": true, - "type": "Store", - "vbucket": 0 - } - }, - "network": { - "bytes": 1064, - "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=", - "direction": "unknown", - "protocol": "memcache", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.188.37", - "192.168.188.38" - ] - }, - "server": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 - }, - "source": { - "ip": "192.168.188.37", - "port": 65195 - }, - "status": "OK", - "type": "memcache" -} -``` - -### MongoDB - -Fields published for MongoDB packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. 
| keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. 
| keyword | -| mongodb.error | If the MongoDB request has resulted in an error, this field contains the error message returned by the server. | keyword | -| mongodb.fullCollectionName | The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. | keyword | -| mongodb.numberReturned | The number of documents in the reply. | long | -| mongodb.numberToReturn | The requested maximum number of documents to be returned. | long | -| mongodb.numberToSkip | Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. | long | -| mongodb.query | A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. | keyword | -| mongodb.returnFieldsSelector | A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. | keyword | -| mongodb.selector | A BSON document that specifies the query for selecting the document to update or delete. | keyword | -| mongodb.startingFrom | Where in the cursor this reply is starting. | keyword | -| mongodb.update | A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. 
This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. 
| keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. 
| keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `mongodb` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:15:48.570Z", - "agent": { - "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "data_stream": { - "dataset": "network_traffic.mongodb", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mongodb", - "duration": 1365900, - "end": "2022-03-09T08:15:48.571Z", - "ingested": "2022-03-09T08:15:49Z", - "kind": "event", - "start": "2022-03-09T08:15:48.570Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "find", - "mongodb": { - "cursorId": 0, - "fullCollectionName": "test.restaurants", - "numberReturned": 1, - "numberToReturn": 1, - "numberToSkip": 0, - "startingFrom": 0 - }, - "network": { - "bytes": 564, - "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=", - "direction": "ingress", - "protocol": "mongodb", - "transport": "tcp", - "type": "ipv4" - }, - "query": "test.restaurants.find().limit(1)", - 
"related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "test.restaurants", - "server": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "source": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "status": "OK", - "type": "mongodb" -} -``` - -### MySQL - -Fields published for MySQL packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. 
| long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| mysql.affected_rows | If the MySQL command is successful, this field contains the affected number of rows of the last statement. | long | -| mysql.error_code | The error code returned by MySQL. | long | -| mysql.error_message | The error info message returned by MySQL. 
| keyword | -| mysql.insert_id | If the INSERT query is successful, this field contains the id of the newly inserted row. | keyword | -| mysql.num_fields | If the SELECT query is successful, this field is set to the number of fields returned. | long | -| mysql.num_rows | If the SELECT query is successful, this field is set to the number of rows returned. | long | -| mysql.query | The row mysql query as read from the transaction's request. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. 
| keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. 
| keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `mysql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:20:44.667Z", - "agent": { - "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "data_stream": { - "dataset": "network_traffic.mysql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mysql", - "duration": 5532500, - "end": "2022-03-09T08:20:44.673Z", - "ingested": "2022-03-09T08:20:45Z", - "kind": "event", - "start": "2022-03-09T08:20:44.667Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": 
{ - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "mysql": { - "affected_rows": 0, - "insert_id": 0, - "num_fields": 3, - "num_rows": 15 - }, - "network": { - "bytes": 3652, - "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", - "direction": "ingress", - "protocol": "mysql", - "transport": "tcp", - "type": "ipv4" - }, - "path": "test.test", - "query": "select * from test", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "source": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "status": "OK", - "type": "mysql" -} -``` - -### NFS - -Fields published for NFS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| nfs.minor_version | NFS protocol minor version number. | long | -| nfs.opcode | NFS operation name, or main operation name, in case of COMPOUND calls. | keyword | -| nfs.status | NFS operation reply status. | keyword | -| nfs.tag | NFS v4 COMPOUND operation tag. | keyword | -| nfs.version | NFS protocol version number. | long | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). 
For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| rpc.auth_flavor | RPC authentication flavor. | keyword | -| rpc.cred.gid | RPC caller's group id, in case of auth-unix. | long | -| rpc.cred.gids | RPC caller's secondary group ids, in case of auth-unix. | long | -| rpc.cred.machinename | The name of the caller's machine. | keyword | -| rpc.cred.stamp | Arbitrary ID which the caller machine may generate. | long | -| rpc.cred.uid | RPC caller's user id, in case of auth-unix. | long | -| rpc.status | RPC message reply status. | keyword | -| rpc.xid | RPC message transaction identifier. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| user.id | Unique identifier of the user. | keyword | - - -An example event for `nfs` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:24:00.569Z", - "agent": { - "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "data_stream": { - "dataset": "network_traffic.nfs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "nfs.CLOSE", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.nfs", - "duration": 6573500, - "end": "2022-03-09T08:24:00.575Z", - "ingested": "2022-03-09T08:24:01Z", - "kind": "event", - "start": "2022-03-09T08:24:00.569Z", - "type": [ - "connection", - "protocol" - ] - }, - "group.id": 48, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "host.hostname": "desycloud03.desy.de", - "network": { - "bytes": 384, - "community_id": 
"1:cd5eLXemAsSPMdXwCbdDUWWud4M=", - "direction": "unknown", - "protocol": "nfsv4", - "transport": "tcp", - "type": "ipv4" - }, - "nfs": { - "minor_version": 1, - "opcode": "CLOSE", - "status": "NFS_OK", - "tag": "", - "version": 4 - }, - "related": { - "ip": [ - "131.169.5.156", - "131.169.192.35" - ] - }, - "rpc": { - "auth_flavor": "unix", - "cred": { - "gid": 48, - "gids": [ - 48 - ], - "machinename": "desycloud03.desy.de", - "stamp": 4308441, - "uid": 48 - }, - "status": "success", - "xid": "c3103fc1" - }, - "server": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "source": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "status": "OK", - "type": "nfs", - "user.id": 48 -} -``` - -### PostgreSQL - -Fields published for PostgreSQL packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. 
access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. 
In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| pgsql.error_code | The PostgreSQL error code. | keyword | -| pgsql.error_message | The PostgreSQL error message. | keyword | -| pgsql.error_severity | The PostgreSQL error severity. | keyword | -| pgsql.num_fields | If the SELECT query if successful, this field is set to the number of fields returned. | long | -| pgsql.num_rows | If the SELECT query if successful, this field is set to the number of rows returned. | long | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. 
| long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `pgsql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:29:39.675Z", - "agent": { - "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "data_stream": { - "dataset": "network_traffic.pgsql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.pgsql", - "duration": 2568100, - "end": "2022-03-09T08:29:39.678Z", - "ingested": "2022-03-09T08:29:40Z", - "kind": "event", - "start": "2022-03-09T08:29:39.675Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - 
"architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "network": { - "bytes": 3220, - "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=", - "direction": "ingress", - "protocol": "pgsql", - "transport": "tcp", - "type": "ipv4" - }, - "pgsql": { - "num_fields": 3, - "num_rows": 15 - }, - "query": "select * from long_response", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "source": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "status": "OK", - "type": "pgsql" -} -``` - -### Redis - -Fields published for Redis packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. 
| keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. 
For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| redis.error | If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. | keyword | -| redis.return_value | The return value of the Redis command in a human readable format. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. 
The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `redis` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:30:57.254Z", - "agent": { - "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "data_stream": { - "dataset": "network_traffic.redis", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "redis.set", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.redis", - "duration": 1421600, - "end": "2022-03-09T08:30:57.256Z", - "ingested": "2022-03-09T08:30:58Z", - "kind": "event", - "start": "2022-03-09T08:30:57.254Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SET", - "network": { - "bytes": 36, - "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=", - "direction": "ingress", - "protocol": "redis", - "transport": "tcp", - "type": "ipv4" - }, - "query": "set key3 me", - "redis": { - "return_value": "OK" - }, - "related": { - "ip": [ - 
"127.0.0.1" - ] - }, - "resource": "key3", - "server": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "source": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "status": "OK", - "type": "redis" -} -``` - -### SIP - -Fields published for SIP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. 
This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. 
The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| sip.accept | Accept header value. | keyword | -| sip.allow | Allowed methods. | keyword | -| sip.auth.realm | Auth realm | keyword | -| sip.auth.scheme | Auth scheme | keyword | -| sip.auth.uri.host | Auth URI host | keyword | -| sip.auth.uri.original | Auth original URI | keyword | -| sip.auth.uri.original.text | Multi-field of `sip.auth.uri.original`. | text | -| sip.auth.uri.port | Auth URI port | long | -| sip.auth.uri.scheme | Auth URI scheme | keyword | -| sip.call_id | Call ID. | keyword | -| sip.code | Response status code. | long | -| sip.contact.display_info | Contact display info | keyword | -| sip.contact.expires | Contact expires | keyword | -| sip.contact.line | Contact line | keyword | -| sip.contact.q | Contact Q | keyword | -| sip.contact.transport | Contact transport | keyword | -| sip.contact.uri.host | Contact URI host | keyword | -| sip.contact.uri.original | Contact original URI | keyword | -| sip.contact.uri.original.text | Multi-field of `sip.contact.uri.original`. 
| text | -| sip.contact.uri.port | Contact URI port | long | -| sip.contact.uri.scheme | Contat URI scheme | keyword | -| sip.contact.uri.username | Contact URI user name | keyword | -| sip.content_length | | long | -| sip.content_type | | keyword | -| sip.cseq.code | Sequence code. | long | -| sip.cseq.method | Sequence method. | keyword | -| sip.from.display_info | From display info | keyword | -| sip.from.tag | From tag | keyword | -| sip.from.uri.host | From URI host | keyword | -| sip.from.uri.original | From original URI | keyword | -| sip.from.uri.original.text | Multi-field of `sip.from.uri.original`. | text | -| sip.from.uri.port | From URI port | long | -| sip.from.uri.scheme | From URI scheme | keyword | -| sip.from.uri.username | From URI user name | keyword | -| sip.max_forwards | | long | -| sip.method | Request method. | keyword | -| sip.private.uri.host | Private URI host. | keyword | -| sip.private.uri.original | Private original URI. | keyword | -| sip.private.uri.original.text | Multi-field of `sip.private.uri.original`. | text | -| sip.private.uri.port | Private URI port. | long | -| sip.private.uri.scheme | Private URI scheme. | keyword | -| sip.private.uri.username | Private URI user name. | keyword | -| sip.sdp.body.original | SDP original body | keyword | -| sip.sdp.body.original.text | Multi-field of `sip.sdp.body.original`. | text | -| sip.sdp.connection.address | SDP connection address | keyword | -| sip.sdp.connection.info | SDP connection info | keyword | -| sip.sdp.owner.ip | SDP owner IP | ip | -| sip.sdp.owner.session_id | SDP owner session ID | keyword | -| sip.sdp.owner.username | SDP owner user name | keyword | -| sip.sdp.owner.version | SDP owner version | keyword | -| sip.sdp.session.name | SDP session name | keyword | -| sip.sdp.version | SDP version | keyword | -| sip.status | Response status phrase. | keyword | -| sip.supported | Supported methods. 
| keyword | -| sip.to.display_info | To display info | keyword | -| sip.to.tag | To tag | keyword | -| sip.to.uri.host | To URI host | keyword | -| sip.to.uri.original | To original URI | keyword | -| sip.to.uri.original.text | Multi-field of `sip.to.uri.original`. | text | -| sip.to.uri.port | To URI port | long | -| sip.to.uri.scheme | To URI scheme | keyword | -| sip.to.uri.username | To URI user name | keyword | -| sip.type | Either request or response. | keyword | -| sip.uri.host | The URI host. | keyword | -| sip.uri.original | The original URI. | keyword | -| sip.uri.original.text | Multi-field of `sip.uri.original`. | text | -| sip.uri.port | The URI port. | long | -| sip.uri.scheme | The URI scheme. | keyword | -| sip.uri.username | The URI user name. | keyword | -| sip.user_agent.original | | keyword | -| sip.user_agent.original.text | Multi-field of `sip.user_agent.original`. | text | -| sip.version | SIP protocol version. | keyword | -| sip.via.original | The original Via value. | keyword | -| sip.via.original.text | Multi-field of `sip.via.original`. | text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. 
| match_only_text | - - -An example event for `sip` looks as following: - -```json -{ - "@timestamp": "2022-05-13T07:10:35.715Z", - "agent": { - "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013", - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "10.0.2.20", - "port": 5060 - }, - "data_stream": { - "dataset": "network_traffic.sip", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.2.15", - "port": 5060 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "sip-invite", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.sip", - "duration": 0, - "end": "2022-05-13T07:10:35.715Z", - "ingested": "2022-05-13T07:10:39Z", - "kind": "event", - "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", - "sequence": 1, - "start": "2022-05-13T07:10:35.715Z", - "type": [ - "info" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "172.31.0.7" - ], - "mac": [ - "02-42-AC-1F-00-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - 
"application": "sip", - "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", - "direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - }, - "version": "2.0", - "via": { - "original": [ - "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" - ] - } - }, - "source": { - "ip": "10.0.2.20", - "port": 5060 - }, - "status": "OK", - "type": "sip" -} -``` - -### Thrift - -Fields published for Thrift packets. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. 
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| thrift.exceptions | If the call resulted in exceptions, this field contains the exceptions in a human readable format. | keyword | -| thrift.params | The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. | keyword | -| thrift.return_value | The value returned by the Thrift-RPC call. This is encoded in a human readable format. 
| keyword | -| thrift.service | The name of the Thrift-RPC service as defined in the IDL files. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `thrift` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:33:31.022Z", - "agent": { - "ephemeral_id": "de52c04f-60dd-4ed1-a501-b297caa5c67c", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "data_stream": { - "dataset": "network_traffic.thrift", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.thrift", - "duration": 1394000, - "end": "2022-03-09T08:33:31.023Z", - "ingested": "2022-03-09T08:33:32Z", - "kind": "event", - "start": "2022-03-09T08:33:31.022Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "testByte", - "network": { - "bytes": 50, - "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=", - "direction": "ingress", - "protocol": "thrift", - "transport": "tcp", - "type": "ipv4" - }, - "path": "", - "query": "testByte(1: 63)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 25, - "ip": 
"127.0.0.1", - "port": 9090 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "status": "OK", - "thrift": { - "params": "(1: 63)", - "return_value": "63" - }, - "type": "thrift" -} -``` - -### TLS - -Fields published for TLS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
| long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. 
For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. 
| long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| tls.cipher | String indicating the cipher used during the current connection. | keyword |
-| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword |
-| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword |
-| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword |
-| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
-| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. 
| date |
-| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date |
-| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword |
-| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword |
-| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. | keyword |
-| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
-| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.country | List of country (C) codes | keyword |
-| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.locality | List of locality names (L) | keyword |
-| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date |
-| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
-| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
| keyword |
-| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
-| tls.client.x509.public_key_size | The size of the public key space in bits. | long |
-| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| tls.client.x509.subject.country | List of country (C) code | keyword |
-| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| tls.client.x509.subject.locality | List of locality names (L) | keyword |
-| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword |
-| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.client.x509.version_number | Version of x509 format. | keyword |
-| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword |
-| tls.detailed.alert_types | An array containing the TLS alert type for every alert received. | keyword |
-| tls.detailed.client_certificate_chain | Chain of trust for the client certificate. | array |
-| tls.detailed.client_certificate_requested | Whether the server has requested the client to authenticate itself using a client certificate. | boolean |
-| tls.detailed.client_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. 
| keyword |
-| tls.detailed.client_hello.extensions.application_layer_protocol_negotiation | List of application-layer protocols the client is willing to use. | keyword |
-| tls.detailed.client_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. | keyword |
-| tls.detailed.client_hello.extensions.server_name_indication | List of hostnames | keyword |
-| tls.detailed.client_hello.extensions.session_ticket | Length of the session ticket, if provided, or an empty string to advertise support for tickets. | keyword |
-| tls.detailed.client_hello.extensions.signature_algorithms | List of signature algorithms that may be use in digital signatures. | keyword |
-| tls.detailed.client_hello.extensions.status_request.request_extensions | The number of certificate extensions for the request. | short |
-| tls.detailed.client_hello.extensions.status_request.responder_id_list_length | The length of the list of trusted responders. | short |
-| tls.detailed.client_hello.extensions.status_request.type | The type of the status request. Always "ocsp" if present. | keyword |
-| tls.detailed.client_hello.extensions.supported_groups | List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. | keyword |
-| tls.detailed.client_hello.extensions.supported_versions | List of TLS versions that the client is willing to use. | keyword |
-| tls.detailed.client_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword |
-| tls.detailed.client_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword |
-| tls.detailed.client_hello.supported_compression_methods | The list of compression methods the client supports. 
See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml | keyword |
-| tls.detailed.client_hello.version | The version of the TLS protocol by which the client wishes to communicate during this session. | keyword |
-| tls.detailed.ocsp_response | The result of an OCSP request. | keyword |
-| tls.detailed.resumption_method | If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. | keyword |
-| tls.detailed.server_certificate_chain | Chain of trust for the server certificate. | array |
-| tls.detailed.server_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. | keyword |
-| tls.detailed.server_hello.extensions.application_layer_protocol_negotiation | Negotiated application layer protocol | keyword |
-| tls.detailed.server_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. | keyword |
-| tls.detailed.server_hello.extensions.session_ticket | Used to announce that a session ticket will be provided by the server. Always an empty string. | keyword |
-| tls.detailed.server_hello.extensions.status_request.response | Whether a certificate status request response was made. | boolean |
-| tls.detailed.server_hello.extensions.supported_versions | Negotiated TLS version to be used. | keyword |
-| tls.detailed.server_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword |
-| tls.detailed.server_hello.selected_compression_method | The compression method selected by the server from the list provided in the client hello. | keyword |
-| tls.detailed.server_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword |
-| tls.detailed.server_hello.version | The version of the TLS protocol that is used for this session. 
It is the highest version supported by the server not exceeding the version requested in the client hello. | keyword |
-| tls.detailed.version | The version of the TLS protocol used. | keyword |
-| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean |
-| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword |
-| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean |
-| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword |
-| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. | keyword |
-| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. 
| keyword |
-| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword |
-| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date |
-| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date |
-| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword |
-| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
-| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.country | List of country (C) codes | keyword |
-| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.locality | List of locality names (L) | keyword |
-| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date |
-| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
-| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
-| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. 
| long |
-| tls.server.x509.public_key_size | The size of the public key space in bits. | long |
-| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| tls.server.x509.subject.country | List of country (C) code | keyword |
-| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| tls.server.x509.subject.locality | List of locality names (L) | keyword |
-| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword |
-| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.server.x509.version_number | Version of x509 format. | keyword |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `tls` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:34:08.391Z",
- "agent": {
- "ephemeral_id": "5f0bae3e-11e9-4578-9a69-fa5e61bd6b09",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "ip": "192.168.1.36",
- "port": 60946
- },
- "data_stream": {
- "dataset": "network_traffic.tls",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "domain": "play.google.com",
- "ip": "216.58.201.174",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.tls",
- "duration": 14861200,
- "end": "2022-03-09T08:34:08.406Z",
- "ingested": "2022-03-09T08:34:09Z",
- "kind": "event",
- "start": "2022-03-09T08:34:08.391Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "network": {
- "community_id": "1:hfsK5r0tJm7av4j7BtSxA6oH9xA=",
- "direction": "unknown",
- "protocol": "tls",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.1.36",
- "216.58.201.174"
- ]
- },
- "server": {
- "domain": "play.google.com",
- "ip": "216.58.201.174",
- "port": 443
- },
- "source": {
- "ip": "192.168.1.36",
- "port": 60946
- },
- "status": "OK",
- "tls": {
- "cipher": "TLS_AES_128_GCM_SHA256",
- "client": {
- "ja3": "d470a3fa301d80227bc5650c75567d25",
- "server_name": "play.google.com",
- 
"supported_ciphers": [
- "TLS_AES_128_GCM_SHA256",
- "TLS_CHACHA20_POLY1305_SHA256",
- "TLS_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_RSA_WITH_AES_128_CBC_SHA",
- "TLS_RSA_WITH_AES_256_CBC_SHA",
- "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
- ]
- },
- "detailed": {
- "client_certificate_requested": false,
- "client_hello": {
- "extensions": {
- "_unparsed_": [
- "23",
- "renegotiation_info",
- "status_request",
- "51",
- "45",
- "28",
- "41"
- ],
- "application_layer_protocol_negotiation": [
- "h2",
- "http/1.1"
- ],
- "ec_points_formats": [
- "uncompressed"
- ],
- "server_name_indication": [
- "play.google.com"
- ],
- "signature_algorithms": [
- "ecdsa_secp256r1_sha256",
- "ecdsa_secp384r1_sha384",
- "ecdsa_secp521r1_sha512",
- "rsa_pss_sha256",
- "rsa_pss_sha384",
- "rsa_pss_sha512",
- "rsa_pkcs1_sha256",
- "rsa_pkcs1_sha384",
- "rsa_pkcs1_sha512",
- "ecdsa_sha1",
- "rsa_pkcs1_sha1"
- ],
- "supported_groups": [
- "x25519",
- "secp256r1",
- "secp384r1",
- "secp521r1",
- "ffdhe2048",
- "ffdhe3072"
- ],
- "supported_versions": [
- "TLS 1.3",
- "TLS 1.2",
- "TLS 1.1",
- "TLS 1.0"
- ]
- },
- "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6",
- "supported_compression_methods": [
- "NULL"
- ],
- "version": "3.3"
- },
- "resumption_method": "id",
- "server_hello": {
- "extensions": {
- "_unparsed_": [
- "41",
- "51"
- ],
- "supported_versions": "TLS 1.3"
- },
- "selected_compression_method": "NULL",
- "session_id": 
"5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6",
- "version": "3.3"
- },
- "version": "TLS 1.3"
- },
- "established": true,
- "resumed": true,
- "version": "1.3",
- "version_protocol": "tls"
- },
- "type": "tls"
-}
-```
-
-## Licensing for Windows Systems
-
-The Network Packet Capture Integration incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project").
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json
deleted file mode 100755
index 16f534dd5e..0000000000
--- a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "attributes": {
- "description": "Overview of DNS request and response metrics.",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":13,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":11,\"x\":13,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]",
- "timeRestore": false,
- "title": "[Network Packet Capture] DNS Overview",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-65120940-1454-11e9-9de0-f98d1808db8e",
- "migrationVersion": {
- "dashboard": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-dns-query-summary",
- "name": 
"panel_0",
- "type": "visualization"
- },
- {
- "id": "network_traffic-dns-request-status-over-time",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "network_traffic-dns-question-types",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "network_traffic-dns-top-10-questions",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "network_traffic-dns-response-codes",
- "name": "panel_4",
- "type": "visualization"
- },
- {
- "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e",
- "name": "panel_5",
- "type": "visualization"
- },
- {
- "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e",
- "name": "panel_6",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json
deleted file mode 100755
index 7562508a09..0000000000
--- a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json
+++ /dev/null
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "DHCPv4 Overview", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"3\",\"w\":11,\"x\":37,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"8\",\"w\":13,\"x\":24,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - 
"dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "5:panel_5", - "type": "search" - }, - { - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "name": "8:panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-cassandra.json b/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-cassandra.json deleted file mode 100755 index 489417c609..0000000000 --- a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-cassandra.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":36,\"y\":8},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":12,\"x\":24,\"y\":8},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":12,\"x\":12,\"y\":8},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\
":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"cassandra.request.query\",\"cassandra.response.result.rows.meta.keyspace\",\"cassandra.response.result.rows.meta.table\",\"cassandra.response.result.rows.num_rows\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"search\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Cassandra", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-cassandra-responsekeyspace", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetype", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetime", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcount", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-ops", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountstackbytype", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsecountstackbytype", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountbytype", - "name": "17:panel_17", - "type": 
"visualization" - }, - { - "id": "network_traffic-cassandra-responsecountbytype", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-queryview", - "name": "20:panel_20", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-dashboard.json b/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-dashboard.json deleted file mode 100755 index c1dee3dfea..0000000000 --- a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-dashboard.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "Network Packet Capture overview dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"2\",\"w\":12,\"x\":36,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"
},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":12,\"x\":24,\"y\":20},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"3f5bc195-da9d-4ec8-a68f-896db321a54b\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"9638dc3f-f85a-4e68-8e14-25654df43f8e\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"client.geo.location\\\",\\\"id\\\":\\\"220c104b-34a8-4aa7-a3d6-7b56ad4d3b9e\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":2.4,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"agent.type:packetbeat\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerC
ontrol\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"[Network Packet Capture] Map 2\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":40.9799,\"maxLon\":90,\"minLat\":0,\"minLon\":-90},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":2.4},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"title\":\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\",\"type\":\"map\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dashboard", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-web-transactions", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-db-transactions", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-errors-count-over-time", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-errors-vs-successful-transactions", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-latency-histogram", - "name": "8:panel_8", - "type": "visualization" - 
}, - { - "id": "network_traffic-response-times-repartition", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "92e797bb-1975-4320-9d19-9b7f11e9e538:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-dns-unique-domains.json b/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-dns-unique-domains.json deleted file mode 100755 index d6f50f2545..0000000000 --- a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-dns-unique-domains.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "Detecting tunneling over DNS.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"NOT dns.question.type:PTR\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique Subdomain Count\":\"#EF843C\",\"Unique count of dns.question.name\":\"#E0752D\"},\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Tunneling", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-unique-domains", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-unique-fqdns-per-etld-1", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"network_traffic-bytes-transferred-per-domain", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-flows.json b/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-flows.json deleted file mode 100755 index 13b51d1106..0000000000 --- a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-flows.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"3\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":35,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Network Flows", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-top-hosts-creating-traffic", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-connections-over-time", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-top-hosts-receiving-traffic", - "name": "panel_3", - "type": "visualization" - }, - { - "id": 
"network_traffic-network-traffic-between-your-hosts", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-http.json b/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-http.json deleted file mode 100755 index 0699eb175a..0000000000 --- a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-http.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":36,\"x\":12,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] HTTP", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": 
"network_traffic-web-transactions", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes-evolution", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-total-number-of-http-transactions", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-http-codes-for-the-top-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-10-http-requests", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-mongodb-performance.json b/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-mongodb-performance.json deleted file mode 100755 index 76b41ed6ac..0000000000 --- a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-mongodb-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"6\",\"w\":32,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":35},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] MongoDB", - "version": 1 - }, - "coreMigrationVersion": 
"7.17.0", - "id": "network_traffic-mongodb-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-commands", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors-per-collection", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-in-slash-out-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-response-times-by-collection", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-slowest-mongodb-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-mysql-performance.json b/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-mysql-performance.json deleted file mode 100755 index 6e51b19d93..0000000000 --- a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-mysql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network 
Packet Capture] MySQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-methods", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-throughput", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-mysql-queries", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-mysql-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-response-times-percentiles", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-reads-vs-writes", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-nfs.json b/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-nfs.json deleted file mode 100755 index 2b9bfc8b82..0000000000 --- a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-nfs.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "NFSv3 and NFSv4 transactions over TCP.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":25,\"i\":\"1\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":10},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":30,\"i\"
:\"9\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"9\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"10\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_8\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] NFS", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-clients-pie-chart", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operations-area-chart", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-group-pie-chart", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-users-pie-chart", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-response-times", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-errors", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operation-table", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-bytes-in-slash-out", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-pgsql-performance.json b/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-pgsql-performance.json deleted file mode 100755 index 462ad7a8be..0000000000 --- a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-pgsql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Postgres database query performance.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - 
"timeRestore": false, - "title": "[Network Packet Capture] PgSQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-methods", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-response-times-percentiles", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-reads-vs-writes", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-pgsql-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-pgsql-queries", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-thrift-performance.json b/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-thrift-performance.json deleted file mode 100755 index fe50a1efbd..0000000000 --- a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-thrift-performance.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Thrift performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-performance", 
- "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-requests-per-minute", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-rpc-errors", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-thrift-rpc-methods", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-methods", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "name": "7:panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-tls-sessions.json b/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-tls-sessions.json deleted file mode 100755 index 876601f994..0000000000 --- a/packages/network_traffic/0.10.1/kibana/dashboard/network_traffic-tls-sessions.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "[Network Packet Capture] TLS Sessions", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"8\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":12,\"x\":12,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":12,\"x\":0,\"y\":16},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":40},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"12\",\"w\":12,\"x\":24,\"y\":28},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":12,\"x\":36,\"y\":28},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":12,\"x\":0,\"y\":28},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"ver
sion\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"19\",\"w\":36,\"x\":12,\"y\":16},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-tls-sessions", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "name": "12:panel_12", - 
"type": "visualization" - }, - { - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index afb21d2457..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 67be55b24a..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.ja3\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.ja3\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Fingerprint", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index 6d16385a7d..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] HTTP Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 438de0c09a..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"event.duration\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Handshake Latency", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index b2320634bf..0000000000 
--- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.server.x509.public_key_size\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.server.x509.public_key_size\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Server Public Key Size", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json deleted file mode 100755 index 7851d8f875..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.server_name\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.server_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Server Name Indication", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json deleted file mode 100755 index 44b4e814c2..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "columns": [ - "dhcpv4.transaction_id", - "dhcpv4.op_code", - "dhcpv4.option.message_type", - "source.ip", - "destination.ip", - "dhcpv4.client_mac", - "dhcpv4.option.hostname", - "dhcpv4.option.class_identifier" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json deleted file mode 100755 index 48114ab869..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.detailed.version\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.detailed.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Version", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-cassandra-queryview.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-cassandra-queryview.json deleted file mode 100755 index 4da4785f32..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-cassandra-queryview.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "cassandra.request.query", - "cassandra.response.result.rows.meta.keyspace", - "cassandra.response.result.rows.meta.table", - "cassandra.response.result.rows.num_rows" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cassandra.request.headers.op\",\"negate\":false,\"params\":{\"query\":\"QUERY\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"QUERY\"},\"query\":{\"match\":{\"cassandra.request.headers.op\":{\"query\":\"QUERY\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"cassandra.response.headers.op\",\"negate\":true,\"params\":{\"query\":\"ERROR\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ERROR\"},\"query\":{\"match\":{\"cassandra.response.headers.op\":{\"query\":\"ERROR\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Query Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-queryview", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json deleted file mode 100755 index e042ed47b0..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "server.ip", - "destination.ip", - "dns.question.name", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"dns\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"dns\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"dns\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DNS Protocol", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json deleted file mode 100755 index adda40afe3..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json deleted file mode 100755 index 54ccb16243..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":\"TLS sessions\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-flows-search.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-flows-search.json deleted file mode 100755 index 94bf5f31c0..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-flows-search.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "type", - "event.start", - "event.end", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "source.bytes", - "destination.bytes" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.flow\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Flows Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json deleted file mode 100755 index f3f1e907c0..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb and request: \\\"writeConcern w 0\\\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB transactions with write concern 0", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-mongodb-transactions.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-mongodb-transactions.json deleted file mode 100755 index 71fb0f7d06..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-mongodb-transactions.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB Transaction Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-mysql-errors.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-mysql-errors.json deleted file mode 100755 index e6696d3dfe..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-mysql-transactions.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-mysql-transactions.json deleted file mode 100755 index 035e4af69f..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-mysql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-nfs-errors-search.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-nfs-errors-search.json deleted file mode 100755 index 234a135c17..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-nfs-errors-search.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFSERR_NOENT\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFS_OK\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Error Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" 
-} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-nfs.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-nfs.json deleted file mode 100755 index 637ab8785a..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-nfs.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-pgsql-errors.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-pgsql-errors.json deleted file mode 100755 index e1e696c06b..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-pgsql-transactions.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-pgsql-transactions.json deleted file mode 100755 index 4cf83e438b..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-pgsql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-search.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-search.json deleted file mode 100755 index b8dcde28ff..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-search.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-thrift-errors.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-thrift-errors.json deleted file mode 100755 index 4ada45ff68..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-thrift-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-thrift-transactions.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-thrift-transactions.json deleted file mode 100755 index d561697995..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-thrift-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/search/network_traffic-transactions-errors.json b/packages/network_traffic/0.10.1/kibana/search/network_traffic-transactions-errors.json deleted file mode 100755 index 26f67d32a2..0000000000 --- a/packages/network_traffic/0.10.1/kibana/search/network_traffic-transactions-errors.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Transactions Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-transactions-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - 
{ - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json deleted file mode 100755 index 72cce261f0..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Sessions", - "uiStateJSON": "{\"vis\":{\"colors\":{\"false\":\"#E24D42\",\"true\":\"#7EB26D\"},\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sessions per minute\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Handshake completed\",\"field\":\"tls.established\",\"json\":\"\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"
},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Sessions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index 428c808c1b..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] Total Number of TLS Sessions", - "uiStateJSON": "{\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-7\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total Number of TLS Sessions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 3d5fc5d68c..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.server.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Organization\",\"field\":\"tls.server.x509.subject.organization\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Server Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index a9a6b6d585..0000000000 
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Versions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TLS version\",\"field\":\"tls.detailed.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Versions\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json deleted file mode 100755 index 5c709d21ab..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Client Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique MACs\",\"field\":\"dhcpv4.client_mac\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Client Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 238ff5fe1b..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Session Resume", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"\",\"field\":\"tls.detailed.resumption_method\",\"json\":\"{\\n\\\"missing\\\": \\\"none\\\"\\n}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Session Resume\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index 28758eb761..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Message Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Op Code\",\"field\":\"dhcpv4.op_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message Type\",\"field\":\"dhcpv4.option.message_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DHCPv4 Message Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json deleted file mode 100755 index dfd0b9c2df..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Cipher", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cipher\",\"field\":\"tls.cipher\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Cipher\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json deleted file mode 100755 index 69216a897d..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"dhcpv4.option.message_type:nak OR dhcpv4.option.message_type:decline\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 NAK and Decline Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":57,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 NAK and Decline Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index e347b89b8e..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Avg Response Time (ns)\":\"#629E51\",\"Max Response Time (ns)\":\"#E24D42\",\"Min Response Time (ns)\":\"#70DBED\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Max Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"max\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"4\",\"label\":\"Min Response Time 
(ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"1\",\"label\":\"Avg Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Max Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Average event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json deleted file mode 100755 index 27390bc2a6..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"}}" - }, - "title": "[Network Packet Capture] DHCPv4 Message Types over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"c2cf4410-8ba8-11e8-ae15-bdcba81344e6\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"type:dhcpv4\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"ignore_global_filter\":0,\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"NOT dhcpv4.option.message_type:nak NOT dhcpv4.option.message_type:decline\"},\"formatter\":\"number\",\"id\":\"8abe6eb0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"Response\",\"line_width\":1,\"metrics\":[{\"id\":\"8abe6eb1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"dhcpv4.option.message_type\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.message_type:nak\"},\"formatter\":\"number\",\"id\":\"ae5610d0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"nak\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"ae5610d1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.
message_type:decline\"},\"formatter\":\"number\",\"id\":\"cf7ba180-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"decline\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"cf7ba181-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"[Network Packet Capture] DHCPv4 Message Types over Time\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 23e4ad24db..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Client Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.client.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Signature Algorithm\",\"field\":\"tls.client.x509.signature_algorithm\",\"json\":\"{ \\\"missing\\\": \\\"N/A\\\" }\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Client Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index e100d4e38f..0000000000 
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Name Indication", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Server Name Indication\",\"field\":\"tls.client.server_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"hideLabel\":false,\"maxFontSize\":64,\"minFontSize\":14,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"[Network Packet Capture] TLS Server Name Indication\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 204f509a93..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Fingerprint", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"JA3 Fingerprint\",\"field\":\"tls.client.ja3\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Fingerprint\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index c8ca05e364..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Public Key Size", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Public Key Size\",\"field\":\"tls.server.x509.public_key_size\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] Server Public Key Size\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index 7d805b99d1..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Client and Servers Pie Chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Client and Servers Pie Chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-bytes-transferred-per-domain.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-bytes-transferred-per-domain.json deleted file mode 100755 index 6b89c0127d..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-bytes-transferred-per-domain.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Bytes Transferred per Domain", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Bytes In\":\"#F2C96D\",\"Bytes Out\":\"#629E51\",\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Bytes Out\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Bytes 
In\"},\"mode\":\"normal\",\"show\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"grouped\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Bytes Transferred per Domain\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bytes-transferred-per-domain", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json deleted file mode 100755 index 1b5f21f993..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"exists\\\":{\\\"field\\\":\\\"tls\\\"}}\"},\"query\":{\"exists\":{\"field\":\"tls\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] TLS Alerts", - "uiStateJSON": "{\"vis\":{\"colors\":{\"None\":\"#7EB26D\",\"handshake_failure\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"tls.detailed.alert_types\",\"include\":\".*\",\"json\":\"{\\\"missing\\\": \\\"None\\\"}\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Alerts\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-ops.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-ops.json deleted file mode 100755 index fcdb742965..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-ops.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra Ops", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra Ops\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-ops", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-requestcount.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-requestcount.json deleted file mode 100755 index ac31b1fa2f..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-requestcount.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCount", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCount\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcount", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-requestcountbytype.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-requestcountbytype.json deleted file mode 100755 index be3352be29..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-requestcountbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":\"13\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json deleted file mode 100755 index 9e1ebf6056..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsecountbytype.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsecountbytype.json deleted file mode 100755 index 17a71a0e30..0000000000 
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsecountbytype.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"radiusRatio\":\"15\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra: ResponseCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json deleted file mode 100755 index ee9d47e2f6..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsekeyspace.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsekeyspace.json deleted file mode 100755 index 2f203d6dd9..0000000000 
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsekeyspace.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseKeyspace", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.keyspace\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.table\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseKeyspace\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsekeyspace", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsetime.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsetime.json deleted file mode 100755 index 152ebf53ef..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsetime.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseTime", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[5,25,50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseTime\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetime", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsetype.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsetype.json deleted file mode 100755 index 85c2b4d398..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-cassandra-responsetype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseType\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-connections-over-time.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-connections-over-time.json deleted file mode 100755 index 97d4affdf5..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-connections-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Connections over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Flows\",\"field\":\"flow.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique 
Flows\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Connections over time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-connections-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index d8cedfb7c3..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Transaction Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Transactions\",\"field\":\"dhcpv4.transaction_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Transaction Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 856211710f..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"params\":{\"gte\":0,\"lt\":1000000000},\"type\":\"range\",\"value\":\"0 to 1,000,000,000\"},\"range\":{\"event.duration\":{\"gte\":0,\"lt\":1000000000}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Handshake Latency", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Handshake Latency (ns)\",\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":2000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"m
ode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Handshake Latency\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-db-transactions.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-db-transactions.json deleted file mode 100755 index 475882f60d..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-db-transactions.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.type\",\"negate\":true,\"params\":{\"query\":\"flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"flow\"},\"query\":{\"match\":{\"event.type\":{\"query\":\"flow\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"}}" - }, - "title": "[Network Packet Capture] Transaction Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.dataset\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count
\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Transaction Types\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-db-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json deleted file mode 100755 index 333052a373..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"}}" - }, - "title": "[Network Packet Capture] Top Domains by Data Volume", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"3\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top Domains by Data Volume\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-query-summary.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-query-summary.json deleted file mode 100755 index 1898c984d8..0000000000 
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-query-summary.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Query Summary", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"17\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":28,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DNS Query Summary\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-query-summary", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-question-types.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-question-types.json deleted file mode 100755 index b2a975b430..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-question-types.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Question Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Question Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-question-types", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-request-status-over-time.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-request-status-over-time.json deleted file mode 100755 index 53c1b991c8..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-request-status-over-time.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Request Status Over Time", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Error\":\"#890F02\",\"OK\":\"#0A50A1\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"
id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] DNS Request Status Over Time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-request-status-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-response-codes.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-response-codes.json deleted file mode 100755 index b9edd3cab4..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-response-codes.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Response Codes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Code\",\"field\":\"dns.response_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Response Codes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-response-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-top-10-questions.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-top-10-questions.json deleted file mode 100755 index d86db94a8d..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-dns-top-10-questions.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":false,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Top 10 Questions", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Question\",\"field\":\"dns.question.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Top 10 Questions\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-top-10-questions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json deleted file mode 100755 index b89d822540..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Avg Response 
Time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":3.5,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Avg Response Time\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Transactions\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-errors-count-over-time.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-errors-count-over-time.json deleted file mode 100755 index 5582bc6c67..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-errors-count-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors count over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"30s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] New Visualization\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-count-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-transactions-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-errors-vs-successful-transactions.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-errors-vs-successful-transactions.json deleted file mode 100755 index c3ac23f5a7..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-errors-vs-successful-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors vs successful transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"percentage\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"percentage\",\"setYExtents\":
false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Errors vs successful transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-vs-successful-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json deleted file mode 100755 index c0d680e520..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Data Transfer", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Requests\",\"field\":\"client.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Responses\",\"field\":\"server.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":24,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Data Transfer\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json deleted file mode 100755 index d8885cd43f..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP status codes for the top queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Query\",\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":false,\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] HTTP status codes for the top queries\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-codes-for-the-top-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-http-error-codes-evolution.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-http-error-codes-evolution.json deleted file mode 100755 index 479733a2af..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-http-error-codes-evolution.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"http.response.status_code\",\"negate\":true,\"params\":{\"gte\":200,\"lt\":299},\"type\":\"range\",\"value\":\"200 to 299\"},\"range\":{\"http.response.status_code\":{\"gte\":200,\"lte\":299}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes evolution", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes evolution\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes-evolution", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-http-error-codes.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-http-error-codes.json deleted file mode 100755 index 1cb90080fc..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-http-error-codes.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"type\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http and http.response.status_code \\u003e= 300\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"type\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique count of type\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-latency-histogram.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-latency-histogram.json deleted file mode 100755 index 34aa0f3d11..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-latency-histogram.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Latency Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Latency Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": 
"network_traffic-latency-histogram", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-commands.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-commands.json deleted file mode 100755 index 87474df326..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-commands.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB Commands", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"silhouette\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\
",\"scale\":{\"defaultYExtents\":false,\"mode\":\"silhouette\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB Commands\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-commands", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-errors-per-collection.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-errors-per-collection.json deleted file mode 100755 index ea23f3560f..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-errors-per-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors per collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueA
xes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors per collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors-per-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-errors.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-errors.json deleted file mode 100755 index 183ec66ef3..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"row\":true,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mod
e\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json deleted file mode 100755 index 74b8a6fd64..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB in/out throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of source.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Sum of 
destination.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB in/out throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-in-slash-out-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json deleted file mode 100755 index 0346b7b1cd..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB response times by collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":false,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB response times by collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-response-times-by-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-most-frequent-mysql-queries.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-most-frequent-mysql-queries.json deleted file mode 100755 index 08c27fcecf..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-most-frequent-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent MySQL queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"query\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true},\"title\":\"[Network Packet Capture] Most frequent MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json deleted file mode 100755 index 6ddc08eafb..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent PgSQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Most frequent PgSQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-errors.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-errors.json deleted file mode 100755 index 25ded66860..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-methods.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-methods.json deleted file mode 100755 index 34e609f25b..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"sca
le\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-reads-vs-writes.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-reads-vs-writes.json deleted file mode 100755 index 4fece54090..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-response-times-percentiles.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-response-times-percentiles.json deleted file mode 100755 index add1156167..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Mysql response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Mysql response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0",
- "id": "network_traffic-mysql-response-times-percentiles",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mysql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-throughput.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-throughput.json
deleted file mode 100755
index fd67a3b714..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-mysql-throughput.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] MySQL throughput\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-mysql-throughput",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mysql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-navigation.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-navigation.json
deleted file mode 100755
index 958a4a7a7c..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-navigation.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "title": "[Network Packet Capture] Navigation",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### Network Packet Capture:\\n\\n[Overview](#/dashboard/network_traffic-dashboard)\\n\\n[Network Flows](#/dashboard/network_traffic-flows)\\n\\n[DNS Overview](#/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e) | [Tunneling](#/dashboard/network_traffic-dns-unique-domains)\\n\\n[DHCPv4 Transactions](#/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb)\\n\\n[TLS Overview](#/dashboard/network_traffic-tls-sessions)\\n\\n[HTTP transactions](#/dashboard/network_traffic-http)\\n\\nDatabases: [MySQL](#/dashboard/network_traffic-mysql-performance) | [PostgreSQL](#/dashboard/network_traffic-pgsql-performance) | [MongoDB](#/dashboard/network_traffic-mongodb-performance) | [Cassandra](#/dashboard/network_traffic-cassandra)\\n\\nRPC: [Thrift](#/dashboard/network_traffic-thrift-performance)\\n\\nStorage: [NFS](#/dashboard/network_traffic-nfs)\",\"openLinksInNewTab\":false},\"title\":\"[Network Packet Capture] Navigation\",\"type\":\"markdown\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-navigation",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json
deleted file mode 100755
index 292355bbdf..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Traffic Between Hosts",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Traffic Between Hosts\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-network-traffic-between-your-hosts",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-flows-search",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json
deleted file mode 100755
index 8b550d78cf..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS Request / Response Sizes", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Sum of rpc.reply_size\":\"#7EB26D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Request Size\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Size\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Request Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Response 
Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS Request / Response Sizes\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-bytes-in-slash-out",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-clients-pie-chart.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-clients-pie-chart.json
deleted file mode 100755
index 4272f7571e..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-clients-pie-chart.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS clients pie chart",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.machinename\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS clients pie chart\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-clients-pie-chart",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-errors.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-errors.json
deleted file mode 100755
index f407f4153d..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-errors.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"nfs.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":12},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"s
cale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS errors\",\"type\":\"area\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-errors",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs-errors-search",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-operation-table.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-operation-table.json
deleted file mode 100755
index 56e28320c1..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-operation-table.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS operation table",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Opcode\",\"field\":\"nfs.opcode\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] NFS operation table\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-operation-table",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-operations-area-chart.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-operations-area-chart.json
deleted file mode 100755
index 56cb538f8f..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-operations-area-chart.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[]}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS operations area chart",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"nfs.opcode\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":16},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS operations area chart\",\"type\":\"area\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-operations-area-chart",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-response-times.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-response-times.json
deleted file mode 100755
index 2ffaacd816..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-response-times.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS response times", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[50]},\"schema\":\"metric\",\"type\":\"median\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Median 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Median event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS response times\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-response-times",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json
deleted file mode 100755
index c1b2816c13..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS top group pie chart",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.gid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top group pie chart\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-top-group-pie-chart",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json
deleted file mode 100755
index 543bfe7058..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] NFS top users pie chart",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.uid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top users pie chart\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs-top-users-pie-chart",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-nfs",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json
deleted file mode 100755
index 770c776e13..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExte
nts\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0\",\"type\":\"line\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mongodb-transactions-with-write-concern-0",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-errors.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-errors.json
deleted file mode 100755
index 88a19443ff..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-errors.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-pgsql-errors",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-pgsql-errors",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-methods.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-methods.json
deleted file mode 100755
index e49215022c..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-methods.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scal
e\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json deleted file mode 100755 index 60be8776dd..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json deleted file mode 100755 index 66eb8b3b8b..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-throughput.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-throughput.json deleted file mode 100755 index aba4ebafd0..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-pgsql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL Throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-response-times-percentiles.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-response-times-percentiles.json deleted file mode 100755 index f43cfc0233..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,95,99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Response times percentiles\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-response-times-repartition.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-response-times-repartition.json deleted file mode 100755 index 2271bdb9a7..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-response-times-repartition.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times repartition", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"group\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{
}},\"title\":\"[Network Packet Capture] Response times repartition\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-repartition", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-slowest-mysql-queries.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-slowest-mysql-queries.json deleted file mode 100755 index 9194c62aaa..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-slowest-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Slowest MySQL queries",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest MySQL queries\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-slowest-mysql-queries",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mysql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-slowest-pgsql-queries.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-slowest-pgsql-queries.json
deleted file mode 100755
index ce2d661459..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-slowest-pgsql-queries.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Slowest PgSQL Queries",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Average Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest PgSQL Queries\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-slowest-pgsql-queries",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-pgsql-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json
deleted file mode 100755
index 777f4d7abe..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Slowest Thrift RPC methods",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest Thrift RPC methods\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-slowest-thrift-rpc-methods",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-thrift-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-thrift-requests-per-minute.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-thrift-requests-per-minute.json
deleted file mode 100755
index e9dee7461a..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-thrift-requests-per-minute.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[]}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Thrift requests per minute",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"m\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift requests per minute\",\"type\":\"histogram\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-thrift-requests-per-minute",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-thrift-transactions",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-thrift-response-times-percentiles.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-thrift-response-times-percentiles.json
deleted file mode 100755
index 835ee06280..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-thrift-response-times-percentiles.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Thrift response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-thrift-rpc-errors.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-thrift-rpc-errors.json deleted file mode 100755 index 37e3e901fc..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-thrift-rpc-errors.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift RPC Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift RPC Errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-rpc-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-10-http-requests.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-10-http-requests.json
deleted file mode 100755
index bb5c71dbfe..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-10-http-requests.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "savedSearchRefName": "search_0",
- "title": "[Network Packet Capture] Top 10 HTTP requests",
- "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top 10 HTTP requests\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-top-10-http-requests",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-hosts-creating-traffic.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-hosts-creating-traffic.json
deleted file mode 100755
index 842f9f29ec..0000000000
--- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-hosts-creating-traffic.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Creating Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Source 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Creating Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-creating-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json deleted file mode 100755 index 34f9d74be2..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Receiving Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Receiving Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-receiving-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json deleted file mode 100755 index e39b39b7f9..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top slowest MongoDB queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top slowest MongoDB queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-slowest-mongodb-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json deleted file mode 100755 index 3f7aee4851..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC calls with errors", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"shareYAxis\":true},\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-thrift-rpc-methods.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-thrift-rpc-methods.json deleted file mode 100755 index 8add979f7b..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-top-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC methods ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Thrift-RPC methods\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-total-number-of-http-transactions.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-total-number-of-http-transactions.json deleted file mode 100755 index 77e8f9b41a..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-total-number-of-http-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Total number of HTTP transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"37\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total number of HTTP transactions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-total-number-of-http-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json deleted file mode 100755 index 93a9d62de2..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1 Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Unique Domains\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1 Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json deleted file mode 100755 index e94d78a938..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Subdomain Count\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-web-transactions.json b/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-web-transactions.json deleted file mode 100755 index 354ec98cef..0000000000 --- a/packages/network_traffic/0.10.1/kibana/visualization/network_traffic-web-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP Transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-web-transactions", 
- "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/0.10.1/manifest.yml b/packages/network_traffic/0.10.1/manifest.yml deleted file mode 100755 index 8545fbad76..0000000000 --- a/packages/network_traffic/0.10.1/manifest.yml +++ /dev/null @@ -1,35 +0,0 @@ -format_version: 1.0.0 -name: network_traffic -title: Network Packet Capture -version: 0.10.1 -license: basic -description: Capture and analyze network traffic from a host with Elastic Agent. -type: integration -categories: - - web -release: beta -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -policy_templates: - - name: network - title: Network Packet Capture - description: Capture network traffic - inputs: - - type: packet - title: Capture network traffic - description: Collecting network traffic - vars: - - name: interface - type: text - title: Interface - required: false - show_user: false - - name: processes - type: text - multi: true - title: Processes - description: Processes to monitor (this will act as a command line grep) - required: false - show_user: false -owner: - github: elastic/security-external-integrations diff --git a/packages/network_traffic/1.0.0/changelog.yml b/packages/network_traffic/1.0.0/changelog.yml deleted file mode 100755 index 7e0aa0689d..0000000000 --- a/packages/network_traffic/1.0.0/changelog.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -# newer versions go on top -- version: "1.0.0" - changes: - - description: Release as GA. - type: enhancement - link: https://github.com/elastic/integrations/pull/3355 -- version: "0.10.1" - changes: - - description: Remove invalid value from `event.category` in SIP data set. - type: bugfix - link: https://github.com/elastic/integrations/pull/3343 -- version: "0.10.0" - changes: - - description: Add configuration options for each protocol. - type: enhancement - link: https://github.com/elastic/integrations/pull/3157 -- version: "0.9.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "0.8.2" - changes: - - description: Add missing field mappings to DNS and TLS data streams. - type: bugfix - link: https://github.com/elastic/integrations/pull/3078 -- version: "0.8.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.8.0" - changes: - - description: Change release stability to beta. - type: enhancement - link: https://github.com/elastic/integrations/pull/2793 -- version: "0.7.1" - changes: - - description: Fix mapping for tls.detailed.client_certificate_chain. - type: bugfix - link: https://github.com/elastic/integrations/pull/2793 -- version: "0.7.0" - changes: - - description: Add dashboards. Update the Kibana constraint to require 7.17.0 or 8.0.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/2762 -- version: "0.6.3" - changes: - - description: Add license note to README. - type: bugfix - link: https://github.com/elastic/integrations/pull/2809 -- version: "0.6.2" - changes: - - description: Add fields for TLS random data and OCSP status. - type: enhancement - link: https://github.com/elastic/integrations/pull/2703 -- version: "0.6.1" - changes: - - description: Remove unused field metadata. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/2648 -- version: "0.6.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2426 -- version: "0.5.1" - changes: - - description: Fix mapping for tls.detailed.server_certificate_chain - type: bugfix - link: https://github.com/elastic/integrations/pull/2517 -- version: "0.5.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2224 -- version: "0.4.2" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2097 -- version: "0.4.1" - changes: - - description: Update Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1997 - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1975 -- version: "0.4.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1669 -- version: "0.3.0" - changes: - - description: Change title to Network Packet Capture. Added timeout/period config to flows data stream. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1764 -- version: "0.2.2" - changes: - - description: Requires version 7.14.1 of the stack - type: bugfix - link: https://github.com/elastic/integrations/pull/1541 -- version: "0.2.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.2.0" - changes: - - description: Update documentation to fit mdx spec - type: enhancement - link: https://github.com/elastic/integrations/pull/1401 -- version: "0.1.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/21 diff --git a/packages/network_traffic/1.0.0/data_stream/amqp/agent/stream/amqp.yml.hbs b/packages/network_traffic/1.0.0/data_stream/amqp/agent/stream/amqp.yml.hbs deleted file mode 100755 index 22fb1883a0..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/amqp/agent/stream/amqp.yml.hbs +++ /dev/null 
@@ -1,49 +0,0 @@ -type: amqp -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if max_body_length}} -max_body_length: {{max_body_length}} -{{/if}} -{{#if parse_headers}} -parse_headers: {{parse_headers}} -{{/if}} -{{#if parse_arguments}} -parse_arguments: {{parse_arguments}} -{{/if}} -{{#if hide_connection_information}} -hide_connection_information: {{hide_connection_information}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index e1896257e1..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -description: Pipeline for processing amqp traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" 
diff --git a/packages/network_traffic/1.0.0/data_stream/amqp/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/amqp/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/amqp/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.0/data_stream/amqp/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/amqp/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/amqp/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.0/data_stream/amqp/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/amqp/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/amqp/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.0/data_stream/amqp/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/amqp/fields/ecs.yml deleted file mode 100755 index da1822dec9..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/amqp/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.0/data_stream/amqp/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/amqp/fields/protocol.yml deleted file mode 100755 index 4b87cf176c..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/amqp/fields/protocol.yml +++ /dev/null 
@@ -1,202 +0,0 @@ -- name: amqp - type: group - fields: - - name: reply-code - type: long - description: > - AMQP reply code to an error, similar to http reply-code - - example: 404 - - name: reply-text - type: keyword - description: > - Text explaining the error. - - - name: class-id - type: long - description: > - Failing method class. - - - name: method-id - type: long - description: > - Failing method ID. - - - name: exchange - type: keyword - description: > - Name of the exchange. - - - name: exchange-type - type: keyword - description: > - Exchange type. - - example: fanout - - name: passive - type: boolean - description: > - If set, do not create exchange/queue. - - - name: durable - type: boolean - description: > - If set, request a durable exchange/queue. - - - name: exclusive - type: boolean - description: > - If set, request an exclusive queue. - - - name: auto-delete - type: boolean - description: > - If set, auto-delete queue when unused. - - - name: no-wait - type: boolean - description: > - If set, the server will not respond to the method. - - - name: consumer-tag - type: keyword - description: > - Identifier for the consumer, valid within the current channel. - - - name: delivery-tag - type: long - description: > - The server-assigned and channel-specific delivery tag. - - - name: message-count - type: long - description: > - The number of messages in the queue, which will be zero for newly-declared queues. - - - name: consumer-count - type: long - description: > - The number of consumers of a queue. - - - name: routing-key - type: keyword - description: > - Message routing key. - - - name: no-ack - type: boolean - description: > - If set, the server does not expect acknowledgements for messages. - - - name: no-local - type: boolean - description: > - If set, the server will not send messages to the connection that published them. - - - name: if-unused - type: boolean - description: > - Delete only if unused. 
- - - name: if-empty - type: boolean - description: > - Delete only if empty. - - - name: queue - type: keyword - description: > - The queue name identifies the queue within the vhost. - - - name: redelivered - type: boolean - description: > - Indicates that the message has been previously delivered to this or another client. - - - name: multiple - type: boolean - description: > - Acknowledge multiple messages. - - - name: arguments - type: object - description: > - Optional additional arguments passed to some methods. Can be of various types. - - - name: mandatory - type: boolean - description: > - Indicates mandatory routing. - - - name: immediate - type: boolean - description: > - Request immediate delivery. - - - name: content-type - type: keyword - description: > - MIME content type. - - example: text/plain - - name: content-encoding - type: keyword - description: > - MIME content encoding. - - - name: headers - type: object - object_type: keyword - description: > - Message header field table. - - - name: delivery-mode - type: keyword - description: > - Non-persistent (1) or persistent (2). - - - name: priority - type: long - description: > - Message priority, 0 to 9. - - - name: correlation-id - type: keyword - description: > - Application correlation identifier. - - - name: reply-to - type: keyword - description: > - Address to reply to. - - - name: expiration - type: keyword - description: > - Message expiration specification. - - - name: message-id - type: keyword - description: > - Application message identifier. - - - name: timestamp - type: keyword - description: > - Message timestamp. - - - name: type - type: keyword - description: > - Message type name. - - - name: user-id - type: keyword - description: > - Creating user id. - - - name: app-id - type: keyword - description: > - Creating application id. - 
diff --git a/packages/network_traffic/1.0.0/data_stream/amqp/manifest.yml b/packages/network_traffic/1.0.0/data_stream/amqp/manifest.yml
deleted file mode 100755
index 392448511a..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/amqp/manifest.yml
+++ /dev/null
@@ -1,105 +0,0 @@ -title: AMQP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5672] - - name: max_body_length - type: integer - title: Max Body Length - description: |- - Truncate messages that are published and avoid huge messages being - indexed. - Default: 1000 - show_user: false - multi: false - required: false - - name: parse_headers - type: bool - title: Parse Headers - description: |- - Hide the header fields in header frames. - Default: false - show_user: false - multi: false - required: false - - name: parse_arguments - type: bool - title: Parse Arguments - description: |- - Hide the additional arguments of method frames. - Default: false - show_user: false - multi: false - required: false - - name: hide_connection_information - type: bool - title: Hide Connection Information - description: |- - Hide all methods relative to connection negotiation between server and - client. - Default: true - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. 
- show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: AMQP - description: Capture AMQP Traffic - template_path: amqp.yml.hbs diff --git a/packages/network_traffic/1.0.0/data_stream/amqp/sample_event.json b/packages/network_traffic/1.0.0/data_stream/amqp/sample_event.json deleted file mode 100755 index 9ef02f389f..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/amqp/sample_event.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:37:02.033Z", - "agent": { - "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "amqp": { - "auto-delete": false, - "consumer-count": 0, - "durable": false, - "exclusive": false, - "message-count": 0, - "no-wait": false, - "passive": false, - "queue": "hello" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "data_stream": { - "dataset": "network_traffic.amqp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "amqp.queue.declare", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.amqp", - "duration": 1325900, - "end": "2022-03-09T07:37:02.035Z", - "ingested": "2022-03-09T07:37:03Z", - "kind": "event", - "start": "2022-03-09T07:37:02.033Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - 
},
- "status": "OK",
- "type": "amqp"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs b/packages/network_traffic/1.0.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs
deleted file mode 100755
index 9c4ec167d1..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs
+++ /dev/null
@@ -1,49 +0,0 @@
-type: cassandra
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_request_header}}
-send_request_header: {{send_request_header}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if send_response_header}}
-send_response_header: {{send_response_header}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if compressor}}
-compressor: {{compressor}}
-{{/if}}
-{{#if ignored_ops}}
-ignored_ops:
-{{#each ignored_ops as |ignored_op|}}
- - {{ignored_op}}
-{{/each}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index db4451530a..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing cassandra traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.0/data_stream/cassandra/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/cassandra/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/cassandra/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.0/data_stream/cassandra/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/cassandra/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/cassandra/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.0/data_stream/cassandra/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/cassandra/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/cassandra/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.0/data_stream/cassandra/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/cassandra/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/cassandra/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.0.0/data_stream/cassandra/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/cassandra/fields/protocol.yml
deleted file mode 100755
index 58a2f6c12d..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/cassandra/fields/protocol.yml
+++ /dev/null
@@ -1,283 +0,0 @@
-- name: cassandra
- type: group
- description: Information about the Cassandra request and response.
- fields:
- - name: no_request
- type: boolean
- description: >
- Indicates that there is no request because this is a PUSH message.
-
- - name: request
- type: group
- description: Cassandra request.
- fields:
- - name: headers
- type: group
- description: Cassandra request headers.
- fields:
- - name: version
- type: keyword
- description: The version of the protocol.
- - name: flags
- type: keyword
- description: Flags applying to this frame.
- - name: stream
- type: keyword
- description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.
- - name: op
- type: keyword
- description: An operation type that distinguishes the actual message.
- - name: length
- type: long
- description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length).
- - name: query
- type: keyword
- description: The CQL query which client send to cassandra.
- - name: response
- type: group
- description: Cassandra response.
- fields:
- - name: headers
- type: group
- description: Cassandra response headers, the structure is as same as request's header.
- fields:
- - name: version
- type: keyword
- description: The version of the protocol.
- - name: flags
- type: keyword
- description: Flags applying to this frame.
- - name: stream
- type: keyword
- description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.
- - name: op
- type: keyword
- description: An operation type that distinguishes the actual message.
- - name: length
- type: long
- description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length).
- - name: result
- type: group
- description: Details about the returned result.
- fields:
- - name: type
- type: keyword
- description: Cassandra result type.
- - name: rows
- type: group
- description: Details about the rows.
- fields:
- - name: num_rows
- type: long
- description: Representing the number of rows present in this result.
- - name: meta
- type: group
- description: Composed of result metadata.
- fields:
- - name: keyspace
- type: keyword
- description: Only present after set Global_tables_spec, the keyspace name.
- - name: table
- type: keyword
- description: Only present after set Global_tables_spec, the table name.
- - name: flags
- type: keyword
- description: Provides information on the formatting of the remaining information.
- - name: col_count
- type: long
- description: Representing the number of columns selected by the query that produced this result.
- - name: pkey_columns
- type: long
- description: Representing the PK columns index and counts.
- - name: paging_state
- type: keyword
- description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
- - name: keyspace
- type: keyword
- description: Indicating the name of the keyspace that has been set.
- - name: schema_change
- type: group
- description: The result to a schema_change message.
- fields:
- - name: change
- type: keyword
- description: Representing the type of changed involved.
- - name: keyspace
- type: keyword
- description: This describes which keyspace has changed.
- - name: table
- type: keyword
- description: This describes which table has changed.
- - name: object
- type: keyword
- description: This describes the name of said affected object (either the table, user type, function, or aggregate name).
- - name: target
- type: keyword
- description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments.
- - name: name
- type: keyword
- description: The function/aggregate name.
- - name: args
- type: keyword
- description: One string for each argument type (as CQL type).
- - name: prepared
- type: group
- description: The result to a PREPARE message.
- fields:
- - name: prepared_id
- type: keyword
- description: Representing the prepared query ID.
- - name: req_meta
- type: group
- description: This describes the request metadata.
- fields:
- - name: keyspace
- type: keyword
- description: Only present after set Global_tables_spec, the keyspace name.
- - name: table
- type: keyword
- description: Only present after set Global_tables_spec, the table name.
- - name: flags
- type: keyword
- description: Provides information on the formatting of the remaining information.
- - name: col_count
- type: long
- description: Representing the number of columns selected by the query that produced this result.
- - name: pkey_columns
- type: long
- description: Representing the PK columns index and counts.
- - name: paging_state
- type: keyword
- description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
- - name: resp_meta
- type: group
- description: This describes the metadata for the result set.
- fields:
- - name: keyspace
- type: keyword
- description: Only present after set Global_tables_spec, the keyspace name.
- - name: table
- type: keyword
- description: Only present after set Global_tables_spec, the table name.
- - name: flags
- type: keyword
- description: Provides information on the formatting of the remaining information.
- - name: col_count
- type: long
- description: Representing the number of columns selected by the query that produced this result.
- - name: pkey_columns
- type: long
- description: Representing the PK columns index and counts.
- - name: paging_state
- type: keyword
- description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
- - name: supported
- type: flattened
- description: Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message.
- - name: authentication
- type: group
- description: Indicates that the server requires authentication, and which authentication mechanism to use.
- fields:
- - name: class
- type: keyword
- description: Indicates the full class name of the IAuthenticator in use
- - name: warnings
- type: keyword
- description: The text of the warnings, only occur when Warning flag was set.
- - name: event
- type: group
- description: Event pushed by the server. A client will only receive events for the types it has REGISTERed to.
- fields:
- - name: type
- type: keyword
- description: Representing the event type.
- - name: change
- type: keyword
- description: The message corresponding respectively to the type of change followed by the address of the new/removed node.
- - name: host
- type: keyword
- description: Representing the node ip.
- - name: port
- type: long
- description: Representing the node port.
- - name: schema_change
- type: group
- description: The events details related to schema change.
- fields:
- - name: change
- type: keyword
- description: Representing the type of changed involved.
- - name: keyspace
- type: keyword
- description: This describes which keyspace has changed.
- - name: table
- type: keyword
- description: This describes which table has changed.
- - name: object
- type: keyword
- description: This describes the name of said affected object (either the table, user type, function, or aggregate name).
- - name: target
- type: keyword
- description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments.
- - name: name
- type: keyword
- description: The function/aggregate name.
- - name: args
- type: keyword
- description: One string for each argument type (as CQL type).
- - name: error
- type: group
- description: Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow.
- fields:
- - name: code
- type: long
- description: The error code of the Cassandra response.
- - name: msg
- type: keyword
- description: The error message of the Cassandra response.
- - name: type
- type: keyword
- description: The error type of the Cassandra response.
- - name: details
- type: group
- description: The details of the error.
- fields:
- - name: read_consistency
- type: keyword
- description: Representing the consistency level of the query that triggered the exception.
- - name: required
- type: long
- description: Representing the number of nodes that should be alive to respect consistency level.
- - name: alive
- type: long
- description: Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered).
- - name: received
- type: long
- description: Representing the number of nodes having acknowledged the request.
- - name: blockfor
- type: long
- description: Representing the number of replicas whose acknowledgement is required to achieve consistency level.
- - name: write_type
- type: keyword
- description: Describe the type of the write that timed out.
- - name: data_present
- type: boolean
- description: It means the replica that was asked for data had responded.
- - name: keyspace
- type: keyword
- description: The keyspace of the failed function.
- - name: table
- type: keyword
- description: The keyspace of the failed function.
- - name: stmt_id
- type: keyword
- description: Representing the unknown ID.
- - name: num_failures
- type: keyword
- description: Representing the number of nodes that experience a failure while executing the request.
- - name: function
- type: keyword
- description: The name of the failed function.
- - name: arg_types
- type: keyword
- description: One string for each argument type (as CQL type) of the failed function.
diff --git a/packages/network_traffic/1.0.0/data_stream/cassandra/manifest.yml b/packages/network_traffic/1.0.0/data_stream/cassandra/manifest.yml
deleted file mode 100755
index b05f2d1e4e..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/cassandra/manifest.yml
+++ /dev/null
@@ -1,92 +0,0 @@
-title: Cassandra
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [9042]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`cassandra_request` field)
- is included in published events. The default is true.
- show_user: false
- multi: false
- required: false
- - name: send_request_header
- type: bool
- title: Send Request Header
- description: |-
- If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field)
- is included in published events. The default is true. enable `send_request` first before enable this option.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`cassandra_response` field)
- is included in published events. The default is true.
- show_user: false
- multi: false
- required: false
- - name: send_response_header
- type: bool
- title: Send Response Header
- description: |-
- If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field)
- is included in published events. The default is true. enable `send_response` first before enable this option.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: compressor
- type: text
- title: Compressor
- description: |-
- Configures the default compression algorithm being used to uncompress compressed frames by name.
Currently only `snappy` is can be configured.
- By default no compressor is configured.
- show_user: false
- multi: false
- required: false
- - name: ignored_ops
- type: text
- title: Ignored Ops
- description: This option indicates which Operator/Operators will be ignored.
- show_user: false
- multi: true
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: Cassandra
- description: Capture Cassandra Traffic
- template_path: cassandra.yml.hbs
diff --git a/packages/network_traffic/1.0.0/data_stream/cassandra/sample_event.json b/packages/network_traffic/1.0.0/data_stream/cassandra/sample_event.json
deleted file mode 100755
index aa2d587c11..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/cassandra/sample_event.json
+++ /dev/null
@@ -1,125 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:43:05.888Z",
- "agent": {
- "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "cassandra": {
- "request": {
- "headers": {
- "flags": "Default",
- "length": 98,
- "op": "QUERY",
- "stream": 49,
- "version": "4"
- },
- "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);"
- },
- "response": {
- "headers": {
- "flags": "Default",
- "length": 39,
- "op": "RESULT",
- "stream": 49,
- "version": "4"
- },
- "result": {
- "schema_change": {
- "change": "CREATED",
- "keyspace": "mykeyspace",
- "object": "users",
- "target": "TABLE"
- },
- "type": "schemaChanged"
- }
- }
- },
- "client": {
- "bytes": 107,
- "ip": "127.0.0.1",
- "port": 52749
- },
- "data_stream": {
- "dataset": "network_traffic.cassandra",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 48,
- "ip": "127.0.0.1",
- "port": 9042
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.cassandra",
- "duration": 131589500,
- "end": "2022-03-09T07:43:06.019Z",
- "ingested": "2022-03-09T07:43:09Z",
- "kind": "event",
- "start": "2022-03-09T07:43:05.888Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "network": {
- "bytes": 155,
- "community_id":
"1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=",
- "direction": "ingress",
- "protocol": "cassandra",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 48,
- "ip": "127.0.0.1",
- "port": 9042
- },
- "source": {
- "bytes": 107,
- "ip": "127.0.0.1",
- "port": 52749
- },
- "status": "OK",
- "type": "cassandra"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs b/packages/network_traffic/1.0.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
deleted file mode 100755
index 2c56638255..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
+++ /dev/null
@@ -1,28 +0,0 @@
-type: dhcpv4
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 7c07281afb..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-description: Pipeline for processing dhcpv4 traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: dhcpv4.client_mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: dhcpv4.client_mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: dhcpv4.client_mac
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/protocol.yml deleted file mode 100755 index 0180691a5b..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/dhcpv4/fields/protocol.yml +++ /dev/null 
@@ -1,177 +0,0 @@ -- name: dhcpv4 - type: group - fields: - - name: transaction_id - type: keyword - description: | - Transaction ID, a random number chosen by the - client, used by the client and server to associate - messages and responses between a client and a - server. - - name: seconds - type: long - description: | - Number of seconds elapsed since client began address acquisition or - renewal process. - - name: flags - type: keyword - description: | - Flags are set by the client to indicate how the DHCP server should - its reply -- either unicast or broadcast. - - name: client_ip - type: ip - description: The current IP address of the client. - - name: assigned_ip - type: ip - description: | - The IP address that the DHCP server is assigning to the client. - This field is also known as "your" IP address. - - name: server_ip - type: ip - description: | - The IP address of the DHCP server that the client should use for the - next step in the bootstrap process. - - name: relay_ip - type: ip - description: | - The relay IP address used by the client to contact the server - (i.e. a DHCP relay server). - - name: client_mac - type: keyword - description: The client's MAC address (layer two). - - name: server_name - type: keyword - description: | - The name of the server sending the message. Optional. Used in - DHCPOFFER or DHCPACK messages. - - name: op_code - type: keyword - example: bootreply - description: | - The message op code (bootrequest or bootreply). - - name: hops - type: long - description: The number of hops the DHCP message went through. - - name: hardware_type - type: keyword - description: | - The type of hardware used for the local network (Ethernet, - LocalTalk, etc). - - name: option - type: group - fields: - - name: message_type - type: keyword - example: ack - description: | - The specific type of DHCP message being sent (e.g. discover, - offer, request, decline, ack, nak, release, inform). 
- - name: parameter_request_list - type: keyword - description: | - This option is used by a DHCP client to request values for - specified configuration parameters. - - name: requested_ip_address - type: ip - description: | - This option is used in a client request (DHCPDISCOVER) to allow - the client to request that a particular IP address be assigned. - - name: server_identifier - type: ip - description: | - IP address of the individual DHCP server which handled this - message. - - name: broadcast_address - type: ip - description: | - This option specifies the broadcast address in use on the - client's subnet. - - name: max_dhcp_message_size - type: long - description: | - This option specifies the maximum length DHCP message that the - client is willing to accept. - - name: class_identifier - type: keyword - description: | - This option is used by DHCP clients to optionally identify the - vendor type and configuration of a DHCP client. Vendors may - choose to define specific vendor class identifiers to convey - particular configuration or other identification information - about a client. For example, the identifier may encode the - client's hardware configuration. - - name: domain_name - type: keyword - description: | - This option specifies the domain name that client should use - when resolving hostnames via the Domain Name System. - - name: dns_servers - type: ip - description: | - The domain name server option specifies a list of Domain Name - System servers available to the client. - - name: vendor_identifying_options - type: object - description: | - A DHCP client may use this option to unambiguously identify the - vendor that manufactured the hardware on which the client is - running, the software in use, or an industry consortium to which - the vendor belongs. This field is described in RFC 3925. - - name: subnet_mask - type: ip - description: | - The subnet mask that the client should use on the currnet - network. 
- - name: utc_time_offset_sec - type: long - description: | - The time offset field specifies the offset of the client's - subnet in seconds from Coordinated Universal Time (UTC). - - name: router - type: ip - description: | - The router option specifies a list of IP addresses for routers - on the client's subnet. - - name: time_servers - type: ip - description: | - The time server option specifies a list of RFC 868 time servers - available to the client. - - name: ntp_servers - type: ip - description: | - This option specifies a list of IP addresses indicating NTP - servers available to the client. - - name: hostname - type: keyword - description: | - This option specifies the name of the client. - - name: ip_address_lease_time_sec - type: long - description: | - This option is used in a client request (DHCPDISCOVER or - DHCPREQUEST) to allow the client to request a lease time for the - IP address. In a server reply (DHCPOFFER), a DHCP server uses - this option to specify the lease time it is willing to offer. - - name: message - type: text - description: | - This option is used by a DHCP server to provide an error message - to a DHCP client in a DHCPNAK message in the event of a failure. - A client may use this option in a DHCPDECLINE message to - indicate the why the client declined the offered parameters. - - name: renewal_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the RENEWING state. - - name: rebinding_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the REBINDING state. - - name: boot_file_name - type: keyword - description: | - This option is used to identify a bootfile when the 'file' field - in the DHCP header has been used for DHCP options. 
diff --git a/packages/network_traffic/1.0.0/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/1.0.0/data_stream/dhcpv4/manifest.yml deleted file mode 100755 index fc09a92781..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/dhcpv4/manifest.yml +++ /dev/null @@ -1,40 +0,0 @@ -title: DHCP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [67, 68] - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: DHCP - description: Capture DHCP Traffic - template_path: dhcpv4.yml.hbs diff --git a/packages/network_traffic/1.0.0/data_stream/dhcpv4/sample_event.json b/packages/network_traffic/1.0.0/data_stream/dhcpv4/sample_event.json deleted file mode 100755 index 59ab870695..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/dhcpv4/sample_event.json +++ /dev/null 
@@ -1,111 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:43:52.712Z", - "agent": { - "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "data_stream": { - "dataset": "network_traffic.dhcpv4", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "255.255.255.255", - "port": 67 - }, - "dhcpv4": { - "client_mac": "00-0B-82-01-FC-42", - "flags": "unicast", - "hardware_type": "Ethernet", - "hops": 0, - "op_code": "bootrequest", - "option": { - "message_type": "discover", - "parameter_request_list": [ - "Subnet Mask", - "Router", - "Domain Name Server", - "NTP Servers" - ], - "requested_ip_address": "0.0.0.0" - }, - "seconds": 0, - "transaction_id": "0x00003d1d" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dhcpv4", - "ingested": "2022-03-09T07:43:53Z", - "kind": "event", - "start": "2022-03-09T07:43:52.712Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 272, - "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", - "direction": "unknown", - "protocol": "dhcpv4", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "0.0.0.0", - "255.255.255.255" - ] - }, - "server": { - "ip": "255.255.255.255", - 
"port": 67 - }, - "source": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "status": "OK", - "type": "dhcpv4" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/data_stream/dns/agent/stream/dns.yml.hbs b/packages/network_traffic/1.0.0/data_stream/dns/agent/stream/dns.yml.hbs deleted file mode 100755 index e68885b2f8..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/dns/agent/stream/dns.yml.hbs +++ /dev/null @@ -1,43 +0,0 @@ -type: dns -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if include_authorities}} -include_authorities: {{include_authorities}} -{{/if}} -{{#if include_additionals}} -include_additionals: {{include_additionals}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 012fede9d4..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -description: Pipeline for processing dhcpv4 traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.0/data_stream/dns/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/dns/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/dns/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.0/data_stream/dns/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/dns/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/dns/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.0/data_stream/dns/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/dns/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/dns/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.0/data_stream/dns/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/dns/fields/ecs.yml deleted file mode 100755 index e2ea6f338f..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,200 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. 
- name: dns.answers.type - type: keyword -- description: |- - Array of 2 letter DNS header flags. - Expected values are: AA, TC, RD, RA, AD, CD, DO. - name: dns.header_flags - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - name: dns.op_code - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.0/data_stream/dns/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/dns/fields/protocol.yml deleted file mode 100755 index 28d506b996..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/dns/fields/protocol.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: dns - type: group - fields: - - name: flags.authoritative - type: boolean - description: > - A DNS flag specifying that the responding server is an authority for the domain name used in the question. - - - name: flags.recursion_available - type: boolean - description: > - A DNS flag specifying whether recursive query support is available in the name server. - - - name: flags.recursion_desired - type: boolean - description: > - A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. - - - name: flags.authentic_data - type: boolean - description: > - A DNS flag specifying that the recursive server considers the response authentic. - - - name: flags.checking_disabled - type: boolean - description: > - A DNS flag specifying that the client disables the server signature validation of the query. - - - name: flags.truncated_response - type: boolean - description: > - A DNS flag specifying that only the first 512 bytes of the reply were returned. - - - name: question.etld_plus_one - type: keyword - description: The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. - example: amazon.co.uk. - - name: answers_count - type: long - description: > - The number of resource records contained in the `dns.answers` field. - - - name: authorities - type: object - description: > - An array containing a dictionary for each authority section from the answer. - - - name: authorities_count - type: long - description: > - The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. - - - name: authorities.name - type: keyword - description: The domain name to which this resource record pertains. 
- example: example.com. - - name: authorities.type - type: keyword - description: The type of data contained in this resource record. - example: NS - - name: authorities.class - type: keyword - description: The class of DNS data contained in this resource record. - example: IN - - name: additionals - type: object - description: > - An array containing a dictionary for each additional section from the answer. - - - name: additionals_count - type: long - description: > - The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. - - - name: additionals.name - type: keyword - description: The domain name to which this resource record pertains. - example: example.com. - - name: additionals.type - type: keyword - description: The type of data contained in this resource record. - example: NS - - name: additionals.class - type: keyword - description: The class of DNS data contained in this resource record. - example: IN - - name: additionals.ttl - description: > - The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - - type: long - - name: additionals.data - type: keyword - description: > - The data describing the resource. The meaning of this data depends on the type and class of the resource record. - - - name: opt.version - type: keyword - description: The EDNS version. - example: "0" - - name: opt.do - type: boolean - description: If set, the transaction uses DNSSEC. - - name: opt.ext_rcode - type: keyword - description: Extended response code field. - example: "BADVERS" - - name: opt.udp_size - type: long - description: Requestor's UDP payload size (in bytes). diff --git a/packages/network_traffic/1.0.0/data_stream/dns/manifest.yml b/packages/network_traffic/1.0.0/data_stream/dns/manifest.yml deleted file mode 100755 index cc5476bfad..0000000000 
--- a/packages/network_traffic/1.0.0/data_stream/dns/manifest.yml +++ /dev/null 
@@ -1,95 +0,0 @@ -title: DNS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [53] - - name: include_authorities - type: bool - title: Include Authorities - description: |- - include_authorities controls whether or not the dns.authorities field - (authority resource records) is added to messages. - Default: false - show_user: false - multi: false - required: false - - name: include_additionals - type: bool - title: Include Additionals - description: |- - include_additionals controls whether or not the dns.additionals field - (additional resource records) is added to messages. - Default: false - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - send_request controls whether or not the stringified DNS - request messages are added to the result. - Nearly all data about the request/response is available in the dns.* - fields, but this can be useful if you need visibility specifically - into the request or the response. - Default: false - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - send_response controls whether or not the stringified DNS - response messages are added to the result. - Nearly all data about the request/response is available in the dns.* - fields, but this can be useful if you need visibility specifically - into the request or the response. - Default: false - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. 
- show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: DNS - description: Capture DNS Traffic - template_path: dns.yml.hbs diff --git a/packages/network_traffic/1.0.0/data_stream/dns/sample_event.json b/packages/network_traffic/1.0.0/data_stream/dns/sample_event.json deleted file mode 100755 index 476a880555..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,158 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:48:42.751Z", - "agent": { - "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "data_stream": { - "dataset": "network_traffic.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "dns": { - "additionals_count": 0, - "answers": [ - { - "class": "IN", - "data": "ns-1183.awsdns-19.org", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-2007.awsdns-58.co.uk", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-66.awsdns-08.com", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-835.awsdns-40.net", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - } - ], - "answers_count": 4, - "authorities_count": 0, - "flags": { - "authentic_data": false, - "authoritative": false, - "checking_disabled": false, - "recursion_available": true, - "recursion_desired": true, - "truncated_response": false - }, - "header_flags": [ - "RD", - "RA" - ], - "id": 26187, - "op_code": "QUERY", - "question": { - "class": "IN", - "etld_plus_one": "elastic.co", - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "NS" - }, - "response_code": "NOERROR", - "type": "answer" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dns", - "duration": 68515700, - "end": "2022-03-09T07:48:42.819Z", - "ingested": "2022-03-09T07:48:43Z", - "kind": "event", - "start": 
"2022-03-09T07:48:42.751Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "QUERY", - "network": { - "bytes": 195, - "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", - "direction": "unknown", - "protocol": "dns", - "transport": "udp", - "type": "ipv4" - }, - "query": "class IN, type NS, elastic.co", - "related": { - "ip": [ - "192.168.238.68", - "8.8.8.8" - ] - }, - "resource": "elastic.co", - "server": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "source": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "status": "OK", - "type": "dns" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/data_stream/flow/agent/stream/flow.yml.hbs b/packages/network_traffic/1.0.0/data_stream/flow/agent/stream/flow.yml.hbs deleted file mode 100755 index 80f2a27460..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/flow/agent/stream/flow.yml.hbs +++ /dev/null @@ -1,23 +0,0 @@ -type: flow -{{#if timeout}} -flows.timeout: '{{timeout}}' -{{/if}} -{{#if period}} -flows.period: '{{period}}' -{{/if}} -{{#if processes}} -procs: - enabled: true - monitored: - {{#each processes}} - - cmdline_grep: {{this}} - {{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8a45c554fd..0000000000 
--- a/packages/network_traffic/1.0.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -description: Pipeline for processing traffic flows -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.0/data_stream/flow/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/flow/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/flow/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.0/data_stream/flow/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/flow/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/flow/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.0/data_stream/flow/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/flow/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/flow/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.0/data_stream/flow/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/flow/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/flow/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.0/data_stream/flow/manifest.yml b/packages/network_traffic/1.0.0/data_stream/flow/manifest.yml deleted file mode 100755 index 4f455c6f25..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/flow/manifest.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: Flows -release: beta -type: logs -streams: - - input: packet - title: Flows - description: Track Network Flows - template_path: flow.yml.hbs - vars: - - name: period - type: text - title: Period - required: false - show_user: false - description: Configure the reporting interval. All flows are reported at the very same point in time. Periodical reporting can be disabled by setting the value to -1. If disabled, flows are still reported once being timed out. - default: '10s' - - name: timeout - type: text - title: Flow timeout - description: Timeout configures the lifetime of a flow. If no packets have been received for a flow within the timeout time window, the flow is killed and reported. - required: false - show_user: false - default: '30s' diff --git a/packages/network_traffic/1.0.0/data_stream/http/agent/stream/http.yml.hbs b/packages/network_traffic/1.0.0/data_stream/http/agent/stream/http.yml.hbs deleted file mode 100755 index 4c2aecad10..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/http/agent/stream/http.yml.hbs +++ /dev/null 
@@ -1,85 +0,0 @@ -type: http -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if hide_keywords}} -hide_keywords: -{{#each hide_keywords as |hide_keyword|}} - - {{hide_keyword}} -{{/each}} -{{/if}} -{{#if send_headers}} -send_headers: {{send_headers}} -{{/if}} -{{#if send_all_headers}} -send_all_headers: {{send_all_headers}} -{{/if}} -{{#if redact_headers}} -redact_headers: -{{#each redact_headers as |redact_header|}} - - {{redact_header}} -{{/each}} -{{/if}} -{{#if include_body_for}} -include_body_for: -{{#each include_body_for as |include_body_for_elem|}} - - {{include_body_for_elem}} -{{/each}} -{{/if}} -{{#if include_request_body_for}} -include_request_body_for: -{{#each include_request_body_for as |include_request_body_for_elem|}} - - {{include_request_body_for_elem}} -{{/each}} -{{/if}} -{{#if include_response_body_for}} -include_response_body_for: -{{#each include_response_body_for as |include_response_body_for_elem|}} - - {{include_response_body_for_elem}} -{{/each}} -{{/if}} -{{#if decode_body}} -decode_body: {{decode_body}} -{{/if}} -{{#if split_cookie}} -split_cookie: {{split_cookie}} -{{/if}} -{{#if real_ip_header}} -real_ip_header: {{real_ip_header}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if max_message_size}} -max_message_size: {{max_message_size}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} 
diff --git a/packages/network_traffic/1.0.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 73b1d30401..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -description: Pipeline for processing http traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.0/data_stream/http/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/http/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/http/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.0/data_stream/http/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/http/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/http/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.0/data_stream/http/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/http/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/http/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.0/data_stream/http/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/http/fields/ecs.yml deleted file mode 100755 index d003c7093e..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/http/fields/ecs.yml +++ /dev/null 
@@ -1,203 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: Total size in bytes of the request (body and headers). 
- name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". 
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword 
diff --git a/packages/network_traffic/1.0.0/data_stream/http/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/http/fields/protocol.yml deleted file mode 100755 index 51b73ae344..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/http/fields/protocol.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: http - type: group - description: Information about the HTTP request and response. - fields: - - name: request - description: HTTP request - type: group - fields: - - name: headers - type: flattened - description: > - A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. - - - name: response - description: HTTP response - type: group - fields: - - name: status_phrase - type: keyword - description: The HTTP status phrase. - example: Not Found - - name: headers - type: flattened - description: > - A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. - diff --git a/packages/network_traffic/1.0.0/data_stream/http/manifest.yml b/packages/network_traffic/1.0.0/data_stream/http/manifest.yml deleted file mode 100755 index f16188331c..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/http/manifest.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -title: HTTP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [80, 8080, 8000, 5000, 8002] - - name: hide_keywords - type: text - title: Hide Keywords - description: |- - Uncomment the following to hide certain parameters in URL or forms attached - to HTTP requests. The names of the parameters are case insensitive. - The value of the parameters will be replaced with the 'xxxxx' string. - This is generally useful for avoiding storing user passwords or other - sensitive information. - Only query parameters and top level form parameters are replaced. - show_user: false - multi: true - required: false - - name: send_headers - type: bool - title: Send Headers - description: |- - A list of header names to capture and send to Elasticsearch. These headers - are placed under the `headers` dictionary in the resulting JSON. - show_user: false - multi: false - required: false - - name: send_all_headers - type: bool - title: Send All Headers - description: |- - Instead of sending a white list of headers to Elasticsearch, you can send - all headers by setting this option to true. The default is false. - show_user: false - multi: false - required: false - - name: redact_headers - type: text - title: Redact Headers - description: |- - A list of headers to redact if present in the HTTP request. This will keep - the header field present, but will redact it's value to show the headers - presence. - show_user: false - multi: true - required: false - - name: include_body_for - type: text - title: Include Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - payload. 
If the request's or response's Content-Type matches any on this - list, the full body will be included under the request or response field. - show_user: false - multi: true - required: false - - name: include_request_body_for - type: text - title: Include Request Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - request payload. - show_user: false - multi: true - required: false - - name: include_response_body_for - type: text - title: Include Response Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - response payload. - show_user: false - multi: true - required: false - - name: decode_body - type: bool - title: Decode Body - description: |- - Whether the body of a request must be decoded when a content-encoding - or transfer-encoding has been applied. - show_user: false - multi: false - required: false - - name: split_cookie - type: bool - title: Split Cookie - description: |- - If the Cookie or Set-Cookie headers are sent, this option controls whether - they are split into individual values. - show_user: false - multi: false - required: false - - name: real_ip_header - type: bool - title: Real Ip Header - description: |- - The header field to extract the real IP from. This setting is useful when - you want to capture traffic behind a reverse proxy, but you want to get the - geo-location information. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. 
- show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: max_message_size - type: integer - title: Max Message Size - description: |- - Maximum message size. If an HTTP message is larger than this, it will - be trimmed to this size. Default is 10 MB. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: HTTP - description: Capture HTTP Traffic - template_path: http.yml.hbs diff --git a/packages/network_traffic/1.0.0/data_stream/http/sample_event.json b/packages/network_traffic/1.0.0/data_stream/http/sample_event.json deleted file mode 100755 index f07301394b..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/http/sample_event.json +++ /dev/null 
@@ -1,139 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:54:42.031Z", - "agent": { - "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "data_stream": { - "dataset": "network_traffic.http", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.http", - "duration": 141490400, - "end": "2022-03-09T07:54:42.172Z", - "ingested": "2022-03-09T07:54:43Z", - "kind": "event", - "start": "2022-03-09T07:54:42.031Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "http": { - "request": { - "body": { - "bytes": 55 - }, - "bytes": 211, - "headers": { - "content-length": 55, - "content-type": "application/x-www-form-urlencoded" - }, - "method": "POST" - }, - "response": { - "body": { - "bytes": 8936 - }, - "bytes": 9108, - "headers": { - "content-length": 8936, - "content-type": "text/html; charset=utf-8" - }, - "status_code": 404, - "status_phrase": "not found" - }, - "version": "1.1" - }, - "method": "POST", - "network": { - "bytes": 9319, - "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=", - "direction": "unknown", - 
"protocol": "http", - "transport": "tcp", - "type": "ipv4" - }, - "query": "POST /register", - "related": { - "hosts": [ - "packetbeat.com" - ], - "ip": [ - "192.168.238.50", - "107.170.1.22" - ] - }, - "server": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "source": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "status": "Error", - "type": "http", - "url": { - "domain": "packetbeat.com", - "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "path": "/register", - "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "scheme": "http" - }, - "user_agent": { - "original": "curl/7.37.1" - } -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/data_stream/icmp/agent/stream/icmp.yml.hbs b/packages/network_traffic/1.0.0/data_stream/icmp/agent/stream/icmp.yml.hbs deleted file mode 100755 index f550ca79fa..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/icmp/agent/stream/icmp.yml.hbs +++ /dev/null @@ -1,22 +0,0 @@ -type: icmp -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8cd8d555f7..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing icmp traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.0/data_stream/icmp/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/icmp/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/icmp/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.0/data_stream/icmp/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/icmp/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/icmp/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.0/data_stream/icmp/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/icmp/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/icmp/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.0/data_stream/icmp/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/icmp/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/icmp/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.0.0/data_stream/icmp/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/icmp/fields/protocol.yml
deleted file mode 100755
index 5aef1deaf4..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/icmp/fields/protocol.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: icmp
- type: group
- fields:
- - name: version
- type: long
- description: The version of the ICMP protocol.
- possible_values:
- - 4
- - 6
- - name: request.message
- type: keyword
- description: A human readable form of the request.
- - name: request.type
- type: long
- description: The request type.
- - name: request.code
- type: long
- description: The request code.
- - name: response.message
- type: keyword
- description: A human readable form of the response.
- - name: response.type
- type: long
- description: The response type.
- - name: response.code
- type: long
- description: The response code.
diff --git a/packages/network_traffic/1.0.0/data_stream/icmp/manifest.yml b/packages/network_traffic/1.0.0/data_stream/icmp/manifest.yml
deleted file mode 100755
index ca911dc8e0..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/icmp/manifest.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: ICMP
-release: beta
-type: logs
-streams:
- - input: packet
- title: ICMP
- description: Capture ICMP Traffic
- template_path: icmp.yml.hbs
- vars:
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
diff --git a/packages/network_traffic/1.0.0/data_stream/icmp/sample_event.json b/packages/network_traffic/1.0.0/data_stream/icmp/sample_event.json
deleted file mode 100755
index 6dfd5d97d4..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/icmp/sample_event.json
+++ /dev/null
@@ -1,104 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:57:32.766Z", - "agent": { - "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 4, - "ip": "::1" - }, - "data_stream": { - "dataset": "network_traffic.icmp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 4, - "ip": "::2" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.icmp", - "duration": 13336600, - "end": "2022-03-09T07:57:32.779Z", - "ingested": "2022-03-09T07:57:36Z", - "kind": "event", - "start": "2022-03-09T07:57:32.766Z", - "type": [ - "connection" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "icmp": { - "request": { - "code": 0, - "message": "EchoRequest", - "type": 128 - }, - "response": { - "code": 0, - "message": "EchoReply", - "type": 129 - }, - "version": 6 - }, - "network": { - "bytes": 8, - "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=", - "direction": "egress", - "transport": "ipv6-icmp", - "type": "ipv6" - }, - "path": "::2", - "related": { - "ip": [ - "::1", - "::2" - ] - }, - "server": { - "bytes": 4, - "ip": "::2" - }, - "source": { - "bytes": 4, - "ip": "::1" - }, - "status": "OK", - "type": "icmp" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/data_stream/memcached/agent/stream/memcached.yml.hbs b/packages/network_traffic/1.0.0/data_stream/memcached/agent/stream/memcached.yml.hbs
deleted file mode 100755
index 136c8ad877..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/memcached/agent/stream/memcached.yml.hbs
+++ /dev/null
@@ -1,49 +0,0 @@
-type: memcache
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if parseunknown}}
-parseunknown: {{parseunknown}}
-{{/if}}
-{{#if maxvalues}}
-maxvalues: {{maxvalues}}
-{{/if}}
-{{#if maxbytespervalue}}
-maxbytespervalue: {{maxbytespervalue}}
-{{/if}}
-{{#if udptransactiontimeout}}
-udptransactiontimeout: {{udptransactiontimeout}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 8eb49dc336..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing memcached traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.0/data_stream/memcached/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/memcached/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/memcached/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.0/data_stream/memcached/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/memcached/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/memcached/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.0/data_stream/memcached/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/memcached/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/memcached/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.0/data_stream/memcached/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/memcached/fields/ecs.yml deleted file mode 100755 index 7638afce57..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/memcached/fields/ecs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.0/data_stream/memcached/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/memcached/fields/protocol.yml deleted file mode 100755 index 4d1c281dde..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/memcached/fields/protocol.yml +++ /dev/null 
@@ -1,215 +0,0 @@ -- name: memcache - type: group - fields: - - name: protocol_type - type: keyword - description: > - The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. - - - name: request.line - type: keyword - description: > - The raw command line for unknown commands ONLY. - - - name: request.command - type: keyword - description: > - The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. - - - name: response.command - type: keyword - description: > - Either the text based protocol response message type or the name of the originating request if binary protocol is used. - - - name: request.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". - - - name: response.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). - - - name: response.error_msg - type: keyword - description: > - The optional error message in the memcache response (text based protocol only). - - - name: request.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: response.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: request.opcode_value - type: long - description: > - The binary protocol message opcode value. 
- - - name: response.opcode_value - type: long - description: > - The binary protocol message opcode value. - - - name: request.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: response.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: request.vbucket - type: long - description: > - The vbucket index sent in the binary message. - - - name: response.status - type: keyword - description: > - The textual representation of the response error code (binary protocol only). - - - name: response.status_code - type: long - description: > - The status code value returned in the response (binary protocol only). - - - name: request.keys - type: array - description: > - The list of keys sent in the store or load commands. - - - name: response.keys - type: array - description: > - The list of keys returned for the load command (if present). - - - name: request.count_values - type: long - description: > - The number of values found in the memcache request message. If the command does not send any data, this field is missing. - - - name: response.count_values - type: long - description: > - The number of values found in the memcache response message. If the command does not send any data, this field is missing. - - - name: request.values - type: array - description: > - The list of base64 encoded values sent with the request (if present). - - - name: response.values - type: array - description: > - The list of base64 encoded values sent with the response (if present). - - - name: request.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. - - - name: response.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. 
- - - name: request.delta - type: long - description: > - The counter increment/decrement delta value. - - - name: request.initial - type: long - description: > - The counter increment/decrement initial value parameter (binary protocol only). - - - name: request.verbosity - type: long - description: > - The value of the memcache "verbosity" command. - - - name: request.raw_args - type: keyword - description: > - The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. - - - name: request.source_class - type: long - description: > - The source class id in 'slab reassign' command. - - - name: request.dest_class - type: long - description: > - The destination class id in 'slab reassign' command. - - - name: request.automove - type: keyword - description: > - The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. - - - name: request.flags - type: long - description: > - The memcache command flags sent in the request (if present). - - - name: response.flags - type: long - description: > - The memcache message flags sent in the response (if present). - - - name: request.exptime - type: long - description: > - The data expiry time in seconds sent with the memcache command (if present). If the value is `< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). - - - name: request.sleep_us - type: long - description: > - The sleep setting in microseconds for the 'lru_crawler sleep' command. - - - name: response.value - type: long - description: > - The counter value returned by a counter operation. - - - name: request.noreply - type: boolean - description: > - Set to true if noreply was set in the request. The `memcache.response` field will be missing. 
- - - name: request.quiet - type: boolean - description: > - Set to true if the binary protocol message is to be treated as a quiet message. - - - name: request.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier if present. - - - name: response.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). - - - name: response.stats - type: array - description: > - The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". - - - name: response.version - type: keyword - description: > - The returned memcache version string. - diff --git a/packages/network_traffic/1.0.0/data_stream/memcached/manifest.yml b/packages/network_traffic/1.0.0/data_stream/memcached/manifest.yml deleted file mode 100755 index 9120331b9d..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/memcached/manifest.yml +++ /dev/null 
@@ -1,116 +0,0 @@ -title: Memcached -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [11211] - - name: parseunknown - type: bool - title: Parseunknown - description: |- - Uncomment the parseunknown option to force the memcache text protocol parser - to accept unknown commands. - Note: All unknown commands MUST not contain any data parts! - Default: false - show_user: false - multi: false - required: false - - name: maxvalues - type: integer - title: Maxvalues - description: |- - Update the maxvalue option to store the values - base64 encoded - in the - json output. - possible values: - maxvalue: -1 store all values (text based protocol multi-get) - maxvalue: 0 store no values at all - maxvalue: N store up to N values - Default: 0 - show_user: false - multi: false - required: false - - name: maxbytespervalue - type: integer - title: Maxbytespervalue - description: |- - Use maxbytespervalue to limit the number of bytes to be copied per value element. - Note: Values will be base64 encoded, so actual size in json document - will be 4 times maxbytespervalue. - Default: unlimited - show_user: false - multi: false - required: false - - name: udptransactiontimeout - type: integer - title: Udptransactiontimeout - description: |- - UDP transaction timeout in milliseconds. - Note: Quiet messages in UDP binary protocol will get response only in error case. - The memcached analyzer will wait for udptransactiontimeout milliseconds - before publishing quiet messages. Non quiet messages or quiet requests with - error response will not have to wait for the timeout. 
- Default: 200 - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Memcached - description: Capture Memcached Traffic - template_path: memcached.yml.hbs diff --git a/packages/network_traffic/1.0.0/data_stream/memcached/sample_event.json b/packages/network_traffic/1.0.0/data_stream/memcached/sample_event.json deleted file mode 100755 index 4b4dc284f8..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/memcached/sample_event.json +++ /dev/null 
@@ -1,112 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:09:26.564Z",
- "agent": {
- "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "data_stream": {
- "dataset": "network_traffic.memcached",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.memcached",
- "ingested": "2022-03-09T08:09:37Z",
- "kind": "event",
- "start": "2022-03-09T08:09:26.564Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "event.action": "memcache.store",
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "memcache": {
- "protocol_type": "binary",
- "request": {
- "bytes": 1024,
- "command": "set",
- "count_values": 1,
- "exptime": 0,
- "flags": 0,
- "keys": [
- "test_key"
- ],
- "opaque": 65536,
- "opcode": "SetQ",
- "opcode_value": 17,
- "quiet": true,
- "type": "Store",
- "vbucket": 0
- }
- },
- "network": {
- "bytes": 1064,
- "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=",
- "direction": "unknown",
- "protocol": "memcache",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.188.37",
- "192.168.188.38"
- ]
- },
- "server": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "source": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "status": "OK",
- "type": "memcache"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs b/packages/network_traffic/1.0.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs
deleted file mode 100755
index fe92042bcc..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs
+++ /dev/null
@@ -1,43 +0,0 @@
-type: mongodb
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if max_docs}}
-max_docs: {{max_docs}}
-{{/if}}
-{{#if max_doc_length}}
-max_doc_length: {{max_doc_length}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index b5bf6df8f6..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing mongodb traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.0/data_stream/mongodb/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/mongodb/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mongodb/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.0/data_stream/mongodb/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/mongodb/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mongodb/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.0/data_stream/mongodb/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/mongodb/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mongodb/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.0/data_stream/mongodb/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/mongodb/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/mongodb/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.0/data_stream/mongodb/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/mongodb/fields/protocol.yml deleted file mode 100755 index a84465c61e..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/mongodb/fields/protocol.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -- name: mongodb - type: group - fields: - - name: error - type: keyword - description: > - If the MongoDB request has resulted in an error, this field contains the error message returned by the server. - - - name: fullCollectionName - type: keyword - description: > - The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. - - - name: numberToSkip - type: long - description: > - Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. - - - name: numberToReturn - type: long - description: > - The requested maximum number of documents to be returned. - - - name: numberReturned - type: long - description: > - The number of documents in the reply. - - - name: startingFrom - type: keyword - description: > - Where in the cursor this reply is starting. - - - name: query - type: keyword - description: > - A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. - - - name: returnFieldsSelector - type: keyword - description: > - A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. - - - name: selector - type: keyword - description: > - A BSON document that specifies the query for selecting the document to update or delete. - - - name: update - type: keyword - description: > - A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. 
-
- - name: cursorId
- type: keyword
- description: >
- The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.
-
diff --git a/packages/network_traffic/1.0.0/data_stream/mongodb/manifest.yml b/packages/network_traffic/1.0.0/data_stream/mongodb/manifest.yml
deleted file mode 100755
index 0ff11578a2..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mongodb/manifest.yml
+++ /dev/null
@@ -1,86 +0,0 @@ -title: MongoDB -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [27017] - - name: max_docs - type: integer - title: Max Docs - description: |- - The maximum number of documents from the response to index in the `response` - field. The default is 10. - show_user: false - multi: false - required: false - - name: max_doc_length - type: integer - title: Max Doc Length - description: |- - The maximum number of characters in a single document indexed in the - `response` field. The default is 5000. You can set this to 0 to index an - unlimited number of characters per document. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. 
- show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: MongoDB - description: Capture MongoDB Traffic - template_path: mongodb.yml.hbs diff --git a/packages/network_traffic/1.0.0/data_stream/mongodb/sample_event.json b/packages/network_traffic/1.0.0/data_stream/mongodb/sample_event.json deleted file mode 100755 index 4cfd576e4c..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/mongodb/sample_event.json +++ /dev/null 
@@ -1,106 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:15:48.570Z",
- "agent": {
- "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 50,
- "ip": "127.0.0.1",
- "port": 57203
- },
- "data_stream": {
- "dataset": "network_traffic.mongodb",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.mongodb",
- "duration": 1365900,
- "end": "2022-03-09T08:15:48.571Z",
- "ingested": "2022-03-09T08:15:49Z",
- "kind": "event",
- "start": "2022-03-09T08:15:48.570Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "find",
- "mongodb": {
- "cursorId": 0,
- "fullCollectionName": "test.restaurants",
- "numberReturned": 1,
- "numberToReturn": 1,
- "numberToSkip": 0,
- "startingFrom": 0
- },
- "network": {
- "bytes": 564,
- "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=",
- "direction": "ingress",
- "protocol": "mongodb",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "test.restaurants.find().limit(1)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "resource": "test.restaurants",
- "server": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "source": {
- "bytes": 50,
- "ip": "127.0.0.1",
- "port": 57203
- },
- "status": "OK",
- "type": "mongodb"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.0/data_stream/mysql/agent/stream/mysql.yml.hbs b/packages/network_traffic/1.0.0/data_stream/mysql/agent/stream/mysql.yml.hbs
deleted file mode 100755
index 85b82a47b3..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mysql/agent/stream/mysql.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-type: mysql
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 633b576c87..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing mysql traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.0/data_stream/mysql/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/mysql/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mysql/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.0/data_stream/mysql/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/mysql/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mysql/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.0/data_stream/mysql/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/mysql/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mysql/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.0.0/data_stream/mysql/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/mysql/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mysql/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.0.0/data_stream/mysql/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/mysql/fields/protocol.yml
deleted file mode 100755
index 64675f8d8e..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mysql/fields/protocol.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- name: mysql
- type: group
- fields:
- - name: affected_rows
- type: long
- description: >
- If the MySQL command is successful, this field contains the affected number of rows of the last statement.
-
- - name: insert_id
- type: keyword
- description: >
- If the INSERT query is successful, this field contains the id of the newly inserted row.
-
- - name: num_fields
- type: long
- description: >
- If the SELECT query is successful, this field is set to the number of fields returned.
-
- - name: num_rows
- type: long
- description: >
- If the SELECT query is successful, this field is set to the number of rows returned.
-
- - name: query
- type: keyword
- description: >
- The row mysql query as read from the transaction's request.
-
- - name: error_code
- type: long
- description: >
- The error code returned by MySQL.
-
- - name: error_message
- type: keyword
- description: >
- The error info message returned by MySQL.
-
diff --git a/packages/network_traffic/1.0.0/data_stream/mysql/manifest.yml b/packages/network_traffic/1.0.0/data_stream/mysql/manifest.yml
deleted file mode 100755
index c4655854f0..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mysql/manifest.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-title: MySQL
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [3306, 3307]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: MySQL
- description: Capture MySQL Traffic
- template_path: mysql.yml.hbs
diff --git a/packages/network_traffic/1.0.0/data_stream/mysql/sample_event.json b/packages/network_traffic/1.0.0/data_stream/mysql/sample_event.json
deleted file mode 100755
index 2c33116053..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/mysql/sample_event.json
+++ /dev/null
@@ -1,104 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:20:44.667Z",
- "agent": {
- "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 23,
- "ip": "127.0.0.1",
- "port": 41517
- },
- "data_stream": {
- "dataset": "network_traffic.mysql",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 3629,
- "ip": "127.0.0.1",
- "port": 3306
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.mysql",
- "duration": 5532500,
- "end": "2022-03-09T08:20:44.673Z",
- "ingested": "2022-03-09T08:20:45Z",
- "kind": "event",
- "start": "2022-03-09T08:20:44.667Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SELECT",
- "mysql": {
- "affected_rows": 0,
- "insert_id": 0,
- "num_fields": 3,
- "num_rows": 15
- },
- "network": {
- "bytes": 3652,
- "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=",
- "direction": "ingress",
- "protocol": "mysql",
- "transport": "tcp",
- "type": "ipv4"
- },
- "path": "test.test",
- "query": "select * from test",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 3629,
- "ip": "127.0.0.1",
- "port": 3306
- },
- "source": {
- "bytes": 23,
- "ip": "127.0.0.1",
- "port": 41517
- },
- "status": "OK",
- "type": "mysql"
-}
\ No newline at end of
file
diff --git a/packages/network_traffic/1.0.0/data_stream/nfs/agent/stream/nfs.yml.hbs b/packages/network_traffic/1.0.0/data_stream/nfs/agent/stream/nfs.yml.hbs
deleted file mode 100755
index c8349a7bcb..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/nfs/agent/stream/nfs.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-type: nfs
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 2dcc37d830..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing nfs traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.0/data_stream/nfs/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/nfs/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/nfs/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.0/data_stream/nfs/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/nfs/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/nfs/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.0/data_stream/nfs/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/nfs/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/nfs/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.0.0/data_stream/nfs/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/nfs/fields/ecs.yml
deleted file mode 100755
index 2b26a193f9..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/nfs/fields/ecs.yml
+++ /dev/null
@@ -1,144 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. 
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: group.id - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Unique identifier of the user. - name: user.id - type: keyword diff --git a/packages/network_traffic/1.0.0/data_stream/nfs/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/nfs/fields/protocol.yml deleted file mode 100755 index 4bcf6fecec..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/nfs/fields/protocol.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -- name: nfs - type: group - fields: - - name: version - type: long - description: NFS protocol version number. - - name: minor_version - type: long - description: NFS protocol minor version number. - - name: tag - type: keyword - description: NFS v4 COMPOUND operation tag. - - name: opcode - type: keyword - description: > - NFS operation name, or main operation name, in case of COMPOUND calls. - - - name: status - type: keyword - description: NFS operation reply status. -- name: rpc - type: group - description: ONC RPC specific event fields. - fields: - - name: xid - type: keyword - description: RPC message transaction identifier. - - name: status - type: keyword - description: RPC message reply status. - - name: auth_flavor - type: keyword - description: RPC authentication flavor. - - name: cred.uid - type: long - description: RPC caller's user id, in case of auth-unix. - - name: cred.gid - type: long - description: RPC caller's group id, in case of auth-unix. - - name: cred.gids - type: long - description: RPC caller's secondary group ids, in case of auth-unix. - - name: cred.stamp - type: long - description: Arbitrary ID which the caller machine may generate. - - name: cred.machinename - type: keyword - description: The name of the caller's machine. diff --git a/packages/network_traffic/1.0.0/data_stream/nfs/manifest.yml b/packages/network_traffic/1.0.0/data_stream/nfs/manifest.yml deleted file mode 100755 index 4e5323fa1e..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/nfs/manifest.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -title: NFS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [2049] - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: NFS - description: Capture NFS Traffic - template_path: nfs.yml.hbs 
diff --git a/packages/network_traffic/1.0.0/data_stream/nfs/sample_event.json b/packages/network_traffic/1.0.0/data_stream/nfs/sample_event.json deleted file mode 100755 index de4b4525e0..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/nfs/sample_event.json +++ /dev/null 
@@ -1,123 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:24:00.569Z", - "agent": { - "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "data_stream": { - "dataset": "network_traffic.nfs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "nfs.CLOSE", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.nfs", - "duration": 6573500, - "end": "2022-03-09T08:24:00.575Z", - "ingested": "2022-03-09T08:24:01Z", - "kind": "event", - "start": "2022-03-09T08:24:00.569Z", - "type": [ - "connection", - "protocol" - ] - }, - "group.id": 48, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "host.hostname": "desycloud03.desy.de", - "network": { - "bytes": 384, - "community_id": "1:cd5eLXemAsSPMdXwCbdDUWWud4M=", - "direction": "unknown", - "protocol": "nfsv4", - "transport": "tcp", - "type": "ipv4" - }, - "nfs": { - "minor_version": 1, - "opcode": "CLOSE", - "status": "NFS_OK", - "tag": "", - "version": 4 - }, - "related": { - "ip": [ - "131.169.5.156", - "131.169.192.35" - ] - }, - "rpc": { - "auth_flavor": "unix", - "cred": { - "gid": 48, - "gids": [ - 48 - ], - "machinename": "desycloud03.desy.de", - 
"stamp": 4308441, - "uid": 48 - }, - "status": "success", - "xid": "c3103fc1" - }, - "server": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "source": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "status": "OK", - "type": "nfs", - "user.id": 48 -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs b/packages/network_traffic/1.0.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs deleted file mode 100755 index 8680c36b1a..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs +++ /dev/null @@ -1,37 +0,0 @@ -type: pgsql -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index aa5fa721a5..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -description: Pipeline for processing pgsql traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.0/data_stream/pgsql/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/pgsql/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/pgsql/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.0/data_stream/pgsql/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/pgsql/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/pgsql/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.0/data_stream/pgsql/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/pgsql/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/pgsql/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.0/data_stream/pgsql/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/pgsql/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/pgsql/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.0/data_stream/pgsql/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/pgsql/fields/protocol.yml deleted file mode 100755 index 4fd03e12cb..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/pgsql/fields/protocol.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: pgsql - type: group - fields: - - name: error_code - description: The PostgreSQL error code. - type: keyword - - name: error_message - type: keyword - description: The PostgreSQL error message. - - name: error_severity - type: keyword - description: The PostgreSQL error severity. - possible_values: - - ERROR - - FATAL - - PANIC - - name: num_fields - type: long - description: > - If the SELECT query if successful, this field is set to the number of fields returned. - - - name: num_rows - type: long - description: > - If the SELECT query if successful, this field is set to the number of rows returned. - diff --git a/packages/network_traffic/1.0.0/data_stream/pgsql/manifest.yml b/packages/network_traffic/1.0.0/data_stream/pgsql/manifest.yml deleted file mode 100755 index eb205cd837..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/pgsql/manifest.yml +++ /dev/null 
@@ -1,67 +0,0 @@
-title: PostgreSQL
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [5432]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: PostgreSQL
- description: Capture PostgreSQL Traffic
- template_path: pgsql.yml.hbs
diff --git a/packages/network_traffic/1.0.0/data_stream/pgsql/sample_event.json b/packages/network_traffic/1.0.0/data_stream/pgsql/sample_event.json
deleted file mode 100755
index 462f734f42..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/pgsql/sample_event.json
+++ /dev/null
@@ -1,101 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:29:39.675Z",
- "agent": {
- "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 34,
- "ip": "127.0.0.1",
- "port": 34936
- },
- "data_stream": {
- "dataset": "network_traffic.pgsql",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 3186,
- "ip": "127.0.0.1",
- "port": 5432
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.pgsql",
- "duration": 2568100,
- "end": "2022-03-09T08:29:39.678Z",
- "ingested": "2022-03-09T08:29:40Z",
- "kind": "event",
- "start": "2022-03-09T08:29:39.675Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SELECT",
- "network": {
- "bytes": 3220,
- "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=",
- "direction": "ingress",
- "protocol": "pgsql",
- "transport": "tcp",
- "type": "ipv4"
- },
- "pgsql": {
- "num_fields": 3,
- "num_rows": 15
- },
- "query": "select * from long_response",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 3186,
- "ip": "127.0.0.1",
- "port": 5432
- },
- "source": {
- "bytes": 34,
- "ip": "127.0.0.1",
- "port": 34936
- },
- "status": "OK",
- "type": "pgsql"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.0/data_stream/redis/agent/stream/redis.yml.hbs b/packages/network_traffic/1.0.0/data_stream/redis/agent/stream/redis.yml.hbs
deleted file mode 100755
index f357ca3a6d..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/redis/agent/stream/redis.yml.hbs
+++ /dev/null
@@ -1,43 +0,0 @@
-type: redis
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if queue_max_bytes}}
-queue_max_bytes: {{queue_max_bytes}}
-{{/if}}
-{{#if queue_max_messages}}
-queue_max_messages: {{queue_max_messages}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index d84f8b24b8..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing redis traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.0/data_stream/redis/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/redis/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/redis/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.0.0/data_stream/redis/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/redis/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/redis/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.0/data_stream/redis/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/redis/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/redis/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.0.0/data_stream/redis/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/redis/fields/ecs.yml
deleted file mode 100755
index 7638afce57..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/redis/fields/ecs.yml
+++ /dev/null
@@ -1,136 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome.
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter.
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.0.0/data_stream/redis/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/redis/fields/protocol.yml
deleted file mode 100755
index 4982b2c2d3..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/redis/fields/protocol.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-- name: redis
- type: group
- fields:
- - name: return_value
- type: keyword
- description: >
- The return value of the Redis command in a human readable format.
-
- - name: error
- type: keyword
- description: >
- If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.
-
diff --git a/packages/network_traffic/1.0.0/data_stream/redis/manifest.yml b/packages/network_traffic/1.0.0/data_stream/redis/manifest.yml
deleted file mode 100755
index 9fe0ce4e18..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/redis/manifest.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-title: Redis
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [6379]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: queue_max_bytes
- type: integer
- title: Queue Max Bytes
- description: |-
- Max size for per-session message queue. This places a limit on the memory
- that can be used to buffer requests and responses for correlation.
- show_user: false
- multi: false
- required: false
- - name: queue_max_messages
- type: integer
- title: Queue Max Messages
- description: |-
- Max number of messages for per-session message queue. This limits the number
- of requests or responses that can be buffered for correlation. Set a value
- large enough to allow for pipelining.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: Redis
- description: Capture Redis Traffic
- template_path: redis.yml.hbs
diff --git a/packages/network_traffic/1.0.0/data_stream/redis/sample_event.json b/packages/network_traffic/1.0.0/data_stream/redis/sample_event.json
deleted file mode 100755
index 7ce644c935..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/redis/sample_event.json
+++ /dev/null
@@ -1,102 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:30:57.254Z",
- "agent": {
- "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 31,
- "ip": "127.0.0.1",
- "port": 32810
- },
- "data_stream": {
- "dataset": "network_traffic.redis",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 5,
- "ip": "127.0.0.1",
- "port": 6380
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "redis.set",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.redis",
- "duration": 1421600,
- "end": "2022-03-09T08:30:57.256Z",
- "ingested": "2022-03-09T08:30:58Z",
- "kind": "event",
- "start": "2022-03-09T08:30:57.254Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SET",
- "network": {
- "bytes": 36,
- "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=",
- "direction": "ingress",
- "protocol": "redis",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "set key3 me",
- "redis": {
- "return_value": "OK"
- },
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "resource": "key3",
- "server": {
- "bytes": 5,
- "ip": "127.0.0.1",
- "port": 6380
- },
- "source": {
- "bytes": 31,
- "ip": "127.0.0.1",
- "port": 32810
- },
- "status": "OK",
- "type": "redis"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.0/data_stream/sip/agent/stream/sip.yml.hbs b/packages/network_traffic/1.0.0/data_stream/sip/agent/stream/sip.yml.hbs
deleted file mode 100755
index 935ea011ee..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/sip/agent/stream/sip.yml.hbs
+++ /dev/null
@@ -1,34 +0,0 @@
-type: sip
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if parse_authorization}}
-parse_authorization: {{parse_authorization}}
-{{/if}}
-{{#if parse_body}}
-parse_body: {{parse_body}}
-{{/if}}
-{{#if keep_original}}
-keep_original: {{keep_original}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index c20207afdd..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for processing sip traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-# Remove invalid "protocol" term added by packetbeat prior to v7.17.4/8.2.1.
-- script:
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "protocol") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.0/data_stream/sip/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/sip/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/sip/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.0.0/data_stream/sip/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/sip/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/sip/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.0/data_stream/sip/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/sip/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/sip/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.0.0/data_stream/sip/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/sip/fields/ecs.yml
deleted file mode 100755
index c2a147238b..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/sip/fields/ecs.yml
+++ /dev/null
@@ -1,174 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: |-
- Reason why this event happened, according to the source.
- This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
- name: event.reason
- type: keyword
-- description: |-
- Sequence number of the event.
- The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
- name: event.sequence
- type: long
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name.
- For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`.
- The field value must be normalized to lowercase for querying.
- name: network.application
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
- name: network.iana_number
- type: keyword
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- type: keyword
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
diff --git a/packages/network_traffic/1.0.0/data_stream/sip/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/sip/fields/protocol.yml
deleted file mode 100755
index 5b25d9df6d..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/sip/fields/protocol.yml
+++ /dev/null
@@ -1,231 +0,0 @@
-- name: sip
- type: group
- description: Information about SIP traffic.
- fields:
- - name: code
- type: long
- description: Response status code.
- - name: method
- type: keyword
- description: Request method.
- - name: status
- type: keyword
- description: Response status phrase.
- - name: type
- type: keyword
- description: Either request or response.
- - name: version
- type: keyword
- description: SIP protocol version.
- - name: uri.original
- type: keyword
- description: The original URI.
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: uri.scheme
- type: keyword
- description: The URI scheme.
- - name: uri.username
- type: keyword
- description: The URI user name.
- - name: uri.host
- type: keyword
- description: The URI host.
- - name: uri.port
- type: long
- description: The URI port.
- - name: accept
- type: keyword
- description: Accept header value.
- - name: allow
- type: keyword
- description: Allowed methods.
- - name: call_id
- type: keyword
- description: Call ID.
- - name: content_length
- type: long
- - name: content_type
- type: keyword
- - name: max_forwards
- type: long
- - name: supported
- type: keyword
- description: Supported methods.
- - name: user_agent.original
- type: keyword
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: private.uri.original
- type: keyword
- description: Private original URI.
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: private.uri.scheme
- type: keyword
- description: Private URI scheme.
- - name: private.uri.username
- type: keyword
- description: Private URI user name.
- - name: private.uri.host
- type: keyword
- description: Private URI host.
- - name: private.uri.port
- type: long
- description: Private URI port.
- - name: cseq.code
- type: long
- description: Sequence code.
- - name: cseq.method
- type: keyword
- description: Sequence method.
- - name: via.original
- type: keyword
- description: The original Via value.
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: to.display_info
- type: keyword
- description: "To display info"
- - name: to.uri.original
- type: keyword
- description: "To original URI"
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: to.uri.scheme
- type: keyword
- description: "To URI scheme"
- - name: to.uri.username
- type: keyword
- description: "To URI user name"
- - name: to.uri.host
- type: keyword
- description: "To URI host"
- - name: to.uri.port
- type: long
- description: "To URI port"
- - name: to.tag
- type: keyword
- description: "To tag"
- - name: from.display_info
- type: keyword
- description: "From display info"
- - name: from.uri.original
- type: keyword
- description: "From original URI"
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: from.uri.scheme
- type: keyword
- description: "From URI scheme"
- - name: from.uri.username
- type: keyword
- description: "From URI user name"
- - name: from.uri.host
- type: keyword
- description: "From URI host"
- - name: from.uri.port
- type: long
- description: "From URI port"
- - name: from.tag
- type: keyword
- description: "From tag"
- - name: contact.display_info
- type: keyword
- description: "Contact display info"
- - name: contact.uri.original
- type: keyword
- description: "Contact original URI"
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: contact.uri.scheme
- type: keyword
- description: "Contat URI scheme"
- - name: contact.uri.username
- type: keyword
- description: "Contact URI user name"
- - name: contact.uri.host
- type: keyword
- description: "Contact URI host"
- - name: contact.uri.port
- type: long
- description: "Contact URI port"
- - name: contact.transport
- type: keyword
- description: "Contact transport"
- - name: contact.line
- type: keyword
- description: "Contact line"
- - name: contact.expires
- type: keyword
- description: "Contact expires"
- - name: contact.q
- type: keyword
- description: 
"Contact Q"
- - name: auth.scheme
- type: keyword
- description: "Auth scheme"
- - name: auth.realm
- type: keyword
- description: "Auth realm"
- - name: auth.uri.original
- type: keyword
- description: "Auth original URI"
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: auth.uri.scheme
- type: keyword
- description: "Auth URI scheme"
- - name: auth.uri.host
- type: keyword
- description: "Auth URI host"
- - name: auth.uri.port
- type: long
- description: "Auth URI port"
- - name: sdp.version
- type: keyword
- description: "SDP version"
- - name: sdp.owner.username
- type: keyword
- description: "SDP owner user name"
- - name: sdp.owner.session_id
- type: keyword
- description: "SDP owner session ID"
- - name: sdp.owner.version
- type: keyword
- description: "SDP owner version"
- - name: sdp.owner.ip
- type: ip
- description: "SDP owner IP"
- - name: sdp.session.name
- type: keyword
- description: "SDP session name"
- - name: sdp.connection.info
- type: keyword
- description: "SDP connection info"
- - name: sdp.connection.address
- type: keyword
- description: "SDP connection address"
- - name: sdp.body.original
- type: keyword
- description: "SDP original body"
- multi_fields:
- - name: text
- type: text
- norms: false
diff --git a/packages/network_traffic/1.0.0/data_stream/sip/manifest.yml b/packages/network_traffic/1.0.0/data_stream/sip/manifest.yml
deleted file mode 100755
index 79dd27ea52..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/sip/manifest.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-title: SIP
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [5060]
- - name: parse_authorization
- type: bool
- title: Parse Authorization
- description: Parse the authorization headers
- show_user: false
- multi: false
- required: false
- - name: parse_body
- type: bool
- title: Parse Body
- description: Parse body contents (only when body is SDP)
- show_user: false
- multi: false
- required: false
- - name: keep_original
- type: bool
- title: Keep Original
- description: Preserve original contents in event.original
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: SIP
- description: Capture SIP Traffic
- template_path: sip.yml.hbs
diff --git a/packages/network_traffic/1.0.0/data_stream/sip/sample_event.json b/packages/network_traffic/1.0.0/data_stream/sip/sample_event.json
deleted file mode 100755
index 5a36041d5a..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/sip/sample_event.json
+++ /dev/null
@@ -1,174 +0,0 @@
-{
- "@timestamp": "2022-05-13T07:10:35.715Z",
- "agent": {
- "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013",
- "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.2.0"
- },
- "client": {
- "ip": "10.0.2.20",
- "port": 5060
- },
- "data_stream": {
- "dataset": "network_traffic.sip",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "10.0.2.15",
- "port": 5060
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "action": "sip-invite",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.sip",
- "duration": 0,
- "end": "2022-05-13T07:10:35.715Z",
- "ingested": "2022-05-13T07:10:39Z",
- "kind": "event",
- "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n",
- "sequence": 1,
- "start": "2022-05-13T07:10:35.715Z",
- "type": [
- "info"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": false,
- "hostname": "docker-fleet-agent",
- "ip": [
- "172.31.0.7"
- ],
- "mac": [
- "02-42-AC-1F-00-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.104-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "network": {
- "application": "sip",
- "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
-
"direction": "unknown",
- "iana_number": "17",
- "protocol": "sip",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "hosts": [
- "10.0.2.15",
- "10.0.2.20"
- ],
- "ip": [
- "10.0.2.20",
- "10.0.2.15"
- ],
- "user": [
- "test",
- "sipp"
- ]
- },
- "server": {
- "ip": "10.0.2.15",
- "port": 5060
- },
- "sip": {
- "call_id": "1-2187@10.0.2.20",
- "contact": {
- "display_info": "test",
- "uri": {
- "host": "10.0.2.15",
- "original": "sip:test@10.0.2.15:5060",
- "port": 5060,
- "scheme": "sip",
- "username": "test"
- }
- },
- "content_length": 123,
- "content_type": "application/sdp",
- "cseq": {
- "code": 1,
- "method": "INVITE"
- },
- "from": {
- "display_info": "DVI4/8000",
- "tag": "1",
- "uri": {
- "host": "10.0.2.20",
- "original": "sip:sipp@10.0.2.20:5060",
- "port": 5060,
- "scheme": "sip",
- "username": "sipp"
- }
- },
- "max_forwards": 70,
- "method": "INVITE",
- "sdp": {
- "body": {
- "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n"
- },
- "connection": {
- "address": "10.0.2.20",
- "info": "IN IP4 10.0.2.20"
- },
- "owner": {
- "ip": "10.0.2.20",
- "session_id": "42",
- "version": "42"
- },
- "version": "0"
- },
- "to": {
- "display_info": "test",
- "uri": {
- "host": "10.0.2.15",
- "original": "sip:test@10.0.2.15:5060",
- "port": 5060,
- "scheme": "sip",
- "username": "test"
- }
- },
- "type": "request",
- "uri": {
- "host": "10.0.2.15",
- "original": "sip:test@10.0.2.15:5060",
- "port": 5060,
- "scheme": "sip",
- "username": "test"
- },
- "version": "2.0",
- "via": {
- "original": [
- "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0"
- ]
- }
- },
- "source": {
- "ip": "10.0.2.20",
- "port": 5060
- },
- "status": "OK",
- "type": "sip"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.0/data_stream/thrift/agent/stream/thrift.yml.hbs b/packages/network_traffic/1.0.0/data_stream/thrift/agent/stream/thrift.yml.hbs
deleted file mode 100755
index d6d9604253..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/thrift/agent/stream/thrift.yml.hbs
+++ /dev/null
@@ -1,64 +0,0 @@
-type: thrift
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if transport_type}}
-transport_type: {{transport_type}}
-{{/if}}
-{{#if protocol_type}}
-protocol_type: {{protocol_type}}
-{{/if}}
-{{#if idl_files}}
-idl_files:
-{{#each idl_files as |idl_file|}}
- - {{idl_file}}
-{{/each}}
-{{/if}}
-{{#if string_max_size}}
-string_max_size: {{string_max_size}}
-{{/if}}
-{{#if collection_max_size}}
-collection_max_size: {{collection_max_size}}
-{{/if}}
-{{#if capture_reply}}
-capture_reply: {{capture_reply}}
-{{/if}}
-{{#if obfuscate_strings}}
-obfuscate_strings: {{obfuscate_strings}}
-{{/if}}
-{{#if drop_after_n_struct_fields}}
-drop_after_n_struct_fields: {{drop_after_n_struct_fields}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 608bb7e6a5..0000000000
--- a/packages/network_traffic/1.0.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@ ---- -description: Pipeline for processing thrift traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.0/data_stream/thrift/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/thrift/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/thrift/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.0/data_stream/thrift/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/thrift/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/thrift/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.0/data_stream/thrift/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/thrift/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/thrift/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.0/data_stream/thrift/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/thrift/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/thrift/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.0/data_stream/thrift/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/thrift/fields/protocol.yml deleted file mode 100755 index dd097f61ee..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/thrift/fields/protocol.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: thrift - type: group - fields: - - name: params - type: keyword - description: > - The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. - - - name: service - type: keyword - description: > - The name of the Thrift-RPC service as defined in the IDL files. - - - name: return_value - type: keyword - description: > - The value returned by the Thrift-RPC call. This is encoded in a human readable format. - - - name: exceptions - type: keyword - description: > - If the call resulted in exceptions, this field contains the exceptions in a human readable format. - diff --git a/packages/network_traffic/1.0.0/data_stream/thrift/manifest.yml b/packages/network_traffic/1.0.0/data_stream/thrift/manifest.yml deleted file mode 100755 index 29eabbeb19..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/thrift/manifest.yml +++ /dev/null 
@@ -1,141 +0,0 @@ -title: Thrift -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [9090] - - name: transport_type - type: text - title: Transport Type - description: |- - The Thrift transport type. Currently this option accepts the values socket - for TSocket, which is the default Thrift transport, and framed for the - TFramed Thrift transport. The default is socket. - show_user: false - multi: false - required: false - - name: protocol_type - type: text - title: Protocol Type - description: |- - The Thrift protocol type. Currently the only accepted value is binary for - the TBinary protocol, which is the default Thrift protocol. - show_user: false - multi: false - required: false - - name: idl_files - type: text - title: Idl Files - description: |- - The Thrift interface description language (IDL) files for the service that - Packetbeat is monitoring. Providing the IDL enables Packetbeat to include - parameter and exception names. - show_user: false - multi: true - required: false - - name: string_max_size - type: integer - title: String Max Size - description: |- - The maximum length for strings in parameters or return values. If a string - is longer than this value, the string is automatically truncated to this - length. - show_user: false - multi: false - required: false - - name: collection_max_size - type: integer - title: Collection Max Size - description: The maximum number of elements in a Thrift list, set, map, or structure. - show_user: false - multi: false - required: false - - name: capture_reply - type: bool - title: Capture Reply - description: |- - If this option is set to false, Packetbeat decodes the method name from the - reply and simply skips the rest of the response message. 
- show_user: false - multi: false - required: false - - name: obfuscate_strings - type: bool - title: Obfuscate Strings - description: |- - If this option is set to true, Packetbeat replaces all strings found in - method parameters, return codes, or exception structures with the "*" - string. - show_user: false - multi: false - required: false - - name: drop_after_n_struct_fields - type: integer - title: Drop After N Struct Fields - description: |- - The maximum number of fields that a structure can have before Packetbeat - ignores the whole transaction. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Thrift - description: Capture Thrift Traffic - template_path: thrift.yml.hbs diff --git a/packages/network_traffic/1.0.0/data_stream/thrift/sample_event.json b/packages/network_traffic/1.0.0/data_stream/thrift/sample_event.json deleted file mode 100755 index 4c1640a50d..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/thrift/sample_event.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:33:31.022Z", - "agent": { - "ephemeral_id": "de52c04f-60dd-4ed1-a501-b297caa5c67c", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "data_stream": { - "dataset": "network_traffic.thrift", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.thrift", - "duration": 1394000, - "end": "2022-03-09T08:33:31.023Z", - "ingested": "2022-03-09T08:33:32Z", - "kind": "event", - "start": "2022-03-09T08:33:31.022Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "testByte", - "network": { - "bytes": 50, - "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=", - "direction": "ingress", - "protocol": "thrift", - "transport": "tcp", - "type": "ipv4" - }, - "path": "", - "query": "testByte(1: 63)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "status": "OK", - "thrift": { - "params": "(1: 63)", - "return_value": "63" - }, - "type": "thrift" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/data_stream/tls/agent/stream/tls.yml.hbs b/packages/network_traffic/1.0.0/data_stream/tls/agent/stream/tls.yml.hbs deleted file mode 100755 index 877a553bfd..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/tls/agent/stream/tls.yml.hbs +++ /dev/null @@ -1,40 +0,0 @@ -type: tls -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if fingerprints}} -fingerprints: -{{#each fingerprints as |fingerprint|}} - - {{fingerprint}} -{{/each}} -{{/if}} -{{#if send_certificates}} -send_certificates: {{send_certificates}} -{{/if}} -{{#if include_raw_certificates}} -include_raw_certificates: {{include_raw_certificates}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 788c1210ef..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -description: Pipeline for processing tls traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true - -## -# Make tls.{client,server}.x509.version_number a string as per ECS. -## -- convert: - field: tls.client.x509.version_number - type: string - ignore_missing: true -- convert: - field: tls.server.x509.version_number - type: string - ignore_missing: true - -## -# This handles legacy TLS fields from Packetbeat 7.17. -## -- remove: - description: Remove legacy fields from Packetbeat 7.17 that are duplicated. - field: - - tls.client.x509.issuer.province # Duplicated as tls.client.x509.issuer.state_or_province. - - tls.client.x509.subject.province # Duplicated as tls.client.x509.subject.state_or_province. - - tls.client.x509.version # Duplicated as tls.client.x509.version_number. - - tls.detailed.client_certificate # Duplicated as tls.client.x509. - - tls.detailed.server_certificate # Duplicated as tls.server.x509. - - tls.server.x509.issuer.province # Duplicated as tls.server.x509.issuer.state_or_province. - - tls.server.x509.subject.province # Duplicated as tls.server.x509.subject.state_or_province. - - tls.server.x509.version # Duplicated as tls.server.x509.version_number. - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.0/data_stream/tls/fields/agent.yml b/packages/network_traffic/1.0.0/data_stream/tls/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/tls/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.0/data_stream/tls/fields/base.yml b/packages/network_traffic/1.0.0/data_stream/tls/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/tls/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.0/data_stream/tls/fields/beats.yml b/packages/network_traffic/1.0.0/data_stream/tls/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/tls/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.0/data_stream/tls/fields/ecs.yml b/packages/network_traffic/1.0.0/data_stream/tls/fields/ecs.yml deleted file mode 100755 index 49c713858d..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/tls/fields/ecs.yml +++ /dev/null 
@@ -1,368 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. - name: tls.client.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - name: tls.client.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. 
- name: tls.client.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.sha256 - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: Date/Time indicating when client certificate is no longer considered valid. - name: tls.client.not_after - type: date -- description: Date/Time indicating when client certificate is first considered valid. - name: tls.client.not_before - type: date -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: Distinguished name of subject of the x.509 certificate presented by the client. - name: tls.client.subject - type: keyword -- description: Array of ciphers offered by the client during the client hello. - name: tls.client.supported_ciphers - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.client.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.client.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.client.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. 
- name: tls.client.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.client.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.client.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.client.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.client.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.client.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.client.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.client.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.client.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.client.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.client.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. 
- name: tls.client.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.client.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.client.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.client.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.client.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.client.x509.version_number - type: keyword -- description: String indicating the curve used for the given cipher, when applicable. - name: tls.curve - type: keyword -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean -- description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. - name: tls.next_protocol - type: keyword -- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - name: tls.resumed - type: boolean -- description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. - name: tls.server.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - name: tls.server.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha256 - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword -- description: Timestamp indicating when server certificate is no longer considered valid. - name: tls.server.not_after - type: date -- description: Timestamp indicating when server certificate is first considered valid. - name: tls.server.not_before - type: date -- description: Subject of the x.509 certificate presented by the server. - name: tls.server.subject - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.server.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. 
- name: tls.server.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.server.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.server.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.server.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.server.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.server.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.server.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.server.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.server.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.server.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.server.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.server.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.server.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.server.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.server.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.server.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.server.x509.version_number - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword diff --git a/packages/network_traffic/1.0.0/data_stream/tls/fields/protocol.yml b/packages/network_traffic/1.0.0/data_stream/tls/fields/protocol.yml deleted file mode 100755 index d8264468d4..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/tls/fields/protocol.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -- name: tls - type: group - fields: - - name: detailed - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol used. - - example: "TLS 1.3" - - name: resumption_method - type: keyword - description: > - If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. - - - name: client_certificate_requested - type: boolean - description: > - Whether the server has requested the client to authenticate itself using a client certificate. - - - name: ocsp_response - type: keyword - description: > - The result of an OCSP request. - - - name: client_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol by which the client wishes to communicate during this session. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: supported_compression_methods - type: keyword - description: > - The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml - - - name: extensions - type: group - description: The hello extensions provided by the client. - fields: - - name: server_name_indication - type: keyword - description: List of hostnames - - name: application_layer_protocol_negotiation - type: keyword - description: > - List of application-layer protocols the client is willing to use. - - - name: session_ticket - type: keyword - description: > - Length of the session ticket, if provided, or an empty string to advertise support for tickets. - - - name: supported_versions - type: keyword - description: > - List of TLS versions that the client is willing to use. 
- - - name: supported_groups - type: keyword - description: > - List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. - - - name: signature_algorithms - type: keyword - description: > - List of signature algorithms that may be use in digital signatures. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: type - type: keyword - description: The type of the status request. Always "ocsp" if present. - - name: responder_id_list_length - type: short - description: The length of the list of trusted responders. - - name: request_extensions - type: short - description: The number of certificate extensions for the request. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: selected_compression_method - type: keyword - description: > - The compression method selected by the server from the list provided in the client hello. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: extensions - type: group - description: The hello extensions provided by the server. 
- fields: - - name: application_layer_protocol_negotiation - type: keyword - description: Negotiated application layer protocol - - name: session_ticket - type: keyword - description: > - Used to announce that a session ticket will be provided by the server. Always an empty string. - - - name: supported_versions - type: keyword - description: > - Negotiated TLS version to be used. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: response - type: boolean - description: Whether a certificate status request response was made. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_certificate_chain - type: array - description: Chain of trust for the server certificate. - - name: client_certificate_chain - type: array - description: Chain of trust for the client certificate. - - name: alert_types - type: keyword - description: > - An array containing the TLS alert type for every alert received. - diff --git a/packages/network_traffic/1.0.0/data_stream/tls/manifest.yml b/packages/network_traffic/1.0.0/data_stream/tls/manifest.yml deleted file mode 100755 index d2b8f403da..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/tls/manifest.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -title: TLS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [443, 993, 995, 5223, 8443, 8883, 9243] - - name: fingerprints - type: text - title: Fingerprints - description: |- - List of hash algorithms to use to calculate certificates' fingerprints. - Valid values are `sha1`, `sha256` and `md5`. - show_user: false - multi: true - required: false - - name: send_certificates - type: bool - title: Send Certificates - description: |- - If this option is enabled, the client and server certificates and - certificate chains are sent to Elasticsearch. The default is true. - show_user: false - multi: false - required: false - - name: include_raw_certificates - type: bool - title: Include Raw Certificates - description: |- - If this option is enabled, the raw certificates will be stored - in PEM format under the `raw` key. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: TLS - description: Capture TLS Traffic - template_path: tls.yml.hbs 
diff --git a/packages/network_traffic/1.0.0/data_stream/tls/sample_event.json b/packages/network_traffic/1.0.0/data_stream/tls/sample_event.json deleted file mode 100755 index f325b87dbb..0000000000 --- a/packages/network_traffic/1.0.0/data_stream/tls/sample_event.json +++ /dev/null 
@@ -1,196 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:34:08.391Z", - "agent": { - "ephemeral_id": "5f0bae3e-11e9-4578-9a69-fa5e61bd6b09", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "ip": "192.168.1.36", - "port": 60946 - }, - "data_stream": { - "dataset": "network_traffic.tls", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "domain": "play.google.com", - "ip": "216.58.201.174", - "port": 443 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.tls", - "duration": 14861200, - "end": "2022-03-09T08:34:08.406Z", - "ingested": "2022-03-09T08:34:09Z", - "kind": "event", - "start": "2022-03-09T08:34:08.391Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "community_id": "1:hfsK5r0tJm7av4j7BtSxA6oH9xA=", - "direction": "unknown", - "protocol": "tls", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.1.36", - "216.58.201.174" - ] - }, - "server": { - "domain": "play.google.com", - "ip": "216.58.201.174", - "port": 443 - }, - "source": { - "ip": "192.168.1.36", - "port": 60946 - }, - "status": "OK", - "tls": { - "cipher": "TLS_AES_128_GCM_SHA256", - "client": { - "ja3": "d470a3fa301d80227bc5650c75567d25", - "server_name": "play.google.com", - "supported_ciphers": [ - "TLS_AES_128_GCM_SHA256", - 
"TLS_CHACHA20_POLY1305_SHA256", - "TLS_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA" - ] - }, - "detailed": { - "client_certificate_requested": false, - "client_hello": { - "extensions": { - "_unparsed_": [ - "23", - "renegotiation_info", - "status_request", - "51", - "45", - "28", - "41" - ], - "application_layer_protocol_negotiation": [ - "h2", - "http/1.1" - ], - "ec_points_formats": [ - "uncompressed" - ], - "server_name_indication": [ - "play.google.com" - ], - "signature_algorithms": [ - "ecdsa_secp256r1_sha256", - "ecdsa_secp384r1_sha384", - "ecdsa_secp521r1_sha512", - "rsa_pss_sha256", - "rsa_pss_sha384", - "rsa_pss_sha512", - "rsa_pkcs1_sha256", - "rsa_pkcs1_sha384", - "rsa_pkcs1_sha512", - "ecdsa_sha1", - "rsa_pkcs1_sha1" - ], - "supported_groups": [ - "x25519", - "secp256r1", - "secp384r1", - "secp521r1", - "ffdhe2048", - "ffdhe3072" - ], - "supported_versions": [ - "TLS 1.3", - "TLS 1.2", - "TLS 1.1", - "TLS 1.0" - ] - }, - "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", - "supported_compression_methods": [ - "NULL" - ], - "version": "3.3" - }, - "resumption_method": "id", - "server_hello": { - "extensions": { - "_unparsed_": [ - "41", - "51" - ], - "supported_versions": "TLS 1.3" - }, - "selected_compression_method": "NULL", - "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", - "version": "3.3" - }, - 
"version": "TLS 1.3" - }, - "established": true, - "resumed": true, - "version": "1.3", - "version_protocol": "tls" - }, - "type": "tls" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/docs/README.md b/packages/network_traffic/1.0.0/docs/README.md deleted file mode 100755 index adadb4cf1d..0000000000 --- a/packages/network_traffic/1.0.0/docs/README.md +++ /dev/null 
@@ -1,3960 +0,0 @@ -# Network Packet Capture Integration - -This integration sniffs network packets on a host and dissects -known protocols. - -## Network Flows - -Overall flow information about the network connections on a -host. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -## Protocols - -### AMQP - -Fields published for AMQP packets. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| amqp.app-id | Creating application id. | keyword | -| amqp.arguments | Optional additional arguments passed to some methods. Can be of various types. | object | -| amqp.auto-delete | If set, auto-delete queue when unused. | boolean | -| amqp.class-id | Failing method class. | long | -| amqp.consumer-count | The number of consumers of a queue. | long | -| amqp.consumer-tag | Identifier for the consumer, valid within the current channel. | keyword | -| amqp.content-encoding | MIME content encoding. | keyword | -| amqp.content-type | MIME content type. | keyword | -| amqp.correlation-id | Application correlation identifier. | keyword | -| amqp.delivery-mode | Non-persistent (1) or persistent (2). | keyword | -| amqp.delivery-tag | The server-assigned and channel-specific delivery tag. | long | -| amqp.durable | If set, request a durable exchange/queue. | boolean | -| amqp.exchange | Name of the exchange. | keyword | -| amqp.exchange-type | Exchange type. | keyword | -| amqp.exclusive | If set, request an exclusive queue. | boolean | -| amqp.expiration | Message expiration specification. | keyword | -| amqp.headers | Message header field table. | object | -| amqp.if-empty | Delete only if empty. | boolean | -| amqp.if-unused | Delete only if unused. | boolean | -| amqp.immediate | Request immediate delivery. | boolean | -| amqp.mandatory | Indicates mandatory routing. | boolean | -| amqp.message-count | The number of messages in the queue, which will be zero for newly-declared queues. | long | -| amqp.message-id | Application message identifier. | keyword | -| amqp.method-id | Failing method ID. | long | -| amqp.multiple | Acknowledge multiple messages. | boolean | -| amqp.no-ack | If set, the server does not expect acknowledgements for messages. 
| boolean | -| amqp.no-local | If set, the server will not send messages to the connection that published them. | boolean | -| amqp.no-wait | If set, the server will not respond to the method. | boolean | -| amqp.passive | If set, do not create exchange/queue. | boolean | -| amqp.priority | Message priority, 0 to 9. | long | -| amqp.queue | The queue name identifies the queue within the vhost. | keyword | -| amqp.redelivered | Indicates that the message has been previously delivered to this or another client. | boolean | -| amqp.reply-code | AMQP reply code to an error, similar to http reply-code | long | -| amqp.reply-text | Text explaining the error. | keyword | -| amqp.reply-to | Address to reply to. | keyword | -| amqp.routing-key | Message routing key. | keyword | -| amqp.timestamp | Message timestamp. | keyword | -| amqp.type | Message type name. | keyword | -| amqp.user-id | Creating user id. | keyword | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. 
This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. 
If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. 
| keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `amqp` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:37:02.033Z", - "agent": { - "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "amqp": { - "auto-delete": false, - "consumer-count": 0, - "durable": false, - "exclusive": false, - "message-count": 0, - "no-wait": false, - "passive": false, - "queue": "hello" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "data_stream": { - "dataset": "network_traffic.amqp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "amqp.queue.declare", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.amqp", - "duration": 1325900, - "end": "2022-03-09T07:37:02.035Z", - "ingested": "2022-03-09T07:37:03Z", - "kind": "event", - "start": "2022-03-09T07:37:02.033Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": 
"docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "status": "OK", - "type": "amqp" -} -``` - -### Cassandra - -Fields published for Apache Cassandra packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cassandra.no_request | Indicates that there is no request because this is a PUSH message. | boolean | -| cassandra.request.headers.flags | Flags applying to this frame. | keyword | -| cassandra.request.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long | -| cassandra.request.headers.op | An operation type that distinguishes the actual message. | keyword | -| cassandra.request.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword | -| cassandra.request.headers.version | The version of the protocol. | keyword | -| cassandra.request.query | The CQL query which client send to cassandra. | keyword | -| cassandra.response.authentication.class | Indicates the full class name of the IAuthenticator in use | keyword | -| cassandra.response.error.code | The error code of the Cassandra response. 
| long | -| cassandra.response.error.details.alive | Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). | long | -| cassandra.response.error.details.arg_types | One string for each argument type (as CQL type) of the failed function. | keyword | -| cassandra.response.error.details.blockfor | Representing the number of replicas whose acknowledgement is required to achieve consistency level. | long | -| cassandra.response.error.details.data_present | It means the replica that was asked for data had responded. | boolean | -| cassandra.response.error.details.function | The name of the failed function. | keyword | -| cassandra.response.error.details.keyspace | The keyspace of the failed function. | keyword | -| cassandra.response.error.details.num_failures | Representing the number of nodes that experience a failure while executing the request. | keyword | -| cassandra.response.error.details.read_consistency | Representing the consistency level of the query that triggered the exception. | keyword | -| cassandra.response.error.details.received | Representing the number of nodes having acknowledged the request. | long | -| cassandra.response.error.details.required | Representing the number of nodes that should be alive to respect consistency level. | long | -| cassandra.response.error.details.stmt_id | Representing the unknown ID. | keyword | -| cassandra.response.error.details.table | The keyspace of the failed function. | keyword | -| cassandra.response.error.details.write_type | Describe the type of the write that timed out. | keyword | -| cassandra.response.error.msg | The error message of the Cassandra response. | keyword | -| cassandra.response.error.type | The error type of the Cassandra response. | keyword | -| cassandra.response.event.change | The message corresponding respectively to the type of change followed by the address of the new/removed node. 
| keyword | -| cassandra.response.event.host | Representing the node ip. | keyword | -| cassandra.response.event.port | Representing the node port. | long | -| cassandra.response.event.schema_change.args | One string for each argument type (as CQL type). | keyword | -| cassandra.response.event.schema_change.change | Representing the type of changed involved. | keyword | -| cassandra.response.event.schema_change.keyspace | This describes which keyspace has changed. | keyword | -| cassandra.response.event.schema_change.name | The function/aggregate name. | keyword | -| cassandra.response.event.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword | -| cassandra.response.event.schema_change.table | This describes which table has changed. | keyword | -| cassandra.response.event.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword | -| cassandra.response.event.type | Representing the event type. | keyword | -| cassandra.response.headers.flags | Flags applying to this frame. | keyword | -| cassandra.response.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long | -| cassandra.response.headers.op | An operation type that distinguishes the actual message. | keyword | -| cassandra.response.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword | -| cassandra.response.headers.version | The version of the protocol. | keyword | -| cassandra.response.result.keyspace | Indicating the name of the keyspace that has been set. | keyword | -| cassandra.response.result.prepared.prepared_id | Representing the prepared query ID. 
| keyword | -| cassandra.response.result.prepared.req_meta.col_count | Representing the number of columns selected by the query that produced this result. | long | -| cassandra.response.result.prepared.req_meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.prepared.req_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.prepared.req_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.prepared.req_meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.prepared.req_meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.prepared.resp_meta.col_count | Representing the number of columns selected by the query that produced this result. | long | -| cassandra.response.result.prepared.resp_meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.prepared.resp_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.prepared.resp_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.prepared.resp_meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.prepared.resp_meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.rows.meta.col_count | Representing the number of columns selected by the query that produced this result. 
| long | -| cassandra.response.result.rows.meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.rows.meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.rows.meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.rows.meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.rows.meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.rows.num_rows | Representing the number of rows present in this result. | long | -| cassandra.response.result.schema_change.args | One string for each argument type (as CQL type). | keyword | -| cassandra.response.result.schema_change.change | Representing the type of changed involved. | keyword | -| cassandra.response.result.schema_change.keyspace | This describes which keyspace has changed. | keyword | -| cassandra.response.result.schema_change.name | The function/aggregate name. | keyword | -| cassandra.response.result.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword | -| cassandra.response.result.schema_change.table | This describes which table has changed. | keyword | -| cassandra.response.result.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword | -| cassandra.response.result.type | Cassandra result type. | keyword | -| cassandra.response.supported | Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. | flattened | -| cassandra.response.warnings | The text of the warnings, only occur when Warning flag was set. 
| keyword | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. 
| long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `cassandra` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:43:05.888Z", - "agent": { - "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "cassandra": { - "request": { - "headers": { - "flags": "Default", - "length": 98, - "op": "QUERY", - "stream": 49, - "version": "4" - }, - "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);" - }, - "response": { - "headers": { - "flags": "Default", - "length": 39, - "op": "RESULT", - "stream": 49, - "version": "4" - }, - "result": { - "schema_change": { - "change": "CREATED", - "keyspace": "mykeyspace", - "object": "users", - "target": "TABLE" - }, - "type": "schemaChanged" - } - } - }, - "client": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "data_stream": { - "dataset": "network_traffic.cassandra", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.cassandra", - "duration": 131589500, - "end": "2022-03-09T07:43:06.019Z", - "ingested": "2022-03-09T07:43:09Z", - "kind": "event", - "start": "2022-03-09T07:43:05.888Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, 
- "network": { - "bytes": 155, - "community_id": "1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=", - "direction": "ingress", - "protocol": "cassandra", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "source": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "status": "OK", - "type": "cassandra" -} -``` - -### DHCP - -Fields published for DHCPv4 packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dhcpv4.assigned_ip | The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address. | ip | -| dhcpv4.client_ip | The current IP address of the client. | ip | -| dhcpv4.client_mac | The client's MAC address (layer two). | keyword | -| dhcpv4.flags | Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast. | keyword | -| dhcpv4.hardware_type | The type of hardware used for the local network (Ethernet, LocalTalk, etc). | keyword | -| dhcpv4.hops | The number of hops the DHCP message went through. | long | -| dhcpv4.op_code | The message op code (bootrequest or bootreply). | keyword | -| dhcpv4.option.boot_file_name | This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. | keyword | -| dhcpv4.option.broadcast_address | This option specifies the broadcast address in use on the client's subnet. | ip | -| dhcpv4.option.class_identifier | This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. 
For example, the identifier may encode the client's hardware configuration. | keyword | -| dhcpv4.option.dns_servers | The domain name server option specifies a list of Domain Name System servers available to the client. | ip | -| dhcpv4.option.domain_name | This option specifies the domain name that client should use when resolving hostnames via the Domain Name System. | keyword | -| dhcpv4.option.hostname | This option specifies the name of the client. | keyword | -| dhcpv4.option.ip_address_lease_time_sec | This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. | long | -| dhcpv4.option.max_dhcp_message_size | This option specifies the maximum length DHCP message that the client is willing to accept. | long | -| dhcpv4.option.message | This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters. | text | -| dhcpv4.option.message_type | The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform). | keyword | -| dhcpv4.option.ntp_servers | This option specifies a list of IP addresses indicating NTP servers available to the client. | ip | -| dhcpv4.option.parameter_request_list | This option is used by a DHCP client to request values for specified configuration parameters. | keyword | -| dhcpv4.option.rebinding_time_sec | This option specifies the time interval from address assignment until the client transitions to the REBINDING state. | long | -| dhcpv4.option.renewal_time_sec | This option specifies the time interval from address assignment until the client transitions to the RENEWING state. 
| long | -| dhcpv4.option.requested_ip_address | This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned. | ip | -| dhcpv4.option.router | The router option specifies a list of IP addresses for routers on the client's subnet. | ip | -| dhcpv4.option.server_identifier | IP address of the individual DHCP server which handled this message. | ip | -| dhcpv4.option.subnet_mask | The subnet mask that the client should use on the currnet network. | ip | -| dhcpv4.option.time_servers | The time server option specifies a list of RFC 868 time servers available to the client. | ip | -| dhcpv4.option.utc_time_offset_sec | The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). | long | -| dhcpv4.option.vendor_identifying_options | A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925. | object | -| dhcpv4.relay_ip | The relay IP address used by the client to contact the server (i.e. a DHCP relay server). | ip | -| dhcpv4.seconds | Number of seconds elapsed since client began address acquisition or renewal process. | long | -| dhcpv4.server_ip | The IP address of the DHCP server that the client should use for the next step in the bootstrap process. | ip | -| dhcpv4.server_name | The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages. | keyword | -| dhcpv4.transaction_id | Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. 
For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `dhcpv4` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:43:52.712Z",
- "agent": {
- "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 272,
- "ip": "0.0.0.0",
- "port": 68
- },
- "data_stream": {
- "dataset": "network_traffic.dhcpv4",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "255.255.255.255",
- "port": 67
- },
- "dhcpv4": {
- "client_mac": "00-0B-82-01-FC-42",
- "flags": "unicast",
- "hardware_type": "Ethernet",
- "hops": 0,
- "op_code": "bootrequest",
- "option": {
- "message_type": "discover",
- "parameter_request_list": [
- "Subnet Mask",
- "Router",
- "Domain Name Server",
- "NTP Servers"
- ],
- "requested_ip_address": "0.0.0.0"
- },
- "seconds": 0,
- "transaction_id": "0x00003d1d"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.dhcpv4",
- "ingested": "2022-03-09T07:43:53Z",
- "kind": "event",
- "start": "2022-03-09T07:43:52.712Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "network": {
- "bytes": 272,
- "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=",
- "direction": "unknown",
- "protocol": "dhcpv4",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "0.0.0.0",
- 
"255.255.255.255"
- ]
- },
- "server": {
- "ip": "255.255.255.255",
- "port": 67
- },
- "source": {
- "bytes": 272,
- "ip": "0.0.0.0",
- "port": 68
- },
- "status": "OK",
- "type": "dhcpv4"
-}
-```
-
-### DNS
-
-Fields published for DNS packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. 
| object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| dns.additionals | An array containing a dictionary for each additional section from the answer. | object |
-| dns.additionals.class | The class of DNS data contained in this resource record. | keyword |
-| dns.additionals.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.additionals.name | The domain name to which this resource record pertains. | keyword |
-| dns.additionals.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.additionals.type | The type of data contained in this resource record. | keyword |
-| dns.additionals_count | The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. | long |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. 
| object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.answers_count | The number of resource records contained in the `dns.answers` field. | long |
-| dns.authorities | An array containing a dictionary for each authority section from the answer. | object |
-| dns.authorities.class | The class of DNS data contained in this resource record. | keyword |
-| dns.authorities.name | The domain name to which this resource record pertains. | keyword |
-| dns.authorities.type | The type of data contained in this resource record. | keyword |
-| dns.authorities_count | The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. | long |
-| dns.flags.authentic_data | A DNS flag specifying that the recursive server considers the response authentic. | boolean |
-| dns.flags.authoritative | A DNS flag specifying that the responding server is an authority for the domain name used in the question. | boolean |
-| dns.flags.checking_disabled | A DNS flag specifying that the client disables the server signature validation of the query. 
| boolean |
-| dns.flags.recursion_available | A DNS flag specifying whether recursive query support is available in the name server. | boolean |
-| dns.flags.recursion_desired | A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. | boolean |
-| dns.flags.truncated_response | A DNS flag specifying that only the first 512 bytes of the reply were returned. | boolean |
-| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
-| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
-| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
-| dns.opt.do | If set, the transaction uses DNSSEC. | boolean |
-| dns.opt.ext_rcode | Extended response code field. | keyword |
-| dns.opt.udp_size | Requestor's UDP payload size (in bytes). | long |
-| dns.opt.version | The EDNS version. | keyword |
-| dns.question.class | The class of records being queried. | keyword |
-| dns.question.etld_plus_one | The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. 
For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:48:42.751Z",
- "agent": {
- "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 28,
- "ip": "192.168.238.68",
- "port": 53765
- },
- "data_stream": {
- "dataset": "network_traffic.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 167,
- "ip": "8.8.8.8",
- "port": 53
- },
- "dns": {
- "additionals_count": 0,
- "answers": [
- {
- "class": "IN",
- "data": "ns-1183.awsdns-19.org",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- },
- {
- "class": "IN",
- "data": "ns-2007.awsdns-58.co.uk",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- },
- {
- "class": "IN",
- "data": "ns-66.awsdns-08.com",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- },
- {
- "class": "IN",
- "data": "ns-835.awsdns-40.net",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- }
- ],
- "answers_count": 4,
- "authorities_count": 0,
- "flags": {
- "authentic_data": false,
- "authoritative": false,
- "checking_disabled": false,
- "recursion_available": true,
- "recursion_desired": true,
- "truncated_response": false
- },
- "header_flags": [
- "RD",
- "RA"
- ],
- "id": 26187,
- "op_code": "QUERY",
- "question": {
- "class": "IN",
- "etld_plus_one": "elastic.co",
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "NS"
- },
- "response_code": "NOERROR",
- "type": "answer"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.dns",
- "duration": 68515700,
- "end": "2022-03-09T07:48:42.819Z",
- "ingested": 
"2022-03-09T07:48:43Z",
- "kind": "event",
- "start": "2022-03-09T07:48:42.751Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "QUERY",
- "network": {
- "bytes": 195,
- "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=",
- "direction": "unknown",
- "protocol": "dns",
- "transport": "udp",
- "type": "ipv4"
- },
- "query": "class IN, type NS, elastic.co",
- "related": {
- "ip": [
- "192.168.238.68",
- "8.8.8.8"
- ]
- },
- "resource": "elastic.co",
- "server": {
- "bytes": 167,
- "ip": "8.8.8.8",
- "port": 53
- },
- "source": {
- "bytes": 28,
- "ip": "192.168.238.68",
- "port": 53765
- },
- "status": "OK",
- "type": "dns"
-}
-```
-
-### HTTP
-
-Fields published for HTTP packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.headers | A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.headers | A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened | -| http.response.status_code | HTTP response status code. | long | -| http.response.status_phrase | The HTTP status phrase. | keyword | -| http.version | HTTP version. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. 
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. 
| keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. 
| long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - - -An example event for `http` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:54:42.031Z", - "agent": { - "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "data_stream": { - "dataset": "network_traffic.http", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.http", - "duration": 141490400, - "end": "2022-03-09T07:54:42.172Z", - "ingested": "2022-03-09T07:54:43Z", - "kind": "event", - "start": "2022-03-09T07:54:42.031Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": 
"Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "http": { - "request": { - "body": { - "bytes": 55 - }, - "bytes": 211, - "headers": { - "content-length": 55, - "content-type": "application/x-www-form-urlencoded" - }, - "method": "POST" - }, - "response": { - "body": { - "bytes": 8936 - }, - "bytes": 9108, - "headers": { - "content-length": 8936, - "content-type": "text/html; charset=utf-8" - }, - "status_code": 404, - "status_phrase": "not found" - }, - "version": "1.1" - }, - "method": "POST", - "network": { - "bytes": 9319, - "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=", - "direction": "unknown", - "protocol": "http", - "transport": "tcp", - "type": "ipv4" - }, - "query": "POST /register", - "related": { - "hosts": [ - "packetbeat.com" - ], - "ip": [ - "192.168.238.50", - "107.170.1.22" - ] - }, - "server": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "source": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "status": "Error", - "type": "http", - "url": { - "domain": "packetbeat.com", - "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "path": "/register", - "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "scheme": "http" - }, - "user_agent": { - "original": "curl/7.37.1" - } -} -``` - -### ICMP - -Fields published for ICMP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. 
| keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| icmp.request.code | The request code. | long | -| icmp.request.message | A human readable form of the request. | keyword | -| icmp.request.type | The request type. | long | -| icmp.response.code | The response code. | long | -| icmp.response.message | A human readable form of the response. | keyword | -| icmp.response.type | The response type. | long | -| icmp.version | The version of the ICMP protocol. | long | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `icmp` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:57:32.766Z",
- "agent": {
- "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 4,
- "ip": "::1"
- },
- "data_stream": {
- "dataset": "network_traffic.icmp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 4,
- "ip": "::2"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.icmp",
- "duration": 13336600,
- "end": "2022-03-09T07:57:32.779Z",
- "ingested": "2022-03-09T07:57:36Z",
- "kind": "event",
- "start": "2022-03-09T07:57:32.766Z",
- "type": [
- "connection"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "icmp": {
- "request": {
- "code": 0,
- "message": "EchoRequest",
- "type": 128
- },
- "response": {
- "code": 0,
- "message": "EchoReply",
- "type": 129
- },
- "version": 6
- },
- "network": {
- "bytes": 8,
- "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=",
- "direction": "egress",
- "transport": "ipv6-icmp",
- "type": "ipv6"
- },
- "path": "::2",
- "related": {
- "ip": [
- "::1",
- "::2"
- ]
- },
- "server": {
- "bytes": 4,
- "ip": "::2"
- },
- "source": {
- "bytes": 4,
- "ip": "::1"
- },
- "status": "OK",
- "type": "icmp"
-}
-```
-
-### Memcached
-
-Fields published for Memcached packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| memcache.protocol_type | The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. | keyword |
-| memcache.request.automove | The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. | keyword |
-| memcache.request.bytes | The byte count of the values being transferred. | long |
-| memcache.request.cas_unique | The CAS (compare-and-swap) identifier if present. | long |
-| memcache.request.command | The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. | keyword |
-| memcache.request.count_values | The number of values found in the memcache request message. If the command does not send any data, this field is missing. | long |
-| memcache.request.delta | The counter increment/decrement delta value. | long |
-| memcache.request.dest_class | The destination class id in 'slab reassign' command. | long |
-| memcache.request.exptime | The data expiry time in seconds sent with the memcache command (if present). If the value is `\< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). | long |
-| memcache.request.flags | The memcache command flags sent in the request (if present). | long |
-| memcache.request.initial | The counter increment/decrement initial value parameter (binary protocol only). | long |
-| memcache.request.keys | The list of keys sent in the store or load commands. | array |
-| memcache.request.line | The raw command line for unknown commands ONLY. | keyword |
-| memcache.request.noreply | Set to true if noreply was set in the request. The `memcache.response` field will be missing. | boolean |
-| memcache.request.opaque | The binary protocol opaque header value used for correlating request with response messages. | long |
-| memcache.request.opcode | The binary protocol message opcode name. | keyword |
-| memcache.request.opcode_value | The binary protocol message opcode value. | long |
-| memcache.request.quiet | Set to true if the binary protocol message is to be treated as a quiet message. | boolean |
-| memcache.request.raw_args | The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. | keyword |
-| memcache.request.sleep_us | The sleep setting in microseconds for the 'lru_crawler sleep' command. | long |
-| memcache.request.source_class | The source class id in 'slab reassign' command. | long |
-| memcache.request.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". | keyword |
-| memcache.request.values | The list of base64 encoded values sent with the request (if present). | array |
-| memcache.request.vbucket | The vbucket index sent in the binary message. | long |
-| memcache.request.verbosity | The value of the memcache "verbosity" command. | long |
-| memcache.response.bytes | The byte count of the values being transferred. | long |
-| memcache.response.cas_unique | The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). | long |
-| memcache.response.command | Either the text based protocol response message type or the name of the originating request if binary protocol is used. | keyword |
-| memcache.response.count_values | The number of values found in the memcache response message. If the command does not send any data, this field is missing. | long |
-| memcache.response.error_msg | The optional error message in the memcache response (text based protocol only). | keyword |
-| memcache.response.flags | The memcache message flags sent in the response (if present). | long |
-| memcache.response.keys | The list of keys returned for the load command (if present). | array |
-| memcache.response.opaque | The binary protocol opaque header value used for correlating request with response messages. | long |
-| memcache.response.opcode | The binary protocol message opcode name. | keyword |
-| memcache.response.opcode_value | The binary protocol message opcode value. | long |
-| memcache.response.stats | The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". | array |
-| memcache.response.status | The textual representation of the response error code (binary protocol only). | keyword |
-| memcache.response.status_code | The status code value returned in the response (binary protocol only). | long |
-| memcache.response.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). | keyword |
-| memcache.response.value | The counter value returned by a counter operation. | long |
-| memcache.response.values | The list of base64 encoded values sent with the response (if present). | array |
-| memcache.response.version | The returned memcache version string. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `memcached` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:09:26.564Z",
- "agent": {
- "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "data_stream": {
- "dataset": "network_traffic.memcached",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.memcached",
- "ingested": "2022-03-09T08:09:37Z",
- "kind": "event",
- "start": "2022-03-09T08:09:26.564Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "event.action": "memcache.store",
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "memcache": {
- "protocol_type": "binary",
- "request": {
- "bytes": 1024,
- "command": "set",
- "count_values": 1,
- "exptime": 0,
- "flags": 0,
- "keys": [
- "test_key"
- ],
- "opaque": 65536,
- "opcode": "SetQ",
- "opcode_value": 17,
- "quiet": true,
- "type": "Store",
- "vbucket": 0
- }
- },
- "network": {
- "bytes": 1064,
- "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=",
- "direction": "unknown",
- "protocol": "memcache",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.188.37",
- "192.168.188.38"
- ]
- },
- "server": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "source": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "status": "OK",
- "type": "memcache"
-}
-```
-
-### MongoDB
-
-Fields published for MongoDB packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | keyword |
-| mongodb.error | If the MongoDB request has resulted in an error, this field contains the error message returned by the server. | keyword |
-| mongodb.fullCollectionName | The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. | keyword |
-| mongodb.numberReturned | The number of documents in the reply. | long |
-| mongodb.numberToReturn | The requested maximum number of documents to be returned. | long |
-| mongodb.numberToSkip | Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. | long |
-| mongodb.query | A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. | keyword |
-| mongodb.returnFieldsSelector | A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. | keyword |
-| mongodb.selector | A BSON document that specifies the query for selecting the document to update or delete. | keyword |
-| mongodb.startingFrom | Where in the cursor this reply is starting. | keyword |
-| mongodb.update | A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `mongodb` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:15:48.570Z",
- "agent": {
- "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 50,
- "ip": "127.0.0.1",
- "port": 57203
- },
- "data_stream": {
- "dataset": "network_traffic.mongodb",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.mongodb",
- "duration": 1365900,
- "end": "2022-03-09T08:15:48.571Z",
- "ingested": "2022-03-09T08:15:49Z",
- "kind": "event",
- "start": "2022-03-09T08:15:48.570Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "find",
- "mongodb": {
- "cursorId": 0,
- "fullCollectionName": "test.restaurants",
- "numberReturned": 1,
- "numberToReturn": 1,
- "numberToSkip": 0,
- "startingFrom": 0
- },
- "network": {
- "bytes": 564,
- "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=",
- "direction": "ingress",
- "protocol": "mongodb",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "test.restaurants.find().limit(1)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "resource": "test.restaurants",
- "server": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "source": {
- "bytes": 50,
- "ip": "127.0.0.1",
- "port": 57203
- },
- "status": "OK",
- "type": "mongodb"
-}
-```
-
-### MySQL
-
-Fields published for MySQL packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.
| long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| mysql.affected_rows | If the MySQL command is successful, this field contains the affected number of rows of the last statement. | long | -| mysql.error_code | The error code returned by MySQL. | long | -| mysql.error_message | The error info message returned by MySQL. 
| keyword | -| mysql.insert_id | If the INSERT query is successful, this field contains the id of the newly inserted row. | keyword | -| mysql.num_fields | If the SELECT query is successful, this field is set to the number of fields returned. | long | -| mysql.num_rows | If the SELECT query is successful, this field is set to the number of rows returned. | long | -| mysql.query | The row mysql query as read from the transaction's request. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. 
| keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. 
| keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `mysql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:20:44.667Z", - "agent": { - "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "data_stream": { - "dataset": "network_traffic.mysql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mysql", - "duration": 5532500, - "end": "2022-03-09T08:20:44.673Z", - "ingested": "2022-03-09T08:20:45Z", - "kind": "event", - "start": "2022-03-09T08:20:44.667Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": 
{ - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "mysql": { - "affected_rows": 0, - "insert_id": 0, - "num_fields": 3, - "num_rows": 15 - }, - "network": { - "bytes": 3652, - "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", - "direction": "ingress", - "protocol": "mysql", - "transport": "tcp", - "type": "ipv4" - }, - "path": "test.test", - "query": "select * from test", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "source": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "status": "OK", - "type": "mysql" -} -``` - -### NFS - -Fields published for NFS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| nfs.minor_version | NFS protocol minor version number. | long | -| nfs.opcode | NFS operation name, or main operation name, in case of COMPOUND calls. | keyword | -| nfs.status | NFS operation reply status. | keyword | -| nfs.tag | NFS v4 COMPOUND operation tag. | keyword | -| nfs.version | NFS protocol version number. | long | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). 
For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| rpc.auth_flavor | RPC authentication flavor. | keyword | -| rpc.cred.gid | RPC caller's group id, in case of auth-unix. | long | -| rpc.cred.gids | RPC caller's secondary group ids, in case of auth-unix. | long | -| rpc.cred.machinename | The name of the caller's machine. | keyword | -| rpc.cred.stamp | Arbitrary ID which the caller machine may generate. | long | -| rpc.cred.uid | RPC caller's user id, in case of auth-unix. | long | -| rpc.status | RPC message reply status. | keyword | -| rpc.xid | RPC message transaction identifier. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| user.id | Unique identifier of the user. | keyword | - - -An example event for `nfs` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:24:00.569Z", - "agent": { - "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "data_stream": { - "dataset": "network_traffic.nfs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "nfs.CLOSE", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.nfs", - "duration": 6573500, - "end": "2022-03-09T08:24:00.575Z", - "ingested": "2022-03-09T08:24:01Z", - "kind": "event", - "start": "2022-03-09T08:24:00.569Z", - "type": [ - "connection", - "protocol" - ] - }, - "group.id": 48, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "host.hostname": "desycloud03.desy.de", - "network": { - "bytes": 384, - "community_id": 
"1:cd5eLXemAsSPMdXwCbdDUWWud4M=", - "direction": "unknown", - "protocol": "nfsv4", - "transport": "tcp", - "type": "ipv4" - }, - "nfs": { - "minor_version": 1, - "opcode": "CLOSE", - "status": "NFS_OK", - "tag": "", - "version": 4 - }, - "related": { - "ip": [ - "131.169.5.156", - "131.169.192.35" - ] - }, - "rpc": { - "auth_flavor": "unix", - "cred": { - "gid": 48, - "gids": [ - 48 - ], - "machinename": "desycloud03.desy.de", - "stamp": 4308441, - "uid": 48 - }, - "status": "success", - "xid": "c3103fc1" - }, - "server": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "source": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "status": "OK", - "type": "nfs", - "user.id": 48 -} -``` - -### PostgreSQL - -Fields published for PostgreSQL packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. 
access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. 
In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| pgsql.error_code | The PostgreSQL error code. | keyword | -| pgsql.error_message | The PostgreSQL error message. | keyword | -| pgsql.error_severity | The PostgreSQL error severity. | keyword | -| pgsql.num_fields | If the SELECT query if successful, this field is set to the number of fields returned. | long | -| pgsql.num_rows | If the SELECT query if successful, this field is set to the number of rows returned. | long | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. 
| long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `pgsql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:29:39.675Z", - "agent": { - "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "data_stream": { - "dataset": "network_traffic.pgsql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.pgsql", - "duration": 2568100, - "end": "2022-03-09T08:29:39.678Z", - "ingested": "2022-03-09T08:29:40Z", - "kind": "event", - "start": "2022-03-09T08:29:39.675Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - 
"architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "network": { - "bytes": 3220, - "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=", - "direction": "ingress", - "protocol": "pgsql", - "transport": "tcp", - "type": "ipv4" - }, - "pgsql": { - "num_fields": 3, - "num_rows": 15 - }, - "query": "select * from long_response", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "source": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "status": "OK", - "type": "pgsql" -} -``` - -### Redis - -Fields published for Redis packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. 
| keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. 
For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| redis.error | If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. | keyword | -| redis.return_value | The return value of the Redis command in a human readable format. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. 
The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `redis` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:30:57.254Z", - "agent": { - "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "data_stream": { - "dataset": "network_traffic.redis", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "redis.set", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.redis", - "duration": 1421600, - "end": "2022-03-09T08:30:57.256Z", - "ingested": "2022-03-09T08:30:58Z", - "kind": "event", - "start": "2022-03-09T08:30:57.254Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SET", - "network": { - "bytes": 36, - "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=", - "direction": "ingress", - "protocol": "redis", - "transport": "tcp", - "type": "ipv4" - }, - "query": "set key3 me", - "redis": { - "return_value": "OK" - }, - "related": { - "ip": [ - 
"127.0.0.1" - ] - }, - "resource": "key3", - "server": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "source": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "status": "OK", - "type": "redis" -} -``` - -### SIP - -Fields published for SIP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
| keyword |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols.
This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name.
The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| sip.accept | Accept header value. | keyword |
-| sip.allow | Allowed methods. | keyword |
-| sip.auth.realm | Auth realm | keyword |
-| sip.auth.scheme | Auth scheme | keyword |
-| sip.auth.uri.host | Auth URI host | keyword |
-| sip.auth.uri.original | Auth original URI | keyword |
-| sip.auth.uri.original.text | Multi-field of `sip.auth.uri.original`. | text |
-| sip.auth.uri.port | Auth URI port | long |
-| sip.auth.uri.scheme | Auth URI scheme | keyword |
-| sip.call_id | Call ID. | keyword |
-| sip.code | Response status code. | long |
-| sip.contact.display_info | Contact display info | keyword |
-| sip.contact.expires | Contact expires | keyword |
-| sip.contact.line | Contact line | keyword |
-| sip.contact.q | Contact Q | keyword |
-| sip.contact.transport | Contact transport | keyword |
-| sip.contact.uri.host | Contact URI host | keyword |
-| sip.contact.uri.original | Contact original URI | keyword |
-| sip.contact.uri.original.text | Multi-field of `sip.contact.uri.original`.
| text |
-| sip.contact.uri.port | Contact URI port | long |
-| sip.contact.uri.scheme | Contat URI scheme | keyword |
-| sip.contact.uri.username | Contact URI user name | keyword |
-| sip.content_length | | long |
-| sip.content_type | | keyword |
-| sip.cseq.code | Sequence code. | long |
-| sip.cseq.method | Sequence method. | keyword |
-| sip.from.display_info | From display info | keyword |
-| sip.from.tag | From tag | keyword |
-| sip.from.uri.host | From URI host | keyword |
-| sip.from.uri.original | From original URI | keyword |
-| sip.from.uri.original.text | Multi-field of `sip.from.uri.original`. | text |
-| sip.from.uri.port | From URI port | long |
-| sip.from.uri.scheme | From URI scheme | keyword |
-| sip.from.uri.username | From URI user name | keyword |
-| sip.max_forwards | | long |
-| sip.method | Request method. | keyword |
-| sip.private.uri.host | Private URI host. | keyword |
-| sip.private.uri.original | Private original URI. | keyword |
-| sip.private.uri.original.text | Multi-field of `sip.private.uri.original`. | text |
-| sip.private.uri.port | Private URI port. | long |
-| sip.private.uri.scheme | Private URI scheme. | keyword |
-| sip.private.uri.username | Private URI user name. | keyword |
-| sip.sdp.body.original | SDP original body | keyword |
-| sip.sdp.body.original.text | Multi-field of `sip.sdp.body.original`. | text |
-| sip.sdp.connection.address | SDP connection address | keyword |
-| sip.sdp.connection.info | SDP connection info | keyword |
-| sip.sdp.owner.ip | SDP owner IP | ip |
-| sip.sdp.owner.session_id | SDP owner session ID | keyword |
-| sip.sdp.owner.username | SDP owner user name | keyword |
-| sip.sdp.owner.version | SDP owner version | keyword |
-| sip.sdp.session.name | SDP session name | keyword |
-| sip.sdp.version | SDP version | keyword |
-| sip.status | Response status phrase. | keyword |
-| sip.supported | Supported methods.
| keyword |
-| sip.to.display_info | To display info | keyword |
-| sip.to.tag | To tag | keyword |
-| sip.to.uri.host | To URI host | keyword |
-| sip.to.uri.original | To original URI | keyword |
-| sip.to.uri.original.text | Multi-field of `sip.to.uri.original`. | text |
-| sip.to.uri.port | To URI port | long |
-| sip.to.uri.scheme | To URI scheme | keyword |
-| sip.to.uri.username | To URI user name | keyword |
-| sip.type | Either request or response. | keyword |
-| sip.uri.host | The URI host. | keyword |
-| sip.uri.original | The original URI. | keyword |
-| sip.uri.original.text | Multi-field of `sip.uri.original`. | text |
-| sip.uri.port | The URI port. | long |
-| sip.uri.scheme | The URI scheme. | keyword |
-| sip.uri.username | The URI user name. | keyword |
-| sip.user_agent.original | | keyword |
-| sip.user_agent.original.text | Multi-field of `sip.user_agent.original`. | text |
-| sip.version | SIP protocol version. | keyword |
-| sip.via.original | The original Via value. | keyword |
-| sip.via.original.text | Multi-field of `sip.via.original`. | text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`.
| match_only_text |
-
-
-An example event for `sip` looks as following:
-
-```json
-{
- "@timestamp": "2022-05-13T07:10:35.715Z",
- "agent": {
- "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013",
- "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.2.0"
- },
- "client": {
- "ip": "10.0.2.20",
- "port": 5060
- },
- "data_stream": {
- "dataset": "network_traffic.sip",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "10.0.2.15",
- "port": 5060
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "action": "sip-invite",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.sip",
- "duration": 0,
- "end": "2022-05-13T07:10:35.715Z",
- "ingested": "2022-05-13T07:10:39Z",
- "kind": "event",
- "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n",
- "sequence": 1,
- "start": "2022-05-13T07:10:35.715Z",
- "type": [
- "info"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": false,
- "hostname": "docker-fleet-agent",
- "ip": [
- "172.31.0.7"
- ],
- "mac": [
- "02-42-AC-1F-00-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.104-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "network": {
-
"application": "sip",
- "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
- "direction": "unknown",
- "iana_number": "17",
- "protocol": "sip",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "hosts": [
- "10.0.2.15",
- "10.0.2.20"
- ],
- "ip": [
- "10.0.2.20",
- "10.0.2.15"
- ],
- "user": [
- "test",
- "sipp"
- ]
- },
- "server": {
- "ip": "10.0.2.15",
- "port": 5060
- },
- "sip": {
- "call_id": "1-2187@10.0.2.20",
- "contact": {
- "display_info": "test",
- "uri": {
- "host": "10.0.2.15",
- "original": "sip:test@10.0.2.15:5060",
- "port": 5060,
- "scheme": "sip",
- "username": "test"
- }
- },
- "content_length": 123,
- "content_type": "application/sdp",
- "cseq": {
- "code": 1,
- "method": "INVITE"
- },
- "from": {
- "display_info": "DVI4/8000",
- "tag": "1",
- "uri": {
- "host": "10.0.2.20",
- "original": "sip:sipp@10.0.2.20:5060",
- "port": 5060,
- "scheme": "sip",
- "username": "sipp"
- }
- },
- "max_forwards": 70,
- "method": "INVITE",
- "sdp": {
- "body": {
- "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n"
- },
- "connection": {
- "address": "10.0.2.20",
- "info": "IN IP4 10.0.2.20"
- },
- "owner": {
- "ip": "10.0.2.20",
- "session_id": "42",
- "version": "42"
- },
- "version": "0"
- },
- "to": {
- "display_info": "test",
- "uri": {
- "host": "10.0.2.15",
- "original": "sip:test@10.0.2.15:5060",
- "port": 5060,
- "scheme": "sip",
- "username": "test"
- }
- },
- "type": "request",
- "uri": {
- "host": "10.0.2.15",
- "original": "sip:test@10.0.2.15:5060",
- "port": 5060,
- "scheme": "sip",
- "username": "test"
- },
- "version": "2.0",
- "via": {
- "original": [
- "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0"
- ]
- }
- },
- "source": {
- "ip": "10.0.2.20",
- "port": 5060
- },
- "status": "OK",
- "type": "sip"
-}
-```
-
-### Thrift
-
-Fields published for Thrift packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type.
| constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses.
| keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
| text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| thrift.exceptions | If the call resulted in exceptions, this field contains the exceptions in a human readable format. | keyword |
-| thrift.params | The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. | keyword |
-| thrift.return_value | The value returned by the Thrift-RPC call. This is encoded in a human readable format.
| keyword |
-| thrift.service | The name of the Thrift-RPC service as defined in the IDL files. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `thrift` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:33:31.022Z",
- "agent": {
- "ephemeral_id": "de52c04f-60dd-4ed1-a501-b297caa5c67c",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "data_stream": {
- "dataset": "network_traffic.thrift",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 9090
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.thrift",
- "duration": 1394000,
- "end": "2022-03-09T08:33:31.023Z",
- "ingested": "2022-03-09T08:33:32Z",
- "kind": "event",
- "start": "2022-03-09T08:33:31.022Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "testByte",
- "network": {
- "bytes": 50,
- "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=",
- "direction": "ingress",
- "protocol": "thrift",
- "transport": "tcp",
- "type": "ipv4"
- },
- "path": "",
- "query": "testByte(1: 63)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 25,
- "ip":
"127.0.0.1",
- "port": 9090
- },
- "source": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "status": "OK",
- "thrift": {
- "params": "(1: 63)",
- "return_value": "63"
- },
- "type": "thrift"
-}
-```
-
-### TLS
-
-Fields published for TLS packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on.
| keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds.
If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
| long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. 
For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. 
| long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| tls.cipher | String indicating the cipher used during the current connection. | keyword | -| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword | -| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword | -| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | -| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | -| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. 
| date | -| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date | -| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | -| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword | -| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. | keyword | -| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.country | List of country (C) codes | keyword | -| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.locality | List of locality names (L) | keyword | -| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date | -| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
| keyword | -| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| tls.client.x509.public_key_size | The size of the public key space in bits. | long | -| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.client.x509.subject.country | List of country (C) code | keyword | -| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| tls.client.x509.subject.locality | List of locality names (L) | keyword | -| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.client.x509.version_number | Version of x509 format. | keyword | -| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword | -| tls.detailed.alert_types | An array containing the TLS alert type for every alert received. | keyword | -| tls.detailed.client_certificate_chain | Chain of trust for the client certificate. | array | -| tls.detailed.client_certificate_requested | Whether the server has requested the client to authenticate itself using a client certificate. | boolean | -| tls.detailed.client_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. 
| keyword | -| tls.detailed.client_hello.extensions.application_layer_protocol_negotiation | List of application-layer protocols the client is willing to use. | keyword | -| tls.detailed.client_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. | keyword | -| tls.detailed.client_hello.extensions.server_name_indication | List of hostnames | keyword | -| tls.detailed.client_hello.extensions.session_ticket | Length of the session ticket, if provided, or an empty string to advertise support for tickets. | keyword | -| tls.detailed.client_hello.extensions.signature_algorithms | List of signature algorithms that may be use in digital signatures. | keyword | -| tls.detailed.client_hello.extensions.status_request.request_extensions | The number of certificate extensions for the request. | short | -| tls.detailed.client_hello.extensions.status_request.responder_id_list_length | The length of the list of trusted responders. | short | -| tls.detailed.client_hello.extensions.status_request.type | The type of the status request. Always "ocsp" if present. | keyword | -| tls.detailed.client_hello.extensions.supported_groups | List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. | keyword | -| tls.detailed.client_hello.extensions.supported_versions | List of TLS versions that the client is willing to use. | keyword | -| tls.detailed.client_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword | -| tls.detailed.client_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword | -| tls.detailed.client_hello.supported_compression_methods | The list of compression methods the client supports. 
See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml | keyword | -| tls.detailed.client_hello.version | The version of the TLS protocol by which the client wishes to communicate during this session. | keyword | -| tls.detailed.ocsp_response | The result of an OCSP request. | keyword | -| tls.detailed.resumption_method | If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. | keyword | -| tls.detailed.server_certificate_chain | Chain of trust for the server certificate. | array | -| tls.detailed.server_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. | keyword | -| tls.detailed.server_hello.extensions.application_layer_protocol_negotiation | Negotiated application layer protocol | keyword | -| tls.detailed.server_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. | keyword | -| tls.detailed.server_hello.extensions.session_ticket | Used to announce that a session ticket will be provided by the server. Always an empty string. | keyword | -| tls.detailed.server_hello.extensions.status_request.response | Whether a certificate status request response was made. | boolean | -| tls.detailed.server_hello.extensions.supported_versions | Negotiated TLS version to be used. | keyword | -| tls.detailed.server_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword | -| tls.detailed.server_hello.selected_compression_method | The compression method selected by the server from the list provided in the client hello. | keyword | -| tls.detailed.server_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword | -| tls.detailed.server_hello.version | The version of the TLS protocol that is used for this session. 
It is the highest version supported by the server not exceeding the version requested in the client hello. | keyword | -| tls.detailed.version | The version of the TLS protocol used. | keyword | -| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean | -| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword | -| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean | -| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword | -| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. | keyword | -| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. 
| keyword | -| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | -| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date | -| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date | -| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword | -| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.country | List of country (C) codes | keyword | -| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.locality | List of locality names (L) | keyword | -| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date | -| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. 
| long | -| tls.server.x509.public_key_size | The size of the public key space in bits. | long | -| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.server.x509.subject.country | List of country (C) code | keyword | -| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| tls.server.x509.subject.locality | List of locality names (L) | keyword | -| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.version_number | Version of x509 format. | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `tls` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:34:08.391Z", - "agent": { - "ephemeral_id": "5f0bae3e-11e9-4578-9a69-fa5e61bd6b09", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "ip": "192.168.1.36", - "port": 60946 - }, - "data_stream": { - "dataset": "network_traffic.tls", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "domain": "play.google.com", - "ip": "216.58.201.174", - "port": 443 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.tls", - "duration": 14861200, - "end": "2022-03-09T08:34:08.406Z", - "ingested": "2022-03-09T08:34:09Z", - "kind": "event", - "start": "2022-03-09T08:34:08.391Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "community_id": "1:hfsK5r0tJm7av4j7BtSxA6oH9xA=", - "direction": "unknown", - "protocol": "tls", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.1.36", - "216.58.201.174" - ] - }, - "server": { - "domain": "play.google.com", - "ip": "216.58.201.174", - "port": 443 - }, - "source": { - "ip": "192.168.1.36", - "port": 60946 - }, - "status": "OK", - "tls": { - "cipher": "TLS_AES_128_GCM_SHA256", - "client": { - "ja3": "d470a3fa301d80227bc5650c75567d25", - "server_name": "play.google.com", - 
"supported_ciphers": [ - "TLS_AES_128_GCM_SHA256", - "TLS_CHACHA20_POLY1305_SHA256", - "TLS_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA" - ] - }, - "detailed": { - "client_certificate_requested": false, - "client_hello": { - "extensions": { - "_unparsed_": [ - "23", - "renegotiation_info", - "status_request", - "51", - "45", - "28", - "41" - ], - "application_layer_protocol_negotiation": [ - "h2", - "http/1.1" - ], - "ec_points_formats": [ - "uncompressed" - ], - "server_name_indication": [ - "play.google.com" - ], - "signature_algorithms": [ - "ecdsa_secp256r1_sha256", - "ecdsa_secp384r1_sha384", - "ecdsa_secp521r1_sha512", - "rsa_pss_sha256", - "rsa_pss_sha384", - "rsa_pss_sha512", - "rsa_pkcs1_sha256", - "rsa_pkcs1_sha384", - "rsa_pkcs1_sha512", - "ecdsa_sha1", - "rsa_pkcs1_sha1" - ], - "supported_groups": [ - "x25519", - "secp256r1", - "secp384r1", - "secp521r1", - "ffdhe2048", - "ffdhe3072" - ], - "supported_versions": [ - "TLS 1.3", - "TLS 1.2", - "TLS 1.1", - "TLS 1.0" - ] - }, - "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", - "supported_compression_methods": [ - "NULL" - ], - "version": "3.3" - }, - "resumption_method": "id", - "server_hello": { - "extensions": { - "_unparsed_": [ - "41", - "51" - ], - "supported_versions": "TLS 1.3" - }, - "selected_compression_method": "NULL", - "session_id": 
"5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", - "version": "3.3" - }, - "version": "TLS 1.3" - }, - "established": true, - "resumed": true, - "version": "1.3", - "version_protocol": "tls" - }, - "type": "tls" -} -``` - -## Licensing for Windows Systems - -The Network Packet Capture Integration incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project"). \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index 16f534dd5e..0000000000 --- a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "Overview of DNS request and response metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":13,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":11,\"x\":13,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-65120940-1454-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-dns-query-summary", - "name": 
"panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-dns-request-status-over-time", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-dns-question-types", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dns-top-10-questions", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-dns-response-codes", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json deleted file mode 100755 index 7562508a09..0000000000 --- a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "DHCPv4 Overview", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"3\",\"w\":11,\"x\":37,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"8\",\"w\":13,\"x\":24,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - 
"dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "5:panel_5", - "type": "search" - }, - { - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "name": "8:panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-cassandra.json b/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-cassandra.json deleted file mode 100755 index 489417c609..0000000000 --- a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-cassandra.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":36,\"y\":8},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":12,\"x\":24,\"y\":8},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":12,\"x\":12,\"y\":8},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\
":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"cassandra.request.query\",\"cassandra.response.result.rows.meta.keyspace\",\"cassandra.response.result.rows.meta.table\",\"cassandra.response.result.rows.num_rows\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"search\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Cassandra", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-cassandra-responsekeyspace", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetype", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetime", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcount", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-ops", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountstackbytype", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsecountstackbytype", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountbytype", - "name": "17:panel_17", - "type": 
"visualization" - }, - { - "id": "network_traffic-cassandra-responsecountbytype", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-queryview", - "name": "20:panel_20", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-dashboard.json b/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-dashboard.json deleted file mode 100755 index c1dee3dfea..0000000000 --- a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-dashboard.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "Network Packet Capture overview dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"2\",\"w\":12,\"x\":36,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"
},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":12,\"x\":24,\"y\":20},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"3f5bc195-da9d-4ec8-a68f-896db321a54b\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"9638dc3f-f85a-4e68-8e14-25654df43f8e\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"client.geo.location\\\",\\\"id\\\":\\\"220c104b-34a8-4aa7-a3d6-7b56ad4d3b9e\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":2.4,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"agent.type:packetbeat\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerC
ontrol\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"[Network Packet Capture] Map 2\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":40.9799,\"maxLon\":90,\"minLat\":0,\"minLon\":-90},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":2.4},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"title\":\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\",\"type\":\"map\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dashboard", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-web-transactions", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-db-transactions", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-errors-count-over-time", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-errors-vs-successful-transactions", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-latency-histogram", - "name": "8:panel_8", - "type": "visualization" - 
}, - { - "id": "network_traffic-response-times-repartition", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "92e797bb-1975-4320-9d19-9b7f11e9e538:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-dns-unique-domains.json b/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-dns-unique-domains.json deleted file mode 100755 index d6f50f2545..0000000000 --- a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-dns-unique-domains.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "Detecting tunneling over DNS.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"NOT dns.question.type:PTR\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique Subdomain Count\":\"#EF843C\",\"Unique count of dns.question.name\":\"#E0752D\"},\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Tunneling", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-unique-domains", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-unique-fqdns-per-etld-1", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"network_traffic-bytes-transferred-per-domain", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-flows.json b/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-flows.json deleted file mode 100755 index 13b51d1106..0000000000 --- a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-flows.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"3\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":35,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Network Flows", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-top-hosts-creating-traffic", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-connections-over-time", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-top-hosts-receiving-traffic", - "name": "panel_3", - "type": "visualization" - }, - { - "id": 
"network_traffic-network-traffic-between-your-hosts", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-http.json b/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-http.json deleted file mode 100755 index 0699eb175a..0000000000 --- a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-http.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":36,\"x\":12,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] HTTP", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": 
"network_traffic-web-transactions", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes-evolution", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-total-number-of-http-transactions", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-http-codes-for-the-top-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-10-http-requests", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-mongodb-performance.json b/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-mongodb-performance.json deleted file mode 100755 index 76b41ed6ac..0000000000 --- a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-mongodb-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"6\",\"w\":32,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":35},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] MongoDB", - "version": 1 - }, - "coreMigrationVersion": 
"7.17.0", - "id": "network_traffic-mongodb-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-commands", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors-per-collection", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-in-slash-out-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-response-times-by-collection", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-slowest-mongodb-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-mysql-performance.json b/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-mysql-performance.json deleted file mode 100755 index 6e51b19d93..0000000000 --- a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-mysql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network 
Packet Capture] MySQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-methods", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-throughput", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-mysql-queries", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-mysql-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-response-times-percentiles", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-reads-vs-writes", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-nfs.json b/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-nfs.json deleted file mode 100755 index 2b9bfc8b82..0000000000 --- a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-nfs.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "NFSv3 and NFSv4 transactions over TCP.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":25,\"i\":\"1\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":10},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":30,\"i\"
:\"9\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"9\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"10\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_8\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] NFS", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-clients-pie-chart", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operations-area-chart", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-group-pie-chart", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-users-pie-chart", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-response-times", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-errors", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operation-table", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-bytes-in-slash-out", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-pgsql-performance.json b/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-pgsql-performance.json deleted file mode 100755 index 462ad7a8be..0000000000 --- a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-pgsql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Postgres database query performance.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - 
"timeRestore": false, - "title": "[Network Packet Capture] PgSQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-methods", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-response-times-percentiles", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-reads-vs-writes", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-pgsql-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-pgsql-queries", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-thrift-performance.json b/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-thrift-performance.json deleted file mode 100755 index fe50a1efbd..0000000000 --- a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-thrift-performance.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Thrift performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-performance", 
- "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-requests-per-minute", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-rpc-errors", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-thrift-rpc-methods", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-methods", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "name": "7:panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-tls-sessions.json b/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-tls-sessions.json deleted file mode 100755 index 876601f994..0000000000 --- a/packages/network_traffic/1.0.0/kibana/dashboard/network_traffic-tls-sessions.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "[Network Packet Capture] TLS Sessions", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"8\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":12,\"x\":12,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":12,\"x\":0,\"y\":16},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":40},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"12\",\"w\":12,\"x\":24,\"y\":28},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":12,\"x\":36,\"y\":28},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":12,\"x\":0,\"y\":28},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"ver
sion\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"19\",\"w\":36,\"x\":12,\"y\":16},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-tls-sessions", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "name": "12:panel_12", - 
"type": "visualization" - }, - { - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index afb21d2457..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 67be55b24a..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.ja3\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.ja3\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Fingerprint", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index 6d16385a7d..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] HTTP Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 438de0c09a..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"event.duration\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Handshake Latency", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index b2320634bf..0000000000 
--- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.server.x509.public_key_size\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.server.x509.public_key_size\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Server Public Key Size", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json deleted file mode 100755 index 7851d8f875..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.server_name\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.server_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Server Name Indication", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json deleted file mode 100755 index 44b4e814c2..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "columns": [ - "dhcpv4.transaction_id", - "dhcpv4.op_code", - "dhcpv4.option.message_type", - "source.ip", - "destination.ip", - "dhcpv4.client_mac", - "dhcpv4.option.hostname", - "dhcpv4.option.class_identifier" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json deleted file mode 100755 index 48114ab869..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.detailed.version\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.detailed.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Version", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-cassandra-queryview.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-cassandra-queryview.json deleted file mode 100755 index 4da4785f32..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-cassandra-queryview.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "cassandra.request.query", - "cassandra.response.result.rows.meta.keyspace", - "cassandra.response.result.rows.meta.table", - "cassandra.response.result.rows.num_rows" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cassandra.request.headers.op\",\"negate\":false,\"params\":{\"query\":\"QUERY\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"QUERY\"},\"query\":{\"match\":{\"cassandra.request.headers.op\":{\"query\":\"QUERY\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"cassandra.response.headers.op\",\"negate\":true,\"params\":{\"query\":\"ERROR\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ERROR\"},\"query\":{\"match\":{\"cassandra.response.headers.op\":{\"query\":\"ERROR\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Query Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-queryview", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json deleted file mode 100755 index e042ed47b0..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "server.ip", - "destination.ip", - "dns.question.name", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"dns\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"dns\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"dns\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DNS Protocol", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json deleted file mode 100755 index adda40afe3..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json deleted file mode 100755 index 54ccb16243..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":\"TLS sessions\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-flows-search.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-flows-search.json deleted file mode 100755 index 94bf5f31c0..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-flows-search.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "type", - "event.start", - "event.end", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "source.bytes", - "destination.bytes" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.flow\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Flows Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json deleted file mode 100755 index f3f1e907c0..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb and request: \\\"writeConcern w 0\\\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB transactions with write concern 0", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-mongodb-transactions.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-mongodb-transactions.json deleted file mode 100755 index 71fb0f7d06..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-mongodb-transactions.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB Transaction Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-mysql-errors.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-mysql-errors.json deleted file mode 100755 index e6696d3dfe..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-mysql-transactions.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-mysql-transactions.json deleted file mode 100755 index 035e4af69f..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-mysql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-nfs-errors-search.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-nfs-errors-search.json deleted file mode 100755 index 234a135c17..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-nfs-errors-search.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFSERR_NOENT\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFS_OK\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Error Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" 
-} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-nfs.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-nfs.json deleted file mode 100755 index 637ab8785a..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-nfs.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-pgsql-errors.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-pgsql-errors.json deleted file mode 100755 index e1e696c06b..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-pgsql-transactions.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-pgsql-transactions.json deleted file mode 100755 index 4cf83e438b..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-pgsql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-search.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-search.json deleted file mode 100755 index b8dcde28ff..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-search.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-thrift-errors.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-thrift-errors.json deleted file mode 100755 index 4ada45ff68..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-thrift-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-thrift-transactions.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-thrift-transactions.json deleted file mode 100755 index d561697995..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-thrift-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/search/network_traffic-transactions-errors.json b/packages/network_traffic/1.0.0/kibana/search/network_traffic-transactions-errors.json deleted file mode 100755 index 26f67d32a2..0000000000 --- a/packages/network_traffic/1.0.0/kibana/search/network_traffic-transactions-errors.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Transactions Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-transactions-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - 
{ - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json deleted file mode 100755 index 72cce261f0..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Sessions", - "uiStateJSON": "{\"vis\":{\"colors\":{\"false\":\"#E24D42\",\"true\":\"#7EB26D\"},\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sessions per minute\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Handshake completed\",\"field\":\"tls.established\",\"json\":\"\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"
},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Sessions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index 428c808c1b..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] Total Number of TLS Sessions", - "uiStateJSON": "{\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-7\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total Number of TLS Sessions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json
deleted file mode 100755
index 3d5fc5d68c..0000000000
--- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.server.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Organization\",\"field\":\"tls.server.x509.subject.organization\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Server Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index a9a6b6d585..0000000000 
--- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Versions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TLS version\",\"field\":\"tls.detailed.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Versions\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json deleted file mode 100755 index 5c709d21ab..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Client Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique MACs\",\"field\":\"dhcpv4.client_mac\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Client Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 238ff5fe1b..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Session Resume", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"\",\"field\":\"tls.detailed.resumption_method\",\"json\":\"{\\n\\\"missing\\\": \\\"none\\\"\\n}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Session Resume\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index 28758eb761..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Message Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Op Code\",\"field\":\"dhcpv4.op_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message Type\",\"field\":\"dhcpv4.option.message_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DHCPv4 Message Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json deleted file mode 100755 index dfd0b9c2df..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Cipher", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cipher\",\"field\":\"tls.cipher\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Cipher\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json deleted file mode 100755 index 69216a897d..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"dhcpv4.option.message_type:nak OR dhcpv4.option.message_type:decline\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 NAK and Decline Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":57,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 NAK and Decline Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index e347b89b8e..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Avg Response Time (ns)\":\"#629E51\",\"Max Response Time (ns)\":\"#E24D42\",\"Min Response Time (ns)\":\"#70DBED\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Max Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"max\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"4\",\"label\":\"Min Response Time 
(ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"1\",\"label\":\"Avg Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Max Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Average event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json deleted file mode 100755 index 27390bc2a6..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"}}" - }, - "title": "[Network Packet Capture] DHCPv4 Message Types over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"c2cf4410-8ba8-11e8-ae15-bdcba81344e6\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"type:dhcpv4\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"ignore_global_filter\":0,\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"NOT dhcpv4.option.message_type:nak NOT dhcpv4.option.message_type:decline\"},\"formatter\":\"number\",\"id\":\"8abe6eb0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"Response\",\"line_width\":1,\"metrics\":[{\"id\":\"8abe6eb1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"dhcpv4.option.message_type\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.message_type:nak\"},\"formatter\":\"number\",\"id\":\"ae5610d0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"nak\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"ae5610d1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.
message_type:decline\"},\"formatter\":\"number\",\"id\":\"cf7ba180-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"decline\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"cf7ba181-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"[Network Packet Capture] DHCPv4 Message Types over Time\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 23e4ad24db..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Client Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.client.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Signature Algorithm\",\"field\":\"tls.client.x509.signature_algorithm\",\"json\":\"{ \\\"missing\\\": \\\"N/A\\\" }\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Client Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index e100d4e38f..0000000000 
--- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Name Indication", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Server Name Indication\",\"field\":\"tls.client.server_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"hideLabel\":false,\"maxFontSize\":64,\"minFontSize\":14,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"[Network Packet Capture] TLS Server Name Indication\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 204f509a93..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Fingerprint", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"JA3 Fingerprint\",\"field\":\"tls.client.ja3\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Fingerprint\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index c8ca05e364..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Public Key Size", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Public Key Size\",\"field\":\"tls.server.x509.public_key_size\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] Server Public Key Size\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index 7d805b99d1..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Client and Servers Pie Chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Client and Servers Pie Chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json deleted file mode 100755 index 6b89c0127d..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Bytes Transferred per Domain", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Bytes In\":\"#F2C96D\",\"Bytes Out\":\"#629E51\",\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Bytes Out\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Bytes 
In\"},\"mode\":\"normal\",\"show\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"grouped\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Bytes Transferred per Domain\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bytes-transferred-per-domain", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json deleted file mode 100755 index 1b5f21f993..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"exists\\\":{\\\"field\\\":\\\"tls\\\"}}\"},\"query\":{\"exists\":{\"field\":\"tls\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] TLS Alerts", - "uiStateJSON": "{\"vis\":{\"colors\":{\"None\":\"#7EB26D\",\"handshake_failure\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"tls.detailed.alert_types\",\"include\":\".*\",\"json\":\"{\\\"missing\\\": \\\"None\\\"}\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Alerts\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-ops.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-ops.json deleted file mode 100755 index fcdb742965..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-ops.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra Ops", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra Ops\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-ops", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-requestcount.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-requestcount.json deleted file mode 100755 index ac31b1fa2f..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-requestcount.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCount", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCount\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcount", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json deleted file mode 100755 index be3352be29..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":\"13\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json deleted file mode 100755 index 9e1ebf6056..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json deleted file mode 100755 index 17a71a0e30..0000000000 
--- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"radiusRatio\":\"15\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra: ResponseCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json deleted file mode 100755 index ee9d47e2f6..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json deleted file mode 100755 index 2f203d6dd9..0000000000 
--- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseKeyspace", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.keyspace\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.table\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseKeyspace\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsekeyspace", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsetime.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsetime.json deleted file mode 100755 index 152ebf53ef..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsetime.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseTime", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[5,25,50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseTime\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetime", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsetype.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsetype.json deleted file mode 100755 index 85c2b4d398..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-cassandra-responsetype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseType\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-connections-over-time.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-connections-over-time.json deleted file mode 100755 index 97d4affdf5..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-connections-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Connections over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Flows\",\"field\":\"flow.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique 
Flows\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Connections over time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-connections-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index d8cedfb7c3..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Transaction Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Transactions\",\"field\":\"dhcpv4.transaction_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Transaction Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 856211710f..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"params\":{\"gte\":0,\"lt\":1000000000},\"type\":\"range\",\"value\":\"0 to 1,000,000,000\"},\"range\":{\"event.duration\":{\"gte\":0,\"lt\":1000000000}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Handshake Latency", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Handshake Latency (ns)\",\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":2000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"m
ode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Handshake Latency\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-db-transactions.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-db-transactions.json deleted file mode 100755 index 475882f60d..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-db-transactions.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.type\",\"negate\":true,\"params\":{\"query\":\"flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"flow\"},\"query\":{\"match\":{\"event.type\":{\"query\":\"flow\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"}}" - }, - "title": "[Network Packet Capture] Transaction Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.dataset\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count
\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Transaction Types\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-db-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json deleted file mode 100755 index 333052a373..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"}}" - }, - "title": "[Network Packet Capture] Top Domains by Data Volume", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"3\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top Domains by Data Volume\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-query-summary.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-query-summary.json deleted file mode 100755 index 1898c984d8..0000000000 
--- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-query-summary.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Query Summary", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"17\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":28,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DNS Query Summary\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-query-summary", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-question-types.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-question-types.json deleted file mode 100755 index b2a975b430..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-question-types.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Question Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Question Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-question-types", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-request-status-over-time.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-request-status-over-time.json deleted file mode 100755 index 53c1b991c8..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-request-status-over-time.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Request Status Over Time", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Error\":\"#890F02\",\"OK\":\"#0A50A1\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"
id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] DNS Request Status Over Time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-request-status-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-response-codes.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-response-codes.json deleted file mode 100755 index b9edd3cab4..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-response-codes.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Response Codes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Code\",\"field\":\"dns.response_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Response Codes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-response-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-top-10-questions.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-top-10-questions.json deleted file mode 100755 index d86db94a8d..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-dns-top-10-questions.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":false,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Top 10 Questions", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Question\",\"field\":\"dns.question.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Top 10 Questions\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-top-10-questions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json deleted file mode 100755 index b89d822540..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Avg Response 
Time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":3.5,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Avg Response Time\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Transactions\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-errors-count-over-time.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-errors-count-over-time.json deleted file mode 100755 index 5582bc6c67..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-errors-count-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors count over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"30s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] New Visualization\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-count-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-transactions-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json deleted file mode 100755 index c3ac23f5a7..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors vs successful transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"percentage\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"percentage\",\"setYExtents\":
false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Errors vs successful transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-vs-successful-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json deleted file mode 100755 index c0d680e520..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Data Transfer", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Requests\",\"field\":\"client.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Responses\",\"field\":\"server.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":24,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Data Transfer\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json deleted file mode 100755 index d8885cd43f..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP status codes for the top queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Query\",\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":false,\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] HTTP status codes for the top queries\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-codes-for-the-top-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-http-error-codes-evolution.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-http-error-codes-evolution.json deleted file mode 100755 index 479733a2af..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-http-error-codes-evolution.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"http.response.status_code\",\"negate\":true,\"params\":{\"gte\":200,\"lt\":299},\"type\":\"range\",\"value\":\"200 to 299\"},\"range\":{\"http.response.status_code\":{\"gte\":200,\"lte\":299}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes evolution", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes evolution\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes-evolution", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-http-error-codes.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-http-error-codes.json deleted file mode 100755 index 1cb90080fc..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-http-error-codes.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"type\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http and http.response.status_code \\u003e= 300\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"type\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique count of type\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-latency-histogram.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-latency-histogram.json deleted file mode 100755 index 34aa0f3d11..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-latency-histogram.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Latency Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Latency Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": 
"network_traffic-latency-histogram",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-search",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-commands.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-commands.json
deleted file mode 100755
index 87474df326..0000000000
--- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-commands.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB Commands", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"silhouette\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\
",\"scale\":{\"defaultYExtents\":false,\"mode\":\"silhouette\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB Commands\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-commands", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json deleted file mode 100755 index ea23f3560f..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors per collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueA
xes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors per collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors-per-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-errors.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-errors.json deleted file mode 100755 index 183ec66ef3..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"row\":true,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mod
e\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json deleted file mode 100755 index 74b8a6fd64..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB in/out throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of source.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Sum of 
destination.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB in/out throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-in-slash-out-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json deleted file mode 100755 index 0346b7b1cd..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB response times by collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":false,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB response times by collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-response-times-by-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json deleted file mode 100755 index 08c27fcecf..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent MySQL queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"query\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true},\"title\":\"[Network Packet Capture] Most frequent MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json deleted file mode 100755 index 6ddc08eafb..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent PgSQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Most frequent PgSQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-errors.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-errors.json deleted file mode 100755 index 25ded66860..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-mysql-errors",
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-mysql-errors",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-methods.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-methods.json
deleted file mode 100755
index 34e609f25b..0000000000
--- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-methods.json
+++ /dev/null
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"sca
le\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json deleted file mode 100755 index 4fece54090..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json deleted file mode 100755 index add1156167..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Mysql response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Mysql response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-throughput.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-throughput.json deleted file mode 100755 index fd67a3b714..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-mysql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] MySQL throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-navigation.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-navigation.json deleted file mode 100755 index 958a4a7a7c..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-navigation.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "[Network Packet Capture] Navigation", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### Network Packet Capture:\\n\\n[Overview](#/dashboard/network_traffic-dashboard)\\n\\n[Network Flows](#/dashboard/network_traffic-flows)\\n\\n[DNS Overview](#/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e) | [Tunneling](#/dashboard/network_traffic-dns-unique-domains)\\n\\n[DHCPv4 Transactions](#/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb)\\n\\n[TLS Overview](#/dashboard/network_traffic-tls-sessions)\\n\\n[HTTP transactions](#/dashboard/network_traffic-http)\\n\\nDatabases: [MySQL](#/dashboard/network_traffic-mysql-performance) | [PostgreSQL](#/dashboard/network_traffic-pgsql-performance) | [MongoDB](#/dashboard/network_traffic-mongodb-performance) | [Cassandra](#/dashboard/network_traffic-cassandra)\\n\\nRPC: [Thrift](#/dashboard/network_traffic-thrift-performance)\\n\\nStorage: [NFS](#/dashboard/network_traffic-nfs)\",\"openLinksInNewTab\":false},\"title\":\"[Network Packet Capture] Navigation\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-navigation", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json deleted file mode 100755 index 292355bbdf..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Traffic Between Hosts", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Traffic Between Hosts\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-network-traffic-between-your-hosts", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json deleted file mode 100755 index 8b550d78cf..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS Request / Response Sizes", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Sum of rpc.reply_size\":\"#7EB26D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Request Size\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Size\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Request Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Response 
Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS Request / Response Sizes\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-bytes-in-slash-out", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json deleted file mode 100755 index 4272f7571e..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS clients pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.machinename\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS clients pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-clients-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-errors.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-errors.json deleted file mode 100755 index f407f4153d..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"nfs.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":12},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"s
cale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-errors-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-operation-table.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-operation-table.json deleted file mode 100755 index 56e28320c1..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-operation-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS operation table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Opcode\",\"field\":\"nfs.opcode\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] NFS operation table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-operation-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json deleted file mode 100755 index 56cb538f8f..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS operations area chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"nfs.opcode\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":16},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS operations area chart\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-operations-area-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-response-times.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-response-times.json deleted file mode 100755 index 2ffaacd816..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-response-times.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS response times", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[50]},\"schema\":\"metric\",\"type\":\"median\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Median 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Median event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS response times\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-response-times", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json deleted file mode 100755 index c1b2816c13..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS top group pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.gid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top group pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-top-group-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json deleted file mode 100755 index 543bfe7058..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS top users pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.uid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top users pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-top-users-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json deleted file mode 100755 index 770c776e13..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExte
nts\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-errors.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-errors.json deleted file mode 100755 index 88a19443ff..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-methods.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-methods.json deleted file mode 100755 index e49215022c..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scal
e\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json deleted file mode 100755 index 60be8776dd..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json deleted file mode 100755 index 66eb8b3b8b..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-throughput.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-throughput.json deleted file mode 100755 index aba4ebafd0..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-pgsql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL Throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-response-times-percentiles.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-response-times-percentiles.json deleted file mode 100755 index f43cfc0233..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,95,99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Response times percentiles\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-response-times-repartition.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-response-times-repartition.json deleted file mode 100755 index 2271bdb9a7..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-response-times-repartition.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times repartition", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"group\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{
}},\"title\":\"[Network Packet Capture] Response times repartition\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-repartition", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-slowest-mysql-queries.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-slowest-mysql-queries.json deleted file mode 100755 index 9194c62aaa..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-slowest-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest MySQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json deleted file mode 100755 index ce2d661459..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest PgSQL Queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Average Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest PgSQL Queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json deleted file mode 100755 index 777f4d7abe..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest Thrift RPC methods", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest Thrift RPC methods\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json deleted file mode 100755 index e9dee7461a..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift requests per minute", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"m\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift requests per minute\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-requests-per-minute", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json deleted file mode 100755 index 835ee06280..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Thrift response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-thrift-rpc-errors.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-thrift-rpc-errors.json deleted file mode 100755 index 37e3e901fc..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-thrift-rpc-errors.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift RPC Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift RPC Errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-rpc-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-10-http-requests.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-10-http-requests.json deleted file mode 100755 index bb5c71dbfe..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-10-http-requests.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top 10 HTTP requests", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top 10 HTTP requests\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-10-http-requests", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json deleted file mode 100755 index 842f9f29ec..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Creating Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Source 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Creating Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-creating-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json deleted file mode 100755 index 34f9d74be2..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Receiving Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Receiving Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-receiving-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json deleted file mode 100755 index e39b39b7f9..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top slowest MongoDB queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top slowest MongoDB queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-slowest-mongodb-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json deleted file mode 100755 index 3f7aee4851..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC calls with errors", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"shareYAxis\":true},\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json deleted file mode 100755 index 8add979f7b..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC methods ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Thrift-RPC methods\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json deleted file mode 100755 index 77e8f9b41a..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Total number of HTTP transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"37\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total number of HTTP transactions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-total-number-of-http-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json deleted file mode 100755 index 93a9d62de2..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1 Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Unique Domains\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1 Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json deleted file mode 100755 index e94d78a938..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Subdomain Count\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-web-transactions.json b/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-web-transactions.json deleted file mode 100755 index 354ec98cef..0000000000 --- a/packages/network_traffic/1.0.0/kibana/visualization/network_traffic-web-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP Transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-web-transactions", 
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.0/manifest.yml b/packages/network_traffic/1.0.0/manifest.yml
deleted file mode 100755
index 683d23a988..0000000000
--- a/packages/network_traffic/1.0.0/manifest.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-format_version: 1.0.0
-name: network_traffic
-title: Network Packet Capture
-version: 1.0.0
-license: basic
-description: Capture and analyze network traffic from a host with Elastic Agent.
-type: integration
-categories:
- - web
-release: ga
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-policy_templates:
- - name: network
- title: Network Packet Capture
- description: Capture network traffic
- inputs:
- - type: packet
- title: Capture network traffic
- description: Collecting network traffic
- vars:
- - name: interface
- type: text
- title: Interface
- required: false
- show_user: false
- - name: processes
- type: text
- multi: true
- title: Processes
- description: Processes to monitor (this will act as a command line grep)
- required: false
- show_user: false
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/network_traffic/1.0.1/changelog.yml b/packages/network_traffic/1.0.1/changelog.yml
deleted file mode 100755
index 0e42de3f49..0000000000
--- a/packages/network_traffic/1.0.1/changelog.yml
+++ /dev/null
@@ -1,129 +0,0 @@ -# newer versions go on top -- version: "1.0.1" - changes: - - description: Remove invalid value from `event.category`. - type: bugfix - link: https://github.com/elastic/integrations/pull/3384 -- version: "1.0.0" - changes: - - description: Release as GA. - type: enhancement - link: https://github.com/elastic/integrations/pull/3355 -- version: "0.10.1" - changes: - - description: Remove invalid value from `event.category` in SIP data set. - type: bugfix - link: https://github.com/elastic/integrations/pull/3343 -- version: "0.10.0" - changes: - - description: Add configuration options for each protocol. - type: enhancement - link: https://github.com/elastic/integrations/pull/3157 -- version: "0.9.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "0.8.2" - changes: - - description: Add missing field mappings to DNS and TLS data streams. - type: bugfix - link: https://github.com/elastic/integrations/pull/3078 -- version: "0.8.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.8.0" - changes: - - description: Change release stability to beta. - type: enhancement - link: https://github.com/elastic/integrations/pull/2793 -- version: "0.7.1" - changes: - - description: Fix mapping for tls.detailed.client_certificate_chain. - type: bugfix - link: https://github.com/elastic/integrations/pull/2793 -- version: "0.7.0" - changes: - - description: Add dashboards. Update the Kibana constraint to require 7.17.0 or 8.0.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/2762 -- version: "0.6.3" - changes: - - description: Add license note to README. - type: bugfix - link: https://github.com/elastic/integrations/pull/2809 -- version: "0.6.2" - changes: - - description: Add fields for TLS random data and OCSP status. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/2703 -- version: "0.6.1" - changes: - - description: Remove unused field metadata. - type: enhancement - link: https://github.com/elastic/integrations/pull/2648 -- version: "0.6.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2426 -- version: "0.5.1" - changes: - - description: Fix mapping for tls.detailed.server_certificate_chain - type: bugfix - link: https://github.com/elastic/integrations/pull/2517 -- version: "0.5.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2224 -- version: "0.4.2" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2097 -- version: "0.4.1" - changes: - - description: Update Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1997 - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1975 -- version: "0.4.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1669 -- version: "0.3.0" - changes: - - description: Change title to Network Packet Capture. Added timeout/period config to flows data stream. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1764 -- version: "0.2.2" - changes: - - description: Requires version 7.14.1 of the stack - type: bugfix - link: https://github.com/elastic/integrations/pull/1541 -- version: "0.2.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.2.0" - changes: - - description: Update documentation to fit mdx spec - type: enhancement - link: https://github.com/elastic/integrations/pull/1401 -- version: "0.1.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/21 diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/agent/stream/amqp.yml.hbs b/packages/network_traffic/1.0.1/data_stream/amqp/agent/stream/amqp.yml.hbs deleted file mode 100755 index 22fb1883a0..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/amqp/agent/stream/amqp.yml.hbs +++ /dev/null 
@@ -1,49 +0,0 @@
-type: amqp
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if max_body_length}}
-max_body_length: {{max_body_length}}
-{{/if}}
-{{#if parse_headers}}
-parse_headers: {{parse_headers}}
-{{/if}}
-{{#if parse_arguments}}
-parse_arguments: {{parse_arguments}}
-{{/if}}
-{{#if hide_connection_information}}
-hide_connection_information: {{hide_connection_information}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index dd8f95ef44..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing amqp traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/amqp/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/amqp/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/amqp/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/amqp/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/amqp/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/amqp/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/amqp/fields/ecs.yml deleted file mode 100755 index da1822dec9..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/amqp/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/amqp/fields/protocol.yml deleted file mode 100755 index 4b87cf176c..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/amqp/fields/protocol.yml +++ /dev/null 
@@ -1,202 +0,0 @@ -- name: amqp - type: group - fields: - - name: reply-code - type: long - description: > - AMQP reply code to an error, similar to http reply-code - - example: 404 - - name: reply-text - type: keyword - description: > - Text explaining the error. - - - name: class-id - type: long - description: > - Failing method class. - - - name: method-id - type: long - description: > - Failing method ID. - - - name: exchange - type: keyword - description: > - Name of the exchange. - - - name: exchange-type - type: keyword - description: > - Exchange type. - - example: fanout - - name: passive - type: boolean - description: > - If set, do not create exchange/queue. - - - name: durable - type: boolean - description: > - If set, request a durable exchange/queue. - - - name: exclusive - type: boolean - description: > - If set, request an exclusive queue. - - - name: auto-delete - type: boolean - description: > - If set, auto-delete queue when unused. - - - name: no-wait - type: boolean - description: > - If set, the server will not respond to the method. - - - name: consumer-tag - type: keyword - description: > - Identifier for the consumer, valid within the current channel. - - - name: delivery-tag - type: long - description: > - The server-assigned and channel-specific delivery tag. - - - name: message-count - type: long - description: > - The number of messages in the queue, which will be zero for newly-declared queues. - - - name: consumer-count - type: long - description: > - The number of consumers of a queue. - - - name: routing-key - type: keyword - description: > - Message routing key. - - - name: no-ack - type: boolean - description: > - If set, the server does not expect acknowledgements for messages. - - - name: no-local - type: boolean - description: > - If set, the server will not send messages to the connection that published them. - - - name: if-unused - type: boolean - description: > - Delete only if unused. 
- - - name: if-empty - type: boolean - description: > - Delete only if empty. - - - name: queue - type: keyword - description: > - The queue name identifies the queue within the vhost. - - - name: redelivered - type: boolean - description: > - Indicates that the message has been previously delivered to this or another client. - - - name: multiple - type: boolean - description: > - Acknowledge multiple messages. - - - name: arguments - type: object - description: > - Optional additional arguments passed to some methods. Can be of various types. - - - name: mandatory - type: boolean - description: > - Indicates mandatory routing. - - - name: immediate - type: boolean - description: > - Request immediate delivery. - - - name: content-type - type: keyword - description: > - MIME content type. - - example: text/plain - - name: content-encoding - type: keyword - description: > - MIME content encoding. - - - name: headers - type: object - object_type: keyword - description: > - Message header field table. - - - name: delivery-mode - type: keyword - description: > - Non-persistent (1) or persistent (2). - - - name: priority - type: long - description: > - Message priority, 0 to 9. - - - name: correlation-id - type: keyword - description: > - Application correlation identifier. - - - name: reply-to - type: keyword - description: > - Address to reply to. - - - name: expiration - type: keyword - description: > - Message expiration specification. - - - name: message-id - type: keyword - description: > - Application message identifier. - - - name: timestamp - type: keyword - description: > - Message timestamp. - - - name: type - type: keyword - description: > - Message type name. - - - name: user-id - type: keyword - description: > - Creating user id. - - - name: app-id - type: keyword - description: > - Creating application id. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/manifest.yml b/packages/network_traffic/1.0.1/data_stream/amqp/manifest.yml deleted file mode 100755 index 392448511a..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/amqp/manifest.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -title: AMQP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5672] - - name: max_body_length - type: integer - title: Max Body Length - description: |- - Truncate messages that are published and avoid huge messages being - indexed. - Default: 1000 - show_user: false - multi: false - required: false - - name: parse_headers - type: bool - title: Parse Headers - description: |- - Hide the header fields in header frames. - Default: false - show_user: false - multi: false - required: false - - name: parse_arguments - type: bool - title: Parse Arguments - description: |- - Hide the additional arguments of method frames. - Default: false - show_user: false - multi: false - required: false - - name: hide_connection_information - type: bool - title: Hide Connection Information - description: |- - Hide all methods relative to connection negotiation between server and - client. - Default: true - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. 
- show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: AMQP - description: Capture AMQP Traffic - template_path: amqp.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/amqp/sample_event.json b/packages/network_traffic/1.0.1/data_stream/amqp/sample_event.json deleted file mode 100755 index 9ef02f389f..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/amqp/sample_event.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:37:02.033Z", - "agent": { - "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "amqp": { - "auto-delete": false, - "consumer-count": 0, - "durable": false, - "exclusive": false, - "message-count": 0, - "no-wait": false, - "passive": false, - "queue": "hello" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "data_stream": { - "dataset": "network_traffic.amqp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "amqp.queue.declare", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.amqp", - "duration": 1325900, - "end": "2022-03-09T07:37:02.035Z", - "ingested": "2022-03-09T07:37:03Z", - "kind": "event", - "start": "2022-03-09T07:37:02.033Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - 
}, - "status": "OK", - "type": "amqp" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/agent/stream/cassandra.yml.hbs b/packages/network_traffic/1.0.1/data_stream/cassandra/agent/stream/cassandra.yml.hbs deleted file mode 100755 index 9c4ec167d1..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/cassandra/agent/stream/cassandra.yml.hbs +++ /dev/null @@ -1,49 +0,0 @@ -type: cassandra -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_request_header}} -send_request_header: {{send_request_header}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if send_response_header}} -send_response_header: {{send_response_header}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if compressor}} -compressor: {{compressor}} -{{/if}} -{{#if ignored_ops}} -ignored_ops: -{{#each ignored_ops as |ignored_op|}} - - {{ignored_op}} -{{/each}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2860fd7f9e..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing cassandra traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/cassandra/fields/protocol.yml deleted file mode 100755 index 58a2f6c12d..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/cassandra/fields/protocol.yml +++ /dev/null 
@@ -1,283 +0,0 @@ -- name: cassandra - type: group - description: Information about the Cassandra request and response. - fields: - - name: no_request - type: boolean - description: > - Indicates that there is no request because this is a PUSH message. - - - name: request - type: group - description: Cassandra request. - fields: - - name: headers - type: group - description: Cassandra request headers. - fields: - - name: version - type: keyword - description: The version of the protocol. - - name: flags - type: keyword - description: Flags applying to this frame. - - name: stream - type: keyword - description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. - - name: op - type: keyword - description: An operation type that distinguishes the actual message. - - name: length - type: long - description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). - - name: query - type: keyword - description: The CQL query which client send to cassandra. - - name: response - type: group - description: Cassandra response. - fields: - - name: headers - type: group - description: Cassandra response headers, the structure is as same as request's header. - fields: - - name: version - type: keyword - description: The version of the protocol. - - name: flags - type: keyword - description: Flags applying to this frame. - - name: stream - type: keyword - description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. - - name: op - type: keyword - description: An operation type that distinguishes the actual message. - - name: length - type: long - description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). 
- - name: result - type: group - description: Details about the returned result. - fields: - - name: type - type: keyword - description: Cassandra result type. - - name: rows - type: group - description: Details about the rows. - fields: - - name: num_rows - type: long - description: Representing the number of rows present in this result. - - name: meta - type: group - description: Composed of result metadata. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. - - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: keyspace - type: keyword - description: Indicating the name of the keyspace that has been set. - - name: schema_change - type: group - description: The result to a schema_change message. - fields: - - name: change - type: keyword - description: Representing the type of changed involved. - - name: keyspace - type: keyword - description: This describes which keyspace has changed. - - name: table - type: keyword - description: This describes which table has changed. - - name: object - type: keyword - description: This describes the name of said affected object (either the table, user type, function, or aggregate name). - - name: target - type: keyword - description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. 
- - name: name - type: keyword - description: The function/aggregate name. - - name: args - type: keyword - description: One string for each argument type (as CQL type). - - name: prepared - type: group - description: The result to a PREPARE message. - fields: - - name: prepared_id - type: keyword - description: Representing the prepared query ID. - - name: req_meta - type: group - description: This describes the request metadata. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. - - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: resp_meta - type: group - description: This describes the metadata for the result set. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. 
- - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: supported - type: flattened - description: Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. - - name: authentication - type: group - description: Indicates that the server requires authentication, and which authentication mechanism to use. - fields: - - name: class - type: keyword - description: Indicates the full class name of the IAuthenticator in use - - name: warnings - type: keyword - description: The text of the warnings, only occur when Warning flag was set. - - name: event - type: group - description: Event pushed by the server. A client will only receive events for the types it has REGISTERed to. - fields: - - name: type - type: keyword - description: Representing the event type. - - name: change - type: keyword - description: The message corresponding respectively to the type of change followed by the address of the new/removed node. - - name: host - type: keyword - description: Representing the node ip. - - name: port - type: long - description: Representing the node port. - - name: schema_change - type: group - description: The events details related to schema change. - fields: - - name: change - type: keyword - description: Representing the type of changed involved. - - name: keyspace - type: keyword - description: This describes which keyspace has changed. - - name: table - type: keyword - description: This describes which table has changed. - - name: object - type: keyword - description: This describes the name of said affected object (either the table, user type, function, or aggregate name). - - name: target - type: keyword - description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. - - name: name - type: keyword - description: The function/aggregate name. 
- - name: args - type: keyword - description: One string for each argument type (as CQL type). - - name: error - type: group - description: Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow. - fields: - - name: code - type: long - description: The error code of the Cassandra response. - - name: msg - type: keyword - description: The error message of the Cassandra response. - - name: type - type: keyword - description: The error type of the Cassandra response. - - name: details - type: group - description: The details of the error. - fields: - - name: read_consistency - type: keyword - description: Representing the consistency level of the query that triggered the exception. - - name: required - type: long - description: Representing the number of nodes that should be alive to respect consistency level. - - name: alive - type: long - description: Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). - - name: received - type: long - description: Representing the number of nodes having acknowledged the request. - - name: blockfor - type: long - description: Representing the number of replicas whose acknowledgement is required to achieve consistency level. - - name: write_type - type: keyword - description: Describe the type of the write that timed out. - - name: data_present - type: boolean - description: It means the replica that was asked for data had responded. - - name: keyspace - type: keyword - description: The keyspace of the failed function. - - name: table - type: keyword - description: The keyspace of the failed function. - - name: stmt_id - type: keyword - description: Representing the unknown ID. - - name: num_failures - type: keyword - description: Representing the number of nodes that experience a failure while executing the request. 
- - name: function - type: keyword - description: The name of the failed function. - - name: arg_types - type: keyword - description: One string for each argument type (as CQL type) of the failed function. diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/manifest.yml b/packages/network_traffic/1.0.1/data_stream/cassandra/manifest.yml deleted file mode 100755 index b05f2d1e4e..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/cassandra/manifest.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -title: Cassandra -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [9042] - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`cassandra_request` field) - is included in published events. The default is true. - show_user: false - multi: false - required: false - - name: send_request_header - type: bool - title: Send Request Header - description: |- - If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field) - is included in published events. The default is true. enable `send_request` first before enable this option. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`cassandra_response` field) - is included in published events. The default is true. - show_user: false - multi: false - required: false - - name: send_response_header - type: bool - title: Send Response Header - description: |- - If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field) - is included in published events. The default is true. enable `send_response` first before enable this option. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: compressor - type: text - title: Compressor - description: |- - Configures the default compression algorithm being used to uncompress compressed frames by name. 
Currently only `snappy` is can be configured. - By default no compressor is configured. - show_user: false - multi: false - required: false - - name: ignored_ops - type: text - title: Ignored Ops - description: This option indicates which Operator/Operators will be ignored. - show_user: false - multi: true - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Cassandra - description: Capture Cassandra Traffic - template_path: cassandra.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/cassandra/sample_event.json b/packages/network_traffic/1.0.1/data_stream/cassandra/sample_event.json deleted file mode 100755 index aa2d587c11..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/cassandra/sample_event.json +++ /dev/null 
@@ -1,125 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:43:05.888Z", - "agent": { - "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "cassandra": { - "request": { - "headers": { - "flags": "Default", - "length": 98, - "op": "QUERY", - "stream": 49, - "version": "4" - }, - "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);" - }, - "response": { - "headers": { - "flags": "Default", - "length": 39, - "op": "RESULT", - "stream": 49, - "version": "4" - }, - "result": { - "schema_change": { - "change": "CREATED", - "keyspace": "mykeyspace", - "object": "users", - "target": "TABLE" - }, - "type": "schemaChanged" - } - } - }, - "client": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "data_stream": { - "dataset": "network_traffic.cassandra", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.cassandra", - "duration": 131589500, - "end": "2022-03-09T07:43:06.019Z", - "ingested": "2022-03-09T07:43:09Z", - "kind": "event", - "start": "2022-03-09T07:43:05.888Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 155, - "community_id": 
"1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=", - "direction": "ingress", - "protocol": "cassandra", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "source": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "status": "OK", - "type": "cassandra" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs b/packages/network_traffic/1.0.1/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs deleted file mode 100755 index 2c56638255..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs +++ /dev/null @@ -1,28 +0,0 @@ -type: dhcpv4 -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a0f2d285e8..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -description: Pipeline for processing dhcpv4 traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: dhcpv4.client_mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: dhcpv4.client_mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: dhcpv4.client_mac - ignore_missing: true -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/protocol.yml deleted file mode 100755 index 0180691a5b..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dhcpv4/fields/protocol.yml +++ /dev/null 
@@ -1,177 +0,0 @@ -- name: dhcpv4 - type: group - fields: - - name: transaction_id - type: keyword - description: | - Transaction ID, a random number chosen by the - client, used by the client and server to associate - messages and responses between a client and a - server. - - name: seconds - type: long - description: | - Number of seconds elapsed since client began address acquisition or - renewal process. - - name: flags - type: keyword - description: | - Flags are set by the client to indicate how the DHCP server should - its reply -- either unicast or broadcast. - - name: client_ip - type: ip - description: The current IP address of the client. - - name: assigned_ip - type: ip - description: | - The IP address that the DHCP server is assigning to the client. - This field is also known as "your" IP address. - - name: server_ip - type: ip - description: | - The IP address of the DHCP server that the client should use for the - next step in the bootstrap process. - - name: relay_ip - type: ip - description: | - The relay IP address used by the client to contact the server - (i.e. a DHCP relay server). - - name: client_mac - type: keyword - description: The client's MAC address (layer two). - - name: server_name - type: keyword - description: | - The name of the server sending the message. Optional. Used in - DHCPOFFER or DHCPACK messages. - - name: op_code - type: keyword - example: bootreply - description: | - The message op code (bootrequest or bootreply). - - name: hops - type: long - description: The number of hops the DHCP message went through. - - name: hardware_type - type: keyword - description: | - The type of hardware used for the local network (Ethernet, - LocalTalk, etc). - - name: option - type: group - fields: - - name: message_type - type: keyword - example: ack - description: | - The specific type of DHCP message being sent (e.g. discover, - offer, request, decline, ack, nak, release, inform). 
- - name: parameter_request_list - type: keyword - description: | - This option is used by a DHCP client to request values for - specified configuration parameters. - - name: requested_ip_address - type: ip - description: | - This option is used in a client request (DHCPDISCOVER) to allow - the client to request that a particular IP address be assigned. - - name: server_identifier - type: ip - description: | - IP address of the individual DHCP server which handled this - message. - - name: broadcast_address - type: ip - description: | - This option specifies the broadcast address in use on the - client's subnet. - - name: max_dhcp_message_size - type: long - description: | - This option specifies the maximum length DHCP message that the - client is willing to accept. - - name: class_identifier - type: keyword - description: | - This option is used by DHCP clients to optionally identify the - vendor type and configuration of a DHCP client. Vendors may - choose to define specific vendor class identifiers to convey - particular configuration or other identification information - about a client. For example, the identifier may encode the - client's hardware configuration. - - name: domain_name - type: keyword - description: | - This option specifies the domain name that client should use - when resolving hostnames via the Domain Name System. - - name: dns_servers - type: ip - description: | - The domain name server option specifies a list of Domain Name - System servers available to the client. - - name: vendor_identifying_options - type: object - description: | - A DHCP client may use this option to unambiguously identify the - vendor that manufactured the hardware on which the client is - running, the software in use, or an industry consortium to which - the vendor belongs. This field is described in RFC 3925. - - name: subnet_mask - type: ip - description: | - The subnet mask that the client should use on the currnet - network. 
- - name: utc_time_offset_sec - type: long - description: | - The time offset field specifies the offset of the client's - subnet in seconds from Coordinated Universal Time (UTC). - - name: router - type: ip - description: | - The router option specifies a list of IP addresses for routers - on the client's subnet. - - name: time_servers - type: ip - description: | - The time server option specifies a list of RFC 868 time servers - available to the client. - - name: ntp_servers - type: ip - description: | - This option specifies a list of IP addresses indicating NTP - servers available to the client. - - name: hostname - type: keyword - description: | - This option specifies the name of the client. - - name: ip_address_lease_time_sec - type: long - description: | - This option is used in a client request (DHCPDISCOVER or - DHCPREQUEST) to allow the client to request a lease time for the - IP address. In a server reply (DHCPOFFER), a DHCP server uses - this option to specify the lease time it is willing to offer. - - name: message - type: text - description: | - This option is used by a DHCP server to provide an error message - to a DHCP client in a DHCPNAK message in the event of a failure. - A client may use this option in a DHCPDECLINE message to - indicate the why the client declined the offered parameters. - - name: renewal_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the RENEWING state. - - name: rebinding_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the REBINDING state. - - name: boot_file_name - type: keyword - description: | - This option is used to identify a bootfile when the 'file' field - in the DHCP header has been used for DHCP options. 
diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/1.0.1/data_stream/dhcpv4/manifest.yml deleted file mode 100755 index fc09a92781..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dhcpv4/manifest.yml +++ /dev/null @@ -1,40 +0,0 @@ -title: DHCP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [67, 68] - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: DHCP - description: Capture DHCP Traffic - template_path: dhcpv4.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/dhcpv4/sample_event.json b/packages/network_traffic/1.0.1/data_stream/dhcpv4/sample_event.json deleted file mode 100755 index 59ab870695..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dhcpv4/sample_event.json +++ /dev/null 
@@ -1,111 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:43:52.712Z", - "agent": { - "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "data_stream": { - "dataset": "network_traffic.dhcpv4", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "255.255.255.255", - "port": 67 - }, - "dhcpv4": { - "client_mac": "00-0B-82-01-FC-42", - "flags": "unicast", - "hardware_type": "Ethernet", - "hops": 0, - "op_code": "bootrequest", - "option": { - "message_type": "discover", - "parameter_request_list": [ - "Subnet Mask", - "Router", - "Domain Name Server", - "NTP Servers" - ], - "requested_ip_address": "0.0.0.0" - }, - "seconds": 0, - "transaction_id": "0x00003d1d" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dhcpv4", - "ingested": "2022-03-09T07:43:53Z", - "kind": "event", - "start": "2022-03-09T07:43:52.712Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 272, - "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", - "direction": "unknown", - "protocol": "dhcpv4", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "0.0.0.0", - "255.255.255.255" - ] - }, - "server": { - "ip": "255.255.255.255", - 
"port": 67 - }, - "source": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "status": "OK", - "type": "dhcpv4" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/data_stream/dns/agent/stream/dns.yml.hbs b/packages/network_traffic/1.0.1/data_stream/dns/agent/stream/dns.yml.hbs deleted file mode 100755 index e68885b2f8..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dns/agent/stream/dns.yml.hbs +++ /dev/null @@ -1,43 +0,0 @@ -type: dns -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if include_authorities}} -include_authorities: {{include_authorities}} -{{/if}} -{{#if include_additionals}} -include_additionals: {{include_additionals}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 70d49c51b6..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing dhcpv4 traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.1/data_stream/dns/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/dns/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dns/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/dns/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/dns/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dns/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.1/data_stream/dns/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/dns/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dns/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.1/data_stream/dns/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/dns/fields/ecs.yml deleted file mode 100755 index e2ea6f338f..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,200 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. 
- name: dns.answers.type - type: keyword -- description: |- - Array of 2 letter DNS header flags. - Expected values are: AA, TC, RD, RA, AD, CD, DO. - name: dns.header_flags - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - name: dns.op_code - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.1/data_stream/dns/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/dns/fields/protocol.yml deleted file mode 100755 index 28d506b996..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dns/fields/protocol.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: dns - type: group - fields: - - name: flags.authoritative - type: boolean - description: > - A DNS flag specifying that the responding server is an authority for the domain name used in the question. - - - name: flags.recursion_available - type: boolean - description: > - A DNS flag specifying whether recursive query support is available in the name server. - - - name: flags.recursion_desired - type: boolean - description: > - A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. - - - name: flags.authentic_data - type: boolean - description: > - A DNS flag specifying that the recursive server considers the response authentic. - - - name: flags.checking_disabled - type: boolean - description: > - A DNS flag specifying that the client disables the server signature validation of the query. - - - name: flags.truncated_response - type: boolean - description: > - A DNS flag specifying that only the first 512 bytes of the reply were returned. - - - name: question.etld_plus_one - type: keyword - description: The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. - example: amazon.co.uk. - - name: answers_count - type: long - description: > - The number of resource records contained in the `dns.answers` field. - - - name: authorities - type: object - description: > - An array containing a dictionary for each authority section from the answer. - - - name: authorities_count - type: long - description: > - The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. - - - name: authorities.name - type: keyword - description: The domain name to which this resource record pertains. 
- example: example.com. - - name: authorities.type - type: keyword - description: The type of data contained in this resource record. - example: NS - - name: authorities.class - type: keyword - description: The class of DNS data contained in this resource record. - example: IN - - name: additionals - type: object - description: > - An array containing a dictionary for each additional section from the answer. - - - name: additionals_count - type: long - description: > - The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. - - - name: additionals.name - type: keyword - description: The domain name to which this resource record pertains. - example: example.com. - - name: additionals.type - type: keyword - description: The type of data contained in this resource record. - example: NS - - name: additionals.class - type: keyword - description: The class of DNS data contained in this resource record. - example: IN - - name: additionals.ttl - description: > - The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - - type: long - - name: additionals.data - type: keyword - description: > - The data describing the resource. The meaning of this data depends on the type and class of the resource record. - - - name: opt.version - type: keyword - description: The EDNS version. - example: "0" - - name: opt.do - type: boolean - description: If set, the transaction uses DNSSEC. - - name: opt.ext_rcode - type: keyword - description: Extended response code field. - example: "BADVERS" - - name: opt.udp_size - type: long - description: Requestor's UDP payload size (in bytes). diff --git a/packages/network_traffic/1.0.1/data_stream/dns/manifest.yml b/packages/network_traffic/1.0.1/data_stream/dns/manifest.yml deleted file mode 100755 index cc5476bfad..0000000000 
--- a/packages/network_traffic/1.0.1/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,95 +0,0 @@ -title: DNS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [53] - - name: include_authorities - type: bool - title: Include Authorities - description: |- - include_authorities controls whether or not the dns.authorities field - (authority resource records) is added to messages. - Default: false - show_user: false - multi: false - required: false - - name: include_additionals - type: bool - title: Include Additionals - description: |- - include_additionals controls whether or not the dns.additionals field - (additional resource records) is added to messages. - Default: false - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - send_request controls whether or not the stringified DNS - request messages are added to the result. - Nearly all data about the request/response is available in the dns.* - fields, but this can be useful if you need visibility specifically - into the request or the response. - Default: false - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - send_response controls whether or not the stringified DNS - response messages are added to the result. - Nearly all data about the request/response is available in the dns.* - fields, but this can be useful if you need visibility specifically - into the request or the response. - Default: false - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. 
- show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: DNS - description: Capture DNS Traffic - template_path: dns.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/dns/sample_event.json b/packages/network_traffic/1.0.1/data_stream/dns/sample_event.json deleted file mode 100755 index 476a880555..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,158 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:48:42.751Z", - "agent": { - "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "data_stream": { - "dataset": "network_traffic.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "dns": { - "additionals_count": 0, - "answers": [ - { - "class": "IN", - "data": "ns-1183.awsdns-19.org", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-2007.awsdns-58.co.uk", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-66.awsdns-08.com", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-835.awsdns-40.net", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - } - ], - "answers_count": 4, - "authorities_count": 0, - "flags": { - "authentic_data": false, - "authoritative": false, - "checking_disabled": false, - "recursion_available": true, - "recursion_desired": true, - "truncated_response": false - }, - "header_flags": [ - "RD", - "RA" - ], - "id": 26187, - "op_code": "QUERY", - "question": { - "class": "IN", - "etld_plus_one": "elastic.co", - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "NS" - }, - "response_code": "NOERROR", - "type": "answer" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dns", - "duration": 68515700, - "end": "2022-03-09T07:48:42.819Z", - "ingested": "2022-03-09T07:48:43Z", - "kind": "event", - "start": 
"2022-03-09T07:48:42.751Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "QUERY", - "network": { - "bytes": 195, - "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", - "direction": "unknown", - "protocol": "dns", - "transport": "udp", - "type": "ipv4" - }, - "query": "class IN, type NS, elastic.co", - "related": { - "ip": [ - "192.168.238.68", - "8.8.8.8" - ] - }, - "resource": "elastic.co", - "server": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "source": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "status": "OK", - "type": "dns" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/data_stream/flow/agent/stream/flow.yml.hbs b/packages/network_traffic/1.0.1/data_stream/flow/agent/stream/flow.yml.hbs deleted file mode 100755 index 80f2a27460..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/flow/agent/stream/flow.yml.hbs +++ /dev/null @@ -1,23 +0,0 @@ -type: flow -{{#if timeout}} -flows.timeout: '{{timeout}}' -{{/if}} -{{#if period}} -flows.period: '{{period}}' -{{/if}} -{{#if processes}} -procs: - enabled: true - monitored: - {{#each processes}} - - cmdline_grep: {{this}} - {{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/flow/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 8a45c554fd..0000000000 
--- a/packages/network_traffic/1.0.1/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing traffic flows
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/flow/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/flow/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/flow/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/flow/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/flow/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/flow/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/flow/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/flow/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/flow/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.1/data_stream/flow/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/flow/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/flow/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.0.1/data_stream/flow/manifest.yml
deleted file mode 100755
index 4f455c6f25..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/flow/manifest.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Flows
-release: beta
-type: logs
-streams:
- - input: packet
- title: Flows
- description: Track Network Flows
- template_path: flow.yml.hbs
- vars:
- - name: period
- type: text
- title: Period
- required: false
- show_user: false
- description: Configure the reporting interval. All flows are reported at the very same point in time. Periodical reporting can be disabled by setting the value to -1. If disabled, flows are still reported once being timed out.
- default: '10s'
- - name: timeout
- type: text
- title: Flow timeout
- description: Timeout configures the lifetime of a flow. If no packets have been received for a flow within the timeout time window, the flow is killed and reported.
- required: false
- show_user: false
- default: '30s'
diff --git a/packages/network_traffic/1.0.1/data_stream/http/agent/stream/http.yml.hbs
deleted file mode 100755
index 4c2aecad10..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/http/agent/stream/http.yml.hbs
+++ /dev/null
@@ -1,85 +0,0 @@
-type: http
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if hide_keywords}}
-hide_keywords:
-{{#each hide_keywords as |hide_keyword|}}
- - {{hide_keyword}}
-{{/each}}
-{{/if}}
-{{#if send_headers}}
-send_headers: {{send_headers}}
-{{/if}}
-{{#if send_all_headers}}
-send_all_headers: {{send_all_headers}}
-{{/if}}
-{{#if redact_headers}}
-redact_headers:
-{{#each redact_headers as |redact_header|}}
- - {{redact_header}}
-{{/each}}
-{{/if}}
-{{#if include_body_for}}
-include_body_for:
-{{#each include_body_for as |include_body_for_elem|}}
- - {{include_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if include_request_body_for}}
-include_request_body_for:
-{{#each include_request_body_for as |include_request_body_for_elem|}}
- - {{include_request_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if include_response_body_for}}
-include_response_body_for:
-{{#each include_response_body_for as |include_response_body_for_elem|}}
- - {{include_response_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if decode_body}}
-decode_body: {{decode_body}}
-{{/if}}
-{{#if split_cookie}}
-split_cookie: {{split_cookie}}
-{{/if}}
-{{#if real_ip_header}}
-real_ip_header: {{real_ip_header}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if max_message_size}}
-max_message_size: {{max_message_size}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.1/data_stream/http/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index e0cbf2bf88..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/http/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing http traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/http/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/http/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.0.1/data_stream/http/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/http/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/http/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/http/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.0.1/data_stream/http/fields/ecs.yml
deleted file mode 100755
index d003c7093e..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/http/fields/ecs.yml
+++ /dev/null
@@ -1,203 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: Size in bytes of the request body.
- name: http.request.body.bytes
- type: long
-- description: Total size in bytes of the request (body and headers).
- name: http.request.bytes
- type: long
-- description: |-
- HTTP request method.
- The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
- name: http.request.method
- type: keyword
-- description: Referrer for this HTTP request.
- name: http.request.referrer
- type: keyword
-- description: Size in bytes of the response body.
- name: http.response.body.bytes
- type: long
-- description: Total size in bytes of the response (body and headers).
- name: http.response.bytes
- type: long
-- description: HTTP response status code.
- name: http.response.status_code
- type: long
-- description: HTTP version.
- name: http.version
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
- name: related.hosts
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: |-
- The domain name of the server system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: server.domain
- type: keyword
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: |-
- The field contains the file extension from the original request url, excluding the leading dot.
- The file extension is only set if it exists, as not every url has a file extension.
- The leading period must not be included. For example, the value must be "png", not ".png".
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: url.extension
- type: keyword
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.full
- type: wildcard
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: Port of the request, such as 443.
- name: url.port
- type: long
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: url.query
- type: keyword
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: url.scheme
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
diff --git a/packages/network_traffic/1.0.1/data_stream/http/fields/protocol.yml
deleted file mode 100755
index 51b73ae344..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/http/fields/protocol.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: http
- type: group
- description: Information about the HTTP request and response.
- fields:
- - name: request
- description: HTTP request
- type: group
- fields:
- - name: headers
- type: flattened
- description: >
- A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
-
- - name: response
- description: HTTP response
- type: group
- fields:
- - name: status_phrase
- type: keyword
- description: The HTTP status phrase.
- example: Not Found
- - name: headers
- type: flattened
- description: >
- A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
-
diff --git a/packages/network_traffic/1.0.1/data_stream/http/manifest.yml
deleted file mode 100755
index f16188331c..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/http/manifest.yml
+++ /dev/null
@@ -1,173 +0,0 @@
-title: HTTP
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [80, 8080, 8000, 5000, 8002]
- - name: hide_keywords
- type: text
- title: Hide Keywords
- description: |-
- Uncomment the following to hide certain parameters in URL or forms attached
- to HTTP requests. The names of the parameters are case insensitive.
- The value of the parameters will be replaced with the 'xxxxx' string.
- This is generally useful for avoiding storing user passwords or other
- sensitive information.
- Only query parameters and top level form parameters are replaced.
- show_user: false
- multi: true
- required: false
- - name: send_headers
- type: bool
- title: Send Headers
- description: |-
- A list of header names to capture and send to Elasticsearch. These headers
- are placed under the `headers` dictionary in the resulting JSON.
- show_user: false
- multi: false
- required: false
- - name: send_all_headers
- type: bool
- title: Send All Headers
- description: |-
- Instead of sending a white list of headers to Elasticsearch, you can send
- all headers by setting this option to true. The default is false.
- show_user: false
- multi: false
- required: false
- - name: redact_headers
- type: text
- title: Redact Headers
- description: |-
- A list of headers to redact if present in the HTTP request. This will keep
- the header field present, but will redact it's value to show the headers
- presence.
- show_user: false
- multi: true
- required: false
- - name: include_body_for
- type: text
- title: Include Body For
- description: |-
- The list of content types for which Packetbeat includes the full HTTP
- payload.
If the request's or response's Content-Type matches any on this
- list, the full body will be included under the request or response field.
- show_user: false
- multi: true
- required: false
- - name: include_request_body_for
- type: text
- title: Include Request Body For
- description: |-
- The list of content types for which Packetbeat includes the full HTTP
- request payload.
- show_user: false
- multi: true
- required: false
- - name: include_response_body_for
- type: text
- title: Include Response Body For
- description: |-
- The list of content types for which Packetbeat includes the full HTTP
- response payload.
- show_user: false
- multi: true
- required: false
- - name: decode_body
- type: bool
- title: Decode Body
- description: |-
- Whether the body of a request must be decoded when a content-encoding
- or transfer-encoding has been applied.
- show_user: false
- multi: false
- required: false
- - name: split_cookie
- type: bool
- title: Split Cookie
- description: |-
- If the Cookie or Set-Cookie headers are sent, this option controls whether
- they are split into individual values.
- show_user: false
- multi: false
- required: false
- - name: real_ip_header
- type: bool
- title: Real Ip Header
- description: |-
- The header field to extract the real IP from. This setting is useful when
- you want to capture traffic behind a reverse proxy, but you want to get the
- geo-location information.
- show_user: false
- multi: false
- required: false
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: max_message_size
- type: integer
- title: Max Message Size
- description: |-
- Maximum message size. If an HTTP message is larger than this, it will
- be trimmed to this size. Default is 10 MB.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: HTTP
- description: Capture HTTP Traffic
- template_path: http.yml.hbs
diff --git a/packages/network_traffic/1.0.1/data_stream/http/sample_event.json b/packages/network_traffic/1.0.1/data_stream/http/sample_event.json
deleted file mode 100755
index f07301394b..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/http/sample_event.json
+++ /dev/null
@@ -1,139 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:54:42.031Z",
- "agent": {
- "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "data_stream": {
- "dataset": "network_traffic.http",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.http",
- "duration": 141490400,
- "end": "2022-03-09T07:54:42.172Z",
- "ingested": "2022-03-09T07:54:43Z",
- "kind": "event",
- "start": "2022-03-09T07:54:42.031Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "http": {
- "request": {
- "body": {
- "bytes": 55
- },
- "bytes": 211,
- "headers": {
- "content-length": 55,
- "content-type": "application/x-www-form-urlencoded"
- },
- "method": "POST"
- },
- "response": {
- "body": {
- "bytes": 8936
- },
- "bytes": 9108,
- "headers": {
- "content-length": 8936,
- "content-type": "text/html; charset=utf-8"
- },
- "status_code": 404,
- "status_phrase": "not found"
- },
- "version": "1.1"
- },
- "method": "POST",
- "network": {
- "bytes": 9319,
- "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=",
- "direction": "unknown",
-
"protocol": "http",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "POST /register",
- "related": {
- "hosts": [
- "packetbeat.com"
- ],
- "ip": [
- "192.168.238.50",
- "107.170.1.22"
- ]
- },
- "server": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "source": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "status": "Error",
- "type": "http",
- "url": {
- "domain": "packetbeat.com",
- "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica",
- "path": "/register",
- "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica",
- "scheme": "http"
- },
- "user_agent": {
- "original": "curl/7.37.1"
- }
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/agent/stream/icmp.yml.hbs b/packages/network_traffic/1.0.1/data_stream/icmp/agent/stream/icmp.yml.hbs
deleted file mode 100755
index f550ca79fa..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/icmp/agent/stream/icmp.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-type: icmp
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 1ae74a0692..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing icmp traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/icmp/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/icmp/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/icmp/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/icmp/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/icmp/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/icmp/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/icmp/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/icmp/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/icmp/fields/protocol.yml
deleted file mode 100755
index 5aef1deaf4..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/icmp/fields/protocol.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: icmp
- type: group
- fields:
- - name: version
- type: long
- description: The version of the ICMP protocol.
- possible_values:
- - 4
- - 6
- - name: request.message
- type: keyword
- description: A human readable form of the request.
- - name: request.type
- type: long
- description: The request type.
- - name: request.code
- type: long
- description: The request code.
- - name: response.message
- type: keyword
- description: A human readable form of the response.
- - name: response.type
- type: long
- description: The response type.
- - name: response.code
- type: long
- description: The response code.
diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/manifest.yml b/packages/network_traffic/1.0.1/data_stream/icmp/manifest.yml
deleted file mode 100755
index ca911dc8e0..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/icmp/manifest.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: ICMP
-release: beta
-type: logs
-streams:
- - input: packet
- title: ICMP
- description: Capture ICMP Traffic
- template_path: icmp.yml.hbs
- vars:
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
diff --git a/packages/network_traffic/1.0.1/data_stream/icmp/sample_event.json b/packages/network_traffic/1.0.1/data_stream/icmp/sample_event.json
deleted file mode 100755
index 6dfd5d97d4..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/icmp/sample_event.json
+++ /dev/null
@@ -1,104 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:57:32.766Z",
- "agent": {
- "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 4,
- "ip": "::1"
- },
- "data_stream": {
- "dataset": "network_traffic.icmp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 4,
- "ip": "::2"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.icmp",
- "duration": 13336600,
- "end": "2022-03-09T07:57:32.779Z",
- "ingested": "2022-03-09T07:57:36Z",
- "kind": "event",
- "start": "2022-03-09T07:57:32.766Z",
- "type": [
- "connection"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "icmp": {
- "request": {
- "code": 0,
- "message": "EchoRequest",
- "type": 128
- },
- "response": {
- "code": 0,
- "message": "EchoReply",
- "type": 129
- },
- "version": 6
- },
- "network": {
- "bytes": 8,
- "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=",
- "direction": "egress",
- "transport": "ipv6-icmp",
- "type": "ipv6"
- },
- "path": "::2",
- "related": {
- "ip": [
- "::1",
- "::2"
- ]
- },
- "server": {
- "bytes": 4,
- "ip": "::2"
- },
- "source": {
- "bytes": 4,
- "ip": "::1"
- },
- "status": "OK",
- "type": "icmp"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/agent/stream/memcached.yml.hbs b/packages/network_traffic/1.0.1/data_stream/memcached/agent/stream/memcached.yml.hbs
deleted file mode 100755
index 136c8ad877..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/memcached/agent/stream/memcached.yml.hbs
+++ /dev/null
@@ -1,49 +0,0 @@
-type: memcache
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if parseunknown}}
-parseunknown: {{parseunknown}}
-{{/if}}
-{{#if maxvalues}}
-maxvalues: {{maxvalues}}
-{{/if}}
-{{#if maxbytespervalue}}
-maxbytespervalue: {{maxbytespervalue}}
-{{/if}}
-{{#if udptransactiontimeout}}
-udptransactiontimeout: {{udptransactiontimeout}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 79d3c2cf54..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing memcached traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/memcached/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/memcached/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/memcached/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/memcached/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/memcached/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/memcached/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/memcached/fields/ecs.yml deleted file mode 100755 index 7638afce57..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/memcached/fields/ecs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/memcached/fields/protocol.yml deleted file mode 100755 index 4d1c281dde..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/memcached/fields/protocol.yml +++ /dev/null 
@@ -1,215 +0,0 @@ -- name: memcache - type: group - fields: - - name: protocol_type - type: keyword - description: > - The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. - - - name: request.line - type: keyword - description: > - The raw command line for unknown commands ONLY. - - - name: request.command - type: keyword - description: > - The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. - - - name: response.command - type: keyword - description: > - Either the text based protocol response message type or the name of the originating request if binary protocol is used. - - - name: request.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". - - - name: response.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). - - - name: response.error_msg - type: keyword - description: > - The optional error message in the memcache response (text based protocol only). - - - name: request.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: response.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: request.opcode_value - type: long - description: > - The binary protocol message opcode value. 
- - - name: response.opcode_value - type: long - description: > - The binary protocol message opcode value. - - - name: request.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: response.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: request.vbucket - type: long - description: > - The vbucket index sent in the binary message. - - - name: response.status - type: keyword - description: > - The textual representation of the response error code (binary protocol only). - - - name: response.status_code - type: long - description: > - The status code value returned in the response (binary protocol only). - - - name: request.keys - type: array - description: > - The list of keys sent in the store or load commands. - - - name: response.keys - type: array - description: > - The list of keys returned for the load command (if present). - - - name: request.count_values - type: long - description: > - The number of values found in the memcache request message. If the command does not send any data, this field is missing. - - - name: response.count_values - type: long - description: > - The number of values found in the memcache response message. If the command does not send any data, this field is missing. - - - name: request.values - type: array - description: > - The list of base64 encoded values sent with the request (if present). - - - name: response.values - type: array - description: > - The list of base64 encoded values sent with the response (if present). - - - name: request.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. - - - name: response.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. 
- - - name: request.delta - type: long - description: > - The counter increment/decrement delta value. - - - name: request.initial - type: long - description: > - The counter increment/decrement initial value parameter (binary protocol only). - - - name: request.verbosity - type: long - description: > - The value of the memcache "verbosity" command. - - - name: request.raw_args - type: keyword - description: > - The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. - - - name: request.source_class - type: long - description: > - The source class id in 'slab reassign' command. - - - name: request.dest_class - type: long - description: > - The destination class id in 'slab reassign' command. - - - name: request.automove - type: keyword - description: > - The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. - - - name: request.flags - type: long - description: > - The memcache command flags sent in the request (if present). - - - name: response.flags - type: long - description: > - The memcache message flags sent in the response (if present). - - - name: request.exptime - type: long - description: > - The data expiry time in seconds sent with the memcache command (if present). If the value is `< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). - - - name: request.sleep_us - type: long - description: > - The sleep setting in microseconds for the 'lru_crawler sleep' command. - - - name: response.value - type: long - description: > - The counter value returned by a counter operation. - - - name: request.noreply - type: boolean - description: > - Set to true if noreply was set in the request. The `memcache.response` field will be missing. 
- - - name: request.quiet - type: boolean - description: > - Set to true if the binary protocol message is to be treated as a quiet message. - - - name: request.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier if present. - - - name: response.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). - - - name: response.stats - type: array - description: > - The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". - - - name: response.version - type: keyword - description: > - The returned memcache version string. - diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/manifest.yml b/packages/network_traffic/1.0.1/data_stream/memcached/manifest.yml deleted file mode 100755 index 9120331b9d..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/memcached/manifest.yml +++ /dev/null 
@@ -1,116 +0,0 @@ -title: Memcached -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [11211] - - name: parseunknown - type: bool - title: Parseunknown - description: |- - Uncomment the parseunknown option to force the memcache text protocol parser - to accept unknown commands. - Note: All unknown commands MUST not contain any data parts! - Default: false - show_user: false - multi: false - required: false - - name: maxvalues - type: integer - title: Maxvalues - description: |- - Update the maxvalue option to store the values - base64 encoded - in the - json output. - possible values: - maxvalue: -1 store all values (text based protocol multi-get) - maxvalue: 0 store no values at all - maxvalue: N store up to N values - Default: 0 - show_user: false - multi: false - required: false - - name: maxbytespervalue - type: integer - title: Maxbytespervalue - description: |- - Use maxbytespervalue to limit the number of bytes to be copied per value element. - Note: Values will be base64 encoded, so actual size in json document - will be 4 times maxbytespervalue. - Default: unlimited - show_user: false - multi: false - required: false - - name: udptransactiontimeout - type: integer - title: Udptransactiontimeout - description: |- - UDP transaction timeout in milliseconds. - Note: Quiet messages in UDP binary protocol will get response only in error case. - The memcached analyzer will wait for udptransactiontimeout milliseconds - before publishing quiet messages. Non quiet messages or quiet requests with - error response will not have to wait for the timeout. 
- Default: 200 - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Memcached - description: Capture Memcached Traffic - template_path: memcached.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/memcached/sample_event.json b/packages/network_traffic/1.0.1/data_stream/memcached/sample_event.json deleted file mode 100755 index 4b4dc284f8..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/memcached/sample_event.json +++ /dev/null 
@@ -1,112 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:09:26.564Z", - "agent": { - "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "ip": "192.168.188.37", - "port": 65195 - }, - "data_stream": { - "dataset": "network_traffic.memcached", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.memcached", - "ingested": "2022-03-09T08:09:37Z", - "kind": "event", - "start": "2022-03-09T08:09:26.564Z", - "type": [ - "connection", - "protocol" - ] - }, - "event.action": "memcache.store", - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "memcache": { - "protocol_type": "binary", - "request": { - "bytes": 1024, - "command": "set", - "count_values": 1, - "exptime": 0, - "flags": 0, - "keys": [ - "test_key" - ], - "opaque": 65536, - "opcode": "SetQ", - "opcode_value": 17, - "quiet": true, - "type": "Store", - "vbucket": 0 - } - }, - "network": { - "bytes": 1064, - "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=", - "direction": "unknown", - "protocol": "memcache", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.188.37", - "192.168.188.38" - ] - }, - "server": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 
- },
- "source": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "status": "OK",
- "type": "memcache"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/agent/stream/mongodb.yml.hbs b/packages/network_traffic/1.0.1/data_stream/mongodb/agent/stream/mongodb.yml.hbs
deleted file mode 100755
index fe92042bcc..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/mongodb/agent/stream/mongodb.yml.hbs
+++ /dev/null
@@ -1,43 +0,0 @@
-type: mongodb
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if max_docs}}
-max_docs: {{max_docs}}
-{{/if}}
-{{#if max_doc_length}}
-max_doc_length: {{max_doc_length}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 53b9f4a0df..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing mongodb traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/mongodb/fields/protocol.yml deleted file mode 100755 index a84465c61e..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/mongodb/fields/protocol.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -- name: mongodb - type: group - fields: - - name: error - type: keyword - description: > - If the MongoDB request has resulted in an error, this field contains the error message returned by the server. - - - name: fullCollectionName - type: keyword - description: > - The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. - - - name: numberToSkip - type: long - description: > - Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. - - - name: numberToReturn - type: long - description: > - The requested maximum number of documents to be returned. - - - name: numberReturned - type: long - description: > - The number of documents in the reply. - - - name: startingFrom - type: keyword - description: > - Where in the cursor this reply is starting. - - - name: query - type: keyword - description: > - A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. - - - name: returnFieldsSelector - type: keyword - description: > - A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. - - - name: selector - type: keyword - description: > - A BSON document that specifies the query for selecting the document to update or delete. - - - name: update - type: keyword - description: > - A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. 
-
- - name: cursorId
- type: keyword
- description: >
- The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.
-
diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/manifest.yml b/packages/network_traffic/1.0.1/data_stream/mongodb/manifest.yml
deleted file mode 100755
index 0ff11578a2..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/mongodb/manifest.yml
+++ /dev/null
@@ -1,86 +0,0 @@ -title: MongoDB -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [27017] - - name: max_docs - type: integer - title: Max Docs - description: |- - The maximum number of documents from the response to index in the `response` - field. The default is 10. - show_user: false - multi: false - required: false - - name: max_doc_length - type: integer - title: Max Doc Length - description: |- - The maximum number of characters in a single document indexed in the - `response` field. The default is 5000. You can set this to 0 to index an - unlimited number of characters per document. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. 
- show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: MongoDB - description: Capture MongoDB Traffic - template_path: mongodb.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/mongodb/sample_event.json b/packages/network_traffic/1.0.1/data_stream/mongodb/sample_event.json deleted file mode 100755 index 4cfd576e4c..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/mongodb/sample_event.json +++ /dev/null 
@@ -1,106 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:15:48.570Z", - "agent": { - "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "data_stream": { - "dataset": "network_traffic.mongodb", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mongodb", - "duration": 1365900, - "end": "2022-03-09T08:15:48.571Z", - "ingested": "2022-03-09T08:15:49Z", - "kind": "event", - "start": "2022-03-09T08:15:48.570Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "find", - "mongodb": { - "cursorId": 0, - "fullCollectionName": "test.restaurants", - "numberReturned": 1, - "numberToReturn": 1, - "numberToSkip": 0, - "startingFrom": 0 - }, - "network": { - "bytes": 564, - "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=", - "direction": "ingress", - "protocol": "mongodb", - "transport": "tcp", - "type": "ipv4" - }, - "query": "test.restaurants.find().limit(1)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "test.restaurants", - "server": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "source": { - "bytes": 50, - 
"ip": "127.0.0.1",
- "port": 57203
- },
- "status": "OK",
- "type": "mongodb"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/agent/stream/mysql.yml.hbs b/packages/network_traffic/1.0.1/data_stream/mysql/agent/stream/mysql.yml.hbs
deleted file mode 100755
index 85b82a47b3..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/mysql/agent/stream/mysql.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-type: mysql
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 23ad4ad9d5..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing mysql traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/mysql/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/mysql/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/mysql/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/mysql/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/mysql/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/mysql/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/mysql/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/mysql/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/mysql/fields/protocol.yml deleted file mode 100755 index 64675f8d8e..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/mysql/fields/protocol.yml +++ /dev/null @@ -1,38 +0,0 @@ -- name: mysql - type: group - fields: - - name: affected_rows - type: long - description: > - If the MySQL command is successful, this field contains the affected number of rows of the last statement. - - - name: insert_id - type: keyword - description: > - If the INSERT query is successful, this field contains the id of the newly inserted row. - - - name: num_fields - type: long - description: > - If the SELECT query is successful, this field is set to the number of fields returned. - - - name: num_rows - type: long - description: > - If the SELECT query is successful, this field is set to the number of rows returned. - - - name: query - type: keyword - description: > - The row mysql query as read from the transaction's request. - - - name: error_code - type: long - description: > - The error code returned by MySQL. - - - name: error_message - type: keyword - description: > - The error info message returned by MySQL. - diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/manifest.yml b/packages/network_traffic/1.0.1/data_stream/mysql/manifest.yml deleted file mode 100755 index c4655854f0..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/mysql/manifest.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -title: MySQL -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [3306, 3307] - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: MySQL - description: Capture MySQL Traffic - template_path: mysql.yml.hbs 
diff --git a/packages/network_traffic/1.0.1/data_stream/mysql/sample_event.json b/packages/network_traffic/1.0.1/data_stream/mysql/sample_event.json deleted file mode 100755 index 2c33116053..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/mysql/sample_event.json +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:20:44.667Z", - "agent": { - "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "data_stream": { - "dataset": "network_traffic.mysql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mysql", - "duration": 5532500, - "end": "2022-03-09T08:20:44.673Z", - "ingested": "2022-03-09T08:20:45Z", - "kind": "event", - "start": "2022-03-09T08:20:44.667Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "mysql": { - "affected_rows": 0, - "insert_id": 0, - "num_fields": 3, - "num_rows": 15 - }, - "network": { - "bytes": 3652, - "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", - "direction": "ingress", - "protocol": "mysql", - "transport": "tcp", - "type": "ipv4" - }, - "path": "test.test", - "query": "select * from test", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "source": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "status": "OK", - "type": "mysql" -} \ No newline at end of 
file diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/agent/stream/nfs.yml.hbs b/packages/network_traffic/1.0.1/data_stream/nfs/agent/stream/nfs.yml.hbs deleted file mode 100755 index c8349a7bcb..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/nfs/agent/stream/nfs.yml.hbs +++ /dev/null @@ -1,37 +0,0 @@ -type: nfs -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index cd66758ed4..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing nfs traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/nfs/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/nfs/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/nfs/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/nfs/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/nfs/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/nfs/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/nfs/fields/ecs.yml
deleted file mode 100755
index 2b26a193f9..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/nfs/fields/ecs.yml
+++ /dev/null
@@ -1,144 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. 
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: group.id - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Unique identifier of the user. - name: user.id - type: keyword diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/nfs/fields/protocol.yml deleted file mode 100755 index 4bcf6fecec..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/nfs/fields/protocol.yml +++ /dev/null 
@@ -1,48 +0,0 @@
-- name: nfs
- type: group
- fields:
- - name: version
- type: long
- description: NFS protocol version number.
- - name: minor_version
- type: long
- description: NFS protocol minor version number.
- - name: tag
- type: keyword
- description: NFS v4 COMPOUND operation tag.
- - name: opcode
- type: keyword
- description: >
- NFS operation name, or main operation name, in case of COMPOUND calls.
-
- - name: status
- type: keyword
- description: NFS operation reply status.
-- name: rpc
- type: group
- description: ONC RPC specific event fields.
- fields:
- - name: xid
- type: keyword
- description: RPC message transaction identifier.
- - name: status
- type: keyword
- description: RPC message reply status.
- - name: auth_flavor
- type: keyword
- description: RPC authentication flavor.
- - name: cred.uid
- type: long
- description: RPC caller's user id, in case of auth-unix.
- - name: cred.gid
- type: long
- description: RPC caller's group id, in case of auth-unix.
- - name: cred.gids
- type: long
- description: RPC caller's secondary group ids, in case of auth-unix.
- - name: cred.stamp
- type: long
- description: Arbitrary ID which the caller machine may generate.
- - name: cred.machinename
- type: keyword
- description: The name of the caller's machine.
diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/manifest.yml b/packages/network_traffic/1.0.1/data_stream/nfs/manifest.yml
deleted file mode 100755
index 4e5323fa1e..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/nfs/manifest.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-title: NFS
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [2049]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: NFS
- description: Capture NFS Traffic
- template_path: nfs.yml.hbs
diff --git a/packages/network_traffic/1.0.1/data_stream/nfs/sample_event.json b/packages/network_traffic/1.0.1/data_stream/nfs/sample_event.json
deleted file mode 100755
index de4b4525e0..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/nfs/sample_event.json
+++ /dev/null
@@ -1,123 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:24:00.569Z",
- "agent": {
- "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 208,
- "domain": "desycloud03.desy.de",
- "ip": "131.169.5.156",
- "port": 907
- },
- "data_stream": {
- "dataset": "network_traffic.nfs",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 176,
- "ip": "131.169.192.35",
- "port": 2049
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "nfs.CLOSE",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.nfs",
- "duration": 6573500,
- "end": "2022-03-09T08:24:00.575Z",
- "ingested": "2022-03-09T08:24:01Z",
- "kind": "event",
- "start": "2022-03-09T08:24:00.569Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "group.id": 48,
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "host.hostname": "desycloud03.desy.de",
- "network": {
- "bytes": 384,
- "community_id": "1:cd5eLXemAsSPMdXwCbdDUWWud4M=",
- "direction": "unknown",
- "protocol": "nfsv4",
- "transport": "tcp",
- "type": "ipv4"
- },
- "nfs": {
- "minor_version": 1,
- "opcode": "CLOSE",
- "status": "NFS_OK",
- "tag": "",
- "version": 4
- },
- "related": {
- "ip": [
- "131.169.5.156",
- "131.169.192.35"
- ]
- },
- "rpc": {
- "auth_flavor": "unix",
- "cred": {
- "gid": 48,
- "gids": [
- 48
- ],
- "machinename": "desycloud03.desy.de",
-
"stamp": 4308441, - "uid": 48 - }, - "status": "success", - "xid": "c3103fc1" - }, - "server": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "source": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "status": "OK", - "type": "nfs", - "user.id": 48 -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/agent/stream/pgsql.yml.hbs b/packages/network_traffic/1.0.1/data_stream/pgsql/agent/stream/pgsql.yml.hbs deleted file mode 100755 index 8680c36b1a..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/pgsql/agent/stream/pgsql.yml.hbs +++ /dev/null @@ -1,37 +0,0 @@ -type: pgsql -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7bd75120a7..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing pgsql traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/pgsql/fields/protocol.yml deleted file mode 100755 index 4fd03e12cb..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/pgsql/fields/protocol.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: pgsql - type: group - fields: - - name: error_code - description: The PostgreSQL error code. - type: keyword - - name: error_message - type: keyword - description: The PostgreSQL error message. - - name: error_severity - type: keyword - description: The PostgreSQL error severity. - possible_values: - - ERROR - - FATAL - - PANIC - - name: num_fields - type: long - description: > - If the SELECT query if successful, this field is set to the number of fields returned. - - - name: num_rows - type: long - description: > - If the SELECT query if successful, this field is set to the number of rows returned. - diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/manifest.yml b/packages/network_traffic/1.0.1/data_stream/pgsql/manifest.yml deleted file mode 100755 index eb205cd837..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/pgsql/manifest.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -title: PostgreSQL -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5432] - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: PostgreSQL - description: Capture PostgreSQL Traffic - template_path: pgsql.yml.hbs 
diff --git a/packages/network_traffic/1.0.1/data_stream/pgsql/sample_event.json b/packages/network_traffic/1.0.1/data_stream/pgsql/sample_event.json deleted file mode 100755 index 462f734f42..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/pgsql/sample_event.json +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:29:39.675Z", - "agent": { - "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "data_stream": { - "dataset": "network_traffic.pgsql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.pgsql", - "duration": 2568100, - "end": "2022-03-09T08:29:39.678Z", - "ingested": "2022-03-09T08:29:40Z", - "kind": "event", - "start": "2022-03-09T08:29:39.675Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "network": { - "bytes": 3220, - "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=", - "direction": "ingress", - "protocol": "pgsql", - "transport": "tcp", - "type": "ipv4" - }, - "pgsql": { - "num_fields": 3, - "num_rows": 15 - }, - "query": "select * from long_response", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "source": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "status": "OK", - "type": "pgsql" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/data_stream/redis/agent/stream/redis.yml.hbs b/packages/network_traffic/1.0.1/data_stream/redis/agent/stream/redis.yml.hbs deleted file mode 100755 index f357ca3a6d..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/redis/agent/stream/redis.yml.hbs +++ /dev/null @@ -1,43 +0,0 @@ -type: redis -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if queue_max_bytes}} -queue_max_bytes: {{queue_max_bytes}} -{{/if}} -{{#if queue_max_messages}} -queue_max_messages: {{queue_max_messages}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/redis/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/redis/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a2af2349ac..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/redis/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing redis traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.1/data_stream/redis/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/redis/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/redis/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/redis/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/redis/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/redis/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.1/data_stream/redis/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/redis/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/redis/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.1/data_stream/redis/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/redis/fields/ecs.yml deleted file mode 100755 index 7638afce57..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/redis/fields/ecs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.1/data_stream/redis/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/redis/fields/protocol.yml deleted file mode 100755 index 4982b2c2d3..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/redis/fields/protocol.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -- name: redis - type: group - fields: - - name: return_value - type: keyword - description: > - The return value of the Redis command in a human readable format. - - - name: error - type: keyword - description: > - If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. - diff --git a/packages/network_traffic/1.0.1/data_stream/redis/manifest.yml b/packages/network_traffic/1.0.1/data_stream/redis/manifest.yml deleted file mode 100755 index 9fe0ce4e18..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/redis/manifest.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -title: Redis -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [6379] - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: queue_max_bytes - type: integer - title: Queue Max Bytes - description: |- - Max size for per-session message queue. This places a limit on the memory - that can be used to buffer requests and responses for correlation. - show_user: false - multi: false - required: false - - name: queue_max_messages - type: integer - title: Queue Max Messages - description: |- - Max number of messages for per-session message queue. This limits the number - of requests or responses that can be buffered for correlation. Set a value - large enough to allow for pipelining. 
- show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Redis - description: Capture Redis Traffic - template_path: redis.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/redis/sample_event.json b/packages/network_traffic/1.0.1/data_stream/redis/sample_event.json deleted file mode 100755 index 7ce644c935..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/redis/sample_event.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:30:57.254Z", - "agent": { - "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "data_stream": { - "dataset": "network_traffic.redis", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "redis.set", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.redis", - "duration": 1421600, - "end": "2022-03-09T08:30:57.256Z", - "ingested": "2022-03-09T08:30:58Z", - "kind": "event", - "start": "2022-03-09T08:30:57.254Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SET", - "network": { - "bytes": 36, - "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=", - "direction": "ingress", - "protocol": "redis", - "transport": "tcp", - "type": "ipv4" - }, - "query": "set key3 me", - "redis": { - "return_value": "OK" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "key3", - "server": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "source": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "status": "OK", - "type": "redis" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/data_stream/sip/agent/stream/sip.yml.hbs b/packages/network_traffic/1.0.1/data_stream/sip/agent/stream/sip.yml.hbs deleted file mode 100755 index 935ea011ee..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/sip/agent/stream/sip.yml.hbs +++ /dev/null @@ -1,34 +0,0 @@ -type: sip -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if parse_authorization}} -parse_authorization: {{parse_authorization}} -{{/if}} -{{#if parse_body}} -parse_body: {{parse_body}} -{{/if}} -{{#if keep_original}} -keep_original: {{keep_original}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/sip/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/sip/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index c20207afdd..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/sip/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -description: Pipeline for processing sip traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -# Remove invalid "protocol" term added by packetbeat prior to v7.17.4/8.2.1. -- script: - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "protocol") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.1/data_stream/sip/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/sip/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/sip/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/sip/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/sip/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/sip/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.1/data_stream/sip/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/sip/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/sip/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.1/data_stream/sip/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/sip/fields/ecs.yml deleted file mode 100755 index c2a147238b..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/sip/fields/ecs.yml +++ /dev/null 
@@ -1,174 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- name: event.type - type: keyword -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. 
- name: network.forwarded_ip - type: ip -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/network_traffic/1.0.1/data_stream/sip/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/sip/fields/protocol.yml deleted file mode 100755 index 5b25d9df6d..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/sip/fields/protocol.yml +++ /dev/null 
@@ -1,231 +0,0 @@ -- name: sip - type: group - description: Information about SIP traffic. - fields: - - name: code - type: long - description: Response status code. - - name: method - type: keyword - description: Request method. - - name: status - type: keyword - description: Response status phrase. - - name: type - type: keyword - description: Either request or response. - - name: version - type: keyword - description: SIP protocol version. - - name: uri.original - type: keyword - description: The original URI. - multi_fields: - - name: text - type: text - norms: false - - name: uri.scheme - type: keyword - description: The URI scheme. - - name: uri.username - type: keyword - description: The URI user name. - - name: uri.host - type: keyword - description: The URI host. - - name: uri.port - type: long - description: The URI port. - - name: accept - type: keyword - description: Accept header value. - - name: allow - type: keyword - description: Allowed methods. - - name: call_id - type: keyword - description: Call ID. - - name: content_length - type: long - - name: content_type - type: keyword - - name: max_forwards - type: long - - name: supported - type: keyword - description: Supported methods. - - name: user_agent.original - type: keyword - multi_fields: - - name: text - type: text - norms: false - - name: private.uri.original - type: keyword - description: Private original URI. - multi_fields: - - name: text - type: text - norms: false - - name: private.uri.scheme - type: keyword - description: Private URI scheme. - - name: private.uri.username - type: keyword - description: Private URI user name. - - name: private.uri.host - type: keyword - description: Private URI host. - - name: private.uri.port - type: long - description: Private URI port. - - name: cseq.code - type: long - description: Sequence code. - - name: cseq.method - type: keyword - description: Sequence method. - - name: via.original - type: keyword - description: The original Via value. 
- multi_fields: - - name: text - type: text - norms: false - - name: to.display_info - type: keyword - description: "To display info" - - name: to.uri.original - type: keyword - description: "To original URI" - multi_fields: - - name: text - type: text - norms: false - - name: to.uri.scheme - type: keyword - description: "To URI scheme" - - name: to.uri.username - type: keyword - description: "To URI user name" - - name: to.uri.host - type: keyword - description: "To URI host" - - name: to.uri.port - type: long - description: "To URI port" - - name: to.tag - type: keyword - description: "To tag" - - name: from.display_info - type: keyword - description: "From display info" - - name: from.uri.original - type: keyword - description: "From original URI" - multi_fields: - - name: text - type: text - norms: false - - name: from.uri.scheme - type: keyword - description: "From URI scheme" - - name: from.uri.username - type: keyword - description: "From URI user name" - - name: from.uri.host - type: keyword - description: "From URI host" - - name: from.uri.port - type: long - description: "From URI port" - - name: from.tag - type: keyword - description: "From tag" - - name: contact.display_info - type: keyword - description: "Contact display info" - - name: contact.uri.original - type: keyword - description: "Contact original URI" - multi_fields: - - name: text - type: text - norms: false - - name: contact.uri.scheme - type: keyword - description: "Contat URI scheme" - - name: contact.uri.username - type: keyword - description: "Contact URI user name" - - name: contact.uri.host - type: keyword - description: "Contact URI host" - - name: contact.uri.port - type: long - description: "Contact URI port" - - name: contact.transport - type: keyword - description: "Contact transport" - - name: contact.line - type: keyword - description: "Contact line" - - name: contact.expires - type: keyword - description: "Contact expires" - - name: contact.q - type: keyword - description: 
"Contact Q" - - name: auth.scheme - type: keyword - description: "Auth scheme" - - name: auth.realm - type: keyword - description: "Auth realm" - - name: auth.uri.original - type: keyword - description: "Auth original URI" - multi_fields: - - name: text - type: text - norms: false - - name: auth.uri.scheme - type: keyword - description: "Auth URI scheme" - - name: auth.uri.host - type: keyword - description: "Auth URI host" - - name: auth.uri.port - type: long - description: "Auth URI port" - - name: sdp.version - type: keyword - description: "SDP version" - - name: sdp.owner.username - type: keyword - description: "SDP owner user name" - - name: sdp.owner.session_id - type: keyword - description: "SDP owner session ID" - - name: sdp.owner.version - type: keyword - description: "SDP owner version" - - name: sdp.owner.ip - type: ip - description: "SDP owner IP" - - name: sdp.session.name - type: keyword - description: "SDP session name" - - name: sdp.connection.info - type: keyword - description: "SDP connection info" - - name: sdp.connection.address - type: keyword - description: "SDP connection address" - - name: sdp.body.original - type: keyword - description: "SDP original body" - multi_fields: - - name: text - type: text - norms: false diff --git a/packages/network_traffic/1.0.1/data_stream/sip/manifest.yml b/packages/network_traffic/1.0.1/data_stream/sip/manifest.yml deleted file mode 100755 index 79dd27ea52..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/sip/manifest.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -title: SIP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5060] - - name: parse_authorization - type: bool - title: Parse Authorization - description: Parse the authorization headers - show_user: false - multi: false - required: false - - name: parse_body - type: bool - title: Parse Body - description: Parse body contents (only when body is SDP) - show_user: false - multi: false - required: false - - name: keep_original - type: bool - title: Keep Original - description: Preserve original contents in event.original - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: SIP - description: Capture SIP Traffic - template_path: sip.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/sip/sample_event.json b/packages/network_traffic/1.0.1/data_stream/sip/sample_event.json deleted file mode 100755 index 5a36041d5a..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/sip/sample_event.json +++ /dev/null 
@@ -1,174 +0,0 @@ -{ - "@timestamp": "2022-05-13T07:10:35.715Z", - "agent": { - "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013", - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "10.0.2.20", - "port": 5060 - }, - "data_stream": { - "dataset": "network_traffic.sip", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.2.15", - "port": 5060 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "sip-invite", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.sip", - "duration": 0, - "end": "2022-05-13T07:10:35.715Z", - "ingested": "2022-05-13T07:10:39Z", - "kind": "event", - "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", - "sequence": 1, - "start": "2022-05-13T07:10:35.715Z", - "type": [ - "info" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "172.31.0.7" - ], - "mac": [ - "02-42-AC-1F-00-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "application": "sip", - "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", - 
"direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - }, - "version": "2.0", - "via": { - "original": [ - "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" - ] - } - }, - "source": { - "ip": "10.0.2.20", - "port": 5060 - }, - "status": "OK", - "type": "sip" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/agent/stream/thrift.yml.hbs b/packages/network_traffic/1.0.1/data_stream/thrift/agent/stream/thrift.yml.hbs deleted file mode 100755 index d6d9604253..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/thrift/agent/stream/thrift.yml.hbs +++ /dev/null @@ -1,64 +0,0 @@ -type: thrift -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if transport_type}} -transport_type: {{transport_type}} -{{/if}} -{{#if protocol_type}} -protocol_type: {{protocol_type}} -{{/if}} -{{#if idl_files}} -idl_files: -{{#each idl_files as |idl_file|}} - - {{idl_file}} -{{/each}} -{{/if}} -{{#if string_max_size}} -string_max_size: {{string_max_size}} -{{/if}} -{{#if collection_max_size}} -collection_max_size: {{collection_max_size}} -{{/if}} -{{#if capture_reply}} -capture_reply: {{capture_reply}} -{{/if}} -{{#if obfuscate_strings}} -obfuscate_strings: {{obfuscate_strings}} -{{/if}} -{{#if drop_after_n_struct_fields}} -drop_after_n_struct_fields: {{drop_after_n_struct_fields}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 608bb7e6a5..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -description: Pipeline for processing thrift traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/thrift/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/thrift/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/thrift/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/thrift/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/thrift/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/thrift/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/thrift/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/thrift/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/thrift/fields/protocol.yml deleted file mode 100755 index dd097f61ee..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/thrift/fields/protocol.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: thrift - type: group - fields: - - name: params - type: keyword - description: > - The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. - - - name: service - type: keyword - description: > - The name of the Thrift-RPC service as defined in the IDL files. - - - name: return_value - type: keyword - description: > - The value returned by the Thrift-RPC call. This is encoded in a human readable format. - - - name: exceptions - type: keyword - description: > - If the call resulted in exceptions, this field contains the exceptions in a human readable format. - diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/manifest.yml b/packages/network_traffic/1.0.1/data_stream/thrift/manifest.yml deleted file mode 100755 index 29eabbeb19..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/thrift/manifest.yml +++ /dev/null 
@@ -1,141 +0,0 @@ -title: Thrift -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [9090] - - name: transport_type - type: text - title: Transport Type - description: |- - The Thrift transport type. Currently this option accepts the values socket - for TSocket, which is the default Thrift transport, and framed for the - TFramed Thrift transport. The default is socket. - show_user: false - multi: false - required: false - - name: protocol_type - type: text - title: Protocol Type - description: |- - The Thrift protocol type. Currently the only accepted value is binary for - the TBinary protocol, which is the default Thrift protocol. - show_user: false - multi: false - required: false - - name: idl_files - type: text - title: Idl Files - description: |- - The Thrift interface description language (IDL) files for the service that - Packetbeat is monitoring. Providing the IDL enables Packetbeat to include - parameter and exception names. - show_user: false - multi: true - required: false - - name: string_max_size - type: integer - title: String Max Size - description: |- - The maximum length for strings in parameters or return values. If a string - is longer than this value, the string is automatically truncated to this - length. - show_user: false - multi: false - required: false - - name: collection_max_size - type: integer - title: Collection Max Size - description: The maximum number of elements in a Thrift list, set, map, or structure. - show_user: false - multi: false - required: false - - name: capture_reply - type: bool - title: Capture Reply - description: |- - If this option is set to false, Packetbeat decodes the method name from the - reply and simply skips the rest of the response message. 
- show_user: false - multi: false - required: false - - name: obfuscate_strings - type: bool - title: Obfuscate Strings - description: |- - If this option is set to true, Packetbeat replaces all strings found in - method parameters, return codes, or exception structures with the "*" - string. - show_user: false - multi: false - required: false - - name: drop_after_n_struct_fields - type: integer - title: Drop After N Struct Fields - description: |- - The maximum number of fields that a structure can have before Packetbeat - ignores the whole transaction. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Thrift - description: Capture Thrift Traffic - template_path: thrift.yml.hbs diff --git a/packages/network_traffic/1.0.1/data_stream/thrift/sample_event.json b/packages/network_traffic/1.0.1/data_stream/thrift/sample_event.json deleted file mode 100755 index 4c1640a50d..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/thrift/sample_event.json +++ /dev/null 
@@ -1,102 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:33:31.022Z",
- "agent": {
- "ephemeral_id": "de52c04f-60dd-4ed1-a501-b297caa5c67c",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "data_stream": {
- "dataset": "network_traffic.thrift",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 9090
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.thrift",
- "duration": 1394000,
- "end": "2022-03-09T08:33:31.023Z",
- "ingested": "2022-03-09T08:33:32Z",
- "kind": "event",
- "start": "2022-03-09T08:33:31.022Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "testByte",
- "network": {
- "bytes": 50,
- "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=",
- "direction": "ingress",
- "protocol": "thrift",
- "transport": "tcp",
- "type": "ipv4"
- },
- "path": "",
- "query": "testByte(1: 63)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 9090
- },
- "source": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "status": "OK",
- "thrift": {
- "params": "(1: 63)",
- "return_value": "63"
- },
- "type": "thrift"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/data_stream/tls/agent/stream/tls.yml.hbs b/packages/network_traffic/1.0.1/data_stream/tls/agent/stream/tls.yml.hbs deleted file mode 100755 index 877a553bfd..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/tls/agent/stream/tls.yml.hbs +++ /dev/null @@ -1,40 +0,0 @@ -type: tls -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if fingerprints}} -fingerprints: -{{#each fingerprints as |fingerprint|}} - - {{fingerprint}} -{{/each}} -{{/if}} -{{#if send_certificates}} -send_certificates: {{send_certificates}} -{{/if}} -{{#if include_raw_certificates}} -include_raw_certificates: {{include_raw_certificates}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.1/data_stream/tls/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.1/data_stream/tls/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 788c1210ef..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/tls/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -description: Pipeline for processing tls traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true - -## -# Make tls.{client,server}.x509.version_number a string as per ECS. -## -- convert: - field: tls.client.x509.version_number - type: string - ignore_missing: true -- convert: - field: tls.server.x509.version_number - type: string - ignore_missing: true - -## -# This handles legacy TLS fields from Packetbeat 7.17. -## -- remove: - description: Remove legacy fields from Packetbeat 7.17 that are duplicated. - field: - - tls.client.x509.issuer.province # Duplicated as tls.client.x509.issuer.state_or_province. - - tls.client.x509.subject.province # Duplicated as tls.client.x509.subject.state_or_province. - - tls.client.x509.version # Duplicated as tls.client.x509.version_number. - - tls.detailed.client_certificate # Duplicated as tls.client.x509. - - tls.detailed.server_certificate # Duplicated as tls.server.x509. - - tls.server.x509.issuer.province # Duplicated as tls.server.x509.issuer.state_or_province. - - tls.server.x509.subject.province # Duplicated as tls.server.x509.subject.state_or_province. - - tls.server.x509.version # Duplicated as tls.server.x509.version_number. - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.1/data_stream/tls/fields/agent.yml b/packages/network_traffic/1.0.1/data_stream/tls/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/tls/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.1/data_stream/tls/fields/base.yml b/packages/network_traffic/1.0.1/data_stream/tls/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/tls/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.1/data_stream/tls/fields/beats.yml b/packages/network_traffic/1.0.1/data_stream/tls/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/tls/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.1/data_stream/tls/fields/ecs.yml b/packages/network_traffic/1.0.1/data_stream/tls/fields/ecs.yml deleted file mode 100755 index 49c713858d..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/tls/fields/ecs.yml +++ /dev/null 
@@ -1,368 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. - name: tls.client.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - name: tls.client.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. 
- name: tls.client.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.sha256 - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: Date/Time indicating when client certificate is no longer considered valid. - name: tls.client.not_after - type: date -- description: Date/Time indicating when client certificate is first considered valid. - name: tls.client.not_before - type: date -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: Distinguished name of subject of the x.509 certificate presented by the client. - name: tls.client.subject - type: keyword -- description: Array of ciphers offered by the client during the client hello. - name: tls.client.supported_ciphers - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.client.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.client.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.client.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. 
- name: tls.client.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.client.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.client.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.client.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.client.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.client.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.client.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.client.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.client.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.client.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.client.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. 
- name: tls.client.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.client.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.client.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.client.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.client.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.client.x509.version_number - type: keyword -- description: String indicating the curve used for the given cipher, when applicable. - name: tls.curve - type: keyword -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean -- description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. - name: tls.next_protocol - type: keyword -- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - name: tls.resumed - type: boolean -- description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. - name: tls.server.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - name: tls.server.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha256 - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword -- description: Timestamp indicating when server certificate is no longer considered valid. - name: tls.server.not_after - type: date -- description: Timestamp indicating when server certificate is first considered valid. - name: tls.server.not_before - type: date -- description: Subject of the x.509 certificate presented by the server. - name: tls.server.subject - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.server.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. 
- name: tls.server.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.server.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.server.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.server.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.server.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.server.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.server.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.server.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.server.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.server.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.server.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.server.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.server.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.server.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.server.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.server.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.server.x509.version_number - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword diff --git a/packages/network_traffic/1.0.1/data_stream/tls/fields/protocol.yml b/packages/network_traffic/1.0.1/data_stream/tls/fields/protocol.yml deleted file mode 100755 index d8264468d4..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/tls/fields/protocol.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -- name: tls - type: group - fields: - - name: detailed - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol used. - - example: "TLS 1.3" - - name: resumption_method - type: keyword - description: > - If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. - - - name: client_certificate_requested - type: boolean - description: > - Whether the server has requested the client to authenticate itself using a client certificate. - - - name: ocsp_response - type: keyword - description: > - The result of an OCSP request. - - - name: client_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol by which the client wishes to communicate during this session. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: supported_compression_methods - type: keyword - description: > - The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml - - - name: extensions - type: group - description: The hello extensions provided by the client. - fields: - - name: server_name_indication - type: keyword - description: List of hostnames - - name: application_layer_protocol_negotiation - type: keyword - description: > - List of application-layer protocols the client is willing to use. - - - name: session_ticket - type: keyword - description: > - Length of the session ticket, if provided, or an empty string to advertise support for tickets. - - - name: supported_versions - type: keyword - description: > - List of TLS versions that the client is willing to use. 
- - - name: supported_groups - type: keyword - description: > - List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. - - - name: signature_algorithms - type: keyword - description: > - List of signature algorithms that may be use in digital signatures. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: type - type: keyword - description: The type of the status request. Always "ocsp" if present. - - name: responder_id_list_length - type: short - description: The length of the list of trusted responders. - - name: request_extensions - type: short - description: The number of certificate extensions for the request. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: selected_compression_method - type: keyword - description: > - The compression method selected by the server from the list provided in the client hello. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: extensions - type: group - description: The hello extensions provided by the server. 
- fields: - - name: application_layer_protocol_negotiation - type: keyword - description: Negotiated application layer protocol - - name: session_ticket - type: keyword - description: > - Used to announce that a session ticket will be provided by the server. Always an empty string. - - - name: supported_versions - type: keyword - description: > - Negotiated TLS version to be used. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: response - type: boolean - description: Whether a certificate status request response was made. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_certificate_chain - type: array - description: Chain of trust for the server certificate. - - name: client_certificate_chain - type: array - description: Chain of trust for the client certificate. - - name: alert_types - type: keyword - description: > - An array containing the TLS alert type for every alert received. - diff --git a/packages/network_traffic/1.0.1/data_stream/tls/manifest.yml b/packages/network_traffic/1.0.1/data_stream/tls/manifest.yml deleted file mode 100755 index d2b8f403da..0000000000 --- a/packages/network_traffic/1.0.1/data_stream/tls/manifest.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -title: TLS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [443, 993, 995, 5223, 8443, 8883, 9243] - - name: fingerprints - type: text - title: Fingerprints - description: |- - List of hash algorithms to use to calculate certificates' fingerprints. - Valid values are `sha1`, `sha256` and `md5`. - show_user: false - multi: true - required: false - - name: send_certificates - type: bool - title: Send Certificates - description: |- - If this option is enabled, the client and server certificates and - certificate chains are sent to Elasticsearch. The default is true. - show_user: false - multi: false - required: false - - name: include_raw_certificates - type: bool - title: Include Raw Certificates - description: |- - If this option is enabled, the raw certificates will be stored - in PEM format under the `raw` key. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: TLS - description: Capture TLS Traffic - template_path: tls.yml.hbs 
diff --git a/packages/network_traffic/1.0.1/data_stream/tls/sample_event.json b/packages/network_traffic/1.0.1/data_stream/tls/sample_event.json
deleted file mode 100755
index f325b87dbb..0000000000
--- a/packages/network_traffic/1.0.1/data_stream/tls/sample_event.json
+++ /dev/null
@@ -1,196 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:34:08.391Z",
- "agent": {
- "ephemeral_id": "5f0bae3e-11e9-4578-9a69-fa5e61bd6b09",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "ip": "192.168.1.36",
- "port": 60946
- },
- "data_stream": {
- "dataset": "network_traffic.tls",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "domain": "play.google.com",
- "ip": "216.58.201.174",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.tls",
- "duration": 14861200,
- "end": "2022-03-09T08:34:08.406Z",
- "ingested": "2022-03-09T08:34:09Z",
- "kind": "event",
- "start": "2022-03-09T08:34:08.391Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "network": {
- "community_id": "1:hfsK5r0tJm7av4j7BtSxA6oH9xA=",
- "direction": "unknown",
- "protocol": "tls",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.1.36",
- "216.58.201.174"
- ]
- },
- "server": {
- "domain": "play.google.com",
- "ip": "216.58.201.174",
- "port": 443
- },
- "source": {
- "ip": "192.168.1.36",
- "port": 60946
- },
- "status": "OK",
- "tls": {
- "cipher": "TLS_AES_128_GCM_SHA256",
- "client": {
- "ja3": "d470a3fa301d80227bc5650c75567d25",
- "server_name": "play.google.com",
- "supported_ciphers": [
- "TLS_AES_128_GCM_SHA256",
- 
"TLS_CHACHA20_POLY1305_SHA256", - "TLS_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA" - ] - }, - "detailed": { - "client_certificate_requested": false, - "client_hello": { - "extensions": { - "_unparsed_": [ - "23", - "renegotiation_info", - "status_request", - "51", - "45", - "28", - "41" - ], - "application_layer_protocol_negotiation": [ - "h2", - "http/1.1" - ], - "ec_points_formats": [ - "uncompressed" - ], - "server_name_indication": [ - "play.google.com" - ], - "signature_algorithms": [ - "ecdsa_secp256r1_sha256", - "ecdsa_secp384r1_sha384", - "ecdsa_secp521r1_sha512", - "rsa_pss_sha256", - "rsa_pss_sha384", - "rsa_pss_sha512", - "rsa_pkcs1_sha256", - "rsa_pkcs1_sha384", - "rsa_pkcs1_sha512", - "ecdsa_sha1", - "rsa_pkcs1_sha1" - ], - "supported_groups": [ - "x25519", - "secp256r1", - "secp384r1", - "secp521r1", - "ffdhe2048", - "ffdhe3072" - ], - "supported_versions": [ - "TLS 1.3", - "TLS 1.2", - "TLS 1.1", - "TLS 1.0" - ] - }, - "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", - "supported_compression_methods": [ - "NULL" - ], - "version": "3.3" - }, - "resumption_method": "id", - "server_hello": { - "extensions": { - "_unparsed_": [ - "41", - "51" - ], - "supported_versions": "TLS 1.3" - }, - "selected_compression_method": "NULL", - "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", - "version": "3.3" - }, - 
"version": "TLS 1.3" - }, - "established": true, - "resumed": true, - "version": "1.3", - "version_protocol": "tls" - }, - "type": "tls" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/docs/README.md b/packages/network_traffic/1.0.1/docs/README.md deleted file mode 100755 index adadb4cf1d..0000000000 --- a/packages/network_traffic/1.0.1/docs/README.md +++ /dev/null 
@@ -1,3960 +0,0 @@
-# Network Packet Capture Integration
-
-This integration sniffs network packets on a host and dissects
-known protocols.
-
-## Network Flows
-
-Overall flow information about the network connections on a
-host.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -## Protocols - -### AMQP - -Fields published for AMQP packets. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| amqp.app-id | Creating application id. | keyword | -| amqp.arguments | Optional additional arguments passed to some methods. Can be of various types. | object | -| amqp.auto-delete | If set, auto-delete queue when unused. | boolean | -| amqp.class-id | Failing method class. | long | -| amqp.consumer-count | The number of consumers of a queue. | long | -| amqp.consumer-tag | Identifier for the consumer, valid within the current channel. | keyword | -| amqp.content-encoding | MIME content encoding. | keyword | -| amqp.content-type | MIME content type. | keyword | -| amqp.correlation-id | Application correlation identifier. | keyword | -| amqp.delivery-mode | Non-persistent (1) or persistent (2). | keyword | -| amqp.delivery-tag | The server-assigned and channel-specific delivery tag. | long | -| amqp.durable | If set, request a durable exchange/queue. | boolean | -| amqp.exchange | Name of the exchange. | keyword | -| amqp.exchange-type | Exchange type. | keyword | -| amqp.exclusive | If set, request an exclusive queue. | boolean | -| amqp.expiration | Message expiration specification. | keyword | -| amqp.headers | Message header field table. | object | -| amqp.if-empty | Delete only if empty. | boolean | -| amqp.if-unused | Delete only if unused. | boolean | -| amqp.immediate | Request immediate delivery. | boolean | -| amqp.mandatory | Indicates mandatory routing. | boolean | -| amqp.message-count | The number of messages in the queue, which will be zero for newly-declared queues. | long | -| amqp.message-id | Application message identifier. | keyword | -| amqp.method-id | Failing method ID. | long | -| amqp.multiple | Acknowledge multiple messages. | boolean | -| amqp.no-ack | If set, the server does not expect acknowledgements for messages. 
| boolean | -| amqp.no-local | If set, the server will not send messages to the connection that published them. | boolean | -| amqp.no-wait | If set, the server will not respond to the method. | boolean | -| amqp.passive | If set, do not create exchange/queue. | boolean | -| amqp.priority | Message priority, 0 to 9. | long | -| amqp.queue | The queue name identifies the queue within the vhost. | keyword | -| amqp.redelivered | Indicates that the message has been previously delivered to this or another client. | boolean | -| amqp.reply-code | AMQP reply code to an error, similar to http reply-code | long | -| amqp.reply-text | Text explaining the error. | keyword | -| amqp.reply-to | Address to reply to. | keyword | -| amqp.routing-key | Message routing key. | keyword | -| amqp.timestamp | Message timestamp. | keyword | -| amqp.type | Message type name. | keyword | -| amqp.user-id | Creating user id. | keyword | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. 
This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. 
If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. 
| keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `amqp` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:37:02.033Z", - "agent": { - "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "amqp": { - "auto-delete": false, - "consumer-count": 0, - "durable": false, - "exclusive": false, - "message-count": 0, - "no-wait": false, - "passive": false, - "queue": "hello" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "data_stream": { - "dataset": "network_traffic.amqp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "amqp.queue.declare", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.amqp", - "duration": 1325900, - "end": "2022-03-09T07:37:02.035Z", - "ingested": "2022-03-09T07:37:03Z", - "kind": "event", - "start": "2022-03-09T07:37:02.033Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": 
"docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "status": "OK", - "type": "amqp" -} -``` - -### Cassandra - -Fields published for Apache Cassandra packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cassandra.no_request | Indicates that there is no request because this is a PUSH message. | boolean | -| cassandra.request.headers.flags | Flags applying to this frame. | keyword | -| cassandra.request.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long | -| cassandra.request.headers.op | An operation type that distinguishes the actual message. | keyword | -| cassandra.request.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword | -| cassandra.request.headers.version | The version of the protocol. | keyword | -| cassandra.request.query | The CQL query which client send to cassandra. | keyword | -| cassandra.response.authentication.class | Indicates the full class name of the IAuthenticator in use | keyword | -| cassandra.response.error.code | The error code of the Cassandra response. 
| long | -| cassandra.response.error.details.alive | Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). | long | -| cassandra.response.error.details.arg_types | One string for each argument type (as CQL type) of the failed function. | keyword | -| cassandra.response.error.details.blockfor | Representing the number of replicas whose acknowledgement is required to achieve consistency level. | long | -| cassandra.response.error.details.data_present | It means the replica that was asked for data had responded. | boolean | -| cassandra.response.error.details.function | The name of the failed function. | keyword | -| cassandra.response.error.details.keyspace | The keyspace of the failed function. | keyword | -| cassandra.response.error.details.num_failures | Representing the number of nodes that experience a failure while executing the request. | keyword | -| cassandra.response.error.details.read_consistency | Representing the consistency level of the query that triggered the exception. | keyword | -| cassandra.response.error.details.received | Representing the number of nodes having acknowledged the request. | long | -| cassandra.response.error.details.required | Representing the number of nodes that should be alive to respect consistency level. | long | -| cassandra.response.error.details.stmt_id | Representing the unknown ID. | keyword | -| cassandra.response.error.details.table | The keyspace of the failed function. | keyword | -| cassandra.response.error.details.write_type | Describe the type of the write that timed out. | keyword | -| cassandra.response.error.msg | The error message of the Cassandra response. | keyword | -| cassandra.response.error.type | The error type of the Cassandra response. | keyword | -| cassandra.response.event.change | The message corresponding respectively to the type of change followed by the address of the new/removed node. 
| keyword | -| cassandra.response.event.host | Representing the node ip. | keyword | -| cassandra.response.event.port | Representing the node port. | long | -| cassandra.response.event.schema_change.args | One string for each argument type (as CQL type). | keyword | -| cassandra.response.event.schema_change.change | Representing the type of changed involved. | keyword | -| cassandra.response.event.schema_change.keyspace | This describes which keyspace has changed. | keyword | -| cassandra.response.event.schema_change.name | The function/aggregate name. | keyword | -| cassandra.response.event.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword | -| cassandra.response.event.schema_change.table | This describes which table has changed. | keyword | -| cassandra.response.event.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword | -| cassandra.response.event.type | Representing the event type. | keyword | -| cassandra.response.headers.flags | Flags applying to this frame. | keyword | -| cassandra.response.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long | -| cassandra.response.headers.op | An operation type that distinguishes the actual message. | keyword | -| cassandra.response.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword | -| cassandra.response.headers.version | The version of the protocol. | keyword | -| cassandra.response.result.keyspace | Indicating the name of the keyspace that has been set. | keyword | -| cassandra.response.result.prepared.prepared_id | Representing the prepared query ID. 
| keyword | -| cassandra.response.result.prepared.req_meta.col_count | Representing the number of columns selected by the query that produced this result. | long | -| cassandra.response.result.prepared.req_meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.prepared.req_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.prepared.req_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.prepared.req_meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.prepared.req_meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.prepared.resp_meta.col_count | Representing the number of columns selected by the query that produced this result. | long | -| cassandra.response.result.prepared.resp_meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.prepared.resp_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.prepared.resp_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.prepared.resp_meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.prepared.resp_meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.rows.meta.col_count | Representing the number of columns selected by the query that produced this result. 
| long | -| cassandra.response.result.rows.meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.rows.meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.rows.meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.rows.meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.rows.meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.rows.num_rows | Representing the number of rows present in this result. | long | -| cassandra.response.result.schema_change.args | One string for each argument type (as CQL type). | keyword | -| cassandra.response.result.schema_change.change | Representing the type of changed involved. | keyword | -| cassandra.response.result.schema_change.keyspace | This describes which keyspace has changed. | keyword | -| cassandra.response.result.schema_change.name | The function/aggregate name. | keyword | -| cassandra.response.result.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword | -| cassandra.response.result.schema_change.table | This describes which table has changed. | keyword | -| cassandra.response.result.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword | -| cassandra.response.result.type | Cassandra result type. | keyword | -| cassandra.response.supported | Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. | flattened | -| cassandra.response.warnings | The text of the warnings, only occur when Warning flag was set. 
| keyword | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. 
| long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `cassandra` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:43:05.888Z", - "agent": { - "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "cassandra": { - "request": { - "headers": { - "flags": "Default", - "length": 98, - "op": "QUERY", - "stream": 49, - "version": "4" - }, - "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);" - }, - "response": { - "headers": { - "flags": "Default", - "length": 39, - "op": "RESULT", - "stream": 49, - "version": "4" - }, - "result": { - "schema_change": { - "change": "CREATED", - "keyspace": "mykeyspace", - "object": "users", - "target": "TABLE" - }, - "type": "schemaChanged" - } - } - }, - "client": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "data_stream": { - "dataset": "network_traffic.cassandra", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.cassandra", - "duration": 131589500, - "end": "2022-03-09T07:43:06.019Z", - "ingested": "2022-03-09T07:43:09Z", - "kind": "event", - "start": "2022-03-09T07:43:05.888Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, 
- "network": { - "bytes": 155, - "community_id": "1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=", - "direction": "ingress", - "protocol": "cassandra", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "source": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "status": "OK", - "type": "cassandra" -} -``` - -### DHCP - -Fields published for DHCPv4 packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dhcpv4.assigned_ip | The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address. | ip | -| dhcpv4.client_ip | The current IP address of the client. | ip | -| dhcpv4.client_mac | The client's MAC address (layer two). | keyword | -| dhcpv4.flags | Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast. | keyword | -| dhcpv4.hardware_type | The type of hardware used for the local network (Ethernet, LocalTalk, etc). | keyword | -| dhcpv4.hops | The number of hops the DHCP message went through. | long | -| dhcpv4.op_code | The message op code (bootrequest or bootreply). | keyword | -| dhcpv4.option.boot_file_name | This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. | keyword | -| dhcpv4.option.broadcast_address | This option specifies the broadcast address in use on the client's subnet. | ip | -| dhcpv4.option.class_identifier | This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. 
For example, the identifier may encode the client's hardware configuration. | keyword |
-| dhcpv4.option.dns_servers | The domain name server option specifies a list of Domain Name System servers available to the client. | ip |
-| dhcpv4.option.domain_name | This option specifies the domain name that client should use when resolving hostnames via the Domain Name System. | keyword |
-| dhcpv4.option.hostname | This option specifies the name of the client. | keyword |
-| dhcpv4.option.ip_address_lease_time_sec | This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. | long |
-| dhcpv4.option.max_dhcp_message_size | This option specifies the maximum length DHCP message that the client is willing to accept. | long |
-| dhcpv4.option.message | This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters. | text |
-| dhcpv4.option.message_type | The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform). | keyword |
-| dhcpv4.option.ntp_servers | This option specifies a list of IP addresses indicating NTP servers available to the client. | ip |
-| dhcpv4.option.parameter_request_list | This option is used by a DHCP client to request values for specified configuration parameters. | keyword |
-| dhcpv4.option.rebinding_time_sec | This option specifies the time interval from address assignment until the client transitions to the REBINDING state. | long |
-| dhcpv4.option.renewal_time_sec | This option specifies the time interval from address assignment until the client transitions to the RENEWING state.
| long |
-| dhcpv4.option.requested_ip_address | This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned. | ip |
-| dhcpv4.option.router | The router option specifies a list of IP addresses for routers on the client's subnet. | ip |
-| dhcpv4.option.server_identifier | IP address of the individual DHCP server which handled this message. | ip |
-| dhcpv4.option.subnet_mask | The subnet mask that the client should use on the currnet network. | ip |
-| dhcpv4.option.time_servers | The time server option specifies a list of RFC 868 time servers available to the client. | ip |
-| dhcpv4.option.utc_time_offset_sec | The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). | long |
-| dhcpv4.option.vendor_identifying_options | A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925. | object |
-| dhcpv4.relay_ip | The relay IP address used by the client to contact the server (i.e. a DHCP relay server). | ip |
-| dhcpv4.seconds | Number of seconds elapsed since client began address acquisition or renewal process. | long |
-| dhcpv4.server_ip | The IP address of the DHCP server that the client should use for the next step in the bootstrap process. | ip |
-| dhcpv4.server_name | The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages. | keyword |
-| dhcpv4.transaction_id | Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`.
For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
| keyword |
-
-
-An example event for `dhcpv4` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:43:52.712Z",
- "agent": {
- "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 272,
- "ip": "0.0.0.0",
- "port": 68
- },
- "data_stream": {
- "dataset": "network_traffic.dhcpv4",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "255.255.255.255",
- "port": 67
- },
- "dhcpv4": {
- "client_mac": "00-0B-82-01-FC-42",
- "flags": "unicast",
- "hardware_type": "Ethernet",
- "hops": 0,
- "op_code": "bootrequest",
- "option": {
- "message_type": "discover",
- "parameter_request_list": [
- "Subnet Mask",
- "Router",
- "Domain Name Server",
- "NTP Servers"
- ],
- "requested_ip_address": "0.0.0.0"
- },
- "seconds": 0,
- "transaction_id": "0x00003d1d"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.dhcpv4",
- "ingested": "2022-03-09T07:43:53Z",
- "kind": "event",
- "start": "2022-03-09T07:43:52.712Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "network": {
- "bytes": 272,
- "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=",
- "direction": "unknown",
- "protocol": "dhcpv4",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "0.0.0.0",
- 
"255.255.255.255"
- ]
- },
- "server": {
- "ip": "255.255.255.255",
- "port": 67
- },
- "source": {
- "bytes": 272,
- "ip": "0.0.0.0",
- "port": 68
- },
- "status": "OK",
- "type": "dhcpv4"
-}
-```
-
-### DNS
-
-Fields published for DNS packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels.
| object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| dns.additionals | An array containing a dictionary for each additional section from the answer. | object |
-| dns.additionals.class | The class of DNS data contained in this resource record. | keyword |
-| dns.additionals.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.additionals.name | The domain name to which this resource record pertains. | keyword |
-| dns.additionals.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.additionals.type | The type of data contained in this resource record. | keyword |
-| dns.additionals_count | The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. | long |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
| object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.answers_count | The number of resource records contained in the `dns.answers` field. | long |
-| dns.authorities | An array containing a dictionary for each authority section from the answer. | object |
-| dns.authorities.class | The class of DNS data contained in this resource record. | keyword |
-| dns.authorities.name | The domain name to which this resource record pertains. | keyword |
-| dns.authorities.type | The type of data contained in this resource record. | keyword |
-| dns.authorities_count | The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. | long |
-| dns.flags.authentic_data | A DNS flag specifying that the recursive server considers the response authentic. | boolean |
-| dns.flags.authoritative | A DNS flag specifying that the responding server is an authority for the domain name used in the question. | boolean |
-| dns.flags.checking_disabled | A DNS flag specifying that the client disables the server signature validation of the query.
| boolean |
-| dns.flags.recursion_available | A DNS flag specifying whether recursive query support is available in the name server. | boolean |
-| dns.flags.recursion_desired | A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. | boolean |
-| dns.flags.truncated_response | A DNS flag specifying that only the first 512 bytes of the reply were returned. | boolean |
-| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
-| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
-| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
-| dns.opt.do | If set, the transaction uses DNSSEC. | boolean |
-| dns.opt.ext_rcode | Extended response code field. | keyword |
-| dns.opt.udp_size | Requestor's UDP payload size (in bytes). | long |
-| dns.opt.version | The EDNS version. | keyword |
-| dns.question.class | The class of records being queried. | keyword |
-| dns.question.etld_plus_one | The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com".
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`.
For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:48:42.751Z", - "agent": { - "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "data_stream": { - "dataset": "network_traffic.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "dns": { - "additionals_count": 0, - "answers": [ - { - "class": "IN", - "data": "ns-1183.awsdns-19.org", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-2007.awsdns-58.co.uk", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-66.awsdns-08.com", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-835.awsdns-40.net", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - } - ], - "answers_count": 4, - "authorities_count": 0, - "flags": { - "authentic_data": false, - "authoritative": false, - "checking_disabled": false, - "recursion_available": true, - "recursion_desired": true, - "truncated_response": false - }, - "header_flags": [ - "RD", - "RA" - ], - "id": 26187, - "op_code": "QUERY", - "question": { - "class": "IN", - "etld_plus_one": "elastic.co", - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "NS" - }, - "response_code": "NOERROR", - "type": "answer" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dns", - "duration": 68515700, - "end": "2022-03-09T07:48:42.819Z", - "ingested": 
"2022-03-09T07:48:43Z", - "kind": "event", - "start": "2022-03-09T07:48:42.751Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "QUERY", - "network": { - "bytes": 195, - "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", - "direction": "unknown", - "protocol": "dns", - "transport": "udp", - "type": "ipv4" - }, - "query": "class IN, type NS, elastic.co", - "related": { - "ip": [ - "192.168.238.68", - "8.8.8.8" - ] - }, - "resource": "elastic.co", - "server": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "source": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "status": "OK", - "type": "dns" -} -``` - -### HTTP - -Fields published for HTTP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.headers | A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.headers | A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened | -| http.response.status_code | HTTP response status code. | long | -| http.response.status_phrase | The HTTP status phrase. | keyword | -| http.version | HTTP version. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. 
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. 
| keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. 
| long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | - - -An example event for `http` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:54:42.031Z", - "agent": { - "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "data_stream": { - "dataset": "network_traffic.http", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.http", - "duration": 141490400, - "end": "2022-03-09T07:54:42.172Z", - "ingested": "2022-03-09T07:54:43Z", - "kind": "event", - "start": "2022-03-09T07:54:42.031Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": 
"Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "http": { - "request": { - "body": { - "bytes": 55 - }, - "bytes": 211, - "headers": { - "content-length": 55, - "content-type": "application/x-www-form-urlencoded" - }, - "method": "POST" - }, - "response": { - "body": { - "bytes": 8936 - }, - "bytes": 9108, - "headers": { - "content-length": 8936, - "content-type": "text/html; charset=utf-8" - }, - "status_code": 404, - "status_phrase": "not found" - }, - "version": "1.1" - }, - "method": "POST", - "network": { - "bytes": 9319, - "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=", - "direction": "unknown", - "protocol": "http", - "transport": "tcp", - "type": "ipv4" - }, - "query": "POST /register", - "related": { - "hosts": [ - "packetbeat.com" - ], - "ip": [ - "192.168.238.50", - "107.170.1.22" - ] - }, - "server": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "source": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "status": "Error", - "type": "http", - "url": { - "domain": "packetbeat.com", - "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "path": "/register", - "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "scheme": "http" - }, - "user_agent": { - "original": "curl/7.37.1" - } -} -``` - -### ICMP - -Fields published for ICMP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. 
| keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| icmp.request.code | The request code. | long |
-| icmp.request.message | A human readable form of the request. | keyword |
-| icmp.request.type | The request type. | long |
-| icmp.response.code | The response code. | long |
-| icmp.response.message | A human readable form of the response. | keyword |
-| icmp.response.type | The response type. | long |
-| icmp.version | The version of the ICMP protocol. | long |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `icmp` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:57:32.766Z",
- "agent": {
- "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 4,
- "ip": "::1"
- },
- "data_stream": {
- "dataset": "network_traffic.icmp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 4,
- "ip": "::2"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.icmp",
- "duration": 13336600,
- "end": "2022-03-09T07:57:32.779Z",
- "ingested": "2022-03-09T07:57:36Z",
- "kind": "event",
- "start": "2022-03-09T07:57:32.766Z",
- "type": [
- "connection"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "icmp": {
- "request": {
- "code": 0,
- "message": "EchoRequest",
- "type": 128
- },
- "response": {
- "code": 0,
- "message": "EchoReply",
- "type": 129
- },
- "version": 6
- },
- "network": {
- "bytes": 8,
- "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=",
- "direction": "egress",
- "transport": "ipv6-icmp",
- "type": "ipv6"
- },
- "path": "::2",
- "related": {
- "ip": [
- "::1",
- "::2"
- ]
- },
- "server": {
- "bytes": 4,
- "ip": "::2"
- },
- "source": {
- "bytes": 4,
- "ip": "::1"
- },
- "status": "OK",
- "type": "icmp"
-}
-```
-
-### Memcached
-
-Fields published for Memcached packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| memcache.protocol_type | The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. | keyword |
-| memcache.request.automove | The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. | keyword |
-| memcache.request.bytes | The byte count of the values being transferred. | long |
-| memcache.request.cas_unique | The CAS (compare-and-swap) identifier if present. | long |
-| memcache.request.command | The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. | keyword |
-| memcache.request.count_values | The number of values found in the memcache request message. If the command does not send any data, this field is missing. | long |
-| memcache.request.delta | The counter increment/decrement delta value. | long |
-| memcache.request.dest_class | The destination class id in 'slab reassign' command. | long |
-| memcache.request.exptime | The data expiry time in seconds sent with the memcache command (if present). If the value is `\< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). | long |
-| memcache.request.flags | The memcache command flags sent in the request (if present). | long |
-| memcache.request.initial | The counter increment/decrement initial value parameter (binary protocol only). | long |
-| memcache.request.keys | The list of keys sent in the store or load commands. | array |
-| memcache.request.line | The raw command line for unknown commands ONLY. | keyword |
-| memcache.request.noreply | Set to true if noreply was set in the request. The `memcache.response` field will be missing. | boolean |
-| memcache.request.opaque | The binary protocol opaque header value used for correlating request with response messages. | long |
-| memcache.request.opcode | The binary protocol message opcode name. | keyword |
-| memcache.request.opcode_value | The binary protocol message opcode value. | long |
-| memcache.request.quiet | Set to true if the binary protocol message is to be treated as a quiet message. | boolean |
-| memcache.request.raw_args | The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. | keyword |
-| memcache.request.sleep_us | The sleep setting in microseconds for the 'lru_crawler sleep' command. | long |
-| memcache.request.source_class | The source class id in 'slab reassign' command. | long |
-| memcache.request.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". | keyword |
-| memcache.request.values | The list of base64 encoded values sent with the request (if present). | array |
-| memcache.request.vbucket | The vbucket index sent in the binary message. | long |
-| memcache.request.verbosity | The value of the memcache "verbosity" command. | long |
-| memcache.response.bytes | The byte count of the values being transferred. | long |
-| memcache.response.cas_unique | The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). | long |
-| memcache.response.command | Either the text based protocol response message type or the name of the originating request if binary protocol is used. | keyword |
-| memcache.response.count_values | The number of values found in the memcache response message. If the command does not send any data, this field is missing. | long |
-| memcache.response.error_msg | The optional error message in the memcache response (text based protocol only). | keyword |
-| memcache.response.flags | The memcache message flags sent in the response (if present). | long |
-| memcache.response.keys | The list of keys returned for the load command (if present). | array |
-| memcache.response.opaque | The binary protocol opaque header value used for correlating request with response messages. | long |
-| memcache.response.opcode | The binary protocol message opcode name. | keyword |
-| memcache.response.opcode_value | The binary protocol message opcode value. | long |
-| memcache.response.stats | The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". | array |
-| memcache.response.status | The textual representation of the response error code (binary protocol only). | keyword |
-| memcache.response.status_code | The status code value returned in the response (binary protocol only). | long |
-| memcache.response.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). | keyword |
-| memcache.response.value | The counter value returned by a counter operation. | long |
-| memcache.response.values | The list of base64 encoded values sent with the response (if present). | array |
-| memcache.response.version | The returned memcache version string. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `memcached` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:09:26.564Z",
- "agent": {
- "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "data_stream": {
- "dataset": "network_traffic.memcached",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.memcached",
- "ingested": "2022-03-09T08:09:37Z",
- "kind": "event",
- "start": "2022-03-09T08:09:26.564Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "event.action": "memcache.store",
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "memcache": {
- "protocol_type": "binary",
- "request": {
- "bytes": 1024,
- "command": "set",
- "count_values": 1,
- "exptime": 0,
- "flags": 0,
- "keys": [
- "test_key"
- ],
- "opaque": 65536,
- "opcode": "SetQ",
- "opcode_value": 17,
- "quiet": true,
- "type": "Store",
- "vbucket": 0
- }
- },
- "network": {
- "bytes": 1064,
- "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=",
- "direction": "unknown",
- "protocol": "memcache",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.188.37",
- "192.168.188.38"
- ]
- },
- "server": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "source": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "status": "OK",
- "type": "memcache"
-}
-```
-
-### MongoDB
-
-Fields published for MongoDB packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | keyword |
-| mongodb.error | If the MongoDB request has resulted in an error, this field contains the error message returned by the server. | keyword |
-| mongodb.fullCollectionName | The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. | keyword |
-| mongodb.numberReturned | The number of documents in the reply. | long |
-| mongodb.numberToReturn | The requested maximum number of documents to be returned. | long |
-| mongodb.numberToSkip | Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. | long |
-| mongodb.query | A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. | keyword |
-| mongodb.returnFieldsSelector | A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. | keyword |
-| mongodb.selector | A BSON document that specifies the query for selecting the document to update or delete. | keyword |
-| mongodb.startingFrom | Where in the cursor this reply is starting. | keyword |
-| mongodb.update | A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. 
| keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `mongodb` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:15:48.570Z", - "agent": { - "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "data_stream": { - "dataset": "network_traffic.mongodb", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mongodb", - "duration": 1365900, - "end": "2022-03-09T08:15:48.571Z", - "ingested": "2022-03-09T08:15:49Z", - "kind": "event", - "start": "2022-03-09T08:15:48.570Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "find", - "mongodb": { - "cursorId": 0, - "fullCollectionName": "test.restaurants", - "numberReturned": 1, - "numberToReturn": 1, - "numberToSkip": 0, - "startingFrom": 0 - }, - "network": { - "bytes": 564, - "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=", - "direction": "ingress", - "protocol": "mongodb", - "transport": "tcp", - "type": "ipv4" - }, - "query": "test.restaurants.find().limit(1)", - 
"related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "test.restaurants", - "server": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "source": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "status": "OK", - "type": "mongodb" -} -``` - -### MySQL - -Fields published for MySQL packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. 
| long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| mysql.affected_rows | If the MySQL command is successful, this field contains the affected number of rows of the last statement. | long | -| mysql.error_code | The error code returned by MySQL. | long | -| mysql.error_message | The error info message returned by MySQL. 
| keyword | -| mysql.insert_id | If the INSERT query is successful, this field contains the id of the newly inserted row. | keyword | -| mysql.num_fields | If the SELECT query is successful, this field is set to the number of fields returned. | long | -| mysql.num_rows | If the SELECT query is successful, this field is set to the number of rows returned. | long | -| mysql.query | The row mysql query as read from the transaction's request. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. 
| keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. 
| keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `mysql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:20:44.667Z", - "agent": { - "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "data_stream": { - "dataset": "network_traffic.mysql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mysql", - "duration": 5532500, - "end": "2022-03-09T08:20:44.673Z", - "ingested": "2022-03-09T08:20:45Z", - "kind": "event", - "start": "2022-03-09T08:20:44.667Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": 
{ - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "mysql": { - "affected_rows": 0, - "insert_id": 0, - "num_fields": 3, - "num_rows": 15 - }, - "network": { - "bytes": 3652, - "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", - "direction": "ingress", - "protocol": "mysql", - "transport": "tcp", - "type": "ipv4" - }, - "path": "test.test", - "query": "select * from test", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "source": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "status": "OK", - "type": "mysql" -} -``` - -### NFS - -Fields published for NFS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| nfs.minor_version | NFS protocol minor version number. | long | -| nfs.opcode | NFS operation name, or main operation name, in case of COMPOUND calls. | keyword | -| nfs.status | NFS operation reply status. | keyword | -| nfs.tag | NFS v4 COMPOUND operation tag. | keyword | -| nfs.version | NFS protocol version number. | long | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). 
For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| rpc.auth_flavor | RPC authentication flavor. | keyword | -| rpc.cred.gid | RPC caller's group id, in case of auth-unix. | long | -| rpc.cred.gids | RPC caller's secondary group ids, in case of auth-unix. | long | -| rpc.cred.machinename | The name of the caller's machine. | keyword | -| rpc.cred.stamp | Arbitrary ID which the caller machine may generate. | long | -| rpc.cred.uid | RPC caller's user id, in case of auth-unix. | long | -| rpc.status | RPC message reply status. | keyword | -| rpc.xid | RPC message transaction identifier. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-| user.id | Unique identifier of the user. | keyword |
-
-
-An example event for `nfs` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:24:00.569Z",
- "agent": {
- "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 208,
- "domain": "desycloud03.desy.de",
- "ip": "131.169.5.156",
- "port": 907
- },
- "data_stream": {
- "dataset": "network_traffic.nfs",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 176,
- "ip": "131.169.192.35",
- "port": 2049
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "nfs.CLOSE",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.nfs",
- "duration": 6573500,
- "end": "2022-03-09T08:24:00.575Z",
- "ingested": "2022-03-09T08:24:01Z",
- "kind": "event",
- "start": "2022-03-09T08:24:00.569Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "group.id": 48,
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "host.hostname": "desycloud03.desy.de",
- "network": {
- "bytes": 384,
- "community_id": 
"1:cd5eLXemAsSPMdXwCbdDUWWud4M=", - "direction": "unknown", - "protocol": "nfsv4", - "transport": "tcp", - "type": "ipv4" - }, - "nfs": { - "minor_version": 1, - "opcode": "CLOSE", - "status": "NFS_OK", - "tag": "", - "version": 4 - }, - "related": { - "ip": [ - "131.169.5.156", - "131.169.192.35" - ] - }, - "rpc": { - "auth_flavor": "unix", - "cred": { - "gid": 48, - "gids": [ - 48 - ], - "machinename": "desycloud03.desy.de", - "stamp": 4308441, - "uid": 48 - }, - "status": "success", - "xid": "c3103fc1" - }, - "server": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "source": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "status": "OK", - "type": "nfs", - "user.id": 48 -} -``` - -### PostgreSQL - -Fields published for PostgreSQL packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. 
access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. 
In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| pgsql.error_code | The PostgreSQL error code. | keyword |
-| pgsql.error_message | The PostgreSQL error message. | keyword |
-| pgsql.error_severity | The PostgreSQL error severity. | keyword |
-| pgsql.num_fields | If the SELECT query if successful, this field is set to the number of fields returned. | long |
-| pgsql.num_rows | If the SELECT query if successful, this field is set to the number of rows returned. | long |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. 
| long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `pgsql` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:29:39.675Z",
- "agent": {
- "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 34,
- "ip": "127.0.0.1",
- "port": 34936
- },
- "data_stream": {
- "dataset": "network_traffic.pgsql",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 3186,
- "ip": "127.0.0.1",
- "port": 5432
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.pgsql",
- "duration": 2568100,
- "end": "2022-03-09T08:29:39.678Z",
- "ingested": "2022-03-09T08:29:40Z",
- "kind": "event",
- "start": "2022-03-09T08:29:39.675Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- 
"architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "network": { - "bytes": 3220, - "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=", - "direction": "ingress", - "protocol": "pgsql", - "transport": "tcp", - "type": "ipv4" - }, - "pgsql": { - "num_fields": 3, - "num_rows": 15 - }, - "query": "select * from long_response", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "source": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "status": "OK", - "type": "pgsql" -} -``` - -### Redis - -Fields published for Redis packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. 
| keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. 
For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| redis.error | If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. | keyword |
-| redis.return_value | The return value of the Redis command in a human readable format. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. 
The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `redis` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:30:57.254Z",
- "agent": {
- "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 31,
- "ip": "127.0.0.1",
- "port": 32810
- },
- "data_stream": {
- "dataset": "network_traffic.redis",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 5,
- "ip": "127.0.0.1",
- "port": 6380
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "redis.set",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.redis",
- "duration": 1421600,
- "end": "2022-03-09T08:30:57.256Z",
- "ingested": "2022-03-09T08:30:58Z",
- "kind": "event",
- "start": "2022-03-09T08:30:57.254Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SET",
- "network": {
- "bytes": 36,
- "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=",
- "direction": "ingress",
- "protocol": "redis",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "set key3 me",
- "redis": {
- "return_value": "OK"
- },
- "related": {
- "ip": [
- 
"127.0.0.1" - ] - }, - "resource": "key3", - "server": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "source": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "status": "OK", - "type": "redis" -} -``` - -### SIP - -Fields published for SIP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. 
This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. 
The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| sip.accept | Accept header value. | keyword | -| sip.allow | Allowed methods. | keyword | -| sip.auth.realm | Auth realm | keyword | -| sip.auth.scheme | Auth scheme | keyword | -| sip.auth.uri.host | Auth URI host | keyword | -| sip.auth.uri.original | Auth original URI | keyword | -| sip.auth.uri.original.text | Multi-field of `sip.auth.uri.original`. | text | -| sip.auth.uri.port | Auth URI port | long | -| sip.auth.uri.scheme | Auth URI scheme | keyword | -| sip.call_id | Call ID. | keyword | -| sip.code | Response status code. | long | -| sip.contact.display_info | Contact display info | keyword | -| sip.contact.expires | Contact expires | keyword | -| sip.contact.line | Contact line | keyword | -| sip.contact.q | Contact Q | keyword | -| sip.contact.transport | Contact transport | keyword | -| sip.contact.uri.host | Contact URI host | keyword | -| sip.contact.uri.original | Contact original URI | keyword | -| sip.contact.uri.original.text | Multi-field of `sip.contact.uri.original`. 
| text | -| sip.contact.uri.port | Contact URI port | long | -| sip.contact.uri.scheme | Contat URI scheme | keyword | -| sip.contact.uri.username | Contact URI user name | keyword | -| sip.content_length | | long | -| sip.content_type | | keyword | -| sip.cseq.code | Sequence code. | long | -| sip.cseq.method | Sequence method. | keyword | -| sip.from.display_info | From display info | keyword | -| sip.from.tag | From tag | keyword | -| sip.from.uri.host | From URI host | keyword | -| sip.from.uri.original | From original URI | keyword | -| sip.from.uri.original.text | Multi-field of `sip.from.uri.original`. | text | -| sip.from.uri.port | From URI port | long | -| sip.from.uri.scheme | From URI scheme | keyword | -| sip.from.uri.username | From URI user name | keyword | -| sip.max_forwards | | long | -| sip.method | Request method. | keyword | -| sip.private.uri.host | Private URI host. | keyword | -| sip.private.uri.original | Private original URI. | keyword | -| sip.private.uri.original.text | Multi-field of `sip.private.uri.original`. | text | -| sip.private.uri.port | Private URI port. | long | -| sip.private.uri.scheme | Private URI scheme. | keyword | -| sip.private.uri.username | Private URI user name. | keyword | -| sip.sdp.body.original | SDP original body | keyword | -| sip.sdp.body.original.text | Multi-field of `sip.sdp.body.original`. | text | -| sip.sdp.connection.address | SDP connection address | keyword | -| sip.sdp.connection.info | SDP connection info | keyword | -| sip.sdp.owner.ip | SDP owner IP | ip | -| sip.sdp.owner.session_id | SDP owner session ID | keyword | -| sip.sdp.owner.username | SDP owner user name | keyword | -| sip.sdp.owner.version | SDP owner version | keyword | -| sip.sdp.session.name | SDP session name | keyword | -| sip.sdp.version | SDP version | keyword | -| sip.status | Response status phrase. | keyword | -| sip.supported | Supported methods. 
| keyword | -| sip.to.display_info | To display info | keyword | -| sip.to.tag | To tag | keyword | -| sip.to.uri.host | To URI host | keyword | -| sip.to.uri.original | To original URI | keyword | -| sip.to.uri.original.text | Multi-field of `sip.to.uri.original`. | text | -| sip.to.uri.port | To URI port | long | -| sip.to.uri.scheme | To URI scheme | keyword | -| sip.to.uri.username | To URI user name | keyword | -| sip.type | Either request or response. | keyword | -| sip.uri.host | The URI host. | keyword | -| sip.uri.original | The original URI. | keyword | -| sip.uri.original.text | Multi-field of `sip.uri.original`. | text | -| sip.uri.port | The URI port. | long | -| sip.uri.scheme | The URI scheme. | keyword | -| sip.uri.username | The URI user name. | keyword | -| sip.user_agent.original | | keyword | -| sip.user_agent.original.text | Multi-field of `sip.user_agent.original`. | text | -| sip.version | SIP protocol version. | keyword | -| sip.via.original | The original Via value. | keyword | -| sip.via.original.text | Multi-field of `sip.via.original`. | text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. 
| match_only_text | - - -An example event for `sip` looks as following: - -```json -{ - "@timestamp": "2022-05-13T07:10:35.715Z", - "agent": { - "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013", - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "10.0.2.20", - "port": 5060 - }, - "data_stream": { - "dataset": "network_traffic.sip", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.2.15", - "port": 5060 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "sip-invite", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.sip", - "duration": 0, - "end": "2022-05-13T07:10:35.715Z", - "ingested": "2022-05-13T07:10:39Z", - "kind": "event", - "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", - "sequence": 1, - "start": "2022-05-13T07:10:35.715Z", - "type": [ - "info" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "172.31.0.7" - ], - "mac": [ - "02-42-AC-1F-00-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - 
"application": "sip", - "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", - "direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - }, - "version": "2.0", - "via": { - "original": [ - "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" - ] - } - }, - "source": { - "ip": "10.0.2.20", - "port": 5060 - }, - "status": "OK", - "type": "sip" -} -``` - -### Thrift - -Fields published for Thrift packets. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. 
| keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| thrift.exceptions | If the call resulted in exceptions, this field contains the exceptions in a human readable format. | keyword | -| thrift.params | The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. | keyword | -| thrift.return_value | The value returned by the Thrift-RPC call. This is encoded in a human readable format. 
| keyword |
-| thrift.service | The name of the Thrift-RPC service as defined in the IDL files. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `thrift` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:33:31.022Z",
- "agent": {
- "ephemeral_id": "de52c04f-60dd-4ed1-a501-b297caa5c67c",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "data_stream": {
- "dataset": "network_traffic.thrift",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 9090
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.thrift",
- "duration": 1394000,
- "end": "2022-03-09T08:33:31.023Z",
- "ingested": "2022-03-09T08:33:32Z",
- "kind": "event",
- "start": "2022-03-09T08:33:31.022Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "testByte",
- "network": {
- "bytes": 50,
- "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=",
- "direction": "ingress",
- "protocol": "thrift",
- "transport": "tcp",
- "type": "ipv4"
- },
- "path": "",
- "query": "testByte(1: 63)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 25,
- "ip": 
"127.0.0.1", - "port": 9090 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "status": "OK", - "thrift": { - "params": "(1: 63)", - "return_value": "63" - }, - "type": "thrift" -} -``` - -### TLS - -Fields published for TLS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
| long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. 
For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. 
| long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| tls.cipher | String indicating the cipher used during the current connection. | keyword |
-| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword |
-| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword |
-| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword |
-| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
-| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. 
| date |
-| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date |
-| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword |
-| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword |
-| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. | keyword |
-| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
-| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.country | List of country (C) codes | keyword |
-| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.locality | List of locality names (L) | keyword |
-| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date |
-| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
-| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
| keyword |
-| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
-| tls.client.x509.public_key_size | The size of the public key space in bits. | long |
-| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| tls.client.x509.subject.country | List of country (C) code | keyword |
-| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| tls.client.x509.subject.locality | List of locality names (L) | keyword |
-| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword |
-| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.client.x509.version_number | Version of x509 format. | keyword |
-| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword |
-| tls.detailed.alert_types | An array containing the TLS alert type for every alert received. | keyword |
-| tls.detailed.client_certificate_chain | Chain of trust for the client certificate. | array |
-| tls.detailed.client_certificate_requested | Whether the server has requested the client to authenticate itself using a client certificate. | boolean |
-| tls.detailed.client_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. 
| keyword |
-| tls.detailed.client_hello.extensions.application_layer_protocol_negotiation | List of application-layer protocols the client is willing to use. | keyword |
-| tls.detailed.client_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. | keyword |
-| tls.detailed.client_hello.extensions.server_name_indication | List of hostnames | keyword |
-| tls.detailed.client_hello.extensions.session_ticket | Length of the session ticket, if provided, or an empty string to advertise support for tickets. | keyword |
-| tls.detailed.client_hello.extensions.signature_algorithms | List of signature algorithms that may be use in digital signatures. | keyword |
-| tls.detailed.client_hello.extensions.status_request.request_extensions | The number of certificate extensions for the request. | short |
-| tls.detailed.client_hello.extensions.status_request.responder_id_list_length | The length of the list of trusted responders. | short |
-| tls.detailed.client_hello.extensions.status_request.type | The type of the status request. Always "ocsp" if present. | keyword |
-| tls.detailed.client_hello.extensions.supported_groups | List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. | keyword |
-| tls.detailed.client_hello.extensions.supported_versions | List of TLS versions that the client is willing to use. | keyword |
-| tls.detailed.client_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword |
-| tls.detailed.client_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword |
-| tls.detailed.client_hello.supported_compression_methods | The list of compression methods the client supports. 
See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml | keyword |
-| tls.detailed.client_hello.version | The version of the TLS protocol by which the client wishes to communicate during this session. | keyword |
-| tls.detailed.ocsp_response | The result of an OCSP request. | keyword |
-| tls.detailed.resumption_method | If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. | keyword |
-| tls.detailed.server_certificate_chain | Chain of trust for the server certificate. | array |
-| tls.detailed.server_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. | keyword |
-| tls.detailed.server_hello.extensions.application_layer_protocol_negotiation | Negotiated application layer protocol | keyword |
-| tls.detailed.server_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. | keyword |
-| tls.detailed.server_hello.extensions.session_ticket | Used to announce that a session ticket will be provided by the server. Always an empty string. | keyword |
-| tls.detailed.server_hello.extensions.status_request.response | Whether a certificate status request response was made. | boolean |
-| tls.detailed.server_hello.extensions.supported_versions | Negotiated TLS version to be used. | keyword |
-| tls.detailed.server_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword |
-| tls.detailed.server_hello.selected_compression_method | The compression method selected by the server from the list provided in the client hello. | keyword |
-| tls.detailed.server_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword |
-| tls.detailed.server_hello.version | The version of the TLS protocol that is used for this session. 
It is the highest version supported by the server not exceeding the version requested in the client hello. | keyword |
-| tls.detailed.version | The version of the TLS protocol used. | keyword |
-| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean |
-| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword |
-| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean |
-| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword |
-| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. | keyword |
-| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. 
| keyword |
-| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword |
-| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date |
-| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date |
-| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword |
-| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword |
-| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.country | List of country (C) codes | keyword |
-| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.locality | List of locality names (L) | keyword |
-| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date |
-| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
-| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
-| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. 
| long |
-| tls.server.x509.public_key_size | The size of the public key space in bits. | long |
-| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword |
-| tls.server.x509.subject.country | List of country (C) code | keyword |
-| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| tls.server.x509.subject.locality | List of locality names (L) | keyword |
-| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword |
-| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.server.x509.version_number | Version of x509 format. | keyword |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `tls` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T08:34:08.391Z",
- "agent": {
- "ephemeral_id": "5f0bae3e-11e9-4578-9a69-fa5e61bd6b09",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "ip": "192.168.1.36",
- "port": 60946
- },
- "data_stream": {
- "dataset": "network_traffic.tls",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "domain": "play.google.com",
- "ip": "216.58.201.174",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.tls",
- "duration": 14861200,
- "end": "2022-03-09T08:34:08.406Z",
- "ingested": "2022-03-09T08:34:09Z",
- "kind": "event",
- "start": "2022-03-09T08:34:08.391Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "network": {
- "community_id": "1:hfsK5r0tJm7av4j7BtSxA6oH9xA=",
- "direction": "unknown",
- "protocol": "tls",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.1.36",
- "216.58.201.174"
- ]
- },
- "server": {
- "domain": "play.google.com",
- "ip": "216.58.201.174",
- "port": 443
- },
- "source": {
- "ip": "192.168.1.36",
- "port": 60946
- },
- "status": "OK",
- "tls": {
- "cipher": "TLS_AES_128_GCM_SHA256",
- "client": {
- "ja3": "d470a3fa301d80227bc5650c75567d25",
- "server_name": "play.google.com",
- 
"supported_ciphers": [ - "TLS_AES_128_GCM_SHA256", - "TLS_CHACHA20_POLY1305_SHA256", - "TLS_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA" - ] - }, - "detailed": { - "client_certificate_requested": false, - "client_hello": { - "extensions": { - "_unparsed_": [ - "23", - "renegotiation_info", - "status_request", - "51", - "45", - "28", - "41" - ], - "application_layer_protocol_negotiation": [ - "h2", - "http/1.1" - ], - "ec_points_formats": [ - "uncompressed" - ], - "server_name_indication": [ - "play.google.com" - ], - "signature_algorithms": [ - "ecdsa_secp256r1_sha256", - "ecdsa_secp384r1_sha384", - "ecdsa_secp521r1_sha512", - "rsa_pss_sha256", - "rsa_pss_sha384", - "rsa_pss_sha512", - "rsa_pkcs1_sha256", - "rsa_pkcs1_sha384", - "rsa_pkcs1_sha512", - "ecdsa_sha1", - "rsa_pkcs1_sha1" - ], - "supported_groups": [ - "x25519", - "secp256r1", - "secp384r1", - "secp521r1", - "ffdhe2048", - "ffdhe3072" - ], - "supported_versions": [ - "TLS 1.3", - "TLS 1.2", - "TLS 1.1", - "TLS 1.0" - ] - }, - "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", - "supported_compression_methods": [ - "NULL" - ], - "version": "3.3" - }, - "resumption_method": "id", - "server_hello": { - "extensions": { - "_unparsed_": [ - "41", - "51" - ], - "supported_versions": "TLS 1.3" - }, - "selected_compression_method": "NULL", - "session_id": 
"5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", - "version": "3.3" - }, - "version": "TLS 1.3" - }, - "established": true, - "resumed": true, - "version": "1.3", - "version_protocol": "tls" - }, - "type": "tls" -} -``` - -## Licensing for Windows Systems - -The Network Packet Capture Integration incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project"). \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index 16f534dd5e..0000000000 --- a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "Overview of DNS request and response metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":13,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":11,\"x\":13,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-65120940-1454-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-dns-query-summary", - "name": 
"panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-dns-request-status-over-time", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-dns-question-types", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dns-top-10-questions", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-dns-response-codes", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json deleted file mode 100755 index 7562508a09..0000000000 --- a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "DHCPv4 Overview", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"3\",\"w\":11,\"x\":37,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"8\",\"w\":13,\"x\":24,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - 
"dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "5:panel_5", - "type": "search" - }, - { - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "name": "8:panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-cassandra.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-cassandra.json deleted file mode 100755 index 489417c609..0000000000 --- a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-cassandra.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":36,\"y\":8},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":12,\"x\":24,\"y\":8},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":12,\"x\":12,\"y\":8},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\
":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"cassandra.request.query\",\"cassandra.response.result.rows.meta.keyspace\",\"cassandra.response.result.rows.meta.table\",\"cassandra.response.result.rows.num_rows\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"search\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Cassandra", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-cassandra-responsekeyspace", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetype", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetime", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcount", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-ops", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountstackbytype", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsecountstackbytype", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountbytype", - "name": "17:panel_17", - "type": 
"visualization" - }, - { - "id": "network_traffic-cassandra-responsecountbytype", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-queryview", - "name": "20:panel_20", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-dashboard.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-dashboard.json deleted file mode 100755 index c1dee3dfea..0000000000 --- a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-dashboard.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "Network Packet Capture overview dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"2\",\"w\":12,\"x\":36,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"
},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":12,\"x\":24,\"y\":20},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"3f5bc195-da9d-4ec8-a68f-896db321a54b\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"9638dc3f-f85a-4e68-8e14-25654df43f8e\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"client.geo.location\\\",\\\"id\\\":\\\"220c104b-34a8-4aa7-a3d6-7b56ad4d3b9e\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":2.4,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"agent.type:packetbeat\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerC
ontrol\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"[Network Packet Capture] Map 2\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":40.9799,\"maxLon\":90,\"minLat\":0,\"minLon\":-90},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":2.4},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"title\":\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\",\"type\":\"map\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dashboard", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-web-transactions", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-db-transactions", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-errors-count-over-time", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-errors-vs-successful-transactions", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-latency-histogram", - "name": "8:panel_8", - "type": "visualization" - 
}, - { - "id": "network_traffic-response-times-repartition", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "92e797bb-1975-4320-9d19-9b7f11e9e538:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-dns-unique-domains.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-dns-unique-domains.json deleted file mode 100755 index d6f50f2545..0000000000 --- a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-dns-unique-domains.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "Detecting tunneling over DNS.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"NOT dns.question.type:PTR\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique Subdomain Count\":\"#EF843C\",\"Unique count of dns.question.name\":\"#E0752D\"},\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Tunneling", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-unique-domains", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-unique-fqdns-per-etld-1", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"network_traffic-bytes-transferred-per-domain", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-flows.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-flows.json deleted file mode 100755 index 13b51d1106..0000000000 --- a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-flows.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"3\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":35,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Network Flows", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-top-hosts-creating-traffic", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-connections-over-time", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-top-hosts-receiving-traffic", - "name": "panel_3", - "type": "visualization" - }, - { - "id": 
"network_traffic-network-traffic-between-your-hosts", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-http.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-http.json deleted file mode 100755 index 0699eb175a..0000000000 --- a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-http.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":36,\"x\":12,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] HTTP", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": 
"network_traffic-web-transactions", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes-evolution", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-total-number-of-http-transactions", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-http-codes-for-the-top-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-10-http-requests", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-mongodb-performance.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-mongodb-performance.json deleted file mode 100755 index 76b41ed6ac..0000000000 --- a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-mongodb-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"6\",\"w\":32,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":35},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] MongoDB", - "version": 1 - }, - "coreMigrationVersion": 
"7.17.0", - "id": "network_traffic-mongodb-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-commands", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors-per-collection", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-in-slash-out-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-response-times-by-collection", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-slowest-mongodb-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-mysql-performance.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-mysql-performance.json deleted file mode 100755 index 6e51b19d93..0000000000 --- a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-mysql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network 
Packet Capture] MySQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-methods", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-throughput", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-mysql-queries", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-mysql-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-response-times-percentiles", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-reads-vs-writes", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-nfs.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-nfs.json deleted file mode 100755 index 2b9bfc8b82..0000000000 --- a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-nfs.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "NFSv3 and NFSv4 transactions over TCP.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":25,\"i\":\"1\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":10},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":30,\"i\"
:\"9\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"9\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"10\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_8\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] NFS", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-clients-pie-chart", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operations-area-chart", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-group-pie-chart", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-users-pie-chart", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-response-times", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-errors", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operation-table", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-bytes-in-slash-out", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-pgsql-performance.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-pgsql-performance.json deleted file mode 100755 index 462ad7a8be..0000000000 --- a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-pgsql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Postgres database query performance.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - 
"timeRestore": false, - "title": "[Network Packet Capture] PgSQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-methods", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-response-times-percentiles", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-reads-vs-writes", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-pgsql-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-pgsql-queries", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-thrift-performance.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-thrift-performance.json deleted file mode 100755 index fe50a1efbd..0000000000 --- a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-thrift-performance.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Thrift performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-performance", 
- "migrationVersion": {
- "dashboard": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-navigation",
- "name": "1:panel_1",
- "type": "visualization"
- },
- {
- "id": "network_traffic-thrift-requests-per-minute",
- "name": "2:panel_2",
- "type": "visualization"
- },
- {
- "id": "network_traffic-thrift-rpc-errors",
- "name": "3:panel_3",
- "type": "visualization"
- },
- {
- "id": "network_traffic-slowest-thrift-rpc-methods",
- "name": "4:panel_4",
- "type": "visualization"
- },
- {
- "id": "network_traffic-thrift-response-times-percentiles",
- "name": "5:panel_5",
- "type": "visualization"
- },
- {
- "id": "network_traffic-top-thrift-rpc-methods",
- "name": "6:panel_6",
- "type": "visualization"
- },
- {
- "id": "network_traffic-top-thrift-rpc-calls-with-errors",
- "name": "7:panel_7",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-tls-sessions.json b/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-tls-sessions.json
deleted file mode 100755
index 876601f994..0000000000
--- a/packages/network_traffic/1.0.1/kibana/dashboard/network_traffic-tls-sessions.json
+++ /dev/null
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "[Network Packet Capture] TLS Sessions", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"8\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":12,\"x\":12,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":12,\"x\":0,\"y\":16},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":40},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"12\",\"w\":12,\"x\":24,\"y\":28},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":12,\"x\":36,\"y\":28},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":12,\"x\":0,\"y\":28},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"ver
sion\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"19\",\"w\":36,\"x\":12,\"y\":16},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-tls-sessions", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "name": "12:panel_12", - 
"type": "visualization" - }, - { - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index afb21d2457..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Network Packet Capture] MongoDB errors",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json
deleted file mode 100755
index afb21d2457..0000000000
--- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.ja3\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.ja3\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Network Packet Capture] TLS Fingerprint",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json
deleted file mode 100755
index 67be55b24a..0000000000
--- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Network Packet Capture] HTTP Transactions Search",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json
deleted file mode 100755
index 438de0c09a..0000000000
--- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"event.duration\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Network Packet Capture] TLS Handshake Latency",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json
deleted file mode 100755
index b2320634bf..0000000000
--- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.server.x509.public_key_size\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.server.x509.public_key_size\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Network Packet Capture] Server Public Key Size",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json
deleted file mode 100755
index 7851d8f875..0000000000
--- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.server_name\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.server_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Network Packet Capture] TLS Server Name Indication",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json
deleted file mode 100755
index 44b4e814c2..0000000000
--- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "attributes": {
- "columns": [
- "dhcpv4.transaction_id",
- "dhcpv4.op_code",
- "dhcpv4.option.message_type",
- "source.ip",
- "destination.ip",
- "dhcpv4.client_mac",
- "dhcpv4.option.hostname",
- "dhcpv4.option.class_identifier"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Network Packet Capture] DHCPv4",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json
deleted file mode 100755
index 48114ab869..0000000000
--- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.detailed.version\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.detailed.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Network Packet Capture] TLS Version",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-cassandra-queryview.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-cassandra-queryview.json
deleted file mode 100755
index 4da4785f32..0000000000
--- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-cassandra-queryview.json
+++ /dev/null
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "cassandra.request.query", - "cassandra.response.result.rows.meta.keyspace", - "cassandra.response.result.rows.meta.table", - "cassandra.response.result.rows.num_rows" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cassandra.request.headers.op\",\"negate\":false,\"params\":{\"query\":\"QUERY\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"QUERY\"},\"query\":{\"match\":{\"cassandra.request.headers.op\":{\"query\":\"QUERY\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"cassandra.response.headers.op\",\"negate\":true,\"params\":{\"query\":\"ERROR\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ERROR\"},\"query\":{\"match\":{\"cassandra.response.headers.op\":{\"query\":\"ERROR\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Query Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-queryview", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json deleted file mode 100755 index e042ed47b0..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "server.ip", - "destination.ip", - "dns.question.name", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"dns\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"dns\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"dns\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DNS Protocol", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json deleted file mode 100755 index adda40afe3..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json deleted file mode 100755 index 54ccb16243..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":\"TLS sessions\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-flows-search.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-flows-search.json deleted file mode 100755 index 94bf5f31c0..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-flows-search.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "type", - "event.start", - "event.end", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "source.bytes", - "destination.bytes" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.flow\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Flows Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json deleted file mode 100755 index f3f1e907c0..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb and request: \\\"writeConcern w 0\\\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB transactions with write concern 0", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-mongodb-transactions.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-mongodb-transactions.json deleted file mode 100755 index 71fb0f7d06..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-mongodb-transactions.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB Transaction Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-mysql-errors.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-mysql-errors.json deleted file mode 100755 index e6696d3dfe..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-mysql-transactions.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-mysql-transactions.json deleted file mode 100755 index 035e4af69f..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-mysql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-nfs-errors-search.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-nfs-errors-search.json deleted file mode 100755 index 234a135c17..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-nfs-errors-search.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFSERR_NOENT\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFS_OK\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Error Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" 
-} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-nfs.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-nfs.json deleted file mode 100755 index 637ab8785a..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-nfs.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-pgsql-errors.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-pgsql-errors.json deleted file mode 100755 index e1e696c06b..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-pgsql-transactions.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-pgsql-transactions.json deleted file mode 100755 index 4cf83e438b..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-pgsql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-search.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-search.json deleted file mode 100755 index b8dcde28ff..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-search.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-thrift-errors.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-thrift-errors.json deleted file mode 100755 index 4ada45ff68..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-thrift-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-thrift-transactions.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-thrift-transactions.json deleted file mode 100755 index d561697995..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-thrift-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/search/network_traffic-transactions-errors.json b/packages/network_traffic/1.0.1/kibana/search/network_traffic-transactions-errors.json deleted file mode 100755 index 26f67d32a2..0000000000 --- a/packages/network_traffic/1.0.1/kibana/search/network_traffic-transactions-errors.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Transactions Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-transactions-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - 
{ - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json deleted file mode 100755 index 72cce261f0..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Sessions", - "uiStateJSON": "{\"vis\":{\"colors\":{\"false\":\"#E24D42\",\"true\":\"#7EB26D\"},\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sessions per minute\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Handshake completed\",\"field\":\"tls.established\",\"json\":\"\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"
},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Sessions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index 428c808c1b..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] Total Number of TLS Sessions", - "uiStateJSON": "{\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-7\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total Number of TLS Sessions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 3d5fc5d68c..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.server.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Organization\",\"field\":\"tls.server.x509.subject.organization\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Server Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index a9a6b6d585..0000000000 
--- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Versions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TLS version\",\"field\":\"tls.detailed.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Versions\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json deleted file mode 100755 index 5c709d21ab..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Client Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique MACs\",\"field\":\"dhcpv4.client_mac\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Client Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 238ff5fe1b..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Session Resume", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"\",\"field\":\"tls.detailed.resumption_method\",\"json\":\"{\\n\\\"missing\\\": \\\"none\\\"\\n}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Session Resume\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index 28758eb761..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Message Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Op Code\",\"field\":\"dhcpv4.op_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message Type\",\"field\":\"dhcpv4.option.message_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DHCPv4 Message Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json deleted file mode 100755 index dfd0b9c2df..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Cipher", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cipher\",\"field\":\"tls.cipher\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Cipher\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json deleted file mode 100755 index 69216a897d..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"dhcpv4.option.message_type:nak OR dhcpv4.option.message_type:decline\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 NAK and Decline Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":57,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 NAK and Decline Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index e347b89b8e..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Avg Response Time (ns)\":\"#629E51\",\"Max Response Time (ns)\":\"#E24D42\",\"Min Response Time (ns)\":\"#70DBED\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Max Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"max\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"4\",\"label\":\"Min Response Time 
(ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"1\",\"label\":\"Avg Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Max Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Average event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json deleted file mode 100755 index 27390bc2a6..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"}}" - }, - "title": "[Network Packet Capture] DHCPv4 Message Types over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"c2cf4410-8ba8-11e8-ae15-bdcba81344e6\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"type:dhcpv4\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"ignore_global_filter\":0,\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"NOT dhcpv4.option.message_type:nak NOT dhcpv4.option.message_type:decline\"},\"formatter\":\"number\",\"id\":\"8abe6eb0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"Response\",\"line_width\":1,\"metrics\":[{\"id\":\"8abe6eb1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"dhcpv4.option.message_type\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.message_type:nak\"},\"formatter\":\"number\",\"id\":\"ae5610d0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"nak\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"ae5610d1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.
message_type:decline\"},\"formatter\":\"number\",\"id\":\"cf7ba180-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"decline\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"cf7ba181-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"[Network Packet Capture] DHCPv4 Message Types over Time\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 23e4ad24db..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Client Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.client.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Signature Algorithm\",\"field\":\"tls.client.x509.signature_algorithm\",\"json\":\"{ \\\"missing\\\": \\\"N/A\\\" }\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Client Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index e100d4e38f..0000000000 
--- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Name Indication", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Server Name Indication\",\"field\":\"tls.client.server_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"hideLabel\":false,\"maxFontSize\":64,\"minFontSize\":14,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"[Network Packet Capture] TLS Server Name Indication\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 204f509a93..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Fingerprint", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"JA3 Fingerprint\",\"field\":\"tls.client.ja3\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Fingerprint\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index c8ca05e364..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Public Key Size", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Public Key Size\",\"field\":\"tls.server.x509.public_key_size\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] Server Public Key Size\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index 7d805b99d1..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Client and Servers Pie Chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Client and Servers Pie Chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-bytes-transferred-per-domain.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-bytes-transferred-per-domain.json deleted file mode 100755 index 6b89c0127d..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-bytes-transferred-per-domain.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Bytes Transferred per Domain", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Bytes In\":\"#F2C96D\",\"Bytes Out\":\"#629E51\",\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Bytes Out\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Bytes 
In\"},\"mode\":\"normal\",\"show\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"grouped\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Bytes Transferred per Domain\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bytes-transferred-per-domain", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json deleted file mode 100755 index 1b5f21f993..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"exists\\\":{\\\"field\\\":\\\"tls\\\"}}\"},\"query\":{\"exists\":{\"field\":\"tls\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] TLS Alerts", - "uiStateJSON": "{\"vis\":{\"colors\":{\"None\":\"#7EB26D\",\"handshake_failure\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"tls.detailed.alert_types\",\"include\":\".*\",\"json\":\"{\\\"missing\\\": \\\"None\\\"}\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Alerts\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-ops.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-ops.json deleted file mode 100755 index fcdb742965..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-ops.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra Ops", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra Ops\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-ops", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcount.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcount.json deleted file mode 100755 index ac31b1fa2f..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcount.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCount", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCount\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcount", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcountbytype.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcountbytype.json deleted file mode 100755 index be3352be29..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcountbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":\"13\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json deleted file mode 100755 index 9e1ebf6056..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsecountbytype.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsecountbytype.json deleted file mode 100755 index 17a71a0e30..0000000000 
--- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsecountbytype.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"radiusRatio\":\"15\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra: ResponseCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json deleted file mode 100755 index ee9d47e2f6..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsekeyspace.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsekeyspace.json deleted file mode 100755 index 2f203d6dd9..0000000000 
--- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsekeyspace.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseKeyspace", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.keyspace\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.table\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseKeyspace\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsekeyspace", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsetime.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsetime.json deleted file mode 100755 index 152ebf53ef..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsetime.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseTime", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[5,25,50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseTime\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetime", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsetype.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsetype.json deleted file mode 100755 index 85c2b4d398..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-cassandra-responsetype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseType\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-connections-over-time.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-connections-over-time.json deleted file mode 100755 index 97d4affdf5..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-connections-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Connections over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Flows\",\"field\":\"flow.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique 
Flows\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Connections over time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-connections-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index d8cedfb7c3..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Transaction Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Transactions\",\"field\":\"dhcpv4.transaction_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Transaction Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 856211710f..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"params\":{\"gte\":0,\"lt\":1000000000},\"type\":\"range\",\"value\":\"0 to 1,000,000,000\"},\"range\":{\"event.duration\":{\"gte\":0,\"lt\":1000000000}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Handshake Latency", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Handshake Latency (ns)\",\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":2000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"m
ode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Handshake Latency\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-db-transactions.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-db-transactions.json deleted file mode 100755 index 475882f60d..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-db-transactions.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.type\",\"negate\":true,\"params\":{\"query\":\"flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"flow\"},\"query\":{\"match\":{\"event.type\":{\"query\":\"flow\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"}}" - }, - "title": "[Network Packet Capture] Transaction Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.dataset\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count
\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Transaction Types\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-db-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json deleted file mode 100755 index 333052a373..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"}}" - }, - "title": "[Network Packet Capture] Top Domains by Data Volume", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"3\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top Domains by Data Volume\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-query-summary.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-query-summary.json deleted file mode 100755 index 1898c984d8..0000000000 
--- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-query-summary.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Query Summary", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"17\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":28,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DNS Query Summary\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-query-summary", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-question-types.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-question-types.json deleted file mode 100755 index b2a975b430..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-question-types.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Question Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Question Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-question-types", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-request-status-over-time.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-request-status-over-time.json
deleted file mode 100755
index 53c1b991c8..0000000000
--- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-request-status-over-time.json
+++ /dev/null
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Request Status Over Time", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Error\":\"#890F02\",\"OK\":\"#0A50A1\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"
id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] DNS Request Status Over Time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-request-status-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-response-codes.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-response-codes.json deleted file mode 100755 index b9edd3cab4..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-response-codes.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Response Codes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Code\",\"field\":\"dns.response_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Response Codes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-response-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-top-10-questions.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-top-10-questions.json
deleted file mode 100755
index d86db94a8d..0000000000
--- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-dns-top-10-questions.json
+++ /dev/null
@@ -1,36 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":false,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Top 10 Questions", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Question\",\"field\":\"dns.question.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Top 10 Questions\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-top-10-questions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json deleted file mode 100755 index b89d822540..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Avg Response 
Time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":3.5,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Avg Response Time\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Transactions\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-errors-count-over-time.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-errors-count-over-time.json deleted file mode 100755 index 5582bc6c67..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-errors-count-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors count over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"30s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] New Visualization\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-count-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-transactions-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-errors-vs-successful-transactions.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-errors-vs-successful-transactions.json deleted file mode 100755 index c3ac23f5a7..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-errors-vs-successful-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors vs successful transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"percentage\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"percentage\",\"setYExtents\":
false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Errors vs successful transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-vs-successful-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json deleted file mode 100755 index c0d680e520..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Data Transfer", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Requests\",\"field\":\"client.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Responses\",\"field\":\"server.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":24,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Data Transfer\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json deleted file mode 100755 index d8885cd43f..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP status codes for the top queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Query\",\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":false,\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] HTTP status codes for the top queries\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-codes-for-the-top-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-error-codes-evolution.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-error-codes-evolution.json
deleted file mode 100755
index 479733a2af..0000000000
--- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-error-codes-evolution.json
+++ /dev/null
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"http.response.status_code\",\"negate\":true,\"params\":{\"gte\":200,\"lt\":299},\"type\":\"range\",\"value\":\"200 to 299\"},\"range\":{\"http.response.status_code\":{\"gte\":200,\"lte\":299}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes evolution", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes evolution\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes-evolution", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-error-codes.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-error-codes.json deleted file mode 100755 index 1cb90080fc..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-http-error-codes.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"type\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http and http.response.status_code \\u003e= 300\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"type\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique count of type\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-latency-histogram.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-latency-histogram.json deleted file mode 100755 index 34aa0f3d11..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-latency-histogram.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Latency Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Latency Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": 
"network_traffic-latency-histogram", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-commands.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-commands.json deleted file mode 100755 index 87474df326..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-commands.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB Commands", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"silhouette\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\
",\"scale\":{\"defaultYExtents\":false,\"mode\":\"silhouette\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB Commands\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-commands", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-errors-per-collection.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-errors-per-collection.json deleted file mode 100755 index ea23f3560f..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-errors-per-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors per collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueA
xes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors per collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors-per-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-errors.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-errors.json deleted file mode 100755 index 183ec66ef3..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"row\":true,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mod
e\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json deleted file mode 100755 index 74b8a6fd64..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB in/out throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of source.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Sum of 
destination.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB in/out throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-in-slash-out-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json deleted file mode 100755 index 0346b7b1cd..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB response times by collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":false,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB response times by collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-response-times-by-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-most-frequent-mysql-queries.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-most-frequent-mysql-queries.json deleted file mode 100755 index 08c27fcecf..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-most-frequent-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent MySQL queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"query\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true},\"title\":\"[Network Packet Capture] Most frequent MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json deleted file mode 100755 index 6ddc08eafb..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent PgSQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Most frequent PgSQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-errors.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-errors.json deleted file mode 100755 index 25ded66860..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-methods.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-methods.json deleted file mode 100755 index 34e609f25b..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"sca
le\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-reads-vs-writes.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-reads-vs-writes.json deleted file mode 100755 index 4fece54090..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-response-times-percentiles.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-response-times-percentiles.json deleted file mode 100755 index add1156167..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Mysql response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Mysql response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-throughput.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-throughput.json deleted file mode 100755 index fd67a3b714..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-mysql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] MySQL throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-navigation.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-navigation.json deleted file mode 100755 index 958a4a7a7c..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-navigation.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "[Network Packet Capture] Navigation", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### Network Packet Capture:\\n\\n[Overview](#/dashboard/network_traffic-dashboard)\\n\\n[Network Flows](#/dashboard/network_traffic-flows)\\n\\n[DNS Overview](#/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e) | [Tunneling](#/dashboard/network_traffic-dns-unique-domains)\\n\\n[DHCPv4 Transactions](#/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb)\\n\\n[TLS Overview](#/dashboard/network_traffic-tls-sessions)\\n\\n[HTTP transactions](#/dashboard/network_traffic-http)\\n\\nDatabases: [MySQL](#/dashboard/network_traffic-mysql-performance) | [PostgreSQL](#/dashboard/network_traffic-pgsql-performance) | [MongoDB](#/dashboard/network_traffic-mongodb-performance) | [Cassandra](#/dashboard/network_traffic-cassandra)\\n\\nRPC: [Thrift](#/dashboard/network_traffic-thrift-performance)\\n\\nStorage: [NFS](#/dashboard/network_traffic-nfs)\",\"openLinksInNewTab\":false},\"title\":\"[Network Packet Capture] Navigation\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-navigation", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json deleted file mode 100755 index 292355bbdf..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Traffic Between Hosts", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Traffic Between Hosts\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-network-traffic-between-your-hosts", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json deleted file mode 100755 index 8b550d78cf..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS Request / Response Sizes", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Sum of rpc.reply_size\":\"#7EB26D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Request Size\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Size\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Request Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Response 
Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS Request / Response Sizes\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-bytes-in-slash-out", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-clients-pie-chart.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-clients-pie-chart.json deleted file mode 100755 index 4272f7571e..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-clients-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS clients pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.machinename\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS clients pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-clients-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-errors.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-errors.json deleted file mode 100755 index f407f4153d..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"nfs.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":12},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"s
cale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-errors-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-operation-table.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-operation-table.json deleted file mode 100755 index 56e28320c1..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-operation-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS operation table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Opcode\",\"field\":\"nfs.opcode\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] NFS operation table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-operation-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-operations-area-chart.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-operations-area-chart.json deleted file mode 100755 index 56cb538f8f..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-operations-area-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS operations area chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"nfs.opcode\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":16},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS operations area chart\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-operations-area-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-response-times.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-response-times.json deleted file mode 100755 index 2ffaacd816..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-response-times.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS response times", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[50]},\"schema\":\"metric\",\"type\":\"median\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Median 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Median event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS response times\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-response-times", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json deleted file mode 100755 index c1b2816c13..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS top group pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.gid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top group pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-top-group-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json deleted file mode 100755 index 543bfe7058..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS top users pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.uid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top users pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-top-users-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json deleted file mode 100755 index 770c776e13..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExte
nts\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-errors.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-errors.json deleted file mode 100755 index 88a19443ff..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-methods.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-methods.json deleted file mode 100755 index e49215022c..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scal
e\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json deleted file mode 100755 index 60be8776dd..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json deleted file mode 100755 index 66eb8b3b8b..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-throughput.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-throughput.json deleted file mode 100755 index aba4ebafd0..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-pgsql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL Throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-response-times-percentiles.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-response-times-percentiles.json deleted file mode 100755 index f43cfc0233..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,95,99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Response times percentiles\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-response-times-repartition.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-response-times-repartition.json deleted file mode 100755 index 2271bdb9a7..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-response-times-repartition.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times repartition", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"group\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{
}},\"title\":\"[Network Packet Capture] Response times repartition\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-repartition", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-mysql-queries.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-mysql-queries.json deleted file mode 100755 index 9194c62aaa..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest MySQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-pgsql-queries.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-pgsql-queries.json deleted file mode 100755 index ce2d661459..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest PgSQL Queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Average Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest PgSQL Queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json deleted file mode 100755 index 777f4d7abe..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest Thrift RPC methods", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest Thrift RPC methods\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-requests-per-minute.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-requests-per-minute.json deleted file mode 100755 index e9dee7461a..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-requests-per-minute.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift requests per minute", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"m\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift requests per minute\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-requests-per-minute", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-response-times-percentiles.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-response-times-percentiles.json deleted file mode 100755 index 835ee06280..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Thrift response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-rpc-errors.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-rpc-errors.json deleted file mode 100755 index 37e3e901fc..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-thrift-rpc-errors.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift RPC Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift RPC Errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-rpc-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-10-http-requests.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-10-http-requests.json deleted file mode 100755 index bb5c71dbfe..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-10-http-requests.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top 10 HTTP requests", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top 10 HTTP requests\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-10-http-requests", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-hosts-creating-traffic.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-hosts-creating-traffic.json deleted file mode 100755 index 842f9f29ec..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-hosts-creating-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Creating Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Source 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Creating Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-creating-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json deleted file mode 100755 index 34f9d74be2..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Receiving Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Receiving Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-receiving-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json deleted file mode 100755 index e39b39b7f9..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top slowest MongoDB queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top slowest MongoDB queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-slowest-mongodb-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json deleted file mode 100755 index 3f7aee4851..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC calls with errors", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"shareYAxis\":true},\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-thrift-rpc-methods.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-thrift-rpc-methods.json deleted file mode 100755 index 8add979f7b..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-top-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC methods ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Thrift-RPC methods\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-total-number-of-http-transactions.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-total-number-of-http-transactions.json deleted file mode 100755 index 77e8f9b41a..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-total-number-of-http-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Total number of HTTP transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"37\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total number of HTTP transactions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-total-number-of-http-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json deleted file mode 100755 index 93a9d62de2..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1 Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Unique Domains\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1 Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json deleted file mode 100755 index e94d78a938..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Subdomain Count\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-web-transactions.json b/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-web-transactions.json deleted file mode 100755 index 354ec98cef..0000000000 --- a/packages/network_traffic/1.0.1/kibana/visualization/network_traffic-web-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP Transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-web-transactions", 
- "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.1/manifest.yml b/packages/network_traffic/1.0.1/manifest.yml deleted file mode 100755 index b880e36b61..0000000000 --- a/packages/network_traffic/1.0.1/manifest.yml +++ /dev/null @@ -1,35 +0,0 @@ -format_version: 1.0.0 -name: network_traffic -title: Network Packet Capture -version: 1.0.1 -license: basic -description: Capture and analyze network traffic from a host with Elastic Agent. -type: integration -categories: - - web -release: ga -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -policy_templates: - - name: network - title: Network Packet Capture - description: Capture network traffic - inputs: - - type: packet - title: Capture network traffic - description: Collecting network traffic - vars: - - name: interface - type: text - title: Interface - required: false - show_user: false - - name: processes - type: text - multi: true - title: Processes - description: Processes to monitor (this will act as a command line grep) - required: false - show_user: false -owner: - github: elastic/security-external-integrations diff --git a/packages/network_traffic/1.0.2/changelog.yml b/packages/network_traffic/1.0.2/changelog.yml deleted file mode 100755 index 96ea05032b..0000000000 --- a/packages/network_traffic/1.0.2/changelog.yml +++ /dev/null 
@@ -1,134 +0,0 @@ -# newer versions go on top -- version: "1.0.2" - changes: - - description: Remove invalid value from `event.category` for TLS and Thrift - type: bugfix - link: https://github.com/elastic/integrations/pull/3409 -- version: "1.0.1" - changes: - - description: Remove invalid value from `event.category`. - type: bugfix - link: https://github.com/elastic/integrations/pull/3384 -- version: "1.0.0" - changes: - - description: Release as GA. - type: enhancement - link: https://github.com/elastic/integrations/pull/3355 -- version: "0.10.1" - changes: - - description: Remove invalid value from `event.category` in SIP data set. - type: bugfix - link: https://github.com/elastic/integrations/pull/3343 -- version: "0.10.0" - changes: - - description: Add configuration options for each protocol. - type: enhancement - link: https://github.com/elastic/integrations/pull/3157 -- version: "0.9.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "0.8.2" - changes: - - description: Add missing field mappings to DNS and TLS data streams. - type: bugfix - link: https://github.com/elastic/integrations/pull/3078 -- version: "0.8.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.8.0" - changes: - - description: Change release stability to beta. - type: enhancement - link: https://github.com/elastic/integrations/pull/2793 -- version: "0.7.1" - changes: - - description: Fix mapping for tls.detailed.client_certificate_chain. - type: bugfix - link: https://github.com/elastic/integrations/pull/2793 -- version: "0.7.0" - changes: - - description: Add dashboards. Update the Kibana constraint to require 7.17.0 or 8.0.0. - type: enhancement - link: https://github.com/elastic/integrations/pull/2762 -- version: "0.6.3" - changes: - - description: Add license note to README. 
- type: bugfix - link: https://github.com/elastic/integrations/pull/2809 -- version: "0.6.2" - changes: - - description: Add fields for TLS random data and OCSP status. - type: enhancement - link: https://github.com/elastic/integrations/pull/2703 -- version: "0.6.1" - changes: - - description: Remove unused field metadata. - type: enhancement - link: https://github.com/elastic/integrations/pull/2648 -- version: "0.6.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2426 -- version: "0.5.1" - changes: - - description: Fix mapping for tls.detailed.server_certificate_chain - type: bugfix - link: https://github.com/elastic/integrations/pull/2517 -- version: "0.5.0" - changes: - - description: Add 8.0.0 version constraint - type: enhancement - link: https://github.com/elastic/integrations/pull/2224 -- version: "0.4.2" - changes: - - description: Uniform with guidelines - type: enhancement - link: https://github.com/elastic/integrations/pull/2097 -- version: "0.4.1" - changes: - - description: Update Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1997 - - description: Update Title and Description. - type: enhancement - link: https://github.com/elastic/integrations/pull/1975 -- version: "0.4.0" - changes: - - description: Update to ECS 1.12.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/1669 -- version: "0.3.0" - changes: - - description: Change title to Network Packet Capture. Added timeout/period config to flows data stream. 
- type: enhancement - link: https://github.com/elastic/integrations/pull/1764 -- version: "0.2.2" - changes: - - description: Requires version 7.14.1 of the stack - type: bugfix - link: https://github.com/elastic/integrations/pull/1541 -- version: "0.2.1" - changes: - - description: Escape special characters in docs - type: enhancement - link: https://github.com/elastic/integrations/pull/1405 -- version: "0.2.0" - changes: - - description: Update documentation to fit mdx spec - type: enhancement - link: https://github.com/elastic/integrations/pull/1401 -- version: "0.1.0" - changes: - - description: Update integration description - type: enhancement - link: https://github.com/elastic/integrations/pull/1364 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/21 diff --git a/packages/network_traffic/1.0.2/data_stream/amqp/agent/stream/amqp.yml.hbs b/packages/network_traffic/1.0.2/data_stream/amqp/agent/stream/amqp.yml.hbs deleted file mode 100755 index 22fb1883a0..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/amqp/agent/stream/amqp.yml.hbs +++ /dev/null 
@@ -1,49 +0,0 @@ -type: amqp -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if max_body_length}} -max_body_length: {{max_body_length}} -{{/if}} -{{#if parse_headers}} -parse_headers: {{parse_headers}} -{{/if}} -{{#if parse_arguments}} -parse_arguments: {{parse_arguments}} -{{/if}} -{{#if hide_connection_information}} -hide_connection_information: {{hide_connection_information}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.2/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index dd8f95ef44..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing amqp traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.2/data_stream/amqp/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/amqp/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/amqp/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/amqp/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/amqp/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/amqp/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.2/data_stream/amqp/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/amqp/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/amqp/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.2/data_stream/amqp/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/amqp/fields/ecs.yml deleted file mode 100755 index da1822dec9..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/amqp/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.2/data_stream/amqp/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/amqp/fields/protocol.yml deleted file mode 100755 index 4b87cf176c..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/amqp/fields/protocol.yml +++ /dev/null 
@@ -1,202 +0,0 @@ -- name: amqp - type: group - fields: - - name: reply-code - type: long - description: > - AMQP reply code to an error, similar to http reply-code - - example: 404 - - name: reply-text - type: keyword - description: > - Text explaining the error. - - - name: class-id - type: long - description: > - Failing method class. - - - name: method-id - type: long - description: > - Failing method ID. - - - name: exchange - type: keyword - description: > - Name of the exchange. - - - name: exchange-type - type: keyword - description: > - Exchange type. - - example: fanout - - name: passive - type: boolean - description: > - If set, do not create exchange/queue. - - - name: durable - type: boolean - description: > - If set, request a durable exchange/queue. - - - name: exclusive - type: boolean - description: > - If set, request an exclusive queue. - - - name: auto-delete - type: boolean - description: > - If set, auto-delete queue when unused. - - - name: no-wait - type: boolean - description: > - If set, the server will not respond to the method. - - - name: consumer-tag - type: keyword - description: > - Identifier for the consumer, valid within the current channel. - - - name: delivery-tag - type: long - description: > - The server-assigned and channel-specific delivery tag. - - - name: message-count - type: long - description: > - The number of messages in the queue, which will be zero for newly-declared queues. - - - name: consumer-count - type: long - description: > - The number of consumers of a queue. - - - name: routing-key - type: keyword - description: > - Message routing key. - - - name: no-ack - type: boolean - description: > - If set, the server does not expect acknowledgements for messages. - - - name: no-local - type: boolean - description: > - If set, the server will not send messages to the connection that published them. - - - name: if-unused - type: boolean - description: > - Delete only if unused. 
- - - name: if-empty - type: boolean - description: > - Delete only if empty. - - - name: queue - type: keyword - description: > - The queue name identifies the queue within the vhost. - - - name: redelivered - type: boolean - description: > - Indicates that the message has been previously delivered to this or another client. - - - name: multiple - type: boolean - description: > - Acknowledge multiple messages. - - - name: arguments - type: object - description: > - Optional additional arguments passed to some methods. Can be of various types. - - - name: mandatory - type: boolean - description: > - Indicates mandatory routing. - - - name: immediate - type: boolean - description: > - Request immediate delivery. - - - name: content-type - type: keyword - description: > - MIME content type. - - example: text/plain - - name: content-encoding - type: keyword - description: > - MIME content encoding. - - - name: headers - type: object - object_type: keyword - description: > - Message header field table. - - - name: delivery-mode - type: keyword - description: > - Non-persistent (1) or persistent (2). - - - name: priority - type: long - description: > - Message priority, 0 to 9. - - - name: correlation-id - type: keyword - description: > - Application correlation identifier. - - - name: reply-to - type: keyword - description: > - Address to reply to. - - - name: expiration - type: keyword - description: > - Message expiration specification. - - - name: message-id - type: keyword - description: > - Application message identifier. - - - name: timestamp - type: keyword - description: > - Message timestamp. - - - name: type - type: keyword - description: > - Message type name. - - - name: user-id - type: keyword - description: > - Creating user id. - - - name: app-id - type: keyword - description: > - Creating application id. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/amqp/manifest.yml b/packages/network_traffic/1.0.2/data_stream/amqp/manifest.yml deleted file mode 100755 index 392448511a..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/amqp/manifest.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -title: AMQP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5672] - - name: max_body_length - type: integer - title: Max Body Length - description: |- - Truncate messages that are published and avoid huge messages being - indexed. - Default: 1000 - show_user: false - multi: false - required: false - - name: parse_headers - type: bool - title: Parse Headers - description: |- - Hide the header fields in header frames. - Default: false - show_user: false - multi: false - required: false - - name: parse_arguments - type: bool - title: Parse Arguments - description: |- - Hide the additional arguments of method frames. - Default: false - show_user: false - multi: false - required: false - - name: hide_connection_information - type: bool - title: Hide Connection Information - description: |- - Hide all methods relative to connection negotiation between server and - client. - Default: true - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. 
- show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: AMQP - description: Capture AMQP Traffic - template_path: amqp.yml.hbs diff --git a/packages/network_traffic/1.0.2/data_stream/amqp/sample_event.json b/packages/network_traffic/1.0.2/data_stream/amqp/sample_event.json deleted file mode 100755 index 9ef02f389f..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/amqp/sample_event.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:37:02.033Z", - "agent": { - "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "amqp": { - "auto-delete": false, - "consumer-count": 0, - "durable": false, - "exclusive": false, - "message-count": 0, - "no-wait": false, - "passive": false, - "queue": "hello" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "data_stream": { - "dataset": "network_traffic.amqp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "amqp.queue.declare", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.amqp", - "duration": 1325900, - "end": "2022-03-09T07:37:02.035Z", - "ingested": "2022-03-09T07:37:03Z", - "kind": "event", - "start": "2022-03-09T07:37:02.033Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - 
}, - "status": "OK", - "type": "amqp" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/data_stream/cassandra/agent/stream/cassandra.yml.hbs b/packages/network_traffic/1.0.2/data_stream/cassandra/agent/stream/cassandra.yml.hbs deleted file mode 100755 index 9c4ec167d1..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/cassandra/agent/stream/cassandra.yml.hbs +++ /dev/null @@ -1,49 +0,0 @@ -type: cassandra -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_request_header}} -send_request_header: {{send_request_header}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if send_response_header}} -send_response_header: {{send_response_header}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if compressor}} -compressor: {{compressor}} -{{/if}} -{{#if ignored_ops}} -ignored_ops: -{{#each ignored_ops as |ignored_op|}} - - {{ignored_op}} -{{/each}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.2/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2860fd7f9e..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing cassandra traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.2/data_stream/cassandra/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/cassandra/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/cassandra/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/cassandra/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/cassandra/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/cassandra/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.2/data_stream/cassandra/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/cassandra/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/cassandra/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.2/data_stream/cassandra/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/cassandra/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/cassandra/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.2/data_stream/cassandra/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/cassandra/fields/protocol.yml deleted file mode 100755 index 58a2f6c12d..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/cassandra/fields/protocol.yml +++ /dev/null 
@@ -1,283 +0,0 @@ -- name: cassandra - type: group - description: Information about the Cassandra request and response. - fields: - - name: no_request - type: boolean - description: > - Indicates that there is no request because this is a PUSH message. - - - name: request - type: group - description: Cassandra request. - fields: - - name: headers - type: group - description: Cassandra request headers. - fields: - - name: version - type: keyword - description: The version of the protocol. - - name: flags - type: keyword - description: Flags applying to this frame. - - name: stream - type: keyword - description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. - - name: op - type: keyword - description: An operation type that distinguishes the actual message. - - name: length - type: long - description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). - - name: query - type: keyword - description: The CQL query which client send to cassandra. - - name: response - type: group - description: Cassandra response. - fields: - - name: headers - type: group - description: Cassandra response headers, the structure is as same as request's header. - fields: - - name: version - type: keyword - description: The version of the protocol. - - name: flags - type: keyword - description: Flags applying to this frame. - - name: stream - type: keyword - description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. - - name: op - type: keyword - description: An operation type that distinguishes the actual message. - - name: length - type: long - description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). 
- - name: result - type: group - description: Details about the returned result. - fields: - - name: type - type: keyword - description: Cassandra result type. - - name: rows - type: group - description: Details about the rows. - fields: - - name: num_rows - type: long - description: Representing the number of rows present in this result. - - name: meta - type: group - description: Composed of result metadata. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. - - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: keyspace - type: keyword - description: Indicating the name of the keyspace that has been set. - - name: schema_change - type: group - description: The result to a schema_change message. - fields: - - name: change - type: keyword - description: Representing the type of changed involved. - - name: keyspace - type: keyword - description: This describes which keyspace has changed. - - name: table - type: keyword - description: This describes which table has changed. - - name: object - type: keyword - description: This describes the name of said affected object (either the table, user type, function, or aggregate name). - - name: target - type: keyword - description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. 
- - name: name - type: keyword - description: The function/aggregate name. - - name: args - type: keyword - description: One string for each argument type (as CQL type). - - name: prepared - type: group - description: The result to a PREPARE message. - fields: - - name: prepared_id - type: keyword - description: Representing the prepared query ID. - - name: req_meta - type: group - description: This describes the request metadata. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. - - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: resp_meta - type: group - description: This describes the metadata for the result set. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. 
- - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: supported - type: flattened - description: Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. - - name: authentication - type: group - description: Indicates that the server requires authentication, and which authentication mechanism to use. - fields: - - name: class - type: keyword - description: Indicates the full class name of the IAuthenticator in use - - name: warnings - type: keyword - description: The text of the warnings, only occur when Warning flag was set. - - name: event - type: group - description: Event pushed by the server. A client will only receive events for the types it has REGISTERed to. - fields: - - name: type - type: keyword - description: Representing the event type. - - name: change - type: keyword - description: The message corresponding respectively to the type of change followed by the address of the new/removed node. - - name: host - type: keyword - description: Representing the node ip. - - name: port - type: long - description: Representing the node port. - - name: schema_change - type: group - description: The events details related to schema change. - fields: - - name: change - type: keyword - description: Representing the type of changed involved. - - name: keyspace - type: keyword - description: This describes which keyspace has changed. - - name: table - type: keyword - description: This describes which table has changed. - - name: object - type: keyword - description: This describes the name of said affected object (either the table, user type, function, or aggregate name). - - name: target - type: keyword - description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. - - name: name - type: keyword - description: The function/aggregate name. 
- - name: args - type: keyword - description: One string for each argument type (as CQL type). - - name: error - type: group - description: Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow. - fields: - - name: code - type: long - description: The error code of the Cassandra response. - - name: msg - type: keyword - description: The error message of the Cassandra response. - - name: type - type: keyword - description: The error type of the Cassandra response. - - name: details - type: group - description: The details of the error. - fields: - - name: read_consistency - type: keyword - description: Representing the consistency level of the query that triggered the exception. - - name: required - type: long - description: Representing the number of nodes that should be alive to respect consistency level. - - name: alive - type: long - description: Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). - - name: received - type: long - description: Representing the number of nodes having acknowledged the request. - - name: blockfor - type: long - description: Representing the number of replicas whose acknowledgement is required to achieve consistency level. - - name: write_type - type: keyword - description: Describe the type of the write that timed out. - - name: data_present - type: boolean - description: It means the replica that was asked for data had responded. - - name: keyspace - type: keyword - description: The keyspace of the failed function. - - name: table - type: keyword - description: The keyspace of the failed function. - - name: stmt_id - type: keyword - description: Representing the unknown ID. - - name: num_failures - type: keyword - description: Representing the number of nodes that experience a failure while executing the request. 
- - name: function - type: keyword - description: The name of the failed function. - - name: arg_types - type: keyword - description: One string for each argument type (as CQL type) of the failed function. diff --git a/packages/network_traffic/1.0.2/data_stream/cassandra/manifest.yml b/packages/network_traffic/1.0.2/data_stream/cassandra/manifest.yml deleted file mode 100755 index b05f2d1e4e..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/cassandra/manifest.yml +++ /dev/null 
@@ -1,92 +0,0 @@ -title: Cassandra -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [9042] - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`cassandra_request` field) - is included in published events. The default is true. - show_user: false - multi: false - required: false - - name: send_request_header - type: bool - title: Send Request Header - description: |- - If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field) - is included in published events. The default is true. enable `send_request` first before enable this option. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`cassandra_response` field) - is included in published events. The default is true. - show_user: false - multi: false - required: false - - name: send_response_header - type: bool - title: Send Response Header - description: |- - If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field) - is included in published events. The default is true. enable `send_response` first before enable this option. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: compressor - type: text - title: Compressor - description: |- - Configures the default compression algorithm being used to uncompress compressed frames by name. 
Currently only `snappy` is can be configured. - By default no compressor is configured. - show_user: false - multi: false - required: false - - name: ignored_ops - type: text - title: Ignored Ops - description: This option indicates which Operator/Operators will be ignored. - show_user: false - multi: true - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Cassandra - description: Capture Cassandra Traffic - template_path: cassandra.yml.hbs diff --git a/packages/network_traffic/1.0.2/data_stream/cassandra/sample_event.json b/packages/network_traffic/1.0.2/data_stream/cassandra/sample_event.json deleted file mode 100755 index aa2d587c11..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/cassandra/sample_event.json +++ /dev/null 
@@ -1,125 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:43:05.888Z", - "agent": { - "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "cassandra": { - "request": { - "headers": { - "flags": "Default", - "length": 98, - "op": "QUERY", - "stream": 49, - "version": "4" - }, - "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);" - }, - "response": { - "headers": { - "flags": "Default", - "length": 39, - "op": "RESULT", - "stream": 49, - "version": "4" - }, - "result": { - "schema_change": { - "change": "CREATED", - "keyspace": "mykeyspace", - "object": "users", - "target": "TABLE" - }, - "type": "schemaChanged" - } - } - }, - "client": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "data_stream": { - "dataset": "network_traffic.cassandra", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.cassandra", - "duration": 131589500, - "end": "2022-03-09T07:43:06.019Z", - "ingested": "2022-03-09T07:43:09Z", - "kind": "event", - "start": "2022-03-09T07:43:05.888Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 155, - "community_id": 
"1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=", - "direction": "ingress", - "protocol": "cassandra", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "source": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "status": "OK", - "type": "cassandra" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs b/packages/network_traffic/1.0.2/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs deleted file mode 100755 index 2c56638255..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs +++ /dev/null @@ -1,28 +0,0 @@ -type: dhcpv4 -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.2/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index a0f2d285e8..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,54 +0,0 @@
----
-description: Pipeline for processing dhcpv4 traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: dhcpv4.client_mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: dhcpv4.client_mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: dhcpv4.client_mac
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/protocol.yml deleted file mode 100755 index 0180691a5b..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/dhcpv4/fields/protocol.yml +++ /dev/null 
@@ -1,177 +0,0 @@ -- name: dhcpv4 - type: group - fields: - - name: transaction_id - type: keyword - description: | - Transaction ID, a random number chosen by the - client, used by the client and server to associate - messages and responses between a client and a - server. - - name: seconds - type: long - description: | - Number of seconds elapsed since client began address acquisition or - renewal process. - - name: flags - type: keyword - description: | - Flags are set by the client to indicate how the DHCP server should - its reply -- either unicast or broadcast. - - name: client_ip - type: ip - description: The current IP address of the client. - - name: assigned_ip - type: ip - description: | - The IP address that the DHCP server is assigning to the client. - This field is also known as "your" IP address. - - name: server_ip - type: ip - description: | - The IP address of the DHCP server that the client should use for the - next step in the bootstrap process. - - name: relay_ip - type: ip - description: | - The relay IP address used by the client to contact the server - (i.e. a DHCP relay server). - - name: client_mac - type: keyword - description: The client's MAC address (layer two). - - name: server_name - type: keyword - description: | - The name of the server sending the message. Optional. Used in - DHCPOFFER or DHCPACK messages. - - name: op_code - type: keyword - example: bootreply - description: | - The message op code (bootrequest or bootreply). - - name: hops - type: long - description: The number of hops the DHCP message went through. - - name: hardware_type - type: keyword - description: | - The type of hardware used for the local network (Ethernet, - LocalTalk, etc). - - name: option - type: group - fields: - - name: message_type - type: keyword - example: ack - description: | - The specific type of DHCP message being sent (e.g. discover, - offer, request, decline, ack, nak, release, inform). 
- - name: parameter_request_list - type: keyword - description: | - This option is used by a DHCP client to request values for - specified configuration parameters. - - name: requested_ip_address - type: ip - description: | - This option is used in a client request (DHCPDISCOVER) to allow - the client to request that a particular IP address be assigned. - - name: server_identifier - type: ip - description: | - IP address of the individual DHCP server which handled this - message. - - name: broadcast_address - type: ip - description: | - This option specifies the broadcast address in use on the - client's subnet. - - name: max_dhcp_message_size - type: long - description: | - This option specifies the maximum length DHCP message that the - client is willing to accept. - - name: class_identifier - type: keyword - description: | - This option is used by DHCP clients to optionally identify the - vendor type and configuration of a DHCP client. Vendors may - choose to define specific vendor class identifiers to convey - particular configuration or other identification information - about a client. For example, the identifier may encode the - client's hardware configuration. - - name: domain_name - type: keyword - description: | - This option specifies the domain name that client should use - when resolving hostnames via the Domain Name System. - - name: dns_servers - type: ip - description: | - The domain name server option specifies a list of Domain Name - System servers available to the client. - - name: vendor_identifying_options - type: object - description: | - A DHCP client may use this option to unambiguously identify the - vendor that manufactured the hardware on which the client is - running, the software in use, or an industry consortium to which - the vendor belongs. This field is described in RFC 3925. - - name: subnet_mask - type: ip - description: | - The subnet mask that the client should use on the currnet - network. 
- - name: utc_time_offset_sec - type: long - description: | - The time offset field specifies the offset of the client's - subnet in seconds from Coordinated Universal Time (UTC). - - name: router - type: ip - description: | - The router option specifies a list of IP addresses for routers - on the client's subnet. - - name: time_servers - type: ip - description: | - The time server option specifies a list of RFC 868 time servers - available to the client. - - name: ntp_servers - type: ip - description: | - This option specifies a list of IP addresses indicating NTP - servers available to the client. - - name: hostname - type: keyword - description: | - This option specifies the name of the client. - - name: ip_address_lease_time_sec - type: long - description: | - This option is used in a client request (DHCPDISCOVER or - DHCPREQUEST) to allow the client to request a lease time for the - IP address. In a server reply (DHCPOFFER), a DHCP server uses - this option to specify the lease time it is willing to offer. - - name: message - type: text - description: | - This option is used by a DHCP server to provide an error message - to a DHCP client in a DHCPNAK message in the event of a failure. - A client may use this option in a DHCPDECLINE message to - indicate the why the client declined the offered parameters. - - name: renewal_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the RENEWING state. - - name: rebinding_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the REBINDING state. - - name: boot_file_name - type: keyword - description: | - This option is used to identify a bootfile when the 'file' field - in the DHCP header has been used for DHCP options. 
diff --git a/packages/network_traffic/1.0.2/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/1.0.2/data_stream/dhcpv4/manifest.yml
deleted file mode 100755
index fc09a92781..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/dhcpv4/manifest.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: DHCP
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [67, 68]
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: DHCP
- description: Capture DHCP Traffic
- template_path: dhcpv4.yml.hbs
diff --git a/packages/network_traffic/1.0.2/data_stream/dhcpv4/sample_event.json b/packages/network_traffic/1.0.2/data_stream/dhcpv4/sample_event.json
deleted file mode 100755
index 59ab870695..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/dhcpv4/sample_event.json
+++ /dev/null
@@ -1,111 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:43:52.712Z", - "agent": { - "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "data_stream": { - "dataset": "network_traffic.dhcpv4", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "255.255.255.255", - "port": 67 - }, - "dhcpv4": { - "client_mac": "00-0B-82-01-FC-42", - "flags": "unicast", - "hardware_type": "Ethernet", - "hops": 0, - "op_code": "bootrequest", - "option": { - "message_type": "discover", - "parameter_request_list": [ - "Subnet Mask", - "Router", - "Domain Name Server", - "NTP Servers" - ], - "requested_ip_address": "0.0.0.0" - }, - "seconds": 0, - "transaction_id": "0x00003d1d" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dhcpv4", - "ingested": "2022-03-09T07:43:53Z", - "kind": "event", - "start": "2022-03-09T07:43:52.712Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 272, - "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", - "direction": "unknown", - "protocol": "dhcpv4", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "0.0.0.0", - "255.255.255.255" - ] - }, - "server": { - "ip": "255.255.255.255", - 
"port": 67 - }, - "source": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "status": "OK", - "type": "dhcpv4" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/data_stream/dns/agent/stream/dns.yml.hbs b/packages/network_traffic/1.0.2/data_stream/dns/agent/stream/dns.yml.hbs deleted file mode 100755 index e68885b2f8..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/dns/agent/stream/dns.yml.hbs +++ /dev/null @@ -1,43 +0,0 @@ -type: dns -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if include_authorities}} -include_authorities: {{include_authorities}} -{{/if}} -{{#if include_additionals}} -include_additionals: {{include_additionals}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 70d49c51b6..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing dhcpv4 traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.2/data_stream/dns/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/dns/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/dns/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/dns/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/dns/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/dns/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.2/data_stream/dns/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/dns/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/dns/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.2/data_stream/dns/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/dns/fields/ecs.yml deleted file mode 100755 index e2ea6f338f..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,200 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. 
- name: dns.answers.type - type: keyword -- description: |- - Array of 2 letter DNS header flags. - Expected values are: AA, TC, RD, RA, AD, CD, DO. - name: dns.header_flags - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - name: dns.op_code - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.2/data_stream/dns/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/dns/fields/protocol.yml deleted file mode 100755 index 28d506b996..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/dns/fields/protocol.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: dns - type: group - fields: - - name: flags.authoritative - type: boolean - description: > - A DNS flag specifying that the responding server is an authority for the domain name used in the question. - - - name: flags.recursion_available - type: boolean - description: > - A DNS flag specifying whether recursive query support is available in the name server. - - - name: flags.recursion_desired - type: boolean - description: > - A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. - - - name: flags.authentic_data - type: boolean - description: > - A DNS flag specifying that the recursive server considers the response authentic. - - - name: flags.checking_disabled - type: boolean - description: > - A DNS flag specifying that the client disables the server signature validation of the query. - - - name: flags.truncated_response - type: boolean - description: > - A DNS flag specifying that only the first 512 bytes of the reply were returned. - - - name: question.etld_plus_one - type: keyword - description: The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. - example: amazon.co.uk. - - name: answers_count - type: long - description: > - The number of resource records contained in the `dns.answers` field. - - - name: authorities - type: object - description: > - An array containing a dictionary for each authority section from the answer. - - - name: authorities_count - type: long - description: > - The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. - - - name: authorities.name - type: keyword - description: The domain name to which this resource record pertains. 
- example: example.com. - - name: authorities.type - type: keyword - description: The type of data contained in this resource record. - example: NS - - name: authorities.class - type: keyword - description: The class of DNS data contained in this resource record. - example: IN - - name: additionals - type: object - description: > - An array containing a dictionary for each additional section from the answer. - - - name: additionals_count - type: long - description: > - The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. - - - name: additionals.name - type: keyword - description: The domain name to which this resource record pertains. - example: example.com. - - name: additionals.type - type: keyword - description: The type of data contained in this resource record. - example: NS - - name: additionals.class - type: keyword - description: The class of DNS data contained in this resource record. - example: IN - - name: additionals.ttl - description: > - The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - - type: long - - name: additionals.data - type: keyword - description: > - The data describing the resource. The meaning of this data depends on the type and class of the resource record. - - - name: opt.version - type: keyword - description: The EDNS version. - example: "0" - - name: opt.do - type: boolean - description: If set, the transaction uses DNSSEC. - - name: opt.ext_rcode - type: keyword - description: Extended response code field. - example: "BADVERS" - - name: opt.udp_size - type: long - description: Requestor's UDP payload size (in bytes). diff --git a/packages/network_traffic/1.0.2/data_stream/dns/manifest.yml b/packages/network_traffic/1.0.2/data_stream/dns/manifest.yml deleted file mode 100755 index cc5476bfad..0000000000 
--- a/packages/network_traffic/1.0.2/data_stream/dns/manifest.yml +++ /dev/null 
@@ -1,95 +0,0 @@ -title: DNS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [53] - - name: include_authorities - type: bool - title: Include Authorities - description: |- - include_authorities controls whether or not the dns.authorities field - (authority resource records) is added to messages. - Default: false - show_user: false - multi: false - required: false - - name: include_additionals - type: bool - title: Include Additionals - description: |- - include_additionals controls whether or not the dns.additionals field - (additional resource records) is added to messages. - Default: false - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - send_request controls whether or not the stringified DNS - request messages are added to the result. - Nearly all data about the request/response is available in the dns.* - fields, but this can be useful if you need visibility specifically - into the request or the response. - Default: false - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - send_response controls whether or not the stringified DNS - response messages are added to the result. - Nearly all data about the request/response is available in the dns.* - fields, but this can be useful if you need visibility specifically - into the request or the response. - Default: false - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. 
- show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: DNS - description: Capture DNS Traffic - template_path: dns.yml.hbs diff --git a/packages/network_traffic/1.0.2/data_stream/dns/sample_event.json b/packages/network_traffic/1.0.2/data_stream/dns/sample_event.json deleted file mode 100755 index 476a880555..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,158 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:48:42.751Z",
- "agent": {
- "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 28,
- "ip": "192.168.238.68",
- "port": 53765
- },
- "data_stream": {
- "dataset": "network_traffic.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 167,
- "ip": "8.8.8.8",
- "port": 53
- },
- "dns": {
- "additionals_count": 0,
- "answers": [
- {
- "class": "IN",
- "data": "ns-1183.awsdns-19.org",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- },
- {
- "class": "IN",
- "data": "ns-2007.awsdns-58.co.uk",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- },
- {
- "class": "IN",
- "data": "ns-66.awsdns-08.com",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- },
- {
- "class": "IN",
- "data": "ns-835.awsdns-40.net",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- }
- ],
- "answers_count": 4,
- "authorities_count": 0,
- "flags": {
- "authentic_data": false,
- "authoritative": false,
- "checking_disabled": false,
- "recursion_available": true,
- "recursion_desired": true,
- "truncated_response": false
- },
- "header_flags": [
- "RD",
- "RA"
- ],
- "id": 26187,
- "op_code": "QUERY",
- "question": {
- "class": "IN",
- "etld_plus_one": "elastic.co",
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "NS"
- },
- "response_code": "NOERROR",
- "type": "answer"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.dns",
- "duration": 68515700,
- "end": "2022-03-09T07:48:42.819Z",
- "ingested": "2022-03-09T07:48:43Z",
- "kind": "event",
- "start": 
"2022-03-09T07:48:42.751Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "QUERY",
- "network": {
- "bytes": 195,
- "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=",
- "direction": "unknown",
- "protocol": "dns",
- "transport": "udp",
- "type": "ipv4"
- },
- "query": "class IN, type NS, elastic.co",
- "related": {
- "ip": [
- "192.168.238.68",
- "8.8.8.8"
- ]
- },
- "resource": "elastic.co",
- "server": {
- "bytes": 167,
- "ip": "8.8.8.8",
- "port": 53
- },
- "source": {
- "bytes": 28,
- "ip": "192.168.238.68",
- "port": 53765
- },
- "status": "OK",
- "type": "dns"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.2/data_stream/flow/agent/stream/flow.yml.hbs b/packages/network_traffic/1.0.2/data_stream/flow/agent/stream/flow.yml.hbs
deleted file mode 100755
index 80f2a27460..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/flow/agent/stream/flow.yml.hbs
+++ /dev/null
@@ -1,23 +0,0 @@
-type: flow
-{{#if timeout}}
-flows.timeout: '{{timeout}}'
-{{/if}}
-{{#if period}}
-flows.period: '{{period}}'
-{{/if}}
-{{#if processes}}
-procs:
- enabled: true
- monitored:
- {{#each processes}}
- - cmdline_grep: {{this}}
- {{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.2/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 8a45c554fd..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing traffic flows
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.2/data_stream/flow/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/flow/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/flow/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/flow/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/flow/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/flow/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.2/data_stream/flow/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/flow/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/flow/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.2/data_stream/flow/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/flow/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/flow/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.0.2/data_stream/flow/manifest.yml b/packages/network_traffic/1.0.2/data_stream/flow/manifest.yml
deleted file mode 100755
index 4f455c6f25..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/flow/manifest.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Flows
-release: beta
-type: logs
-streams:
- - input: packet
- title: Flows
- description: Track Network Flows
- template_path: flow.yml.hbs
- vars:
- - name: period
- type: text
- title: Period
- required: false
- show_user: false
- description: Configure the reporting interval. All flows are reported at the very same point in time. Periodical reporting can be disabled by setting the value to -1. If disabled, flows are still reported once being timed out.
- default: '10s'
- - name: timeout
- type: text
- title: Flow timeout
- description: Timeout configures the lifetime of a flow. If no packets have been received for a flow within the timeout time window, the flow is killed and reported.
- required: false
- show_user: false
- default: '30s'
diff --git a/packages/network_traffic/1.0.2/data_stream/http/agent/stream/http.yml.hbs b/packages/network_traffic/1.0.2/data_stream/http/agent/stream/http.yml.hbs
deleted file mode 100755
index 4c2aecad10..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/http/agent/stream/http.yml.hbs
+++ /dev/null
@@ -1,85 +0,0 @@
-type: http
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if hide_keywords}}
-hide_keywords:
-{{#each hide_keywords as |hide_keyword|}}
- - {{hide_keyword}}
-{{/each}}
-{{/if}}
-{{#if send_headers}}
-send_headers: {{send_headers}}
-{{/if}}
-{{#if send_all_headers}}
-send_all_headers: {{send_all_headers}}
-{{/if}}
-{{#if redact_headers}}
-redact_headers:
-{{#each redact_headers as |redact_header|}}
- - {{redact_header}}
-{{/each}}
-{{/if}}
-{{#if include_body_for}}
-include_body_for:
-{{#each include_body_for as |include_body_for_elem|}}
- - {{include_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if include_request_body_for}}
-include_request_body_for:
-{{#each include_request_body_for as |include_request_body_for_elem|}}
- - {{include_request_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if include_response_body_for}}
-include_response_body_for:
-{{#each include_response_body_for as |include_response_body_for_elem|}}
- - {{include_response_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if decode_body}}
-decode_body: {{decode_body}}
-{{/if}}
-{{#if split_cookie}}
-split_cookie: {{split_cookie}}
-{{/if}}
-{{#if real_ip_header}}
-real_ip_header: {{real_ip_header}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if max_message_size}}
-max_message_size: {{max_message_size}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.2/data_stream/http/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/http/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index e0cbf2bf88..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/http/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing http traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.2/data_stream/http/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/http/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/http/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/http/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/http/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/http/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.2/data_stream/http/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/http/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/http/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.2/data_stream/http/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/http/fields/ecs.yml deleted file mode 100755 index d003c7093e..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/http/fields/ecs.yml +++ /dev/null 
@@ -1,203 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: Total size in bytes of the request (body and headers). 
- name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". 
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword 
diff --git a/packages/network_traffic/1.0.2/data_stream/http/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/http/fields/protocol.yml
deleted file mode 100755
index 51b73ae344..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/http/fields/protocol.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: http
- type: group
- description: Information about the HTTP request and response.
- fields:
- - name: request
- description: HTTP request
- type: group
- fields:
- - name: headers
- type: flattened
- description: >
- A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
-
- - name: response
- description: HTTP response
- type: group
- fields:
- - name: status_phrase
- type: keyword
- description: The HTTP status phrase.
- example: Not Found
- - name: headers
- type: flattened
- description: >
- A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
-
diff --git a/packages/network_traffic/1.0.2/data_stream/http/manifest.yml b/packages/network_traffic/1.0.2/data_stream/http/manifest.yml
deleted file mode 100755
index f16188331c..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/http/manifest.yml
+++ /dev/null
@@ -1,173 +0,0 @@ -title: HTTP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [80, 8080, 8000, 5000, 8002] - - name: hide_keywords - type: text - title: Hide Keywords - description: |- - Uncomment the following to hide certain parameters in URL or forms attached - to HTTP requests. The names of the parameters are case insensitive. - The value of the parameters will be replaced with the 'xxxxx' string. - This is generally useful for avoiding storing user passwords or other - sensitive information. - Only query parameters and top level form parameters are replaced. - show_user: false - multi: true - required: false - - name: send_headers - type: bool - title: Send Headers - description: |- - A list of header names to capture and send to Elasticsearch. These headers - are placed under the `headers` dictionary in the resulting JSON. - show_user: false - multi: false - required: false - - name: send_all_headers - type: bool - title: Send All Headers - description: |- - Instead of sending a white list of headers to Elasticsearch, you can send - all headers by setting this option to true. The default is false. - show_user: false - multi: false - required: false - - name: redact_headers - type: text - title: Redact Headers - description: |- - A list of headers to redact if present in the HTTP request. This will keep - the header field present, but will redact it's value to show the headers - presence. - show_user: false - multi: true - required: false - - name: include_body_for - type: text - title: Include Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - payload. 
If the request's or response's Content-Type matches any on this - list, the full body will be included under the request or response field. - show_user: false - multi: true - required: false - - name: include_request_body_for - type: text - title: Include Request Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - request payload. - show_user: false - multi: true - required: false - - name: include_response_body_for - type: text - title: Include Response Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - response payload. - show_user: false - multi: true - required: false - - name: decode_body - type: bool - title: Decode Body - description: |- - Whether the body of a request must be decoded when a content-encoding - or transfer-encoding has been applied. - show_user: false - multi: false - required: false - - name: split_cookie - type: bool - title: Split Cookie - description: |- - If the Cookie or Set-Cookie headers are sent, this option controls whether - they are split into individual values. - show_user: false - multi: false - required: false - - name: real_ip_header - type: bool - title: Real Ip Header - description: |- - The header field to extract the real IP from. This setting is useful when - you want to capture traffic behind a reverse proxy, but you want to get the - geo-location information. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. 
- show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: max_message_size - type: integer - title: Max Message Size - description: |- - Maximum message size. If an HTTP message is larger than this, it will - be trimmed to this size. Default is 10 MB. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: HTTP - description: Capture HTTP Traffic - template_path: http.yml.hbs diff --git a/packages/network_traffic/1.0.2/data_stream/http/sample_event.json b/packages/network_traffic/1.0.2/data_stream/http/sample_event.json deleted file mode 100755 index f07301394b..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/http/sample_event.json +++ /dev/null 
@@ -1,139 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:54:42.031Z", - "agent": { - "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "data_stream": { - "dataset": "network_traffic.http", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.http", - "duration": 141490400, - "end": "2022-03-09T07:54:42.172Z", - "ingested": "2022-03-09T07:54:43Z", - "kind": "event", - "start": "2022-03-09T07:54:42.031Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "http": { - "request": { - "body": { - "bytes": 55 - }, - "bytes": 211, - "headers": { - "content-length": 55, - "content-type": "application/x-www-form-urlencoded" - }, - "method": "POST" - }, - "response": { - "body": { - "bytes": 8936 - }, - "bytes": 9108, - "headers": { - "content-length": 8936, - "content-type": "text/html; charset=utf-8" - }, - "status_code": 404, - "status_phrase": "not found" - }, - "version": "1.1" - }, - "method": "POST", - "network": { - "bytes": 9319, - "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=", - "direction": "unknown", - 
"protocol": "http", - "transport": "tcp", - "type": "ipv4" - }, - "query": "POST /register", - "related": { - "hosts": [ - "packetbeat.com" - ], - "ip": [ - "192.168.238.50", - "107.170.1.22" - ] - }, - "server": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "source": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "status": "Error", - "type": "http", - "url": { - "domain": "packetbeat.com", - "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "path": "/register", - "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "scheme": "http" - }, - "user_agent": { - "original": "curl/7.37.1" - } -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/data_stream/icmp/agent/stream/icmp.yml.hbs b/packages/network_traffic/1.0.2/data_stream/icmp/agent/stream/icmp.yml.hbs deleted file mode 100755 index f550ca79fa..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/icmp/agent/stream/icmp.yml.hbs +++ /dev/null @@ -1,22 +0,0 @@ -type: icmp -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.2/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 1ae74a0692..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing icmp traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.2/data_stream/icmp/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/icmp/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/icmp/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/icmp/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/icmp/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/icmp/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.2/data_stream/icmp/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/icmp/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/icmp/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.2/data_stream/icmp/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/icmp/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/icmp/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.2/data_stream/icmp/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/icmp/fields/protocol.yml deleted file mode 100755 index 5aef1deaf4..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/icmp/fields/protocol.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: icmp - type: group - fields: - - name: version - type: long - description: The version of the ICMP protocol. - possible_values: - - 4 - - 6 - - name: request.message - type: keyword - description: A human readable form of the request. - - name: request.type - type: long - description: The request type. - - name: request.code - type: long - description: The request code. - - name: response.message - type: keyword - description: A human readable form of the response. - - name: response.type - type: long - description: The response type. - - name: response.code - type: long - description: The response code. diff --git a/packages/network_traffic/1.0.2/data_stream/icmp/manifest.yml b/packages/network_traffic/1.0.2/data_stream/icmp/manifest.yml deleted file mode 100755 index ca911dc8e0..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/icmp/manifest.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -title: ICMP -release: beta -type: logs -streams: - - input: packet - title: ICMP - description: Capture ICMP Traffic - template_path: icmp.yml.hbs - vars: - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false diff --git a/packages/network_traffic/1.0.2/data_stream/icmp/sample_event.json b/packages/network_traffic/1.0.2/data_stream/icmp/sample_event.json deleted file mode 100755 index 6dfd5d97d4..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/icmp/sample_event.json +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:57:32.766Z", - "agent": { - "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 4, - "ip": "::1" - }, - "data_stream": { - "dataset": "network_traffic.icmp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 4, - "ip": "::2" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.icmp", - "duration": 13336600, - "end": "2022-03-09T07:57:32.779Z", - "ingested": "2022-03-09T07:57:36Z", - "kind": "event", - "start": "2022-03-09T07:57:32.766Z", - "type": [ - "connection" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "icmp": { - "request": { - "code": 0, - "message": "EchoRequest", - "type": 128 - }, - "response": { - "code": 0, - "message": "EchoReply", - "type": 129 - }, - "version": 6 - }, - "network": { - "bytes": 8, - "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=", - "direction": "egress", - "transport": "ipv6-icmp", - "type": "ipv6" - }, - "path": "::2", - "related": { - "ip": [ - "::1", - "::2" - ] - }, - "server": { - "bytes": 4, - "ip": "::2" - }, - "source": { - "bytes": 4, - "ip": "::1" - }, - "status": "OK", - "type": "icmp" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/data_stream/memcached/agent/stream/memcached.yml.hbs b/packages/network_traffic/1.0.2/data_stream/memcached/agent/stream/memcached.yml.hbs deleted file mode 100755 index 136c8ad877..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/memcached/agent/stream/memcached.yml.hbs +++ /dev/null @@ -1,49 +0,0 @@ -type: memcache -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if parseunknown}} -parseunknown: {{parseunknown}} -{{/if}} -{{#if maxvalues}} -maxvalues: {{maxvalues}} -{{/if}} -{{#if maxbytespervalue}} -maxbytespervalue: {{maxbytespervalue}} -{{/if}} -{{#if udptransactiontimeout}} -udptransactiontimeout: {{udptransactiontimeout}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.2/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 79d3c2cf54..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing memcached traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.2/data_stream/memcached/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/memcached/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/memcached/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/memcached/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/memcached/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/memcached/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.2/data_stream/memcached/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/memcached/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/memcached/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.2/data_stream/memcached/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/memcached/fields/ecs.yml deleted file mode 100755 index 7638afce57..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/memcached/fields/ecs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.2/data_stream/memcached/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/memcached/fields/protocol.yml deleted file mode 100755 index 4d1c281dde..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/memcached/fields/protocol.yml +++ /dev/null 
@@ -1,215 +0,0 @@ -- name: memcache - type: group - fields: - - name: protocol_type - type: keyword - description: > - The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. - - - name: request.line - type: keyword - description: > - The raw command line for unknown commands ONLY. - - - name: request.command - type: keyword - description: > - The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. - - - name: response.command - type: keyword - description: > - Either the text based protocol response message type or the name of the originating request if binary protocol is used. - - - name: request.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". - - - name: response.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). - - - name: response.error_msg - type: keyword - description: > - The optional error message in the memcache response (text based protocol only). - - - name: request.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: response.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: request.opcode_value - type: long - description: > - The binary protocol message opcode value. 
- - - name: response.opcode_value - type: long - description: > - The binary protocol message opcode value. - - - name: request.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: response.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: request.vbucket - type: long - description: > - The vbucket index sent in the binary message. - - - name: response.status - type: keyword - description: > - The textual representation of the response error code (binary protocol only). - - - name: response.status_code - type: long - description: > - The status code value returned in the response (binary protocol only). - - - name: request.keys - type: array - description: > - The list of keys sent in the store or load commands. - - - name: response.keys - type: array - description: > - The list of keys returned for the load command (if present). - - - name: request.count_values - type: long - description: > - The number of values found in the memcache request message. If the command does not send any data, this field is missing. - - - name: response.count_values - type: long - description: > - The number of values found in the memcache response message. If the command does not send any data, this field is missing. - - - name: request.values - type: array - description: > - The list of base64 encoded values sent with the request (if present). - - - name: response.values - type: array - description: > - The list of base64 encoded values sent with the response (if present). - - - name: request.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. - - - name: response.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. 
- - - name: request.delta - type: long - description: > - The counter increment/decrement delta value. - - - name: request.initial - type: long - description: > - The counter increment/decrement initial value parameter (binary protocol only). - - - name: request.verbosity - type: long - description: > - The value of the memcache "verbosity" command. - - - name: request.raw_args - type: keyword - description: > - The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. - - - name: request.source_class - type: long - description: > - The source class id in 'slab reassign' command. - - - name: request.dest_class - type: long - description: > - The destination class id in 'slab reassign' command. - - - name: request.automove - type: keyword - description: > - The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. - - - name: request.flags - type: long - description: > - The memcache command flags sent in the request (if present). - - - name: response.flags - type: long - description: > - The memcache message flags sent in the response (if present). - - - name: request.exptime - type: long - description: > - The data expiry time in seconds sent with the memcache command (if present). If the value is `< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). - - - name: request.sleep_us - type: long - description: > - The sleep setting in microseconds for the 'lru_crawler sleep' command. - - - name: response.value - type: long - description: > - The counter value returned by a counter operation. - - - name: request.noreply - type: boolean - description: > - Set to true if noreply was set in the request. The `memcache.response` field will be missing. 
- - - name: request.quiet - type: boolean - description: > - Set to true if the binary protocol message is to be treated as a quiet message. - - - name: request.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier if present. - - - name: response.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). - - - name: response.stats - type: array - description: > - The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". - - - name: response.version - type: keyword - description: > - The returned memcache version string. - diff --git a/packages/network_traffic/1.0.2/data_stream/memcached/manifest.yml b/packages/network_traffic/1.0.2/data_stream/memcached/manifest.yml deleted file mode 100755 index 9120331b9d..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/memcached/manifest.yml +++ /dev/null 
@@ -1,116 +0,0 @@ -title: Memcached -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [11211] - - name: parseunknown - type: bool - title: Parseunknown - description: |- - Uncomment the parseunknown option to force the memcache text protocol parser - to accept unknown commands. - Note: All unknown commands MUST not contain any data parts! - Default: false - show_user: false - multi: false - required: false - - name: maxvalues - type: integer - title: Maxvalues - description: |- - Update the maxvalue option to store the values - base64 encoded - in the - json output. - possible values: - maxvalue: -1 store all values (text based protocol multi-get) - maxvalue: 0 store no values at all - maxvalue: N store up to N values - Default: 0 - show_user: false - multi: false - required: false - - name: maxbytespervalue - type: integer - title: Maxbytespervalue - description: |- - Use maxbytespervalue to limit the number of bytes to be copied per value element. - Note: Values will be base64 encoded, so actual size in json document - will be 4 times maxbytespervalue. - Default: unlimited - show_user: false - multi: false - required: false - - name: udptransactiontimeout - type: integer - title: Udptransactiontimeout - description: |- - UDP transaction timeout in milliseconds. - Note: Quiet messages in UDP binary protocol will get response only in error case. - The memcached analyzer will wait for udptransactiontimeout milliseconds - before publishing quiet messages. Non quiet messages or quiet requests with - error response will not have to wait for the timeout. 
- Default: 200 - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Memcached - description: Capture Memcached Traffic - template_path: memcached.yml.hbs diff --git a/packages/network_traffic/1.0.2/data_stream/memcached/sample_event.json b/packages/network_traffic/1.0.2/data_stream/memcached/sample_event.json deleted file mode 100755 index 4b4dc284f8..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/memcached/sample_event.json +++ /dev/null 
@@ -1,112 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:09:26.564Z", - "agent": { - "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "ip": "192.168.188.37", - "port": 65195 - }, - "data_stream": { - "dataset": "network_traffic.memcached", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.memcached", - "ingested": "2022-03-09T08:09:37Z", - "kind": "event", - "start": "2022-03-09T08:09:26.564Z", - "type": [ - "connection", - "protocol" - ] - }, - "event.action": "memcache.store", - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "memcache": { - "protocol_type": "binary", - "request": { - "bytes": 1024, - "command": "set", - "count_values": 1, - "exptime": 0, - "flags": 0, - "keys": [ - "test_key" - ], - "opaque": 65536, - "opcode": "SetQ", - "opcode_value": 17, - "quiet": true, - "type": "Store", - "vbucket": 0 - } - }, - "network": { - "bytes": 1064, - "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=", - "direction": "unknown", - "protocol": "memcache", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.188.37", - "192.168.188.38" - ] - }, - "server": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 
- }, - "source": { - "ip": "192.168.188.37", - "port": 65195 - }, - "status": "OK", - "type": "memcache" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/data_stream/mongodb/agent/stream/mongodb.yml.hbs b/packages/network_traffic/1.0.2/data_stream/mongodb/agent/stream/mongodb.yml.hbs deleted file mode 100755 index fe92042bcc..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/mongodb/agent/stream/mongodb.yml.hbs +++ /dev/null @@ -1,43 +0,0 @@ -type: mongodb -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if max_docs}} -max_docs: {{max_docs}} -{{/if}} -{{#if max_doc_length}} -max_doc_length: {{max_doc_length}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.2/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 53b9f4a0df..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing mongodb traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.2/data_stream/mongodb/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/mongodb/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/mongodb/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/mongodb/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/mongodb/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/mongodb/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.2/data_stream/mongodb/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/mongodb/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/mongodb/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.2/data_stream/mongodb/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/mongodb/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/mongodb/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.0.2/data_stream/mongodb/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/mongodb/fields/protocol.yml
deleted file mode 100755
index a84465c61e..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/mongodb/fields/protocol.yml
+++ /dev/null
@@ -1,58 +0,0 @@ -- name: mongodb - type: group - fields: - - name: error - type: keyword - description: > - If the MongoDB request has resulted in an error, this field contains the error message returned by the server. - - - name: fullCollectionName - type: keyword - description: > - The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. - - - name: numberToSkip - type: long - description: > - Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. - - - name: numberToReturn - type: long - description: > - The requested maximum number of documents to be returned. - - - name: numberReturned - type: long - description: > - The number of documents in the reply. - - - name: startingFrom - type: keyword - description: > - Where in the cursor this reply is starting. - - - name: query - type: keyword - description: > - A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. - - - name: returnFieldsSelector - type: keyword - description: > - A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. - - - name: selector - type: keyword - description: > - A BSON document that specifies the query for selecting the document to update or delete. - - - name: update - type: keyword - description: > - A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. 
- - - name: cursorId - type: keyword - description: > - The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. -
diff --git a/packages/network_traffic/1.0.2/data_stream/mongodb/manifest.yml b/packages/network_traffic/1.0.2/data_stream/mongodb/manifest.yml
deleted file mode 100755
index 0ff11578a2..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/mongodb/manifest.yml
+++ /dev/null
@@ -1,86 +0,0 @@ -title: MongoDB -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [27017] - - name: max_docs - type: integer - title: Max Docs - description: |- - The maximum number of documents from the response to index in the `response` - field. The default is 10. - show_user: false - multi: false - required: false - - name: max_doc_length - type: integer - title: Max Doc Length - description: |- - The maximum number of characters in a single document indexed in the - `response` field. The default is 5000. You can set this to 0 to index an - unlimited number of characters per document. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. 
- show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: MongoDB - description: Capture MongoDB Traffic - template_path: mongodb.yml.hbs
diff --git a/packages/network_traffic/1.0.2/data_stream/mongodb/sample_event.json b/packages/network_traffic/1.0.2/data_stream/mongodb/sample_event.json
deleted file mode 100755
index 4cfd576e4c..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/mongodb/sample_event.json
+++ /dev/null
@@ -1,106 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:15:48.570Z", - "agent": { - "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "data_stream": { - "dataset": "network_traffic.mongodb", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mongodb", - "duration": 1365900, - "end": "2022-03-09T08:15:48.571Z", - "ingested": "2022-03-09T08:15:49Z", - "kind": "event", - "start": "2022-03-09T08:15:48.570Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "find", - "mongodb": { - "cursorId": 0, - "fullCollectionName": "test.restaurants", - "numberReturned": 1, - "numberToReturn": 1, - "numberToSkip": 0, - "startingFrom": 0 - }, - "network": { - "bytes": 564, - "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=", - "direction": "ingress", - "protocol": "mongodb", - "transport": "tcp", - "type": "ipv4" - }, - "query": "test.restaurants.find().limit(1)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "test.restaurants", - "server": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "source": { - "bytes": 50, - 
"ip": "127.0.0.1", - "port": 57203 - }, - "status": "OK", - "type": "mongodb" -}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.2/data_stream/mysql/agent/stream/mysql.yml.hbs b/packages/network_traffic/1.0.2/data_stream/mysql/agent/stream/mysql.yml.hbs
deleted file mode 100755
index 85b82a47b3..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/mysql/agent/stream/mysql.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-type: mysql -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}}
diff --git a/packages/network_traffic/1.0.2/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 23ad4ad9d5..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
---- -description: Pipeline for processing mysql traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.2/data_stream/mysql/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/mysql/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/mysql/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/mysql/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/mysql/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/mysql/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp.
diff --git a/packages/network_traffic/1.0.2/data_stream/mysql/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/mysql/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/mysql/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. -
diff --git a/packages/network_traffic/1.0.2/data_stream/mysql/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/mysql/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/mysql/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long
diff --git a/packages/network_traffic/1.0.2/data_stream/mysql/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/mysql/fields/protocol.yml
deleted file mode 100755
index 64675f8d8e..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/mysql/fields/protocol.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- name: mysql - type: group - fields: - - name: affected_rows - type: long - description: > - If the MySQL command is successful, this field contains the affected number of rows of the last statement. - - - name: insert_id - type: keyword - description: > - If the INSERT query is successful, this field contains the id of the newly inserted row. - - - name: num_fields - type: long - description: > - If the SELECT query is successful, this field is set to the number of fields returned. - - - name: num_rows - type: long - description: > - If the SELECT query is successful, this field is set to the number of rows returned. - - - name: query - type: keyword - description: > - The row mysql query as read from the transaction's request. - - - name: error_code - type: long - description: > - The error code returned by MySQL. - - - name: error_message - type: keyword - description: > - The error info message returned by MySQL. -
diff --git a/packages/network_traffic/1.0.2/data_stream/mysql/manifest.yml b/packages/network_traffic/1.0.2/data_stream/mysql/manifest.yml
deleted file mode 100755
index c4655854f0..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/mysql/manifest.yml
+++ /dev/null
@@ -1,67 +0,0 @@ -title: MySQL -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [3306, 3307] - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: MySQL - description: Capture MySQL Traffic - template_path: mysql.yml.hbs 
diff --git a/packages/network_traffic/1.0.2/data_stream/mysql/sample_event.json b/packages/network_traffic/1.0.2/data_stream/mysql/sample_event.json
deleted file mode 100755
index 2c33116053..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/mysql/sample_event.json
+++ /dev/null
@@ -1,104 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:20:44.667Z", - "agent": { - "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "data_stream": { - "dataset": "network_traffic.mysql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mysql", - "duration": 5532500, - "end": "2022-03-09T08:20:44.673Z", - "ingested": "2022-03-09T08:20:45Z", - "kind": "event", - "start": "2022-03-09T08:20:44.667Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "mysql": { - "affected_rows": 0, - "insert_id": 0, - "num_fields": 3, - "num_rows": 15 - }, - "network": { - "bytes": 3652, - "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", - "direction": "ingress", - "protocol": "mysql", - "transport": "tcp", - "type": "ipv4" - }, - "path": "test.test", - "query": "select * from test", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "source": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "status": "OK", - "type": "mysql" -} \ No newline at end of 
file
diff --git a/packages/network_traffic/1.0.2/data_stream/nfs/agent/stream/nfs.yml.hbs b/packages/network_traffic/1.0.2/data_stream/nfs/agent/stream/nfs.yml.hbs
deleted file mode 100755
index c8349a7bcb..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/nfs/agent/stream/nfs.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-type: nfs
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.2/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index cd66758ed4..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing nfs traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.2/data_stream/nfs/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/nfs/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/nfs/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/nfs/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/nfs/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/nfs/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.2/data_stream/nfs/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/nfs/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/nfs/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.2/data_stream/nfs/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/nfs/fields/ecs.yml deleted file mode 100755 index 2b26a193f9..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/nfs/fields/ecs.yml +++ /dev/null 
@@ -1,144 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. 
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: group.id - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Unique identifier of the user. - name: user.id - type: keyword diff --git a/packages/network_traffic/1.0.2/data_stream/nfs/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/nfs/fields/protocol.yml deleted file mode 100755 index 4bcf6fecec..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/nfs/fields/protocol.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -- name: nfs - type: group - fields: - - name: version - type: long - description: NFS protocol version number. - - name: minor_version - type: long - description: NFS protocol minor version number. - - name: tag - type: keyword - description: NFS v4 COMPOUND operation tag. - - name: opcode - type: keyword - description: > - NFS operation name, or main operation name, in case of COMPOUND calls. - - - name: status - type: keyword - description: NFS operation reply status. -- name: rpc - type: group - description: ONC RPC specific event fields. - fields: - - name: xid - type: keyword - description: RPC message transaction identifier. - - name: status - type: keyword - description: RPC message reply status. - - name: auth_flavor - type: keyword - description: RPC authentication flavor. - - name: cred.uid - type: long - description: RPC caller's user id, in case of auth-unix. - - name: cred.gid - type: long - description: RPC caller's group id, in case of auth-unix. - - name: cred.gids - type: long - description: RPC caller's secondary group ids, in case of auth-unix. - - name: cred.stamp - type: long - description: Arbitrary ID which the caller machine may generate. - - name: cred.machinename - type: keyword - description: The name of the caller's machine. diff --git a/packages/network_traffic/1.0.2/data_stream/nfs/manifest.yml b/packages/network_traffic/1.0.2/data_stream/nfs/manifest.yml deleted file mode 100755 index 4e5323fa1e..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/nfs/manifest.yml +++ /dev/null 
@@ -1,67 +0,0 @@
-title: NFS
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [2049]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: NFS
- description: Capture NFS Traffic
- template_path: nfs.yml.hbs
diff --git a/packages/network_traffic/1.0.2/data_stream/nfs/sample_event.json b/packages/network_traffic/1.0.2/data_stream/nfs/sample_event.json
deleted file mode 100755
index de4b4525e0..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/nfs/sample_event.json
+++ /dev/null
@@ -1,123 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:24:00.569Z", - "agent": { - "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "data_stream": { - "dataset": "network_traffic.nfs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "nfs.CLOSE", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.nfs", - "duration": 6573500, - "end": "2022-03-09T08:24:00.575Z", - "ingested": "2022-03-09T08:24:01Z", - "kind": "event", - "start": "2022-03-09T08:24:00.569Z", - "type": [ - "connection", - "protocol" - ] - }, - "group.id": 48, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "host.hostname": "desycloud03.desy.de", - "network": { - "bytes": 384, - "community_id": "1:cd5eLXemAsSPMdXwCbdDUWWud4M=", - "direction": "unknown", - "protocol": "nfsv4", - "transport": "tcp", - "type": "ipv4" - }, - "nfs": { - "minor_version": 1, - "opcode": "CLOSE", - "status": "NFS_OK", - "tag": "", - "version": 4 - }, - "related": { - "ip": [ - "131.169.5.156", - "131.169.192.35" - ] - }, - "rpc": { - "auth_flavor": "unix", - "cred": { - "gid": 48, - "gids": [ - 48 - ], - "machinename": "desycloud03.desy.de", - 
"stamp": 4308441,
- "uid": 48
- },
- "status": "success",
- "xid": "c3103fc1"
- },
- "server": {
- "bytes": 176,
- "ip": "131.169.192.35",
- "port": 2049
- },
- "source": {
- "bytes": 208,
- "domain": "desycloud03.desy.de",
- "ip": "131.169.5.156",
- "port": 907
- },
- "status": "OK",
- "type": "nfs",
- "user.id": 48
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.2/data_stream/pgsql/agent/stream/pgsql.yml.hbs b/packages/network_traffic/1.0.2/data_stream/pgsql/agent/stream/pgsql.yml.hbs
deleted file mode 100755
index 8680c36b1a..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/pgsql/agent/stream/pgsql.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-type: pgsql
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.2/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 7bd75120a7..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing pgsql traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.2/data_stream/pgsql/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/pgsql/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/pgsql/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/pgsql/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/pgsql/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/pgsql/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.2/data_stream/pgsql/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/pgsql/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/pgsql/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.2/data_stream/pgsql/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/pgsql/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/pgsql/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.2/data_stream/pgsql/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/pgsql/fields/protocol.yml deleted file mode 100755 index 4fd03e12cb..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/pgsql/fields/protocol.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: pgsql - type: group - fields: - - name: error_code - description: The PostgreSQL error code. - type: keyword - - name: error_message - type: keyword - description: The PostgreSQL error message. - - name: error_severity - type: keyword - description: The PostgreSQL error severity. - possible_values: - - ERROR - - FATAL - - PANIC - - name: num_fields - type: long - description: > - If the SELECT query if successful, this field is set to the number of fields returned. - - - name: num_rows - type: long - description: > - If the SELECT query if successful, this field is set to the number of rows returned. - diff --git a/packages/network_traffic/1.0.2/data_stream/pgsql/manifest.yml b/packages/network_traffic/1.0.2/data_stream/pgsql/manifest.yml deleted file mode 100755 index eb205cd837..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/pgsql/manifest.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -title: PostgreSQL -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5432] - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: PostgreSQL - description: Capture PostgreSQL Traffic - template_path: pgsql.yml.hbs 
diff --git a/packages/network_traffic/1.0.2/data_stream/pgsql/sample_event.json b/packages/network_traffic/1.0.2/data_stream/pgsql/sample_event.json
deleted file mode 100755
index 462f734f42..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/pgsql/sample_event.json
+++ /dev/null
@@ -1,101 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:29:39.675Z", - "agent": { - "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "data_stream": { - "dataset": "network_traffic.pgsql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.pgsql", - "duration": 2568100, - "end": "2022-03-09T08:29:39.678Z", - "ingested": "2022-03-09T08:29:40Z", - "kind": "event", - "start": "2022-03-09T08:29:39.675Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "network": { - "bytes": 3220, - "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=", - "direction": "ingress", - "protocol": "pgsql", - "transport": "tcp", - "type": "ipv4" - }, - "pgsql": { - "num_fields": 3, - "num_rows": 15 - }, - "query": "select * from long_response", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "source": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "status": "OK", - "type": "pgsql" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/data_stream/redis/agent/stream/redis.yml.hbs b/packages/network_traffic/1.0.2/data_stream/redis/agent/stream/redis.yml.hbs
deleted file mode 100755
index f357ca3a6d..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/redis/agent/stream/redis.yml.hbs
+++ /dev/null
@@ -1,43 +0,0 @@
-type: redis
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if queue_max_bytes}}
-queue_max_bytes: {{queue_max_bytes}}
-{{/if}}
-{{#if queue_max_messages}}
-queue_max_messages: {{queue_max_messages}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.2/data_stream/redis/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/redis/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index a2af2349ac..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/redis/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing redis traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.2/data_stream/redis/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/redis/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/redis/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/redis/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/redis/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/redis/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.2/data_stream/redis/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/redis/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/redis/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.0.2/data_stream/redis/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/redis/fields/ecs.yml
deleted file mode 100755
index 7638afce57..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/redis/fields/ecs.yml
+++ /dev/null
@@ -1,136 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome.
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter.
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.0.2/data_stream/redis/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/redis/fields/protocol.yml
deleted file mode 100755
index 4982b2c2d3..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/redis/fields/protocol.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-- name: redis
- type: group
- fields:
- - name: return_value
- type: keyword
- description: >
- The return value of the Redis command in a human readable format.
-
- - name: error
- type: keyword
- description: >
- If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.
-
diff --git a/packages/network_traffic/1.0.2/data_stream/redis/manifest.yml b/packages/network_traffic/1.0.2/data_stream/redis/manifest.yml
deleted file mode 100755
index 9fe0ce4e18..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/redis/manifest.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-title: Redis
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [6379]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: queue_max_bytes
- type: integer
- title: Queue Max Bytes
- description: |-
- Max size for per-session message queue. This places a limit on the memory
- that can be used to buffer requests and responses for correlation.
- show_user: false
- multi: false
- required: false
- - name: queue_max_messages
- type: integer
- title: Queue Max Messages
- description: |-
- Max number of messages for per-session message queue. This limits the number
- of requests or responses that can be buffered for correlation. Set a value
- large enough to allow for pipelining.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: Redis
- description: Capture Redis Traffic
- template_path: redis.yml.hbs
diff --git a/packages/network_traffic/1.0.2/data_stream/redis/sample_event.json b/packages/network_traffic/1.0.2/data_stream/redis/sample_event.json
deleted file mode 100755
index 7ce644c935..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/redis/sample_event.json
+++ /dev/null
@@ -1,102 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:30:57.254Z",
- "agent": {
- "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 31,
- "ip": "127.0.0.1",
- "port": 32810
- },
- "data_stream": {
- "dataset": "network_traffic.redis",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 5,
- "ip": "127.0.0.1",
- "port": 6380
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "redis.set",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.redis",
- "duration": 1421600,
- "end": "2022-03-09T08:30:57.256Z",
- "ingested": "2022-03-09T08:30:58Z",
- "kind": "event",
- "start": "2022-03-09T08:30:57.254Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SET",
- "network": {
- "bytes": 36,
- "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=",
- "direction": "ingress",
- "protocol": "redis",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "set key3 me",
- "redis": {
- "return_value": "OK"
- },
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "resource": "key3",
- "server": {
- "bytes": 5,
- "ip": "127.0.0.1",
- "port": 6380
- },
- "source": {
- "bytes": 31,
- "ip": "127.0.0.1",
- "port": 32810
- },
- "status": "OK",
- "type": "redis"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.2/data_stream/sip/agent/stream/sip.yml.hbs b/packages/network_traffic/1.0.2/data_stream/sip/agent/stream/sip.yml.hbs
deleted file mode 100755
index 935ea011ee..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/sip/agent/stream/sip.yml.hbs
+++ /dev/null
@@ -1,34 +0,0 @@
-type: sip
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if parse_authorization}}
-parse_authorization: {{parse_authorization}}
-{{/if}}
-{{#if parse_body}}
-parse_body: {{parse_body}}
-{{/if}}
-{{#if keep_original}}
-keep_original: {{keep_original}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.2/data_stream/sip/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/sip/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index c20207afdd..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/sip/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for processing sip traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
- # Set host.mac to dash separated upper case value
- # as per ECS recommendation
- ##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-# Remove invalid "protocol" term added by packetbeat prior to v7.17.4/8.2.1.
-- script:
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "protocol") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.2/data_stream/sip/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/sip/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/sip/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.0.2/data_stream/sip/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/sip/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/sip/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.2/data_stream/sip/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/sip/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/sip/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.0.2/data_stream/sip/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/sip/fields/ecs.yml
deleted file mode 100755
index c2a147238b..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/sip/fields/ecs.yml
+++ /dev/null
@@ -1,174 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- name: event.type - type: keyword -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. 
- name: network.forwarded_ip - type: ip -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/network_traffic/1.0.2/data_stream/sip/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/sip/fields/protocol.yml deleted file mode 100755 index 5b25d9df6d..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/sip/fields/protocol.yml +++ /dev/null 
@@ -1,231 +0,0 @@ -- name: sip - type: group - description: Information about SIP traffic. - fields: - - name: code - type: long - description: Response status code. - - name: method - type: keyword - description: Request method. - - name: status - type: keyword - description: Response status phrase. - - name: type - type: keyword - description: Either request or response. - - name: version - type: keyword - description: SIP protocol version. - - name: uri.original - type: keyword - description: The original URI. - multi_fields: - - name: text - type: text - norms: false - - name: uri.scheme - type: keyword - description: The URI scheme. - - name: uri.username - type: keyword - description: The URI user name. - - name: uri.host - type: keyword - description: The URI host. - - name: uri.port - type: long - description: The URI port. - - name: accept - type: keyword - description: Accept header value. - - name: allow - type: keyword - description: Allowed methods. - - name: call_id - type: keyword - description: Call ID. - - name: content_length - type: long - - name: content_type - type: keyword - - name: max_forwards - type: long - - name: supported - type: keyword - description: Supported methods. - - name: user_agent.original - type: keyword - multi_fields: - - name: text - type: text - norms: false - - name: private.uri.original - type: keyword - description: Private original URI. - multi_fields: - - name: text - type: text - norms: false - - name: private.uri.scheme - type: keyword - description: Private URI scheme. - - name: private.uri.username - type: keyword - description: Private URI user name. - - name: private.uri.host - type: keyword - description: Private URI host. - - name: private.uri.port - type: long - description: Private URI port. - - name: cseq.code - type: long - description: Sequence code. - - name: cseq.method - type: keyword - description: Sequence method. - - name: via.original - type: keyword - description: The original Via value. 
- multi_fields: - - name: text - type: text - norms: false - - name: to.display_info - type: keyword - description: "To display info" - - name: to.uri.original - type: keyword - description: "To original URI" - multi_fields: - - name: text - type: text - norms: false - - name: to.uri.scheme - type: keyword - description: "To URI scheme" - - name: to.uri.username - type: keyword - description: "To URI user name" - - name: to.uri.host - type: keyword - description: "To URI host" - - name: to.uri.port - type: long - description: "To URI port" - - name: to.tag - type: keyword - description: "To tag" - - name: from.display_info - type: keyword - description: "From display info" - - name: from.uri.original - type: keyword - description: "From original URI" - multi_fields: - - name: text - type: text - norms: false - - name: from.uri.scheme - type: keyword - description: "From URI scheme" - - name: from.uri.username - type: keyword - description: "From URI user name" - - name: from.uri.host - type: keyword - description: "From URI host" - - name: from.uri.port - type: long - description: "From URI port" - - name: from.tag - type: keyword - description: "From tag" - - name: contact.display_info - type: keyword - description: "Contact display info" - - name: contact.uri.original - type: keyword - description: "Contact original URI" - multi_fields: - - name: text - type: text - norms: false - - name: contact.uri.scheme - type: keyword - description: "Contat URI scheme" - - name: contact.uri.username - type: keyword - description: "Contact URI user name" - - name: contact.uri.host - type: keyword - description: "Contact URI host" - - name: contact.uri.port - type: long - description: "Contact URI port" - - name: contact.transport - type: keyword - description: "Contact transport" - - name: contact.line - type: keyword - description: "Contact line" - - name: contact.expires - type: keyword - description: "Contact expires" - - name: contact.q - type: keyword - description: 
"Contact Q" - - name: auth.scheme - type: keyword - description: "Auth scheme" - - name: auth.realm - type: keyword - description: "Auth realm" - - name: auth.uri.original - type: keyword - description: "Auth original URI" - multi_fields: - - name: text - type: text - norms: false - - name: auth.uri.scheme - type: keyword - description: "Auth URI scheme" - - name: auth.uri.host - type: keyword - description: "Auth URI host" - - name: auth.uri.port - type: long - description: "Auth URI port" - - name: sdp.version - type: keyword - description: "SDP version" - - name: sdp.owner.username - type: keyword - description: "SDP owner user name" - - name: sdp.owner.session_id - type: keyword - description: "SDP owner session ID" - - name: sdp.owner.version - type: keyword - description: "SDP owner version" - - name: sdp.owner.ip - type: ip - description: "SDP owner IP" - - name: sdp.session.name - type: keyword - description: "SDP session name" - - name: sdp.connection.info - type: keyword - description: "SDP connection info" - - name: sdp.connection.address - type: keyword - description: "SDP connection address" - - name: sdp.body.original - type: keyword - description: "SDP original body" - multi_fields: - - name: text - type: text - norms: false diff --git a/packages/network_traffic/1.0.2/data_stream/sip/manifest.yml b/packages/network_traffic/1.0.2/data_stream/sip/manifest.yml deleted file mode 100755 index 79dd27ea52..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/sip/manifest.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -title: SIP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5060] - - name: parse_authorization - type: bool - title: Parse Authorization - description: Parse the authorization headers - show_user: false - multi: false - required: false - - name: parse_body - type: bool - title: Parse Body - description: Parse body contents (only when body is SDP) - show_user: false - multi: false - required: false - - name: keep_original - type: bool - title: Keep Original - description: Preserve original contents in event.original - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: SIP - description: Capture SIP Traffic - template_path: sip.yml.hbs diff --git a/packages/network_traffic/1.0.2/data_stream/sip/sample_event.json b/packages/network_traffic/1.0.2/data_stream/sip/sample_event.json deleted file mode 100755 index 5a36041d5a..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/sip/sample_event.json +++ /dev/null 
@@ -1,174 +0,0 @@ -{ - "@timestamp": "2022-05-13T07:10:35.715Z", - "agent": { - "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013", - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "10.0.2.20", - "port": 5060 - }, - "data_stream": { - "dataset": "network_traffic.sip", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.2.15", - "port": 5060 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "sip-invite", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.sip", - "duration": 0, - "end": "2022-05-13T07:10:35.715Z", - "ingested": "2022-05-13T07:10:39Z", - "kind": "event", - "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", - "sequence": 1, - "start": "2022-05-13T07:10:35.715Z", - "type": [ - "info" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "172.31.0.7" - ], - "mac": [ - "02-42-AC-1F-00-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "application": "sip", - "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", - 
"direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - }, - "version": "2.0", - "via": { - "original": [ - "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" - ] - } - }, - "source": { - "ip": "10.0.2.20", - "port": 5060 - }, - "status": "OK", - "type": "sip" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/data_stream/thrift/agent/stream/thrift.yml.hbs b/packages/network_traffic/1.0.2/data_stream/thrift/agent/stream/thrift.yml.hbs
deleted file mode 100755
index d6d9604253..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/thrift/agent/stream/thrift.yml.hbs
+++ /dev/null
@@ -1,64 +0,0 @@
-type: thrift
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if transport_type}}
-transport_type: {{transport_type}}
-{{/if}}
-{{#if protocol_type}}
-protocol_type: {{protocol_type}}
-{{/if}}
-{{#if idl_files}}
-idl_files:
-{{#each idl_files as |idl_file|}}
- - {{idl_file}}
-{{/each}}
-{{/if}}
-{{#if string_max_size}}
-string_max_size: {{string_max_size}}
-{{/if}}
-{{#if collection_max_size}}
-collection_max_size: {{collection_max_size}}
-{{/if}}
-{{#if capture_reply}}
-capture_reply: {{capture_reply}}
-{{/if}}
-{{#if obfuscate_strings}}
-obfuscate_strings: {{obfuscate_strings}}
-{{/if}}
-{{#if drop_after_n_struct_fields}}
-drop_after_n_struct_fields: {{drop_after_n_struct_fields}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.0.2/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 987bedd730..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing thrift traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.0.2/data_stream/thrift/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/thrift/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/thrift/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/thrift/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/thrift/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/thrift/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.0.2/data_stream/thrift/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/thrift/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.0.2/data_stream/thrift/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.2/data_stream/thrift/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/thrift/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/thrift/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.0.2/data_stream/thrift/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/thrift/fields/protocol.yml deleted file mode 100755 index dd097f61ee..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/thrift/fields/protocol.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: thrift - type: group - fields: - - name: params - type: keyword - description: > - The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. - - - name: service - type: keyword - description: > - The name of the Thrift-RPC service as defined in the IDL files. - - - name: return_value - type: keyword - description: > - The value returned by the Thrift-RPC call. This is encoded in a human readable format. - - - name: exceptions - type: keyword - description: > - If the call resulted in exceptions, this field contains the exceptions in a human readable format. - diff --git a/packages/network_traffic/1.0.2/data_stream/thrift/manifest.yml b/packages/network_traffic/1.0.2/data_stream/thrift/manifest.yml deleted file mode 100755 index 29eabbeb19..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/thrift/manifest.yml +++ /dev/null 
@@ -1,141 +0,0 @@ -title: Thrift -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [9090] - - name: transport_type - type: text - title: Transport Type - description: |- - The Thrift transport type. Currently this option accepts the values socket - for TSocket, which is the default Thrift transport, and framed for the - TFramed Thrift transport. The default is socket. - show_user: false - multi: false - required: false - - name: protocol_type - type: text - title: Protocol Type - description: |- - The Thrift protocol type. Currently the only accepted value is binary for - the TBinary protocol, which is the default Thrift protocol. - show_user: false - multi: false - required: false - - name: idl_files - type: text - title: Idl Files - description: |- - The Thrift interface description language (IDL) files for the service that - Packetbeat is monitoring. Providing the IDL enables Packetbeat to include - parameter and exception names. - show_user: false - multi: true - required: false - - name: string_max_size - type: integer - title: String Max Size - description: |- - The maximum length for strings in parameters or return values. If a string - is longer than this value, the string is automatically truncated to this - length. - show_user: false - multi: false - required: false - - name: collection_max_size - type: integer - title: Collection Max Size - description: The maximum number of elements in a Thrift list, set, map, or structure. - show_user: false - multi: false - required: false - - name: capture_reply - type: bool - title: Capture Reply - description: |- - If this option is set to false, Packetbeat decodes the method name from the - reply and simply skips the rest of the response message. 
- show_user: false - multi: false - required: false - - name: obfuscate_strings - type: bool - title: Obfuscate Strings - description: |- - If this option is set to true, Packetbeat replaces all strings found in - method parameters, return codes, or exception structures with the "*" - string. - show_user: false - multi: false - required: false - - name: drop_after_n_struct_fields - type: integer - title: Drop After N Struct Fields - description: |- - The maximum number of fields that a structure can have before Packetbeat - ignores the whole transaction. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Thrift - description: Capture Thrift Traffic - template_path: thrift.yml.hbs diff --git a/packages/network_traffic/1.0.2/data_stream/thrift/sample_event.json b/packages/network_traffic/1.0.2/data_stream/thrift/sample_event.json deleted file mode 100755 index 523e6958a6..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/thrift/sample_event.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "@timestamp": "2022-05-23T10:59:35.668Z", - "agent": { - "ephemeral_id": "016dcea4-c82a-4499-9069-e4e0ff6d04ff", - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "data_stream": { - "dataset": "network_traffic.thrift", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.thrift", - "duration": 1275700, - "end": "2022-05-23T10:59:35.669Z", - "ingested": "2022-05-23T10:59:36Z", - "kind": "event", - "start": "2022-05-23T10:59:35.668Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.224.7" - ], - "mac": [ - "02-42-C0-A8-E0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "method": "testByte", - "network": { - "bytes": 50, - "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=", - "direction": "ingress", - "protocol": "thrift", - "transport": "tcp", - "type": "ipv4" - }, - "path": "", - "query": "testByte(1: 63)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "status": "OK", - "thrift": { - "params": "(1: 63)", - "return_value": "63" - }, - "type": "thrift" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/data_stream/tls/agent/stream/tls.yml.hbs b/packages/network_traffic/1.0.2/data_stream/tls/agent/stream/tls.yml.hbs deleted file mode 100755 index 877a553bfd..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/tls/agent/stream/tls.yml.hbs +++ /dev/null @@ -1,40 +0,0 @@ -type: tls -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if fingerprints}} -fingerprints: -{{#each fingerprints as |fingerprint|}} - - {{fingerprint}} -{{/each}} -{{/if}} -{{#if send_certificates}} -send_certificates: {{send_certificates}} -{{/if}} -{{#if include_raw_certificates}} -include_raw_certificates: {{include_raw_certificates}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.0.2/data_stream/tls/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.0.2/data_stream/tls/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index bd7f3b2b61..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/tls/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,70 +0,0 @@ ---- -description: Pipeline for processing tls traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true - -## -# Make tls.{client,server}.x509.version_number a string as per ECS. -## -- convert: - field: tls.client.x509.version_number - type: string - ignore_missing: true -- convert: - field: tls.server.x509.version_number - type: string - ignore_missing: true - -## -# This handles legacy TLS fields from Packetbeat 7.17. -## -- remove: - description: Remove legacy fields from Packetbeat 7.17 that are duplicated. - field: - - tls.client.x509.issuer.province # Duplicated as tls.client.x509.issuer.state_or_province. - - tls.client.x509.subject.province # Duplicated as tls.client.x509.subject.state_or_province. - - tls.client.x509.version # Duplicated as tls.client.x509.version_number. - - tls.detailed.client_certificate # Duplicated as tls.client.x509. - - tls.detailed.server_certificate # Duplicated as tls.server.x509. - - tls.server.x509.issuer.province # Duplicated as tls.server.x509.issuer.state_or_province. - - tls.server.x509.subject.province # Duplicated as tls.server.x509.subject.state_or_province. - - tls.server.x509.version # Duplicated as tls.server.x509.version_number. - ignore_missing: true - -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. 
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.0.2/data_stream/tls/fields/agent.yml b/packages/network_traffic/1.0.2/data_stream/tls/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/tls/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.0.2/data_stream/tls/fields/base.yml b/packages/network_traffic/1.0.2/data_stream/tls/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/tls/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.0.2/data_stream/tls/fields/beats.yml b/packages/network_traffic/1.0.2/data_stream/tls/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/tls/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.0.2/data_stream/tls/fields/ecs.yml b/packages/network_traffic/1.0.2/data_stream/tls/fields/ecs.yml deleted file mode 100755 index 49c713858d..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/tls/fields/ecs.yml +++ /dev/null 
@@ -1,368 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. - name: tls.client.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - name: tls.client.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. 
- name: tls.client.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.sha256 - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: Date/Time indicating when client certificate is no longer considered valid. - name: tls.client.not_after - type: date -- description: Date/Time indicating when client certificate is first considered valid. - name: tls.client.not_before - type: date -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: Distinguished name of subject of the x.509 certificate presented by the client. - name: tls.client.subject - type: keyword -- description: Array of ciphers offered by the client during the client hello. - name: tls.client.supported_ciphers - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.client.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.client.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.client.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. 
- name: tls.client.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.client.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.client.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.client.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.client.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.client.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.client.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.client.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.client.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.client.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.client.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. 
- name: tls.client.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.client.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.client.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.client.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.client.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.client.x509.version_number - type: keyword -- description: String indicating the curve used for the given cipher, when applicable. - name: tls.curve - type: keyword -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean -- description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. - name: tls.next_protocol - type: keyword -- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - name: tls.resumed - type: boolean -- description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. - name: tls.server.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - name: tls.server.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha256 - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword -- description: Timestamp indicating when server certificate is no longer considered valid. - name: tls.server.not_after - type: date -- description: Timestamp indicating when server certificate is first considered valid. - name: tls.server.not_before - type: date -- description: Subject of the x.509 certificate presented by the server. - name: tls.server.subject - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.server.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. 
- name: tls.server.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.server.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.server.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.server.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.server.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.server.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.server.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.server.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.server.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.server.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.server.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.server.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.server.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.server.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.server.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.server.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.server.x509.version_number - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword diff --git a/packages/network_traffic/1.0.2/data_stream/tls/fields/protocol.yml b/packages/network_traffic/1.0.2/data_stream/tls/fields/protocol.yml deleted file mode 100755 index d8264468d4..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/tls/fields/protocol.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -- name: tls - type: group - fields: - - name: detailed - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol used. - - example: "TLS 1.3" - - name: resumption_method - type: keyword - description: > - If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. - - - name: client_certificate_requested - type: boolean - description: > - Whether the server has requested the client to authenticate itself using a client certificate. - - - name: ocsp_response - type: keyword - description: > - The result of an OCSP request. - - - name: client_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol by which the client wishes to communicate during this session. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: supported_compression_methods - type: keyword - description: > - The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml - - - name: extensions - type: group - description: The hello extensions provided by the client. - fields: - - name: server_name_indication - type: keyword - description: List of hostnames - - name: application_layer_protocol_negotiation - type: keyword - description: > - List of application-layer protocols the client is willing to use. - - - name: session_ticket - type: keyword - description: > - Length of the session ticket, if provided, or an empty string to advertise support for tickets. - - - name: supported_versions - type: keyword - description: > - List of TLS versions that the client is willing to use. 
- - - name: supported_groups - type: keyword - description: > - List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. - - - name: signature_algorithms - type: keyword - description: > - List of signature algorithms that may be use in digital signatures. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: type - type: keyword - description: The type of the status request. Always "ocsp" if present. - - name: responder_id_list_length - type: short - description: The length of the list of trusted responders. - - name: request_extensions - type: short - description: The number of certificate extensions for the request. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: selected_compression_method - type: keyword - description: > - The compression method selected by the server from the list provided in the client hello. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: extensions - type: group - description: The hello extensions provided by the server. 
- fields: - - name: application_layer_protocol_negotiation - type: keyword - description: Negotiated application layer protocol - - name: session_ticket - type: keyword - description: > - Used to announce that a session ticket will be provided by the server. Always an empty string. - - - name: supported_versions - type: keyword - description: > - Negotiated TLS version to be used. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: response - type: boolean - description: Whether a certificate status request response was made. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_certificate_chain - type: array - description: Chain of trust for the server certificate. - - name: client_certificate_chain - type: array - description: Chain of trust for the client certificate. - - name: alert_types - type: keyword - description: > - An array containing the TLS alert type for every alert received. - diff --git a/packages/network_traffic/1.0.2/data_stream/tls/manifest.yml b/packages/network_traffic/1.0.2/data_stream/tls/manifest.yml deleted file mode 100755 index d2b8f403da..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/tls/manifest.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -title: TLS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [443, 993, 995, 5223, 8443, 8883, 9243] - - name: fingerprints - type: text - title: Fingerprints - description: |- - List of hash algorithms to use to calculate certificates' fingerprints. - Valid values are `sha1`, `sha256` and `md5`. - show_user: false - multi: true - required: false - - name: send_certificates - type: bool - title: Send Certificates - description: |- - If this option is enabled, the client and server certificates and - certificate chains are sent to Elasticsearch. The default is true. - show_user: false - multi: false - required: false - - name: include_raw_certificates - type: bool - title: Include Raw Certificates - description: |- - If this option is enabled, the raw certificates will be stored - in PEM format under the `raw` key. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: TLS - description: Capture TLS Traffic - template_path: tls.yml.hbs 
diff --git a/packages/network_traffic/1.0.2/data_stream/tls/sample_event.json b/packages/network_traffic/1.0.2/data_stream/tls/sample_event.json deleted file mode 100755 index 6c9779651e..0000000000 --- a/packages/network_traffic/1.0.2/data_stream/tls/sample_event.json +++ /dev/null 
@@ -1,302 +0,0 @@ -{ - "@timestamp": "2022-05-23T11:01:14.376Z", - "agent": { - "ephemeral_id": "d7d5fdf6-998d-488e-bfb7-176a86d6860d", - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "192.168.1.35", - "port": 59455 - }, - "data_stream": { - "dataset": "network_traffic.tls", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "domain": "example.net", - "ip": "93.184.216.34", - "port": 443 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.tls", - "duration": 365887700, - "end": "2022-05-23T11:01:14.741Z", - "ingested": "2022-05-23T11:01:17Z", - "kind": "event", - "start": "2022-05-23T11:01:14.376Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.224.7" - ], - "mac": [ - "02-42-C0-A8-E0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=", - "direction": "unknown", - "protocol": "tls", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.1.35", - "93.184.216.34" - ] - }, - "server": { - "domain": "example.net", - "ip": "93.184.216.34", - "port": 443 - }, - "source": { - "ip": "192.168.1.35", - "port": 59455 - }, - "status": "OK", - "tls": { - "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "client": { - "ja3": "e6573e91e6eb777c0933c5b8f97f10cd", - "server_name": "example.net", - "supported_ciphers": [ - 
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "(unknown:0xff85)", - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", - "TLS_GOSTR341001_WITH_28147_CNT_IMIT", - "TLS_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_256_CBC_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" - ] - }, - "detailed": { - "client_certificate_requested": false, - "client_hello": { - "extensions": { - "application_layer_protocol_negotiation": [ - "h2", - "http/1.1" - ], - "ec_points_formats": [ - "uncompressed" - ], - "server_name_indication": [ - "example.net" - ], - 
"signature_algorithms": [ - "rsa_pkcs1_sha512", - "ecdsa_secp521r1_sha512", - "(unknown:0xefef)", - "rsa_pkcs1_sha384", - "ecdsa_secp384r1_sha384", - "rsa_pkcs1_sha256", - "ecdsa_secp256r1_sha256", - "(unknown:0xeeee)", - "(unknown:0xeded)", - "(unknown:0x0301)", - "(unknown:0x0303)", - "rsa_pkcs1_sha1", - "ecdsa_sha1" - ], - "supported_groups": [ - "x25519", - "secp256r1", - "secp384r1" - ] - }, - "random": "d7c809b4ac3a60b62f53c9d9366ca89a703d25491ff2a246a89f32f945f7b42b", - "supported_compression_methods": [ - "NULL" - ], - "version": "3.3" - }, - "server_certificate_chain": [ - { - "issuer": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "not_after": "2023-03-08T12:00:00.000Z", - "not_before": "2013-03-08T12:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "2646203786665923649276728595390119057", - "signature_algorithm": "SHA256-RSA", - "subject": { - "common_name": "DigiCert SHA2 Secure Server CA", - "country": "US", - "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc" - }, - "version_number": 3 - }, - { - "issuer": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "not_after": "2031-11-10T00:00:00.000Z", - "not_before": "2006-11-10T00:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "10944719598952040374951832963794454346", - "signature_algorithm": "SHA1-RSA", - "subject": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - 
"organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "version_number": 3 - } - ], - "server_hello": { - "extensions": { - "_unparsed_": [ - "renegotiation_info", - "server_name_indication" - ], - "application_layer_protocol_negotiation": [ - "h2" - ], - "ec_points_formats": [ - "uncompressed", - "ansiX962_compressed_prime", - "ansiX962_compressed_char2" - ] - }, - "random": "d1fd553a5a270f08e09eda6690fb3c8f9884e9a9fe7949e9444f574e47524401", - "selected_compression_method": "NULL", - "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f", - "version": "3.3" - }, - "version": "TLS 1.2" - }, - "established": true, - "next_protocol": "h2", - "resumed": false, - "server": { - "hash": { - "sha1": "7BB698386970363D2919CC5772846984FFD4A889" - }, - "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "not_after": "2020-12-02T12:00:00.000Z", - "not_before": "2018-11-28T00:00:00.000Z", - "subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", - "x509": { - "alternative_names": [ - "www.example.org", - "example.com", - "example.edu", - "example.net", - "example.org", - "www.example.com", - "www.example.edu", - "www.example.net" - ], - "issuer": { - "common_name": "DigiCert SHA2 Secure Server CA", - "country": "US", - "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc" - }, - "not_after": "2020-12-02T12:00:00.000Z", - "not_before": "2018-11-28T00:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "21020869104500376438182461249190639870", - "signature_algorithm": "SHA256-RSA", - "subject": { - "common_name": "www.example.org", - "country": "US", - "distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", - "locality": "Los Angeles", - 
"organization": "Internet Corporation for Assigned Names and Numbers", - "organizational_unit": "Technology", - "state_or_province": "California" - }, - "version_number": "3" - } - }, - "version": "1.2", - "version_protocol": "tls" - }, - "type": "tls" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/docs/README.md b/packages/network_traffic/1.0.2/docs/README.md deleted file mode 100755 index ce006deddc..0000000000 --- a/packages/network_traffic/1.0.2/docs/README.md +++ /dev/null 
@@ -1,4066 +0,0 @@ -# Network Packet Capture Integration - -This integration sniffs network packets on a host and dissects -known protocols. - -## Network Flows - -Overall flow information about the network connections on a -host. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -## Protocols - -### AMQP - -Fields published for AMQP packets. 
- -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| amqp.app-id | Creating application id. | keyword | -| amqp.arguments | Optional additional arguments passed to some methods. Can be of various types. | object | -| amqp.auto-delete | If set, auto-delete queue when unused. | boolean | -| amqp.class-id | Failing method class. | long | -| amqp.consumer-count | The number of consumers of a queue. | long | -| amqp.consumer-tag | Identifier for the consumer, valid within the current channel. | keyword | -| amqp.content-encoding | MIME content encoding. | keyword | -| amqp.content-type | MIME content type. | keyword | -| amqp.correlation-id | Application correlation identifier. | keyword | -| amqp.delivery-mode | Non-persistent (1) or persistent (2). | keyword | -| amqp.delivery-tag | The server-assigned and channel-specific delivery tag. | long | -| amqp.durable | If set, request a durable exchange/queue. | boolean | -| amqp.exchange | Name of the exchange. | keyword | -| amqp.exchange-type | Exchange type. | keyword | -| amqp.exclusive | If set, request an exclusive queue. | boolean | -| amqp.expiration | Message expiration specification. | keyword | -| amqp.headers | Message header field table. | object | -| amqp.if-empty | Delete only if empty. | boolean | -| amqp.if-unused | Delete only if unused. | boolean | -| amqp.immediate | Request immediate delivery. | boolean | -| amqp.mandatory | Indicates mandatory routing. | boolean | -| amqp.message-count | The number of messages in the queue, which will be zero for newly-declared queues. | long | -| amqp.message-id | Application message identifier. | keyword | -| amqp.method-id | Failing method ID. | long | -| amqp.multiple | Acknowledge multiple messages. | boolean | -| amqp.no-ack | If set, the server does not expect acknowledgements for messages. 
| boolean | -| amqp.no-local | If set, the server will not send messages to the connection that published them. | boolean | -| amqp.no-wait | If set, the server will not respond to the method. | boolean | -| amqp.passive | If set, do not create exchange/queue. | boolean | -| amqp.priority | Message priority, 0 to 9. | long | -| amqp.queue | The queue name identifies the queue within the vhost. | keyword | -| amqp.redelivered | Indicates that the message has been previously delivered to this or another client. | boolean | -| amqp.reply-code | AMQP reply code to an error, similar to http reply-code | long | -| amqp.reply-text | Text explaining the error. | keyword | -| amqp.reply-to | Address to reply to. | keyword | -| amqp.routing-key | Message routing key. | keyword | -| amqp.timestamp | Message timestamp. | keyword | -| amqp.type | Message type name. | keyword | -| amqp.user-id | Creating user id. | keyword | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. 
This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. 
If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. 
| keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `amqp` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:37:02.033Z", - "agent": { - "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "amqp": { - "auto-delete": false, - "consumer-count": 0, - "durable": false, - "exclusive": false, - "message-count": 0, - "no-wait": false, - "passive": false, - "queue": "hello" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "data_stream": { - "dataset": "network_traffic.amqp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "amqp.queue.declare", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.amqp", - "duration": 1325900, - "end": "2022-03-09T07:37:02.035Z", - "ingested": "2022-03-09T07:37:03Z", - "kind": "event", - "start": "2022-03-09T07:37:02.033Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": 
"docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "status": "OK", - "type": "amqp" -} -``` - -### Cassandra - -Fields published for Apache Cassandra packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cassandra.no_request | Indicates that there is no request because this is a PUSH message. | boolean | -| cassandra.request.headers.flags | Flags applying to this frame. | keyword | -| cassandra.request.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long | -| cassandra.request.headers.op | An operation type that distinguishes the actual message. | keyword | -| cassandra.request.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword | -| cassandra.request.headers.version | The version of the protocol. | keyword | -| cassandra.request.query | The CQL query which client send to cassandra. | keyword | -| cassandra.response.authentication.class | Indicates the full class name of the IAuthenticator in use | keyword | -| cassandra.response.error.code | The error code of the Cassandra response. 
| long | -| cassandra.response.error.details.alive | Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). | long | -| cassandra.response.error.details.arg_types | One string for each argument type (as CQL type) of the failed function. | keyword | -| cassandra.response.error.details.blockfor | Representing the number of replicas whose acknowledgement is required to achieve consistency level. | long | -| cassandra.response.error.details.data_present | It means the replica that was asked for data had responded. | boolean | -| cassandra.response.error.details.function | The name of the failed function. | keyword | -| cassandra.response.error.details.keyspace | The keyspace of the failed function. | keyword | -| cassandra.response.error.details.num_failures | Representing the number of nodes that experience a failure while executing the request. | keyword | -| cassandra.response.error.details.read_consistency | Representing the consistency level of the query that triggered the exception. | keyword | -| cassandra.response.error.details.received | Representing the number of nodes having acknowledged the request. | long | -| cassandra.response.error.details.required | Representing the number of nodes that should be alive to respect consistency level. | long | -| cassandra.response.error.details.stmt_id | Representing the unknown ID. | keyword | -| cassandra.response.error.details.table | The keyspace of the failed function. | keyword | -| cassandra.response.error.details.write_type | Describe the type of the write that timed out. | keyword | -| cassandra.response.error.msg | The error message of the Cassandra response. | keyword | -| cassandra.response.error.type | The error type of the Cassandra response. | keyword | -| cassandra.response.event.change | The message corresponding respectively to the type of change followed by the address of the new/removed node. 
| keyword | -| cassandra.response.event.host | Representing the node ip. | keyword | -| cassandra.response.event.port | Representing the node port. | long | -| cassandra.response.event.schema_change.args | One string for each argument type (as CQL type). | keyword | -| cassandra.response.event.schema_change.change | Representing the type of changed involved. | keyword | -| cassandra.response.event.schema_change.keyspace | This describes which keyspace has changed. | keyword | -| cassandra.response.event.schema_change.name | The function/aggregate name. | keyword | -| cassandra.response.event.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword | -| cassandra.response.event.schema_change.table | This describes which table has changed. | keyword | -| cassandra.response.event.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword | -| cassandra.response.event.type | Representing the event type. | keyword | -| cassandra.response.headers.flags | Flags applying to this frame. | keyword | -| cassandra.response.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long | -| cassandra.response.headers.op | An operation type that distinguishes the actual message. | keyword | -| cassandra.response.headers.stream | A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword | -| cassandra.response.headers.version | The version of the protocol. | keyword | -| cassandra.response.result.keyspace | Indicating the name of the keyspace that has been set. | keyword | -| cassandra.response.result.prepared.prepared_id | Representing the prepared query ID. 
| keyword | -| cassandra.response.result.prepared.req_meta.col_count | Representing the number of columns selected by the query that produced this result. | long | -| cassandra.response.result.prepared.req_meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.prepared.req_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.prepared.req_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.prepared.req_meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.prepared.req_meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.prepared.resp_meta.col_count | Representing the number of columns selected by the query that produced this result. | long | -| cassandra.response.result.prepared.resp_meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.prepared.resp_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.prepared.resp_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.prepared.resp_meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.prepared.resp_meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.rows.meta.col_count | Representing the number of columns selected by the query that produced this result. 
| long | -| cassandra.response.result.rows.meta.flags | Provides information on the formatting of the remaining information. | keyword | -| cassandra.response.result.rows.meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword | -| cassandra.response.result.rows.meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword | -| cassandra.response.result.rows.meta.pkey_columns | Representing the PK columns index and counts. | long | -| cassandra.response.result.rows.meta.table | Only present after set Global_tables_spec, the table name. | keyword | -| cassandra.response.result.rows.num_rows | Representing the number of rows present in this result. | long | -| cassandra.response.result.schema_change.args | One string for each argument type (as CQL type). | keyword | -| cassandra.response.result.schema_change.change | Representing the type of changed involved. | keyword | -| cassandra.response.result.schema_change.keyspace | This describes which keyspace has changed. | keyword | -| cassandra.response.result.schema_change.name | The function/aggregate name. | keyword | -| cassandra.response.result.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword | -| cassandra.response.result.schema_change.table | This describes which table has changed. | keyword | -| cassandra.response.result.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword | -| cassandra.response.result.type | Cassandra result type. | keyword | -| cassandra.response.supported | Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. | flattened | -| cassandra.response.warnings | The text of the warnings, only occur when Warning flag was set. 
| keyword | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. 
| long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `cassandra` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:43:05.888Z", - "agent": { - "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "cassandra": { - "request": { - "headers": { - "flags": "Default", - "length": 98, - "op": "QUERY", - "stream": 49, - "version": "4" - }, - "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);" - }, - "response": { - "headers": { - "flags": "Default", - "length": 39, - "op": "RESULT", - "stream": 49, - "version": "4" - }, - "result": { - "schema_change": { - "change": "CREATED", - "keyspace": "mykeyspace", - "object": "users", - "target": "TABLE" - }, - "type": "schemaChanged" - } - } - }, - "client": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "data_stream": { - "dataset": "network_traffic.cassandra", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.cassandra", - "duration": 131589500, - "end": "2022-03-09T07:43:06.019Z", - "ingested": "2022-03-09T07:43:09Z", - "kind": "event", - "start": "2022-03-09T07:43:05.888Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, 
- "network": { - "bytes": 155, - "community_id": "1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=", - "direction": "ingress", - "protocol": "cassandra", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 48, - "ip": "127.0.0.1", - "port": 9042 - }, - "source": { - "bytes": 107, - "ip": "127.0.0.1", - "port": 52749 - }, - "status": "OK", - "type": "cassandra" -} -``` - -### DHCP - -Fields published for DHCPv4 packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dhcpv4.assigned_ip | The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address. | ip | -| dhcpv4.client_ip | The current IP address of the client. | ip | -| dhcpv4.client_mac | The client's MAC address (layer two). | keyword | -| dhcpv4.flags | Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast. | keyword | -| dhcpv4.hardware_type | The type of hardware used for the local network (Ethernet, LocalTalk, etc). | keyword | -| dhcpv4.hops | The number of hops the DHCP message went through. | long | -| dhcpv4.op_code | The message op code (bootrequest or bootreply). | keyword | -| dhcpv4.option.boot_file_name | This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. | keyword | -| dhcpv4.option.broadcast_address | This option specifies the broadcast address in use on the client's subnet. | ip | -| dhcpv4.option.class_identifier | This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. 
For example, the identifier may encode the client's hardware configuration. | keyword | -| dhcpv4.option.dns_servers | The domain name server option specifies a list of Domain Name System servers available to the client. | ip | -| dhcpv4.option.domain_name | This option specifies the domain name that client should use when resolving hostnames via the Domain Name System. | keyword | -| dhcpv4.option.hostname | This option specifies the name of the client. | keyword | -| dhcpv4.option.ip_address_lease_time_sec | This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. | long | -| dhcpv4.option.max_dhcp_message_size | This option specifies the maximum length DHCP message that the client is willing to accept. | long | -| dhcpv4.option.message | This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters. | text | -| dhcpv4.option.message_type | The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform). | keyword | -| dhcpv4.option.ntp_servers | This option specifies a list of IP addresses indicating NTP servers available to the client. | ip | -| dhcpv4.option.parameter_request_list | This option is used by a DHCP client to request values for specified configuration parameters. | keyword | -| dhcpv4.option.rebinding_time_sec | This option specifies the time interval from address assignment until the client transitions to the REBINDING state. | long | -| dhcpv4.option.renewal_time_sec | This option specifies the time interval from address assignment until the client transitions to the RENEWING state. 
| long | -| dhcpv4.option.requested_ip_address | This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned. | ip | -| dhcpv4.option.router | The router option specifies a list of IP addresses for routers on the client's subnet. | ip | -| dhcpv4.option.server_identifier | IP address of the individual DHCP server which handled this message. | ip | -| dhcpv4.option.subnet_mask | The subnet mask that the client should use on the currnet network. | ip | -| dhcpv4.option.time_servers | The time server option specifies a list of RFC 868 time servers available to the client. | ip | -| dhcpv4.option.utc_time_offset_sec | The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). | long | -| dhcpv4.option.vendor_identifying_options | A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925. | object | -| dhcpv4.relay_ip | The relay IP address used by the client to contact the server (i.e. a DHCP relay server). | ip | -| dhcpv4.seconds | Number of seconds elapsed since client began address acquisition or renewal process. | long | -| dhcpv4.server_ip | The IP address of the DHCP server that the client should use for the next step in the bootstrap process. | ip | -| dhcpv4.server_name | The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages. | keyword | -| dhcpv4.transaction_id | Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. 
For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `dhcpv4` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:43:52.712Z", - "agent": { - "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "data_stream": { - "dataset": "network_traffic.dhcpv4", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "255.255.255.255", - "port": 67 - }, - "dhcpv4": { - "client_mac": "00-0B-82-01-FC-42", - "flags": "unicast", - "hardware_type": "Ethernet", - "hops": 0, - "op_code": "bootrequest", - "option": { - "message_type": "discover", - "parameter_request_list": [ - "Subnet Mask", - "Router", - "Domain Name Server", - "NTP Servers" - ], - "requested_ip_address": "0.0.0.0" - }, - "seconds": 0, - "transaction_id": "0x00003d1d" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dhcpv4", - "ingested": "2022-03-09T07:43:53Z", - "kind": "event", - "start": "2022-03-09T07:43:52.712Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "network": { - "bytes": 272, - "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", - "direction": "unknown", - "protocol": "dhcpv4", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "0.0.0.0", - 
"255.255.255.255" - ] - }, - "server": { - "ip": "255.255.255.255", - "port": 67 - }, - "source": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "status": "OK", - "type": "dhcpv4" -} -``` - -### DNS - -Fields published for DNS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| dns.additionals | An array containing a dictionary for each additional section from the answer. | object | -| dns.additionals.class | The class of DNS data contained in this resource record. | keyword | -| dns.additionals.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.additionals.name | The domain name to which this resource record pertains. | keyword | -| dns.additionals.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.additionals.type | The type of data contained in this resource record. | keyword | -| dns.additionals_count | The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. | long | -| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. 
| object | -| dns.answers.class | The class of DNS data contained in this resource record. | keyword | -| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | -| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | -| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | -| dns.answers.type | The type of data contained in this resource record. | keyword | -| dns.answers_count | The number of resource records contained in the `dns.answers` field. | long | -| dns.authorities | An array containing a dictionary for each authority section from the answer. | object | -| dns.authorities.class | The class of DNS data contained in this resource record. | keyword | -| dns.authorities.name | The domain name to which this resource record pertains. | keyword | -| dns.authorities.type | The type of data contained in this resource record. | keyword | -| dns.authorities_count | The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. | long | -| dns.flags.authentic_data | A DNS flag specifying that the recursive server considers the response authentic. | boolean | -| dns.flags.authoritative | A DNS flag specifying that the responding server is an authority for the domain name used in the question. | boolean | -| dns.flags.checking_disabled | A DNS flag specifying that the client disables the server signature validation of the query. 
| boolean | -| dns.flags.recursion_available | A DNS flag specifying whether recursive query support is available in the name server. | boolean | -| dns.flags.recursion_desired | A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. | boolean | -| dns.flags.truncated_response | A DNS flag specifying that only the first 512 bytes of the reply were returned. | boolean | -| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | -| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | -| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword | -| dns.opt.do | If set, the transaction uses DNSSEC. | boolean | -| dns.opt.ext_rcode | Extended response code field. | keyword | -| dns.opt.udp_size | Requestor's UDP payload size (in bytes). | long | -| dns.opt.version | The EDNS version. | keyword | -| dns.question.class | The class of records being queried. | keyword | -| dns.question.etld_plus_one | The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. | keyword | -| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | -| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | -| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | -| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | -| dns.question.type | The type of record being queried. | keyword | -| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | -| dns.response_code | The DNS response code. | keyword | -| dns.type | The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. 
For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `dns` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:48:42.751Z", - "agent": { - "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "data_stream": { - "dataset": "network_traffic.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "dns": { - "additionals_count": 0, - "answers": [ - { - "class": "IN", - "data": "ns-1183.awsdns-19.org", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-2007.awsdns-58.co.uk", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-66.awsdns-08.com", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - }, - { - "class": "IN", - "data": "ns-835.awsdns-40.net", - "name": "elastic.co", - "ttl": "21599", - "type": "NS" - } - ], - "answers_count": 4, - "authorities_count": 0, - "flags": { - "authentic_data": false, - "authoritative": false, - "checking_disabled": false, - "recursion_available": true, - "recursion_desired": true, - "truncated_response": false - }, - "header_flags": [ - "RD", - "RA" - ], - "id": 26187, - "op_code": "QUERY", - "question": { - "class": "IN", - "etld_plus_one": "elastic.co", - "name": "elastic.co", - "registered_domain": "elastic.co", - "top_level_domain": "co", - "type": "NS" - }, - "response_code": "NOERROR", - "type": "answer" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.dns", - "duration": 68515700, - "end": "2022-03-09T07:48:42.819Z", - "ingested": 
"2022-03-09T07:48:43Z", - "kind": "event", - "start": "2022-03-09T07:48:42.751Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "QUERY", - "network": { - "bytes": 195, - "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=", - "direction": "unknown", - "protocol": "dns", - "transport": "udp", - "type": "ipv4" - }, - "query": "class IN, type NS, elastic.co", - "related": { - "ip": [ - "192.168.238.68", - "8.8.8.8" - ] - }, - "resource": "elastic.co", - "server": { - "bytes": 167, - "ip": "8.8.8.8", - "port": 53 - }, - "source": { - "bytes": 28, - "ip": "192.168.238.68", - "port": 53765 - }, - "status": "OK", - "type": "dns" -} -``` - -### HTTP - -Fields published for HTTP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.headers | A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.bytes | Total size in bytes of the response (body and headers). | long | -| http.response.headers | A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened | -| http.response.status_code | HTTP response status code. | long | -| http.response.status_phrase | The HTTP status phrase. | keyword | -| http.version | HTTP version. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters.
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable.
| keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443.
| long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
- - An example event for `http` looks as following: - - ```json
-{
- "@timestamp": "2022-03-09T07:54:42.031Z",
- "agent": {
- "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "data_stream": {
- "dataset": "network_traffic.http",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.http",
- "duration": 141490400,
- "end": "2022-03-09T07:54:42.172Z",
- "ingested": "2022-03-09T07:54:43Z",
- "kind": "event",
- "start": "2022-03-09T07:54:42.031Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name":
"Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "http": {
- "request": {
- "body": {
- "bytes": 55
- },
- "bytes": 211,
- "headers": {
- "content-length": 55,
- "content-type": "application/x-www-form-urlencoded"
- },
- "method": "POST"
- },
- "response": {
- "body": {
- "bytes": 8936
- },
- "bytes": 9108,
- "headers": {
- "content-length": 8936,
- "content-type": "text/html; charset=utf-8"
- },
- "status_code": 404,
- "status_phrase": "not found"
- },
- "version": "1.1"
- },
- "method": "POST",
- "network": {
- "bytes": 9319,
- "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=",
- "direction": "unknown",
- "protocol": "http",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "POST /register",
- "related": {
- "hosts": [
- "packetbeat.com"
- ],
- "ip": [
- "192.168.238.50",
- "107.170.1.22"
- ]
- },
- "server": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "source": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "status": "Error",
- "type": "http",
- "url": {
- "domain": "packetbeat.com",
- "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica",
- "path": "/register",
- "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica",
- "scheme": "http"
- },
- "user_agent": {
- "original": "curl/7.37.1"
- }
-}
-```
-
-### ICMP
-
-Fields published for ICMP packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable.
| keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| icmp.request.code | The request code. | long |
-| icmp.request.message | A human readable form of the request. | keyword |
-| icmp.request.type | The request type. | long |
-| icmp.response.code | The response code. | long |
-| icmp.response.message | A human readable form of the response. | keyword |
-| icmp.response.type | The response type. | long |
-| icmp.version | The version of the ICMP protocol. | long |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic.
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
| keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
| keyword | - - -An example event for `icmp` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:57:32.766Z", - "agent": { - "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 4, - "ip": "::1" - }, - "data_stream": { - "dataset": "network_traffic.icmp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 4, - "ip": "::2" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.icmp", - "duration": 13336600, - "end": "2022-03-09T07:57:32.779Z", - "ingested": "2022-03-09T07:57:36Z", - "kind": "event", - "start": "2022-03-09T07:57:32.766Z", - "type": [ - "connection" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "icmp": { - "request": { - "code": 0, - "message": "EchoRequest", - "type": 128 - }, - "response": { - "code": 0, - "message": "EchoReply", - "type": 129 - }, - "version": 6 - }, - "network": { - "bytes": 8, - "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=", - "direction": "egress", - "transport": "ipv6-icmp", - "type": "ipv6" - }, - "path": "::2", - "related": { - "ip": [ - "::1", - "::2" - ] - }, - "server": { - "bytes": 4, - "ip": "::2" - }, - "source": { - "bytes": 4, - "ip": "::1" - }, - "status": "OK", - "type": "icmp" -} -``` - -### Memcached - -Fields published for Memcached packets. 
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type.
| constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed.
| date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array.
This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows).
| keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| memcache.protocol_type | The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. | keyword |
-| memcache.request.automove | The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. | keyword |
-| memcache.request.bytes | The byte count of the values being transferred. | long |
-| memcache.request.cas_unique | The CAS (compare-and-swap) identifier if present. | long |
-| memcache.request.command | The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. | keyword |
-| memcache.request.count_values | The number of values found in the memcache request message. If the command does not send any data, this field is missing. | long |
-| memcache.request.delta | The counter increment/decrement delta value. | long |
-| memcache.request.dest_class | The destination class id in 'slab reassign' command. | long |
-| memcache.request.exptime | The data expiry time in seconds sent with the memcache command (if present). If the value is `\< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). | long |
-| memcache.request.flags | The memcache command flags sent in the request (if present). | long |
-| memcache.request.initial | The counter increment/decrement initial value parameter (binary protocol only). | long |
-| memcache.request.keys | The list of keys sent in the store or load commands.
| array | -| memcache.request.line | The raw command line for unknown commands ONLY. | keyword | -| memcache.request.noreply | Set to true if noreply was set in the request. The `memcache.response` field will be missing. | boolean | -| memcache.request.opaque | The binary protocol opaque header value used for correlating request with response messages. | long | -| memcache.request.opcode | The binary protocol message opcode name. | keyword | -| memcache.request.opcode_value | The binary protocol message opcode value. | long | -| memcache.request.quiet | Set to true if the binary protocol message is to be treated as a quiet message. | boolean | -| memcache.request.raw_args | The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. | keyword | -| memcache.request.sleep_us | The sleep setting in microseconds for the 'lru_crawler sleep' command. | long | -| memcache.request.source_class | The source class id in 'slab reassign' command. | long | -| memcache.request.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". | keyword | -| memcache.request.values | The list of base64 encoded values sent with the request (if present). | array | -| memcache.request.vbucket | The vbucket index sent in the binary message. | long | -| memcache.request.verbosity | The value of the memcache "verbosity" command. | long | -| memcache.response.bytes | The byte count of the values being transferred. | long | -| memcache.response.cas_unique | The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). | long | -| memcache.response.command | Either the text based protocol response message type or the name of the originating request if binary protocol is used. | keyword | -| memcache.response.count_values | The number of values found in the memcache response message. 
If the command does not send any data, this field is missing. | long | -| memcache.response.error_msg | The optional error message in the memcache response (text based protocol only). | keyword | -| memcache.response.flags | The memcache message flags sent in the response (if present). | long | -| memcache.response.keys | The list of keys returned for the load command (if present). | array | -| memcache.response.opaque | The binary protocol opaque header value used for correlating request with response messages. | long | -| memcache.response.opcode | The binary protocol message opcode name. | keyword | -| memcache.response.opcode_value | The binary protocol message opcode value. | long | -| memcache.response.stats | The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". | array | -| memcache.response.status | The textual representation of the response error code (binary protocol only). | keyword | -| memcache.response.status_code | The status code value returned in the response (binary protocol only). | long | -| memcache.response.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). | keyword | -| memcache.response.value | The counter value returned by a counter operation. | long | -| memcache.response.values | The list of base64 encoded values sent with the response (if present). | array | -| memcache.response.version | The returned memcache version string. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. 
For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). 
| ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `memcached` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:09:26.564Z", - "agent": { - "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "ip": "192.168.188.37", - "port": 65195 - }, - "data_stream": { - "dataset": "network_traffic.memcached", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.memcached", - "ingested": "2022-03-09T08:09:37Z", - "kind": "event", - "start": "2022-03-09T08:09:26.564Z", - "type": [ - "connection", - "protocol" - ] - }, - "event.action": "memcache.store", - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "memcache": { - "protocol_type": "binary", - "request": { - "bytes": 1024, - "command": "set", - "count_values": 1, - "exptime": 0, - "flags": 0, - "keys": [ - "test_key" - ], - "opaque": 65536, - "opcode": "SetQ", - 
"opcode_value": 17, - "quiet": true, - "type": "Store", - "vbucket": 0 - } - }, - "network": { - "bytes": 1064, - "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=", - "direction": "unknown", - "protocol": "memcache", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.188.37", - "192.168.188.38" - ] - }, - "server": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 - }, - "source": { - "ip": "192.168.188.37", - "port": 65195 - }, - "status": "OK", - "type": "memcache" -} -``` - -### MongoDB - -Fields published for MongoDB packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. 
| keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. 
| keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. 
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. 
| keyword | -| mongodb.error | If the MongoDB request has resulted in an error, this field contains the error message returned by the server. | keyword | -| mongodb.fullCollectionName | The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. | keyword | -| mongodb.numberReturned | The number of documents in the reply. | long | -| mongodb.numberToReturn | The requested maximum number of documents to be returned. | long | -| mongodb.numberToSkip | Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. | long | -| mongodb.query | A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. | keyword | -| mongodb.returnFieldsSelector | A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. | keyword | -| mongodb.selector | A BSON document that specifies the query for selecting the document to update or delete. | keyword | -| mongodb.startingFrom | Where in the cursor this reply is starting. | keyword | -| mongodb.update | A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. 
This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. 
| keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. 
| keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `mongodb` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:15:48.570Z", - "agent": { - "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "data_stream": { - "dataset": "network_traffic.mongodb", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mongodb", - "duration": 1365900, - "end": "2022-03-09T08:15:48.571Z", - "ingested": "2022-03-09T08:15:49Z", - "kind": "event", - "start": "2022-03-09T08:15:48.570Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "find", - "mongodb": { - "cursorId": 0, - "fullCollectionName": "test.restaurants", - "numberReturned": 1, - "numberToReturn": 1, - "numberToSkip": 0, - "startingFrom": 0 - }, - "network": { - "bytes": 564, - "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=", - "direction": "ingress", - "protocol": "mongodb", - "transport": "tcp", - "type": "ipv4" - }, - "query": "test.restaurants.find().limit(1)", - 
"related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "test.restaurants", - "server": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "source": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "status": "OK", - "type": "mongodb" -} -``` - -### MySQL - -Fields published for MySQL packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. 
| keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. 
| long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| mysql.affected_rows | If the MySQL command is successful, this field contains the affected number of rows of the last statement. | long | -| mysql.error_code | The error code returned by MySQL. | long | -| mysql.error_message | The error info message returned by MySQL. 
| keyword | -| mysql.insert_id | If the INSERT query is successful, this field contains the id of the newly inserted row. | keyword | -| mysql.num_fields | If the SELECT query is successful, this field is set to the number of fields returned. | long | -| mysql.num_rows | If the SELECT query is successful, this field is set to the number of rows returned. | long | -| mysql.query | The row mysql query as read from the transaction's request. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. 
| keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. 
| keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `mysql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:20:44.667Z", - "agent": { - "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "data_stream": { - "dataset": "network_traffic.mysql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mysql", - "duration": 5532500, - "end": "2022-03-09T08:20:44.673Z", - "ingested": "2022-03-09T08:20:45Z", - "kind": "event", - "start": "2022-03-09T08:20:44.667Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": 
{ - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "mysql": { - "affected_rows": 0, - "insert_id": 0, - "num_fields": 3, - "num_rows": 15 - }, - "network": { - "bytes": 3652, - "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", - "direction": "ingress", - "protocol": "mysql", - "transport": "tcp", - "type": "ipv4" - }, - "path": "test.test", - "query": "select * from test", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "source": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "status": "OK", - "type": "mysql" -} -``` - -### NFS - -Fields published for NFS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| nfs.minor_version | NFS protocol minor version number. | long | -| nfs.opcode | NFS operation name, or main operation name, in case of COMPOUND calls. | keyword | -| nfs.status | NFS operation reply status. | keyword | -| nfs.tag | NFS v4 COMPOUND operation tag. | keyword | -| nfs.version | NFS protocol version number. | long | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). 
For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| rpc.auth_flavor | RPC authentication flavor. | keyword | -| rpc.cred.gid | RPC caller's group id, in case of auth-unix. | long | -| rpc.cred.gids | RPC caller's secondary group ids, in case of auth-unix. | long | -| rpc.cred.machinename | The name of the caller's machine. | keyword | -| rpc.cred.stamp | Arbitrary ID which the caller machine may generate. | long | -| rpc.cred.uid | RPC caller's user id, in case of auth-unix. | long | -| rpc.status | RPC message reply status. | keyword | -| rpc.xid | RPC message transaction identifier. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. 
| long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| user.id | Unique identifier of the user. | keyword | - - -An example event for `nfs` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:24:00.569Z", - "agent": { - "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "data_stream": { - "dataset": "network_traffic.nfs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "nfs.CLOSE", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.nfs", - "duration": 6573500, - "end": "2022-03-09T08:24:00.575Z", - "ingested": "2022-03-09T08:24:01Z", - "kind": "event", - "start": "2022-03-09T08:24:00.569Z", - "type": [ - "connection", - "protocol" - ] - }, - "group.id": 48, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "host.hostname": "desycloud03.desy.de", - "network": { - "bytes": 384, - "community_id": 
"1:cd5eLXemAsSPMdXwCbdDUWWud4M=", - "direction": "unknown", - "protocol": "nfsv4", - "transport": "tcp", - "type": "ipv4" - }, - "nfs": { - "minor_version": 1, - "opcode": "CLOSE", - "status": "NFS_OK", - "tag": "", - "version": 4 - }, - "related": { - "ip": [ - "131.169.5.156", - "131.169.192.35" - ] - }, - "rpc": { - "auth_flavor": "unix", - "cred": { - "gid": 48, - "gids": [ - 48 - ], - "machinename": "desycloud03.desy.de", - "stamp": 4308441, - "uid": 48 - }, - "status": "success", - "xid": "c3103fc1" - }, - "server": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "source": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "status": "OK", - "type": "nfs", - "user.id": 48 -} -``` - -### PostgreSQL - -Fields published for PostgreSQL packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. 
access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. 
In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| pgsql.error_code | The PostgreSQL error code. | keyword | -| pgsql.error_message | The PostgreSQL error message. | keyword | -| pgsql.error_severity | The PostgreSQL error severity. | keyword | -| pgsql.num_fields | If the SELECT query if successful, this field is set to the number of fields returned. | long | -| pgsql.num_rows | If the SELECT query if successful, this field is set to the number of rows returned. | long | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. 
| long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `pgsql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:29:39.675Z", - "agent": { - "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "data_stream": { - "dataset": "network_traffic.pgsql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.pgsql", - "duration": 2568100, - "end": "2022-03-09T08:29:39.678Z", - "ingested": "2022-03-09T08:29:40Z", - "kind": "event", - "start": "2022-03-09T08:29:39.675Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - 
"architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "network": { - "bytes": 3220, - "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=", - "direction": "ingress", - "protocol": "pgsql", - "transport": "tcp", - "type": "ipv4" - }, - "pgsql": { - "num_fields": 3, - "num_rows": 15 - }, - "query": "select * from long_response", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "source": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "status": "OK", - "type": "pgsql" -} -``` - -### Redis - -Fields published for Redis packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. 
| keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. 
For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| redis.error | If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. | keyword |
-| redis.return_value | The return value of the Redis command in a human readable format. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. 
The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `redis` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:30:57.254Z", - "agent": { - "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "data_stream": { - "dataset": "network_traffic.redis", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "redis.set", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.redis", - "duration": 1421600, - "end": "2022-03-09T08:30:57.256Z", - "ingested": "2022-03-09T08:30:58Z", - "kind": "event", - "start": "2022-03-09T08:30:57.254Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SET", - "network": { - "bytes": 36, - "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=", - "direction": "ingress", - "protocol": "redis", - "transport": "tcp", - "type": "ipv4" - }, - "query": "set key3 me", - "redis": { - "return_value": "OK" - }, - "related": { - "ip": [ - 
"127.0.0.1" - ] - }, - "resource": "key3", - "server": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "source": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "status": "OK", - "type": "redis" -} -``` - -### SIP - -Fields published for SIP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. 
| keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. 
Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. 
| boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). 
| keyword |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. 
This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. 
The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| sip.accept | Accept header value. | keyword |
-| sip.allow | Allowed methods. | keyword |
-| sip.auth.realm | Auth realm | keyword |
-| sip.auth.scheme | Auth scheme | keyword |
-| sip.auth.uri.host | Auth URI host | keyword |
-| sip.auth.uri.original | Auth original URI | keyword |
-| sip.auth.uri.original.text | Multi-field of `sip.auth.uri.original`. | text |
-| sip.auth.uri.port | Auth URI port | long |
-| sip.auth.uri.scheme | Auth URI scheme | keyword |
-| sip.call_id | Call ID. | keyword |
-| sip.code | Response status code. | long |
-| sip.contact.display_info | Contact display info | keyword |
-| sip.contact.expires | Contact expires | keyword |
-| sip.contact.line | Contact line | keyword |
-| sip.contact.q | Contact Q | keyword |
-| sip.contact.transport | Contact transport | keyword |
-| sip.contact.uri.host | Contact URI host | keyword |
-| sip.contact.uri.original | Contact original URI | keyword |
-| sip.contact.uri.original.text | Multi-field of `sip.contact.uri.original`. 
| text |
-| sip.contact.uri.port | Contact URI port | long |
-| sip.contact.uri.scheme | Contat URI scheme | keyword |
-| sip.contact.uri.username | Contact URI user name | keyword |
-| sip.content_length | | long |
-| sip.content_type | | keyword |
-| sip.cseq.code | Sequence code. | long |
-| sip.cseq.method | Sequence method. | keyword |
-| sip.from.display_info | From display info | keyword |
-| sip.from.tag | From tag | keyword |
-| sip.from.uri.host | From URI host | keyword |
-| sip.from.uri.original | From original URI | keyword |
-| sip.from.uri.original.text | Multi-field of `sip.from.uri.original`. | text |
-| sip.from.uri.port | From URI port | long |
-| sip.from.uri.scheme | From URI scheme | keyword |
-| sip.from.uri.username | From URI user name | keyword |
-| sip.max_forwards | | long |
-| sip.method | Request method. | keyword |
-| sip.private.uri.host | Private URI host. | keyword |
-| sip.private.uri.original | Private original URI. | keyword |
-| sip.private.uri.original.text | Multi-field of `sip.private.uri.original`. | text |
-| sip.private.uri.port | Private URI port. | long |
-| sip.private.uri.scheme | Private URI scheme. | keyword |
-| sip.private.uri.username | Private URI user name. | keyword |
-| sip.sdp.body.original | SDP original body | keyword |
-| sip.sdp.body.original.text | Multi-field of `sip.sdp.body.original`. | text |
-| sip.sdp.connection.address | SDP connection address | keyword |
-| sip.sdp.connection.info | SDP connection info | keyword |
-| sip.sdp.owner.ip | SDP owner IP | ip |
-| sip.sdp.owner.session_id | SDP owner session ID | keyword |
-| sip.sdp.owner.username | SDP owner user name | keyword |
-| sip.sdp.owner.version | SDP owner version | keyword |
-| sip.sdp.session.name | SDP session name | keyword |
-| sip.sdp.version | SDP version | keyword |
-| sip.status | Response status phrase. | keyword |
-| sip.supported | Supported methods. 
| keyword |
-| sip.to.display_info | To display info | keyword |
-| sip.to.tag | To tag | keyword |
-| sip.to.uri.host | To URI host | keyword |
-| sip.to.uri.original | To original URI | keyword |
-| sip.to.uri.original.text | Multi-field of `sip.to.uri.original`. | text |
-| sip.to.uri.port | To URI port | long |
-| sip.to.uri.scheme | To URI scheme | keyword |
-| sip.to.uri.username | To URI user name | keyword |
-| sip.type | Either request or response. | keyword |
-| sip.uri.host | The URI host. | keyword |
-| sip.uri.original | The original URI. | keyword |
-| sip.uri.original.text | Multi-field of `sip.uri.original`. | text |
-| sip.uri.port | The URI port. | long |
-| sip.uri.scheme | The URI scheme. | keyword |
-| sip.uri.username | The URI user name. | keyword |
-| sip.user_agent.original | | keyword |
-| sip.user_agent.original.text | Multi-field of `sip.user_agent.original`. | text |
-| sip.version | SIP protocol version. | keyword |
-| sip.via.original | The original Via value. | keyword |
-| sip.via.original.text | Multi-field of `sip.via.original`. | text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. 
| match_only_text |
-
-
-An example event for `sip` looks as following:
-
-```json
-{
- "@timestamp": "2022-05-13T07:10:35.715Z",
- "agent": {
- "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013",
- "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.2.0"
- },
- "client": {
- "ip": "10.0.2.20",
- "port": 5060
- },
- "data_stream": {
- "dataset": "network_traffic.sip",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "10.0.2.15",
- "port": 5060
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "action": "sip-invite",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.sip",
- "duration": 0,
- "end": "2022-05-13T07:10:35.715Z",
- "ingested": "2022-05-13T07:10:39Z",
- "kind": "event",
- "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n",
- "sequence": 1,
- "start": "2022-05-13T07:10:35.715Z",
- "type": [
- "info"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": false,
- "hostname": "docker-fleet-agent",
- "ip": [
- "172.31.0.7"
- ],
- "mac": [
- "02-42-AC-1F-00-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.104-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "network": {
- 
"application": "sip",
- "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=",
- "direction": "unknown",
- "iana_number": "17",
- "protocol": "sip",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "hosts": [
- "10.0.2.15",
- "10.0.2.20"
- ],
- "ip": [
- "10.0.2.20",
- "10.0.2.15"
- ],
- "user": [
- "test",
- "sipp"
- ]
- },
- "server": {
- "ip": "10.0.2.15",
- "port": 5060
- },
- "sip": {
- "call_id": "1-2187@10.0.2.20",
- "contact": {
- "display_info": "test",
- "uri": {
- "host": "10.0.2.15",
- "original": "sip:test@10.0.2.15:5060",
- "port": 5060,
- "scheme": "sip",
- "username": "test"
- }
- },
- "content_length": 123,
- "content_type": "application/sdp",
- "cseq": {
- "code": 1,
- "method": "INVITE"
- },
- "from": {
- "display_info": "DVI4/8000",
- "tag": "1",
- "uri": {
- "host": "10.0.2.20",
- "original": "sip:sipp@10.0.2.20:5060",
- "port": 5060,
- "scheme": "sip",
- "username": "sipp"
- }
- },
- "max_forwards": 70,
- "method": "INVITE",
- "sdp": {
- "body": {
- "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n"
- },
- "connection": {
- "address": "10.0.2.20",
- "info": "IN IP4 10.0.2.20"
- },
- "owner": {
- "ip": "10.0.2.20",
- "session_id": "42",
- "version": "42"
- },
- "version": "0"
- },
- "to": {
- "display_info": "test",
- "uri": {
- "host": "10.0.2.15",
- "original": "sip:test@10.0.2.15:5060",
- "port": 5060,
- "scheme": "sip",
- "username": "test"
- }
- },
- "type": "request",
- "uri": {
- "host": "10.0.2.15",
- "original": "sip:test@10.0.2.15:5060",
- "port": 5060,
- "scheme": "sip",
- "username": "test"
- },
- "version": "2.0",
- "via": {
- "original": [
- "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0"
- ]
- }
- },
- "source": {
- "ip": "10.0.2.20",
- "port": 5060
- },
- "status": "OK",
- "type": "sip"
-}
-```
-
-### Thrift
-
-Fields published for Thrift packets. 
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. 
| constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. 
| keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| thrift.exceptions | If the call resulted in exceptions, this field contains the exceptions in a human readable format. | keyword |
-| thrift.params | The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. | keyword |
-| thrift.return_value | The value returned by the Thrift-RPC call. This is encoded in a human readable format. 
| keyword |
-| thrift.service | The name of the Thrift-RPC service as defined in the IDL files. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `thrift` looks as following:
-
-```json
-{
- "@timestamp": "2022-05-23T10:59:35.668Z",
- "agent": {
- "ephemeral_id": "016dcea4-c82a-4499-9069-e4e0ff6d04ff",
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.2.0"
- },
- "client": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "data_stream": {
- "dataset": "network_traffic.thrift",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 9090
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.thrift",
- "duration": 1275700,
- "end": "2022-05-23T10:59:35.669Z",
- "ingested": "2022-05-23T10:59:36Z",
- "kind": "event",
- "start": "2022-05-23T10:59:35.668Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": false,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.224.7"
- ],
- "mac": [
- "02-42-C0-A8-E0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.104-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "method": "testByte",
- "network": {
- "bytes": 50,
- "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=",
- "direction": "ingress",
- "protocol": "thrift",
- "transport": "tcp",
- "type": "ipv4"
- },
- "path": "",
- "query": "testByte(1: 63)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 25,
- 
"ip": "127.0.0.1",
- "port": 9090
- },
- "source": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "status": "OK",
- "thrift": {
- "params": "(1: 63)",
- "return_value": "63"
- },
- "type": "thrift"
-}
-```
-
-### TLS
-
-Fields published for TLS packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. 
| keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
| long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. 
For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. 
| long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| tls.cipher | String indicating the cipher used during the current connection. | keyword | -| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword | -| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword | -| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword | -| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | -| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. 
| date | -| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date | -| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword | -| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword | -| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. | keyword | -| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.country | List of country (C) codes | keyword | -| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.locality | List of locality names (L) | keyword | -| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date | -| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
| keyword | -| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long | -| tls.client.x509.public_key_size | The size of the public key space in bits. | long | -| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.client.x509.subject.country | List of country (C) code | keyword | -| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| tls.client.x509.subject.locality | List of locality names (L) | keyword | -| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.client.x509.version_number | Version of x509 format. | keyword | -| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword | -| tls.detailed.alert_types | An array containing the TLS alert type for every alert received. | keyword | -| tls.detailed.client_certificate_chain | Chain of trust for the client certificate. | array | -| tls.detailed.client_certificate_requested | Whether the server has requested the client to authenticate itself using a client certificate. | boolean | -| tls.detailed.client_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. 
| keyword | -| tls.detailed.client_hello.extensions.application_layer_protocol_negotiation | List of application-layer protocols the client is willing to use. | keyword | -| tls.detailed.client_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. | keyword | -| tls.detailed.client_hello.extensions.server_name_indication | List of hostnames | keyword | -| tls.detailed.client_hello.extensions.session_ticket | Length of the session ticket, if provided, or an empty string to advertise support for tickets. | keyword | -| tls.detailed.client_hello.extensions.signature_algorithms | List of signature algorithms that may be use in digital signatures. | keyword | -| tls.detailed.client_hello.extensions.status_request.request_extensions | The number of certificate extensions for the request. | short | -| tls.detailed.client_hello.extensions.status_request.responder_id_list_length | The length of the list of trusted responders. | short | -| tls.detailed.client_hello.extensions.status_request.type | The type of the status request. Always "ocsp" if present. | keyword | -| tls.detailed.client_hello.extensions.supported_groups | List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. | keyword | -| tls.detailed.client_hello.extensions.supported_versions | List of TLS versions that the client is willing to use. | keyword | -| tls.detailed.client_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword | -| tls.detailed.client_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword | -| tls.detailed.client_hello.supported_compression_methods | The list of compression methods the client supports. 
See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml | keyword | -| tls.detailed.client_hello.version | The version of the TLS protocol by which the client wishes to communicate during this session. | keyword | -| tls.detailed.ocsp_response | The result of an OCSP request. | keyword | -| tls.detailed.resumption_method | If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. | keyword | -| tls.detailed.server_certificate_chain | Chain of trust for the server certificate. | array | -| tls.detailed.server_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. | keyword | -| tls.detailed.server_hello.extensions.application_layer_protocol_negotiation | Negotiated application layer protocol | keyword | -| tls.detailed.server_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. | keyword | -| tls.detailed.server_hello.extensions.session_ticket | Used to announce that a session ticket will be provided by the server. Always an empty string. | keyword | -| tls.detailed.server_hello.extensions.status_request.response | Whether a certificate status request response was made. | boolean | -| tls.detailed.server_hello.extensions.supported_versions | Negotiated TLS version to be used. | keyword | -| tls.detailed.server_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword | -| tls.detailed.server_hello.selected_compression_method | The compression method selected by the server from the list provided in the client hello. | keyword | -| tls.detailed.server_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword | -| tls.detailed.server_hello.version | The version of the TLS protocol that is used for this session. 
It is the highest version supported by the server not exceeding the version requested in the client hello. | keyword | -| tls.detailed.version | The version of the TLS protocol used. | keyword | -| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean | -| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword | -| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean | -| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword | -| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. | keyword | -| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword | -| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. 
| keyword | -| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | -| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date | -| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date | -| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword | -| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.country | List of country (C) codes | keyword | -| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.locality | List of locality names (L) | keyword | -| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | -| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date | -| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date | -| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | -| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword | -| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. 
| long | -| tls.server.x509.public_key_size | The size of the public key space in bits. | long | -| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | -| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword | -| tls.server.x509.subject.country | List of country (C) code | keyword | -| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | -| tls.server.x509.subject.locality | List of locality names (L) | keyword | -| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword | -| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | -| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | -| tls.server.x509.version_number | Version of x509 format. | keyword | -| tls.version | Numeric part of the version parsed from the original string. | keyword | -| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `tls` looks as following:
-
-```json
-{
- "@timestamp": "2022-05-23T11:01:14.376Z",
- "agent": {
- "ephemeral_id": "d7d5fdf6-998d-488e-bfb7-176a86d6860d",
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.2.0"
- },
- "client": {
- "ip": "192.168.1.35",
- "port": 59455
- },
- "data_stream": {
- "dataset": "network_traffic.tls",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "domain": "example.net",
- "ip": "93.184.216.34",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.tls",
- "duration": 365887700,
- "end": "2022-05-23T11:01:14.741Z",
- "ingested": "2022-05-23T11:01:17Z",
- "kind": "event",
- "start": "2022-05-23T11:01:14.376Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": false,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.224.7"
- ],
- "mac": [
- "02-42-C0-A8-E0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.104-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "network": {
- "community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=",
- "direction": "unknown",
- "protocol": "tls",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.1.35",
- "93.184.216.34"
- ]
- },
- "server": {
- "domain": "example.net",
- "ip": "93.184.216.34",
- "port": 443
- },
- "source": {
- "ip": "192.168.1.35",
- "port": 59455
- },
- "status": "OK",
- "tls": {
- "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "client": {
- "ja3": "e6573e91e6eb777c0933c5b8f97f10cd",
- "server_name": "example.net",
- "supported_ciphers": [
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "(unknown:0xff85)",
- "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
- "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
- "TLS_GOSTR341001_WITH_28147_CNT_IMIT",
- "TLS_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_RSA_WITH_AES_256_CBC_SHA",
- "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
- "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
- "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
- "TLS_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_RSA_WITH_AES_128_CBC_SHA",
- "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
- "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
- ]
- },
- "detailed": {
- "client_certificate_requested": false,
- "client_hello": {
- "extensions": {
- "application_layer_protocol_negotiation": [
- "h2",
- "http/1.1"
- ],
- "ec_points_formats": [
- "uncompressed"
- ],
- "server_name_indication": [
- "example.net"
- ],
- "signature_algorithms": [
- "rsa_pkcs1_sha512",
- "ecdsa_secp521r1_sha512",
- "(unknown:0xefef)",
- "rsa_pkcs1_sha384",
- "ecdsa_secp384r1_sha384",
- "rsa_pkcs1_sha256",
- "ecdsa_secp256r1_sha256",
- "(unknown:0xeeee)",
- "(unknown:0xeded)",
- "(unknown:0x0301)",
- "(unknown:0x0303)",
- "rsa_pkcs1_sha1",
- "ecdsa_sha1"
- ],
- "supported_groups": [
- "x25519",
- "secp256r1",
- "secp384r1"
- ]
- },
- "random": "d7c809b4ac3a60b62f53c9d9366ca89a703d25491ff2a246a89f32f945f7b42b",
- "supported_compression_methods": [
- "NULL"
- ],
- "version": "3.3"
- },
- "server_certificate_chain": [
- {
- "issuer": {
- "common_name": "DigiCert Global Root CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc",
- "organizational_unit": "www.digicert.com"
- },
- "not_after": "2023-03-08T12:00:00.000Z",
- "not_before": "2013-03-08T12:00:00.000Z",
- "public_key_algorithm": "RSA",
- "public_key_size": 2048,
- "serial_number": "2646203786665923649276728595390119057",
- "signature_algorithm": "SHA256-RSA",
- "subject": {
- "common_name": "DigiCert SHA2 Secure Server CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc"
- },
- "version_number": 3
- },
- {
- "issuer": {
- "common_name": "DigiCert Global Root CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc",
- "organizational_unit": "www.digicert.com"
- },
- "not_after": "2031-11-10T00:00:00.000Z",
- "not_before": "2006-11-10T00:00:00.000Z",
- "public_key_algorithm": "RSA",
- "public_key_size": 2048,
- "serial_number": "10944719598952040374951832963794454346",
- "signature_algorithm": "SHA1-RSA",
- "subject": {
- "common_name": "DigiCert Global Root CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc",
- "organizational_unit": "www.digicert.com"
- },
- "version_number": 3
- }
- ],
- "server_hello": {
- "extensions": {
- "_unparsed_": [
- "renegotiation_info",
- "server_name_indication"
- ],
- "application_layer_protocol_negotiation": [
- "h2"
- ],
- "ec_points_formats": [
- "uncompressed",
- "ansiX962_compressed_prime",
- "ansiX962_compressed_char2"
- ]
- },
- "random": "d1fd553a5a270f08e09eda6690fb3c8f9884e9a9fe7949e9444f574e47524401",
- "selected_compression_method": "NULL",
- "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f",
- "version": "3.3"
- },
- "version": "TLS 1.2"
- },
- "established": true,
- "next_protocol": "h2",
- "resumed": false,
- "server": {
- "hash": {
- "sha1": "7BB698386970363D2919CC5772846984FFD4A889"
- },
- "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
- "not_after": "2020-12-02T12:00:00.000Z",
- "not_before": "2018-11-28T00:00:00.000Z",
- "subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
- "x509": {
- "alternative_names": [
- "www.example.org",
- "example.com",
- "example.edu",
- "example.net",
- "example.org",
- "www.example.com",
- "www.example.edu",
- "www.example.net"
- ],
- "issuer": {
- "common_name": "DigiCert SHA2 Secure Server CA",
- "country": "US",
- "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
- "organization": "DigiCert Inc"
- },
- "not_after": "2020-12-02T12:00:00.000Z",
- "not_before": "2018-11-28T00:00:00.000Z",
- "public_key_algorithm": "RSA",
- "public_key_size": 2048,
- "serial_number": "21020869104500376438182461249190639870",
- "signature_algorithm": "SHA256-RSA",
- "subject": {
- "common_name": "www.example.org",
- "country": "US",
- "distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
- "locality": "Los Angeles",
- "organization": "Internet Corporation for Assigned Names and Numbers",
- "organizational_unit": "Technology",
- "state_or_province": "California"
- },
- "version_number": "3"
- }
- },
- "version": "1.2",
- "version_protocol": "tls"
- },
- "type": "tls"
-}
-```
-
-## Licensing for Windows Systems
-
-The Network Packet Capture Integration incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project").
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json
deleted file mode 100755
index 16f534dd5e..0000000000
--- a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "attributes": {
- "description": "Overview of DNS request and response metrics.",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
- },
- "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":13,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":11,\"x\":13,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]",
- "timeRestore": false,
- "title": "[Network Packet Capture] DNS Overview",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-65120940-1454-11e9-9de0-f98d1808db8e",
- "migrationVersion": {
- "dashboard": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-dns-query-summary",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "network_traffic-dns-request-status-over-time",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "network_traffic-dns-question-types",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "network_traffic-dns-top-10-questions",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "network_traffic-dns-response-codes",
- "name": "panel_4",
- "type": "visualization"
- },
- {
- "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e",
- "name": "panel_5",
- "type": "visualization"
- },
- {
- "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e",
- "name": "panel_6",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json
deleted file mode 100755
index 7562508a09..0000000000
--- a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "attributes": {
- "description": "DHCPv4 Overview",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}"
- },
- "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
- "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"3\",\"w\":11,\"x\":37,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"8\",\"w\":13,\"x\":24,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]",
- "timeRestore": false,
- "title": "[Network Packet Capture] DHCPv4",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb",
- "migrationVersion": {
- "dashboard": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb",
- "name": "1:panel_1",
- "type": "visualization"
- },
- {
- "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb",
- "name": "2:panel_2",
- "type": "visualization"
- },
- {
- "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb",
- "name": "3:panel_3",
- "type": "visualization"
- },
- {
- "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb",
- "name": "5:panel_5",
- "type": "search"
- },
- {
- "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb",
- "name": "6:panel_6",
- "type": "visualization"
- },
- {
- "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb",
- "name": "7:panel_7",
- "type": "visualization"
- },
- {
- "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb",
- "name": "8:panel_8",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-cassandra.json b/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-cassandra.json
deleted file mode 100755
index 489417c609..0000000000
--- a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-cassandra.json
+++ /dev/null
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":36,\"y\":8},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":12,\"x\":24,\"y\":8},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":12,\"x\":12,\"y\":8},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\
":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"cassandra.request.query\",\"cassandra.response.result.rows.meta.keyspace\",\"cassandra.response.result.rows.meta.table\",\"cassandra.response.result.rows.num_rows\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"search\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Cassandra", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-cassandra-responsekeyspace", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetype", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetime", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcount", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-ops", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountstackbytype", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsecountstackbytype", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountbytype", - "name": "17:panel_17", - "type": 
"visualization" - }, - { - "id": "network_traffic-cassandra-responsecountbytype", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-queryview", - "name": "20:panel_20", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-dashboard.json b/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-dashboard.json deleted file mode 100755 index c1dee3dfea..0000000000 --- a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-dashboard.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "Network Packet Capture overview dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"2\",\"w\":12,\"x\":36,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"
},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":12,\"x\":24,\"y\":20},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"3f5bc195-da9d-4ec8-a68f-896db321a54b\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"9638dc3f-f85a-4e68-8e14-25654df43f8e\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"client.geo.location\\\",\\\"id\\\":\\\"220c104b-34a8-4aa7-a3d6-7b56ad4d3b9e\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":2.4,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"agent.type:packetbeat\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerC
ontrol\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"[Network Packet Capture] Map 2\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":40.9799,\"maxLon\":90,\"minLat\":0,\"minLon\":-90},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":2.4},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"title\":\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\",\"type\":\"map\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dashboard", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-web-transactions", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-db-transactions", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-errors-count-over-time", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-errors-vs-successful-transactions", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-latency-histogram", - "name": "8:panel_8", - "type": "visualization" - 
}, - { - "id": "network_traffic-response-times-repartition", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "92e797bb-1975-4320-9d19-9b7f11e9e538:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-dns-unique-domains.json b/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-dns-unique-domains.json deleted file mode 100755 index d6f50f2545..0000000000 --- a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-dns-unique-domains.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "Detecting tunneling over DNS.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"NOT dns.question.type:PTR\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique Subdomain Count\":\"#EF843C\",\"Unique count of dns.question.name\":\"#E0752D\"},\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Tunneling", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-unique-domains", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-unique-fqdns-per-etld-1", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"network_traffic-bytes-transferred-per-domain", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-flows.json b/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-flows.json deleted file mode 100755 index 13b51d1106..0000000000 --- a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-flows.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"3\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":35,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Network Flows", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-top-hosts-creating-traffic", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-connections-over-time", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-top-hosts-receiving-traffic", - "name": "panel_3", - "type": "visualization" - }, - { - "id": 
"network_traffic-network-traffic-between-your-hosts", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-http.json b/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-http.json deleted file mode 100755 index 0699eb175a..0000000000 --- a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-http.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":36,\"x\":12,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] HTTP", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": 
"network_traffic-web-transactions", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes-evolution", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-total-number-of-http-transactions", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-http-codes-for-the-top-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-10-http-requests", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-mongodb-performance.json b/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-mongodb-performance.json deleted file mode 100755 index 76b41ed6ac..0000000000 --- a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-mongodb-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"6\",\"w\":32,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":35},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] MongoDB", - "version": 1 - }, - "coreMigrationVersion": 
"7.17.0", - "id": "network_traffic-mongodb-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-commands", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors-per-collection", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-in-slash-out-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-response-times-by-collection", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-slowest-mongodb-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-mysql-performance.json b/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-mysql-performance.json deleted file mode 100755 index 6e51b19d93..0000000000 --- a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-mysql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network 
Packet Capture] MySQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-methods", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-throughput", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-mysql-queries", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-mysql-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-response-times-percentiles", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-reads-vs-writes", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-nfs.json b/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-nfs.json deleted file mode 100755 index 2b9bfc8b82..0000000000 --- a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-nfs.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "NFSv3 and NFSv4 transactions over TCP.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":25,\"i\":\"1\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":10},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":30,\"i\"
:\"9\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"9\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"10\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_8\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] NFS", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-clients-pie-chart", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operations-area-chart", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-group-pie-chart", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-users-pie-chart", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-response-times", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-errors", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operation-table", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-bytes-in-slash-out", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-pgsql-performance.json b/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-pgsql-performance.json deleted file mode 100755 index 462ad7a8be..0000000000 --- a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-pgsql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Postgres database query performance.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - 
"timeRestore": false, - "title": "[Network Packet Capture] PgSQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-methods", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-response-times-percentiles", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-reads-vs-writes", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-pgsql-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-pgsql-queries", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-thrift-performance.json b/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-thrift-performance.json deleted file mode 100755 index fe50a1efbd..0000000000 --- a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-thrift-performance.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Thrift performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-performance", 
- "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-requests-per-minute", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-rpc-errors", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-thrift-rpc-methods", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-methods", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "name": "7:panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-tls-sessions.json b/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-tls-sessions.json deleted file mode 100755 index 876601f994..0000000000 --- a/packages/network_traffic/1.0.2/kibana/dashboard/network_traffic-tls-sessions.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "[Network Packet Capture] TLS Sessions", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"8\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":12,\"x\":12,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":12,\"x\":0,\"y\":16},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":40},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"12\",\"w\":12,\"x\":24,\"y\":28},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":12,\"x\":36,\"y\":28},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":12,\"x\":0,\"y\":28},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"ver
sion\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"19\",\"w\":36,\"x\":12,\"y\":16},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-tls-sessions", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "name": "12:panel_12", - 
"type": "visualization" - }, - { - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index afb21d2457..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 67be55b24a..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.ja3\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.ja3\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Fingerprint", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index 6d16385a7d..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] HTTP Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 438de0c09a..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"event.duration\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Handshake Latency", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index b2320634bf..0000000000 
--- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.server.x509.public_key_size\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.server.x509.public_key_size\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Server Public Key Size", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json deleted file mode 100755 index 7851d8f875..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.server_name\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.server_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Server Name Indication", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json deleted file mode 100755 index 44b4e814c2..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "columns": [ - "dhcpv4.transaction_id", - "dhcpv4.op_code", - "dhcpv4.option.message_type", - "source.ip", - "destination.ip", - "dhcpv4.client_mac", - "dhcpv4.option.hostname", - "dhcpv4.option.class_identifier" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json deleted file mode 100755 index 48114ab869..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.detailed.version\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.detailed.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Version", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-cassandra-queryview.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-cassandra-queryview.json deleted file mode 100755 index 4da4785f32..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-cassandra-queryview.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "cassandra.request.query", - "cassandra.response.result.rows.meta.keyspace", - "cassandra.response.result.rows.meta.table", - "cassandra.response.result.rows.num_rows" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cassandra.request.headers.op\",\"negate\":false,\"params\":{\"query\":\"QUERY\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"QUERY\"},\"query\":{\"match\":{\"cassandra.request.headers.op\":{\"query\":\"QUERY\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"cassandra.response.headers.op\",\"negate\":true,\"params\":{\"query\":\"ERROR\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ERROR\"},\"query\":{\"match\":{\"cassandra.response.headers.op\":{\"query\":\"ERROR\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Query Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-queryview", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json deleted file mode 100755 index e042ed47b0..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "server.ip", - "destination.ip", - "dns.question.name", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"dns\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"dns\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"dns\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DNS Protocol", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json deleted file mode 100755 index adda40afe3..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json deleted file mode 100755 index 54ccb16243..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":\"TLS sessions\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-flows-search.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-flows-search.json deleted file mode 100755 index 94bf5f31c0..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-flows-search.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "type", - "event.start", - "event.end", - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "source.bytes", - "destination.bytes" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.flow\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Flows Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json deleted file mode 100755 index f3f1e907c0..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb and request: \\\"writeConcern w 0\\\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB transactions with write concern 0", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-mongodb-transactions.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-mongodb-transactions.json deleted file mode 100755 index 71fb0f7d06..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-mongodb-transactions.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB Transaction Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-mysql-errors.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-mysql-errors.json deleted file mode 100755 index e6696d3dfe..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-mysql-transactions.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-mysql-transactions.json deleted file mode 100755 index 035e4af69f..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-mysql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-nfs-errors-search.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-nfs-errors-search.json deleted file mode 100755 index 234a135c17..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-nfs-errors-search.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFSERR_NOENT\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFS_OK\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Error Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" 
-} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-nfs.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-nfs.json deleted file mode 100755 index 637ab8785a..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-nfs.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-pgsql-errors.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-pgsql-errors.json deleted file mode 100755 index e1e696c06b..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-pgsql-transactions.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-pgsql-transactions.json deleted file mode 100755 index 4cf83e438b..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-pgsql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-search.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-search.json deleted file mode 100755 index b8dcde28ff..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-search.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-thrift-errors.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-thrift-errors.json deleted file mode 100755 index 4ada45ff68..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-thrift-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-thrift-transactions.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-thrift-transactions.json deleted file mode 100755 index d561697995..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-thrift-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/search/network_traffic-transactions-errors.json b/packages/network_traffic/1.0.2/kibana/search/network_traffic-transactions-errors.json deleted file mode 100755 index 26f67d32a2..0000000000 --- a/packages/network_traffic/1.0.2/kibana/search/network_traffic-transactions-errors.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Transactions Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-transactions-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - 
{ - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json deleted file mode 100755 index 72cce261f0..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Sessions", - "uiStateJSON": "{\"vis\":{\"colors\":{\"false\":\"#E24D42\",\"true\":\"#7EB26D\"},\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sessions per minute\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Handshake completed\",\"field\":\"tls.established\",\"json\":\"\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"
},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Sessions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index 428c808c1b..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] Total Number of TLS Sessions", - "uiStateJSON": "{\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-7\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total Number of TLS Sessions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 3d5fc5d68c..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.server.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Organization\",\"field\":\"tls.server.x509.subject.organization\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Server Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index a9a6b6d585..0000000000 
--- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Versions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TLS version\",\"field\":\"tls.detailed.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Versions\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json deleted file mode 100755 index 5c709d21ab..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Client Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique MACs\",\"field\":\"dhcpv4.client_mac\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Client Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 238ff5fe1b..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Session Resume", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"\",\"field\":\"tls.detailed.resumption_method\",\"json\":\"{\\n\\\"missing\\\": \\\"none\\\"\\n}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Session Resume\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index 28758eb761..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Message Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Op Code\",\"field\":\"dhcpv4.op_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message Type\",\"field\":\"dhcpv4.option.message_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DHCPv4 Message Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json deleted file mode 100755 index dfd0b9c2df..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Cipher", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cipher\",\"field\":\"tls.cipher\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Cipher\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json deleted file mode 100755 index 69216a897d..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"dhcpv4.option.message_type:nak OR dhcpv4.option.message_type:decline\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 NAK and Decline Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":57,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 NAK and Decline Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index e347b89b8e..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Avg Response Time (ns)\":\"#629E51\",\"Max Response Time (ns)\":\"#E24D42\",\"Min Response Time (ns)\":\"#70DBED\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Max Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"max\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"4\",\"label\":\"Min Response Time 
(ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"1\",\"label\":\"Avg Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Max Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Average event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json deleted file mode 100755 index 27390bc2a6..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"}}" - }, - "title": "[Network Packet Capture] DHCPv4 Message Types over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"c2cf4410-8ba8-11e8-ae15-bdcba81344e6\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"type:dhcpv4\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"ignore_global_filter\":0,\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"NOT dhcpv4.option.message_type:nak NOT dhcpv4.option.message_type:decline\"},\"formatter\":\"number\",\"id\":\"8abe6eb0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"Response\",\"line_width\":1,\"metrics\":[{\"id\":\"8abe6eb1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"dhcpv4.option.message_type\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.message_type:nak\"},\"formatter\":\"number\",\"id\":\"ae5610d0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"nak\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"ae5610d1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.
message_type:decline\"},\"formatter\":\"number\",\"id\":\"cf7ba180-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"decline\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"cf7ba181-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"[Network Packet Capture] DHCPv4 Message Types over Time\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 23e4ad24db..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Client Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.client.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Signature Algorithm\",\"field\":\"tls.client.x509.signature_algorithm\",\"json\":\"{ \\\"missing\\\": \\\"N/A\\\" }\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Client Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index e100d4e38f..0000000000 
--- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Name Indication", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Server Name Indication\",\"field\":\"tls.client.server_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"hideLabel\":false,\"maxFontSize\":64,\"minFontSize\":14,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"[Network Packet Capture] TLS Server Name Indication\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 204f509a93..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Fingerprint", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"JA3 Fingerprint\",\"field\":\"tls.client.ja3\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Fingerprint\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index c8ca05e364..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Public Key Size", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Public Key Size\",\"field\":\"tls.server.x509.public_key_size\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] Server Public Key Size\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index 7d805b99d1..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Client and Servers Pie Chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Client and Servers Pie Chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-bytes-transferred-per-domain.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-bytes-transferred-per-domain.json deleted file mode 100755 index 6b89c0127d..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-bytes-transferred-per-domain.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Bytes Transferred per Domain", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Bytes In\":\"#F2C96D\",\"Bytes Out\":\"#629E51\",\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Bytes Out\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Bytes 
In\"},\"mode\":\"normal\",\"show\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"grouped\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Bytes Transferred per Domain\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bytes-transferred-per-domain", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json deleted file mode 100755 index 1b5f21f993..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"exists\\\":{\\\"field\\\":\\\"tls\\\"}}\"},\"query\":{\"exists\":{\"field\":\"tls\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] TLS Alerts", - "uiStateJSON": "{\"vis\":{\"colors\":{\"None\":\"#7EB26D\",\"handshake_failure\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"tls.detailed.alert_types\",\"include\":\".*\",\"json\":\"{\\\"missing\\\": \\\"None\\\"}\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Alerts\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-ops.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-ops.json deleted file mode 100755 index fcdb742965..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-ops.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra Ops", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra Ops\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-ops", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-requestcount.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-requestcount.json deleted file mode 100755 index ac31b1fa2f..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-requestcount.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCount", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCount\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcount", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-requestcountbytype.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-requestcountbytype.json deleted file mode 100755 index be3352be29..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-requestcountbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":\"13\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json deleted file mode 100755 index 9e1ebf6056..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsecountbytype.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsecountbytype.json deleted file mode 100755 index 17a71a0e30..0000000000 
--- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsecountbytype.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"radiusRatio\":\"15\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra: ResponseCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json deleted file mode 100755 index ee9d47e2f6..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsekeyspace.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsekeyspace.json deleted file mode 100755 index 2f203d6dd9..0000000000 
--- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsekeyspace.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseKeyspace", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.keyspace\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.table\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseKeyspace\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsekeyspace", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsetime.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsetime.json deleted file mode 100755 index 152ebf53ef..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsetime.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseTime", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[5,25,50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseTime\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetime", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsetype.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsetype.json deleted file mode 100755 index 85c2b4d398..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-cassandra-responsetype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseType\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-connections-over-time.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-connections-over-time.json deleted file mode 100755 index 97d4affdf5..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-connections-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Connections over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Flows\",\"field\":\"flow.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique 
Flows\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Connections over time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-connections-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index d8cedfb7c3..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Transaction Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Transactions\",\"field\":\"dhcpv4.transaction_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Transaction Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 856211710f..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"params\":{\"gte\":0,\"lt\":1000000000},\"type\":\"range\",\"value\":\"0 to 1,000,000,000\"},\"range\":{\"event.duration\":{\"gte\":0,\"lt\":1000000000}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Handshake Latency", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Handshake Latency (ns)\",\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":2000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"m
ode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Handshake Latency\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-db-transactions.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-db-transactions.json deleted file mode 100755 index 475882f60d..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-db-transactions.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.type\",\"negate\":true,\"params\":{\"query\":\"flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"flow\"},\"query\":{\"match\":{\"event.type\":{\"query\":\"flow\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"}}" - }, - "title": "[Network Packet Capture] Transaction Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.dataset\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count
\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Transaction Types\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-db-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json deleted file mode 100755 index 333052a373..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"}}" - }, - "title": "[Network Packet Capture] Top Domains by Data Volume", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"3\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top Domains by Data Volume\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-query-summary.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-query-summary.json deleted file mode 100755 index 1898c984d8..0000000000 
--- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-query-summary.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Query Summary", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"17\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":28,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DNS Query Summary\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-query-summary", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-question-types.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-question-types.json deleted file mode 100755 index b2a975b430..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-question-types.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Question Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Question Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-question-types", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-request-status-over-time.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-request-status-over-time.json deleted file mode 100755 index 53c1b991c8..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-request-status-over-time.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Request Status Over Time", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Error\":\"#890F02\",\"OK\":\"#0A50A1\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"
id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] DNS Request Status Over Time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-request-status-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-response-codes.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-response-codes.json deleted file mode 100755 index b9edd3cab4..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-response-codes.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Response Codes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Code\",\"field\":\"dns.response_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Response Codes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-response-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-top-10-questions.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-top-10-questions.json deleted file mode 100755 index d86db94a8d..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-dns-top-10-questions.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":false,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Top 10 Questions", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Question\",\"field\":\"dns.question.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Top 10 Questions\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-top-10-questions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json deleted file mode 100755 index b89d822540..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Avg Response 
Time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":3.5,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Avg Response Time\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Transactions\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-errors-count-over-time.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-errors-count-over-time.json deleted file mode 100755 index 5582bc6c67..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-errors-count-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors count over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"30s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] New Visualization\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-count-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-transactions-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-errors-vs-successful-transactions.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-errors-vs-successful-transactions.json deleted file mode 100755 index c3ac23f5a7..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-errors-vs-successful-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors vs successful transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"percentage\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"percentage\",\"setYExtents\":
false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Errors vs successful transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-vs-successful-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json deleted file mode 100755 index c0d680e520..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Data Transfer", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Requests\",\"field\":\"client.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Responses\",\"field\":\"server.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":24,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Data Transfer\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json deleted file mode 100755 index d8885cd43f..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP status codes for the top queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Query\",\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":false,\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] HTTP status codes for the top queries\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-codes-for-the-top-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-http-error-codes-evolution.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-http-error-codes-evolution.json deleted file mode 100755 index 479733a2af..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-http-error-codes-evolution.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"http.response.status_code\",\"negate\":true,\"params\":{\"gte\":200,\"lt\":299},\"type\":\"range\",\"value\":\"200 to 299\"},\"range\":{\"http.response.status_code\":{\"gte\":200,\"lte\":299}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes evolution", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes evolution\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes-evolution", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-http-error-codes.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-http-error-codes.json deleted file mode 100755 index 1cb90080fc..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-http-error-codes.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"type\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http and http.response.status_code \\u003e= 300\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"type\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique count of type\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-latency-histogram.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-latency-histogram.json deleted file mode 100755 index 34aa0f3d11..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-latency-histogram.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Latency Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Latency Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": 
"network_traffic-latency-histogram", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-commands.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-commands.json deleted file mode 100755 index 87474df326..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-commands.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB Commands", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"silhouette\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\
",\"scale\":{\"defaultYExtents\":false,\"mode\":\"silhouette\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB Commands\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-commands", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-errors-per-collection.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-errors-per-collection.json deleted file mode 100755 index ea23f3560f..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-errors-per-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors per collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueA
xes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors per collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors-per-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-errors.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-errors.json deleted file mode 100755 index 183ec66ef3..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"row\":true,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mod
e\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json deleted file mode 100755 index 74b8a6fd64..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB in/out throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of source.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Sum of 
destination.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB in/out throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-in-slash-out-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json deleted file mode 100755 index 0346b7b1cd..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB response times by collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":false,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB response times by collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-response-times-by-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-most-frequent-mysql-queries.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-most-frequent-mysql-queries.json deleted file mode 100755 index 08c27fcecf..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-most-frequent-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent MySQL queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"query\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true},\"title\":\"[Network Packet Capture] Most frequent MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json deleted file mode 100755 index 6ddc08eafb..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent PgSQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Most frequent PgSQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-errors.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-errors.json deleted file mode 100755 index 25ded66860..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-methods.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-methods.json deleted file mode 100755 index 34e609f25b..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"sca
le\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-reads-vs-writes.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-reads-vs-writes.json deleted file mode 100755 index 4fece54090..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-response-times-percentiles.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-response-times-percentiles.json deleted file mode 100755 index add1156167..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Mysql response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Mysql response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-throughput.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-throughput.json deleted file mode 100755 index fd67a3b714..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-mysql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] MySQL throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-navigation.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-navigation.json deleted file mode 100755 index 958a4a7a7c..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-navigation.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "[Network Packet Capture] Navigation", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### Network Packet Capture:\\n\\n[Overview](#/dashboard/network_traffic-dashboard)\\n\\n[Network Flows](#/dashboard/network_traffic-flows)\\n\\n[DNS Overview](#/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e) | [Tunneling](#/dashboard/network_traffic-dns-unique-domains)\\n\\n[DHCPv4 Transactions](#/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb)\\n\\n[TLS Overview](#/dashboard/network_traffic-tls-sessions)\\n\\n[HTTP transactions](#/dashboard/network_traffic-http)\\n\\nDatabases: [MySQL](#/dashboard/network_traffic-mysql-performance) | [PostgreSQL](#/dashboard/network_traffic-pgsql-performance) | [MongoDB](#/dashboard/network_traffic-mongodb-performance) | [Cassandra](#/dashboard/network_traffic-cassandra)\\n\\nRPC: [Thrift](#/dashboard/network_traffic-thrift-performance)\\n\\nStorage: [NFS](#/dashboard/network_traffic-nfs)\",\"openLinksInNewTab\":false},\"title\":\"[Network Packet Capture] Navigation\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-navigation", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json deleted file mode 100755 index 292355bbdf..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Traffic Between Hosts", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Traffic Between Hosts\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-network-traffic-between-your-hosts", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json deleted file mode 100755 index 8b550d78cf..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS Request / Response Sizes", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Sum of rpc.reply_size\":\"#7EB26D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Request Size\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Size\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Request Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Response 
Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS Request / Response Sizes\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-bytes-in-slash-out", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-clients-pie-chart.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-clients-pie-chart.json deleted file mode 100755 index 4272f7571e..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-clients-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS clients pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.machinename\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS clients pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-clients-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-errors.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-errors.json deleted file mode 100755 index f407f4153d..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"nfs.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":12},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"s
cale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-errors-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-operation-table.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-operation-table.json deleted file mode 100755 index 56e28320c1..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-operation-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS operation table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Opcode\",\"field\":\"nfs.opcode\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] NFS operation table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-operation-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-operations-area-chart.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-operations-area-chart.json deleted file mode 100755 index 56cb538f8f..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-operations-area-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS operations area chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"nfs.opcode\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":16},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS operations area chart\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-operations-area-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-response-times.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-response-times.json deleted file mode 100755 index 2ffaacd816..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-response-times.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS response times", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[50]},\"schema\":\"metric\",\"type\":\"median\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Median 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Median event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS response times\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-response-times", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json deleted file mode 100755 index c1b2816c13..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS top group pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.gid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top group pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-top-group-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json deleted file mode 100755 index 543bfe7058..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS top users pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.uid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top users pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-top-users-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json deleted file mode 100755 index 770c776e13..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExte
nts\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-errors.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-errors.json deleted file mode 100755 index 88a19443ff..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-methods.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-methods.json deleted file mode 100755 index e49215022c..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scal
e\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json deleted file mode 100755 index 60be8776dd..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json deleted file mode 100755 index 66eb8b3b8b..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-throughput.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-throughput.json deleted file mode 100755 index aba4ebafd0..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-pgsql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL Throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-response-times-percentiles.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-response-times-percentiles.json deleted file mode 100755 index f43cfc0233..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,95,99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Response times percentiles\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-response-times-repartition.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-response-times-repartition.json deleted file mode 100755 index 2271bdb9a7..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-response-times-repartition.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times repartition", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"group\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{
}},\"title\":\"[Network Packet Capture] Response times repartition\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-repartition", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-slowest-mysql-queries.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-slowest-mysql-queries.json deleted file mode 100755 index 9194c62aaa..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-slowest-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest MySQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-slowest-pgsql-queries.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-slowest-pgsql-queries.json deleted file mode 100755 index ce2d661459..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-slowest-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest PgSQL Queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Average Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest PgSQL Queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json deleted file mode 100755 index 777f4d7abe..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest Thrift RPC methods", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest Thrift RPC methods\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-thrift-requests-per-minute.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-thrift-requests-per-minute.json deleted file mode 100755 index e9dee7461a..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-thrift-requests-per-minute.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift requests per minute", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"m\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift requests per minute\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-requests-per-minute", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-thrift-response-times-percentiles.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-thrift-response-times-percentiles.json deleted file mode 100755 index 835ee06280..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-thrift-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Thrift response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-thrift-rpc-errors.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-thrift-rpc-errors.json deleted file mode 100755 index 37e3e901fc..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-thrift-rpc-errors.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift RPC Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift RPC Errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-rpc-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-10-http-requests.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-10-http-requests.json deleted file mode 100755 index bb5c71dbfe..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-10-http-requests.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top 10 HTTP requests", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top 10 HTTP requests\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-10-http-requests", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-hosts-creating-traffic.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-hosts-creating-traffic.json deleted file mode 100755 index 842f9f29ec..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-hosts-creating-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Creating Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Source 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Creating Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-creating-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json deleted file mode 100755 index 34f9d74be2..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Receiving Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Receiving Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-receiving-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json deleted file mode 100755 index e39b39b7f9..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top slowest MongoDB queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top slowest MongoDB queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-slowest-mongodb-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json deleted file mode 100755 index 3f7aee4851..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC calls with errors", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"shareYAxis\":true},\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-thrift-rpc-methods.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-thrift-rpc-methods.json deleted file mode 100755 index 8add979f7b..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-top-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC methods ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Thrift-RPC methods\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-total-number-of-http-transactions.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-total-number-of-http-transactions.json deleted file mode 100755 index 77e8f9b41a..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-total-number-of-http-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Total number of HTTP transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"37\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total number of HTTP transactions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-total-number-of-http-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json deleted file mode 100755 index 93a9d62de2..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1 Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Unique Domains\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1 Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json deleted file mode 100755 index e94d78a938..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Subdomain Count\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-web-transactions.json b/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-web-transactions.json deleted file mode 100755 index 354ec98cef..0000000000 --- a/packages/network_traffic/1.0.2/kibana/visualization/network_traffic-web-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP Transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-web-transactions", 
- "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.0.2/manifest.yml b/packages/network_traffic/1.0.2/manifest.yml deleted file mode 100755 index a6f662b05d..0000000000 --- a/packages/network_traffic/1.0.2/manifest.yml +++ /dev/null @@ -1,35 +0,0 @@ -format_version: 1.0.0 -name: network_traffic -title: Network Packet Capture -version: 1.0.2 -license: basic -description: Capture and analyze network traffic from a host with Elastic Agent. -type: integration -categories: - - web -release: ga -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -policy_templates: - - name: network - title: Network Packet Capture - description: Capture network traffic - inputs: - - type: packet - title: Capture network traffic - description: Collecting network traffic - vars: - - name: interface - type: text - title: Interface - required: false - show_user: false - - name: processes - type: text - multi: true - title: Processes - description: Processes to monitor (this will act as a command line grep) - required: false - show_user: false -owner: - github: elastic/security-external-integrations diff --git a/packages/network_traffic/1.1.0/changelog.yml b/packages/network_traffic/1.1.0/changelog.yml deleted file mode 100755 index 9e9d88dd7b..0000000000 --- a/packages/network_traffic/1.1.0/changelog.yml +++ /dev/null 
@@ -1,139 +0,0 @@
-# newer versions go on top
-- version: "1.1.0"
- changes:
- - description: Add configuration documentation.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3371
-- version: "1.0.2"
- changes:
- - description: Remove invalid value from `event.category` for TLS and Thrift
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3409
-- version: "1.0.1"
- changes:
- - description: Remove invalid value from `event.category`.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3384
-- version: "1.0.0"
- changes:
- - description: Release as GA.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3355
-- version: "0.10.1"
- changes:
- - description: Remove invalid value from `event.category` in SIP data set.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3343
-- version: "0.10.0"
- changes:
- - description: Add configuration options for each protocol.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3157
-- version: "0.9.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2780
-- version: "0.8.2"
- changes:
- - description: Add missing field mappings to DNS and TLS data streams.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3078
-- version: "0.8.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "0.8.0"
- changes:
- - description: Change release stability to beta.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2793
-- version: "0.7.1"
- changes:
- - description: Fix mapping for tls.detailed.client_certificate_chain.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2793
-- version: "0.7.0"
- changes:
- - description: Add dashboards. Update the Kibana constraint to require 7.17.0 or 8.0.0.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2762
-- version: "0.6.3"
- changes:
- - description: Add license note to README.
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2809
-- version: "0.6.2"
- changes:
- - description: Add fields for TLS random data and OCSP status.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2703
-- version: "0.6.1"
- changes:
- - description: Remove unused field metadata.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2648
-- version: "0.6.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2426
-- version: "0.5.1"
- changes:
- - description: Fix mapping for tls.detailed.server_certificate_chain
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2517
-- version: "0.5.0"
- changes:
- - description: Add 8.0.0 version constraint
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2224
-- version: "0.4.2"
- changes:
- - description: Uniform with guidelines
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2097
-- version: "0.4.1"
- changes:
- - description: Update Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1997
- - description: Update Title and Description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1975
-- version: "0.4.0"
- changes:
- - description: Update to ECS 1.12.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1669
-- version: "0.3.0"
- changes:
- - description: Change title to Network Packet Capture. Added timeout/period config to flows data stream.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1764
-- version: "0.2.2"
- changes:
- - description: Requires version 7.14.1 of the stack
- type: bugfix
- link: https://github.com/elastic/integrations/pull/1541
-- version: "0.2.1"
- changes:
- - description: Escape special characters in docs
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1405
-- version: "0.2.0"
- changes:
- - description: Update documentation to fit mdx spec
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1401
-- version: "0.1.0"
- changes:
- - description: Update integration description
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1364
-- version: "0.0.1"
- changes:
- - description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/integrations/pull/21
diff --git a/packages/network_traffic/1.1.0/data_stream/amqp/agent/stream/amqp.yml.hbs b/packages/network_traffic/1.1.0/data_stream/amqp/agent/stream/amqp.yml.hbs
deleted file mode 100755
index 22fb1883a0..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/amqp/agent/stream/amqp.yml.hbs
+++ /dev/null
@@ -1,49 +0,0 @@
-type: amqp
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if max_body_length}}
-max_body_length: {{max_body_length}}
-{{/if}}
-{{#if parse_headers}}
-parse_headers: {{parse_headers}}
-{{/if}}
-{{#if parse_arguments}}
-parse_arguments: {{parse_arguments}}
-{{/if}}
-{{#if hide_connection_information}}
-hide_connection_information: {{hide_connection_information}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.1.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index dd8f95ef44..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/amqp/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing amqp traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.1.0/data_stream/amqp/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/amqp/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/amqp/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.1.0/data_stream/amqp/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/amqp/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/amqp/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.1.0/data_stream/amqp/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/amqp/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/amqp/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.1.0/data_stream/amqp/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/amqp/fields/ecs.yml deleted file mode 100755 index da1822dec9..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/amqp/fields/ecs.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.1.0/data_stream/amqp/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/amqp/fields/protocol.yml deleted file mode 100755 index 4b87cf176c..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/amqp/fields/protocol.yml +++ /dev/null 
@@ -1,202 +0,0 @@ -- name: amqp - type: group - fields: - - name: reply-code - type: long - description: > - AMQP reply code to an error, similar to http reply-code - - example: 404 - - name: reply-text - type: keyword - description: > - Text explaining the error. - - - name: class-id - type: long - description: > - Failing method class. - - - name: method-id - type: long - description: > - Failing method ID. - - - name: exchange - type: keyword - description: > - Name of the exchange. - - - name: exchange-type - type: keyword - description: > - Exchange type. - - example: fanout - - name: passive - type: boolean - description: > - If set, do not create exchange/queue. - - - name: durable - type: boolean - description: > - If set, request a durable exchange/queue. - - - name: exclusive - type: boolean - description: > - If set, request an exclusive queue. - - - name: auto-delete - type: boolean - description: > - If set, auto-delete queue when unused. - - - name: no-wait - type: boolean - description: > - If set, the server will not respond to the method. - - - name: consumer-tag - type: keyword - description: > - Identifier for the consumer, valid within the current channel. - - - name: delivery-tag - type: long - description: > - The server-assigned and channel-specific delivery tag. - - - name: message-count - type: long - description: > - The number of messages in the queue, which will be zero for newly-declared queues. - - - name: consumer-count - type: long - description: > - The number of consumers of a queue. - - - name: routing-key - type: keyword - description: > - Message routing key. - - - name: no-ack - type: boolean - description: > - If set, the server does not expect acknowledgements for messages. - - - name: no-local - type: boolean - description: > - If set, the server will not send messages to the connection that published them. - - - name: if-unused - type: boolean - description: > - Delete only if unused. 
- - - name: if-empty - type: boolean - description: > - Delete only if empty. - - - name: queue - type: keyword - description: > - The queue name identifies the queue within the vhost. - - - name: redelivered - type: boolean - description: > - Indicates that the message has been previously delivered to this or another client. - - - name: multiple - type: boolean - description: > - Acknowledge multiple messages. - - - name: arguments - type: object - description: > - Optional additional arguments passed to some methods. Can be of various types. - - - name: mandatory - type: boolean - description: > - Indicates mandatory routing. - - - name: immediate - type: boolean - description: > - Request immediate delivery. - - - name: content-type - type: keyword - description: > - MIME content type. - - example: text/plain - - name: content-encoding - type: keyword - description: > - MIME content encoding. - - - name: headers - type: object - object_type: keyword - description: > - Message header field table. - - - name: delivery-mode - type: keyword - description: > - Non-persistent (1) or persistent (2). - - - name: priority - type: long - description: > - Message priority, 0 to 9. - - - name: correlation-id - type: keyword - description: > - Application correlation identifier. - - - name: reply-to - type: keyword - description: > - Address to reply to. - - - name: expiration - type: keyword - description: > - Message expiration specification. - - - name: message-id - type: keyword - description: > - Application message identifier. - - - name: timestamp - type: keyword - description: > - Message timestamp. - - - name: type - type: keyword - description: > - Message type name. - - - name: user-id - type: keyword - description: > - Creating user id. - - - name: app-id - type: keyword - description: > - Creating application id. - 
diff --git a/packages/network_traffic/1.1.0/data_stream/amqp/manifest.yml b/packages/network_traffic/1.1.0/data_stream/amqp/manifest.yml deleted file mode 100755 index 392448511a..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/amqp/manifest.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -title: AMQP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [5672] - - name: max_body_length - type: integer - title: Max Body Length - description: |- - Truncate messages that are published and avoid huge messages being - indexed. - Default: 1000 - show_user: false - multi: false - required: false - - name: parse_headers - type: bool - title: Parse Headers - description: |- - Hide the header fields in header frames. - Default: false - show_user: false - multi: false - required: false - - name: parse_arguments - type: bool - title: Parse Arguments - description: |- - Hide the additional arguments of method frames. - Default: false - show_user: false - multi: false - required: false - - name: hide_connection_information - type: bool - title: Hide Connection Information - description: |- - Hide all methods relative to connection negotiation between server and - client. - Default: true - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. 
- show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: AMQP - description: Capture AMQP Traffic - template_path: amqp.yml.hbs diff --git a/packages/network_traffic/1.1.0/data_stream/amqp/sample_event.json b/packages/network_traffic/1.1.0/data_stream/amqp/sample_event.json deleted file mode 100755 index 9ef02f389f..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/amqp/sample_event.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "@timestamp": "2022-03-09T07:37:02.033Z", - "agent": { - "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "amqp": { - "auto-delete": false, - "consumer-count": 0, - "durable": false, - "exclusive": false, - "message-count": 0, - "no-wait": false, - "passive": false, - "queue": "hello" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "data_stream": { - "dataset": "network_traffic.amqp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "amqp.queue.declare", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.amqp", - "duration": 1325900, - "end": "2022-03-09T07:37:02.035Z", - "ingested": "2022-03-09T07:37:03Z", - "kind": "event", - "start": "2022-03-09T07:37:02.033Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - 
}, - "status": "OK", - "type": "amqp" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs b/packages/network_traffic/1.1.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs deleted file mode 100755 index 9c4ec167d1..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/cassandra/agent/stream/cassandra.yml.hbs +++ /dev/null @@ -1,49 +0,0 @@ -type: cassandra -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_request_header}} -send_request_header: {{send_request_header}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if send_response_header}} -send_response_header: {{send_response_header}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if compressor}} -compressor: {{compressor}} -{{/if}} -{{#if ignored_ops}} -ignored_ops: -{{#each ignored_ops as |ignored_op|}} - - {{ignored_op}} -{{/each}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.1.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2860fd7f9e..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/cassandra/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing cassandra traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.1.0/data_stream/cassandra/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/cassandra/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/cassandra/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.1.0/data_stream/cassandra/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/cassandra/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/cassandra/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.1.0/data_stream/cassandra/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/cassandra/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/cassandra/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.1.0/data_stream/cassandra/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/cassandra/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/cassandra/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.1.0/data_stream/cassandra/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/cassandra/fields/protocol.yml
deleted file mode 100755
index 58a2f6c12d..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/cassandra/fields/protocol.yml
+++ /dev/null
@@ -1,283 +0,0 @@ -- name: cassandra - type: group - description: Information about the Cassandra request and response. - fields: - - name: no_request - type: boolean - description: > - Indicates that there is no request because this is a PUSH message. - - - name: request - type: group - description: Cassandra request. - fields: - - name: headers - type: group - description: Cassandra request headers. - fields: - - name: version - type: keyword - description: The version of the protocol. - - name: flags - type: keyword - description: Flags applying to this frame. - - name: stream - type: keyword - description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. - - name: op - type: keyword - description: An operation type that distinguishes the actual message. - - name: length - type: long - description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). - - name: query - type: keyword - description: The CQL query which client send to cassandra. - - name: response - type: group - description: Cassandra response. - fields: - - name: headers - type: group - description: Cassandra response headers, the structure is as same as request's header. - fields: - - name: version - type: keyword - description: The version of the protocol. - - name: flags - type: keyword - description: Flags applying to this frame. - - name: stream - type: keyword - description: A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. - - name: op - type: keyword - description: An operation type that distinguishes the actual message. - - name: length - type: long - description: A integer representing the length of the body of the frame (a frame is limited to 256MB in length). 
- - name: result - type: group - description: Details about the returned result. - fields: - - name: type - type: keyword - description: Cassandra result type. - - name: rows - type: group - description: Details about the rows. - fields: - - name: num_rows - type: long - description: Representing the number of rows present in this result. - - name: meta - type: group - description: Composed of result metadata. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. - - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: keyspace - type: keyword - description: Indicating the name of the keyspace that has been set. - - name: schema_change - type: group - description: The result to a schema_change message. - fields: - - name: change - type: keyword - description: Representing the type of changed involved. - - name: keyspace - type: keyword - description: This describes which keyspace has changed. - - name: table - type: keyword - description: This describes which table has changed. - - name: object - type: keyword - description: This describes the name of said affected object (either the table, user type, function, or aggregate name). - - name: target - type: keyword - description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. 
- - name: name - type: keyword - description: The function/aggregate name. - - name: args - type: keyword - description: One string for each argument type (as CQL type). - - name: prepared - type: group - description: The result to a PREPARE message. - fields: - - name: prepared_id - type: keyword - description: Representing the prepared query ID. - - name: req_meta - type: group - description: This describes the request metadata. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. - - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: resp_meta - type: group - description: This describes the metadata for the result set. - fields: - - name: keyspace - type: keyword - description: Only present after set Global_tables_spec, the keyspace name. - - name: table - type: keyword - description: Only present after set Global_tables_spec, the table name. - - name: flags - type: keyword - description: Provides information on the formatting of the remaining information. - - name: col_count - type: long - description: Representing the number of columns selected by the query that produced this result. - - name: pkey_columns - type: long - description: Representing the PK columns index and counts. 
- - name: paging_state - type: keyword - description: The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. - - name: supported - type: flattened - description: Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. - - name: authentication - type: group - description: Indicates that the server requires authentication, and which authentication mechanism to use. - fields: - - name: class - type: keyword - description: Indicates the full class name of the IAuthenticator in use - - name: warnings - type: keyword - description: The text of the warnings, only occur when Warning flag was set. - - name: event - type: group - description: Event pushed by the server. A client will only receive events for the types it has REGISTERed to. - fields: - - name: type - type: keyword - description: Representing the event type. - - name: change - type: keyword - description: The message corresponding respectively to the type of change followed by the address of the new/removed node. - - name: host - type: keyword - description: Representing the node ip. - - name: port - type: long - description: Representing the node port. - - name: schema_change - type: group - description: The events details related to schema change. - fields: - - name: change - type: keyword - description: Representing the type of changed involved. - - name: keyspace - type: keyword - description: This describes which keyspace has changed. - - name: table - type: keyword - description: This describes which table has changed. - - name: object - type: keyword - description: This describes the name of said affected object (either the table, user type, function, or aggregate name). - - name: target - type: keyword - description: Target could be "FUNCTION" or "AGGREGATE", multiple arguments. - - name: name - type: keyword - description: The function/aggregate name. 
- - name: args - type: keyword - description: One string for each argument type (as CQL type). - - name: error - type: group - description: Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow. - fields: - - name: code - type: long - description: The error code of the Cassandra response. - - name: msg - type: keyword - description: The error message of the Cassandra response. - - name: type - type: keyword - description: The error type of the Cassandra response. - - name: details - type: group - description: The details of the error. - fields: - - name: read_consistency - type: keyword - description: Representing the consistency level of the query that triggered the exception. - - name: required - type: long - description: Representing the number of nodes that should be alive to respect consistency level. - - name: alive - type: long - description: Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). - - name: received - type: long - description: Representing the number of nodes having acknowledged the request. - - name: blockfor - type: long - description: Representing the number of replicas whose acknowledgement is required to achieve consistency level. - - name: write_type - type: keyword - description: Describe the type of the write that timed out. - - name: data_present - type: boolean - description: It means the replica that was asked for data had responded. - - name: keyspace - type: keyword - description: The keyspace of the failed function. - - name: table - type: keyword - description: The keyspace of the failed function. - - name: stmt_id - type: keyword - description: Representing the unknown ID. - - name: num_failures - type: keyword - description: Representing the number of nodes that experience a failure while executing the request. 
- - name: function
- type: keyword
- description: The name of the failed function.
- - name: arg_types
- type: keyword
- description: One string for each argument type (as CQL type) of the failed function.
diff --git a/packages/network_traffic/1.1.0/data_stream/cassandra/manifest.yml b/packages/network_traffic/1.1.0/data_stream/cassandra/manifest.yml
deleted file mode 100755
index b05f2d1e4e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/cassandra/manifest.yml
+++ /dev/null
@@ -1,92 +0,0 @@
-title: Cassandra
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [9042]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`cassandra_request` field)
- is included in published events. The default is true.
- show_user: false
- multi: false
- required: false
- - name: send_request_header
- type: bool
- title: Send Request Header
- description: |-
- If this option is enabled, the raw message of the response (`cassandra_request.request_headers` field)
- is included in published events. The default is true. enable `send_request` first before enable this option.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`cassandra_response` field)
- is included in published events. The default is true.
- show_user: false
- multi: false
- required: false
- - name: send_response_header
- type: bool
- title: Send Response Header
- description: |-
- If this option is enabled, the raw message of the response (`cassandra_response.response_headers` field)
- is included in published events. The default is true. enable `send_response` first before enable this option.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: compressor
- type: text
- title: Compressor
- description: |-
- Configures the default compression algorithm being used to uncompress compressed frames by name.
Currently only `snappy` is can be configured.
- By default no compressor is configured.
- show_user: false
- multi: false
- required: false
- - name: ignored_ops
- type: text
- title: Ignored Ops
- description: This option indicates which Operator/Operators will be ignored.
- show_user: false
- multi: true
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: Cassandra
- description: Capture Cassandra Traffic
- template_path: cassandra.yml.hbs
diff --git a/packages/network_traffic/1.1.0/data_stream/cassandra/sample_event.json b/packages/network_traffic/1.1.0/data_stream/cassandra/sample_event.json
deleted file mode 100755
index aa2d587c11..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/cassandra/sample_event.json
+++ /dev/null
@@ -1,125 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:43:05.888Z",
- "agent": {
- "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "cassandra": {
- "request": {
- "headers": {
- "flags": "Default",
- "length": 98,
- "op": "QUERY",
- "stream": 49,
- "version": "4"
- },
- "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);"
- },
- "response": {
- "headers": {
- "flags": "Default",
- "length": 39,
- "op": "RESULT",
- "stream": 49,
- "version": "4"
- },
- "result": {
- "schema_change": {
- "change": "CREATED",
- "keyspace": "mykeyspace",
- "object": "users",
- "target": "TABLE"
- },
- "type": "schemaChanged"
- }
- }
- },
- "client": {
- "bytes": 107,
- "ip": "127.0.0.1",
- "port": 52749
- },
- "data_stream": {
- "dataset": "network_traffic.cassandra",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 48,
- "ip": "127.0.0.1",
- "port": 9042
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.cassandra",
- "duration": 131589500,
- "end": "2022-03-09T07:43:06.019Z",
- "ingested": "2022-03-09T07:43:09Z",
- "kind": "event",
- "start": "2022-03-09T07:43:05.888Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "network": {
- "bytes": 155,
- "community_id":
"1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=",
- "direction": "ingress",
- "protocol": "cassandra",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 48,
- "ip": "127.0.0.1",
- "port": 9042
- },
- "source": {
- "bytes": 107,
- "ip": "127.0.0.1",
- "port": 52749
- },
- "status": "OK",
- "type": "cassandra"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.1.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs b/packages/network_traffic/1.1.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
deleted file mode 100755
index 2c56638255..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/dhcpv4/agent/stream/dhcpv4.yml.hbs
+++ /dev/null
@@ -1,28 +0,0 @@
-type: dhcpv4
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.1.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index a0f2d285e8..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/dhcpv4/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,54 +0,0 @@
----
-description: Pipeline for processing dhcpv4 traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: dhcpv4.client_mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: dhcpv4.client_mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: dhcpv4.client_mac
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/protocol.yml deleted file mode 100755 index 0180691a5b..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/dhcpv4/fields/protocol.yml +++ /dev/null 
@@ -1,177 +0,0 @@ -- name: dhcpv4 - type: group - fields: - - name: transaction_id - type: keyword - description: | - Transaction ID, a random number chosen by the - client, used by the client and server to associate - messages and responses between a client and a - server. - - name: seconds - type: long - description: | - Number of seconds elapsed since client began address acquisition or - renewal process. - - name: flags - type: keyword - description: | - Flags are set by the client to indicate how the DHCP server should - its reply -- either unicast or broadcast. - - name: client_ip - type: ip - description: The current IP address of the client. - - name: assigned_ip - type: ip - description: | - The IP address that the DHCP server is assigning to the client. - This field is also known as "your" IP address. - - name: server_ip - type: ip - description: | - The IP address of the DHCP server that the client should use for the - next step in the bootstrap process. - - name: relay_ip - type: ip - description: | - The relay IP address used by the client to contact the server - (i.e. a DHCP relay server). - - name: client_mac - type: keyword - description: The client's MAC address (layer two). - - name: server_name - type: keyword - description: | - The name of the server sending the message. Optional. Used in - DHCPOFFER or DHCPACK messages. - - name: op_code - type: keyword - example: bootreply - description: | - The message op code (bootrequest or bootreply). - - name: hops - type: long - description: The number of hops the DHCP message went through. - - name: hardware_type - type: keyword - description: | - The type of hardware used for the local network (Ethernet, - LocalTalk, etc). - - name: option - type: group - fields: - - name: message_type - type: keyword - example: ack - description: | - The specific type of DHCP message being sent (e.g. discover, - offer, request, decline, ack, nak, release, inform). 
- - name: parameter_request_list - type: keyword - description: | - This option is used by a DHCP client to request values for - specified configuration parameters. - - name: requested_ip_address - type: ip - description: | - This option is used in a client request (DHCPDISCOVER) to allow - the client to request that a particular IP address be assigned. - - name: server_identifier - type: ip - description: | - IP address of the individual DHCP server which handled this - message. - - name: broadcast_address - type: ip - description: | - This option specifies the broadcast address in use on the - client's subnet. - - name: max_dhcp_message_size - type: long - description: | - This option specifies the maximum length DHCP message that the - client is willing to accept. - - name: class_identifier - type: keyword - description: | - This option is used by DHCP clients to optionally identify the - vendor type and configuration of a DHCP client. Vendors may - choose to define specific vendor class identifiers to convey - particular configuration or other identification information - about a client. For example, the identifier may encode the - client's hardware configuration. - - name: domain_name - type: keyword - description: | - This option specifies the domain name that client should use - when resolving hostnames via the Domain Name System. - - name: dns_servers - type: ip - description: | - The domain name server option specifies a list of Domain Name - System servers available to the client. - - name: vendor_identifying_options - type: object - description: | - A DHCP client may use this option to unambiguously identify the - vendor that manufactured the hardware on which the client is - running, the software in use, or an industry consortium to which - the vendor belongs. This field is described in RFC 3925. - - name: subnet_mask - type: ip - description: | - The subnet mask that the client should use on the currnet - network. 
- - name: utc_time_offset_sec - type: long - description: | - The time offset field specifies the offset of the client's - subnet in seconds from Coordinated Universal Time (UTC). - - name: router - type: ip - description: | - The router option specifies a list of IP addresses for routers - on the client's subnet. - - name: time_servers - type: ip - description: | - The time server option specifies a list of RFC 868 time servers - available to the client. - - name: ntp_servers - type: ip - description: | - This option specifies a list of IP addresses indicating NTP - servers available to the client. - - name: hostname - type: keyword - description: | - This option specifies the name of the client. - - name: ip_address_lease_time_sec - type: long - description: | - This option is used in a client request (DHCPDISCOVER or - DHCPREQUEST) to allow the client to request a lease time for the - IP address. In a server reply (DHCPOFFER), a DHCP server uses - this option to specify the lease time it is willing to offer. - - name: message - type: text - description: | - This option is used by a DHCP server to provide an error message - to a DHCP client in a DHCPNAK message in the event of a failure. - A client may use this option in a DHCPDECLINE message to - indicate the why the client declined the offered parameters. - - name: renewal_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the RENEWING state. - - name: rebinding_time_sec - type: long - description: | - This option specifies the time interval from address assignment - until the client transitions to the REBINDING state. - - name: boot_file_name - type: keyword - description: | - This option is used to identify a bootfile when the 'file' field - in the DHCP header has been used for DHCP options. 
diff --git a/packages/network_traffic/1.1.0/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/1.1.0/data_stream/dhcpv4/manifest.yml deleted file mode 100755 index fc09a92781..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/dhcpv4/manifest.yml +++ /dev/null @@ -1,40 +0,0 @@ -title: DHCP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [67, 68] - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: DHCP - description: Capture DHCP Traffic - template_path: dhcpv4.yml.hbs diff --git a/packages/network_traffic/1.1.0/data_stream/dhcpv4/sample_event.json b/packages/network_traffic/1.1.0/data_stream/dhcpv4/sample_event.json deleted file mode 100755 index 59ab870695..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/dhcpv4/sample_event.json +++ /dev/null 
@@ -1,111 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:43:52.712Z",
- "agent": {
- "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 272,
- "ip": "0.0.0.0",
- "port": 68
- },
- "data_stream": {
- "dataset": "network_traffic.dhcpv4",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "255.255.255.255",
- "port": 67
- },
- "dhcpv4": {
- "client_mac": "00-0B-82-01-FC-42",
- "flags": "unicast",
- "hardware_type": "Ethernet",
- "hops": 0,
- "op_code": "bootrequest",
- "option": {
- "message_type": "discover",
- "parameter_request_list": [
- "Subnet Mask",
- "Router",
- "Domain Name Server",
- "NTP Servers"
- ],
- "requested_ip_address": "0.0.0.0"
- },
- "seconds": 0,
- "transaction_id": "0x00003d1d"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.dhcpv4",
- "ingested": "2022-03-09T07:43:53Z",
- "kind": "event",
- "start": "2022-03-09T07:43:52.712Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "network": {
- "bytes": 272,
- "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=",
- "direction": "unknown",
- "protocol": "dhcpv4",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "0.0.0.0",
- "255.255.255.255"
- ]
- },
- "server": {
- "ip": "255.255.255.255",
- 
"port": 67 - }, - "source": { - "bytes": 272, - "ip": "0.0.0.0", - "port": 68 - }, - "status": "OK", - "type": "dhcpv4" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/data_stream/dns/agent/stream/dns.yml.hbs b/packages/network_traffic/1.1.0/data_stream/dns/agent/stream/dns.yml.hbs deleted file mode 100755 index e68885b2f8..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/dns/agent/stream/dns.yml.hbs +++ /dev/null @@ -1,43 +0,0 @@ -type: dns -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if include_authorities}} -include_authorities: {{include_authorities}} -{{/if}} -{{#if include_additionals}} -include_additionals: {{include_additionals}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.1.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 70d49c51b6..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing dhcpv4 traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.1.0/data_stream/dns/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/dns/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/dns/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.1.0/data_stream/dns/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/dns/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/dns/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.1.0/data_stream/dns/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/dns/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/dns/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.1.0/data_stream/dns/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/dns/fields/ecs.yml deleted file mode 100755 index e2ea6f338f..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/dns/fields/ecs.yml +++ /dev/null 
@@ -1,200 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - An array containing an object for each answer section returned by the server. - The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. - Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. - name: dns.answers - type: object -- description: The class of DNS data contained in this resource record. - name: dns.answers.class - type: keyword -- description: |- - The data describing the resource. - The meaning of this data depends on the type and class of the resource record. - name: dns.answers.data - type: keyword -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - name: dns.answers.ttl - type: long -- description: The type of data contained in this resource record. 
- name: dns.answers.type - type: keyword -- description: |- - Array of 2 letter DNS header flags. - Expected values are: AA, TC, RD, RA, AD, CD, DO. - name: dns.header_flags - type: keyword -- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - name: dns.id - type: keyword -- description: The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. - name: dns.op_code - type: keyword -- description: The class of records being queried. - name: dns.question.class - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.example.com" is "example.com". - This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - name: dns.question.registered_domain - type: keyword -- description: |- - The subdomain is all of the labels under the registered_domain. - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. - name: dns.question.subdomain - type: keyword -- description: |- - The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
- This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". - name: dns.question.top_level_domain - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - Array containing all IPs seen in `answers.data`. - The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - name: dns.resolved_ip - type: ip -- description: The DNS response code. - name: dns.response_code - type: keyword -- description: |- - The type of DNS event captured, query or answer. - If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. - If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. - name: dns.type - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
- The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.1.0/data_stream/dns/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/dns/fields/protocol.yml deleted file mode 100755 index 28d506b996..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/dns/fields/protocol.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: dns - type: group - fields: - - name: flags.authoritative - type: boolean - description: > - A DNS flag specifying that the responding server is an authority for the domain name used in the question. - - - name: flags.recursion_available - type: boolean - description: > - A DNS flag specifying whether recursive query support is available in the name server. - - - name: flags.recursion_desired - type: boolean - description: > - A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. - - - name: flags.authentic_data - type: boolean - description: > - A DNS flag specifying that the recursive server considers the response authentic. - - - name: flags.checking_disabled - type: boolean - description: > - A DNS flag specifying that the client disables the server signature validation of the query. - - - name: flags.truncated_response - type: boolean - description: > - A DNS flag specifying that only the first 512 bytes of the reply were returned. - - - name: question.etld_plus_one - type: keyword - description: The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. - example: amazon.co.uk. - - name: answers_count - type: long - description: > - The number of resource records contained in the `dns.answers` field. - - - name: authorities - type: object - description: > - An array containing a dictionary for each authority section from the answer. - - - name: authorities_count - type: long - description: > - The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. - - - name: authorities.name - type: keyword - description: The domain name to which this resource record pertains. 
- example: example.com. - - name: authorities.type - type: keyword - description: The type of data contained in this resource record. - example: NS - - name: authorities.class - type: keyword - description: The class of DNS data contained in this resource record. - example: IN - - name: additionals - type: object - description: > - An array containing a dictionary for each additional section from the answer. - - - name: additionals_count - type: long - description: > - The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. - - - name: additionals.name - type: keyword - description: The domain name to which this resource record pertains. - example: example.com. - - name: additionals.type - type: keyword - description: The type of data contained in this resource record. - example: NS - - name: additionals.class - type: keyword - description: The class of DNS data contained in this resource record. - example: IN - - name: additionals.ttl - description: > - The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - - type: long - - name: additionals.data - type: keyword - description: > - The data describing the resource. The meaning of this data depends on the type and class of the resource record. - - - name: opt.version - type: keyword - description: The EDNS version. - example: "0" - - name: opt.do - type: boolean - description: If set, the transaction uses DNSSEC. - - name: opt.ext_rcode - type: keyword - description: Extended response code field. - example: "BADVERS" - - name: opt.udp_size - type: long - description: Requestor's UDP payload size (in bytes). diff --git a/packages/network_traffic/1.1.0/data_stream/dns/manifest.yml b/packages/network_traffic/1.1.0/data_stream/dns/manifest.yml deleted file mode 100755 index cc5476bfad..0000000000 
--- a/packages/network_traffic/1.1.0/data_stream/dns/manifest.yml
+++ /dev/null
@@ -1,95 +0,0 @@ -title: DNS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [53] - - name: include_authorities - type: bool - title: Include Authorities - description: |- - include_authorities controls whether or not the dns.authorities field - (authority resource records) is added to messages. - Default: false - show_user: false - multi: false - required: false - - name: include_additionals - type: bool - title: Include Additionals - description: |- - include_additionals controls whether or not the dns.additionals field - (additional resource records) is added to messages. - Default: false - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - send_request controls whether or not the stringified DNS - request messages are added to the result. - Nearly all data about the request/response is available in the dns.* - fields, but this can be useful if you need visibility specifically - into the request or the response. - Default: false - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - send_response controls whether or not the stringified DNS - response messages are added to the result. - Nearly all data about the request/response is available in the dns.* - fields, but this can be useful if you need visibility specifically - into the request or the response. - Default: false - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. 
- show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: DNS - description: Capture DNS Traffic - template_path: dns.yml.hbs diff --git a/packages/network_traffic/1.1.0/data_stream/dns/sample_event.json b/packages/network_traffic/1.1.0/data_stream/dns/sample_event.json deleted file mode 100755 index 476a880555..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,158 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:48:42.751Z",
- "agent": {
- "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 28,
- "ip": "192.168.238.68",
- "port": 53765
- },
- "data_stream": {
- "dataset": "network_traffic.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 167,
- "ip": "8.8.8.8",
- "port": 53
- },
- "dns": {
- "additionals_count": 0,
- "answers": [
- {
- "class": "IN",
- "data": "ns-1183.awsdns-19.org",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- },
- {
- "class": "IN",
- "data": "ns-2007.awsdns-58.co.uk",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- },
- {
- "class": "IN",
- "data": "ns-66.awsdns-08.com",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- },
- {
- "class": "IN",
- "data": "ns-835.awsdns-40.net",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- }
- ],
- "answers_count": 4,
- "authorities_count": 0,
- "flags": {
- "authentic_data": false,
- "authoritative": false,
- "checking_disabled": false,
- "recursion_available": true,
- "recursion_desired": true,
- "truncated_response": false
- },
- "header_flags": [
- "RD",
- "RA"
- ],
- "id": 26187,
- "op_code": "QUERY",
- "question": {
- "class": "IN",
- "etld_plus_one": "elastic.co",
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "NS"
- },
- "response_code": "NOERROR",
- "type": "answer"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.dns",
- "duration": 68515700,
- "end": "2022-03-09T07:48:42.819Z",
- "ingested": "2022-03-09T07:48:43Z",
- "kind": "event",
- "start": 
"2022-03-09T07:48:42.751Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "QUERY",
- "network": {
- "bytes": 195,
- "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=",
- "direction": "unknown",
- "protocol": "dns",
- "transport": "udp",
- "type": "ipv4"
- },
- "query": "class IN, type NS, elastic.co",
- "related": {
- "ip": [
- "192.168.238.68",
- "8.8.8.8"
- ]
- },
- "resource": "elastic.co",
- "server": {
- "bytes": 167,
- "ip": "8.8.8.8",
- "port": 53
- },
- "source": {
- "bytes": 28,
- "ip": "192.168.238.68",
- "port": 53765
- },
- "status": "OK",
- "type": "dns"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.1.0/data_stream/flow/agent/stream/flow.yml.hbs b/packages/network_traffic/1.1.0/data_stream/flow/agent/stream/flow.yml.hbs
deleted file mode 100755
index 8759e465b3..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/flow/agent/stream/flow.yml.hbs
+++ /dev/null
@@ -1,15 +0,0 @@
-type: flow
-{{#if timeout}}
-flows.timeout: '{{timeout}}'
-{{/if}}
-{{#if period}}
-flows.period: '{{period}}'
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.1.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 8a45c554fd..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-description: Pipeline for processing traffic flows
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.1.0/data_stream/flow/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/flow/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/flow/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.1.0/data_stream/flow/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/flow/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/flow/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.1.0/data_stream/flow/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/flow/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/flow/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.1.0/data_stream/flow/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/flow/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/flow/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.1.0/data_stream/flow/manifest.yml b/packages/network_traffic/1.1.0/data_stream/flow/manifest.yml deleted file mode 100755
index 4f455c6f25..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/flow/manifest.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Flows
-release: beta
-type: logs
-streams:
- - input: packet
- title: Flows
- description: Track Network Flows
- template_path: flow.yml.hbs
- vars:
- - name: period
- type: text
- title: Period
- required: false
- show_user: false
- description: Configure the reporting interval. All flows are reported at the very same point in time. Periodical reporting can be disabled by setting the value to -1. If disabled, flows are still reported once being timed out.
- default: '10s'
- - name: timeout
- type: text
- title: Flow timeout
- description: Timeout configures the lifetime of a flow. If no packets have been received for a flow within the timeout time window, the flow is killed and reported.
- required: false
- show_user: false
- default: '30s'
diff --git a/packages/network_traffic/1.1.0/data_stream/http/agent/stream/http.yml.hbs b/packages/network_traffic/1.1.0/data_stream/http/agent/stream/http.yml.hbs deleted file mode 100755
index 4c2aecad10..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/http/agent/stream/http.yml.hbs
+++ /dev/null
@@ -1,85 +0,0 @@
-type: http
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if hide_keywords}}
-hide_keywords:
-{{#each hide_keywords as |hide_keyword|}}
- - {{hide_keyword}}
-{{/each}}
-{{/if}}
-{{#if send_headers}}
-send_headers: {{send_headers}}
-{{/if}}
-{{#if send_all_headers}}
-send_all_headers: {{send_all_headers}}
-{{/if}}
-{{#if redact_headers}}
-redact_headers:
-{{#each redact_headers as |redact_header|}}
- - {{redact_header}}
-{{/each}}
-{{/if}}
-{{#if include_body_for}}
-include_body_for:
-{{#each include_body_for as |include_body_for_elem|}}
- - {{include_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if include_request_body_for}}
-include_request_body_for:
-{{#each include_request_body_for as |include_request_body_for_elem|}}
- - {{include_request_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if include_response_body_for}}
-include_response_body_for:
-{{#each include_response_body_for as |include_response_body_for_elem|}}
- - {{include_response_body_for_elem}}
-{{/each}}
-{{/if}}
-{{#if decode_body}}
-decode_body: {{decode_body}}
-{{/if}}
-{{#if split_cookie}}
-split_cookie: {{split_cookie}}
-{{/if}}
-{{#if real_ip_header}}
-real_ip_header: {{real_ip_header}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if max_message_size}}
-max_message_size: {{max_message_size}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.1.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755
index e0cbf2bf88..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/http/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing http traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.1.0/data_stream/http/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/http/fields/agent.yml deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/http/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.1.0/data_stream/http/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/http/fields/base.yml deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/http/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.1.0/data_stream/http/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/http/fields/beats.yml deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/http/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.1.0/data_stream/http/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/http/fields/ecs.yml deleted file mode 100755 index d003c7093e..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/http/fields/ecs.yml +++ /dev/null 
@@ -1,203 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: Total size in bytes of the request (body and headers). 
- name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: HTTP version. - name: http.version - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. 
This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: |- - Domain of the url, such as "www.elastic.co". 
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword 
diff --git a/packages/network_traffic/1.1.0/data_stream/http/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/http/fields/protocol.yml deleted file mode 100755
index 51b73ae344..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/http/fields/protocol.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: http
- type: group
- description: Information about the HTTP request and response.
- fields:
- - name: request
- description: HTTP request
- type: group
- fields:
- - name: headers
- type: flattened
- description: >
- A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
-
- - name: response
- description: HTTP response
- type: group
- fields:
- - name: status_phrase
- type: keyword
- description: The HTTP status phrase.
- example: Not Found
- - name: headers
- type: flattened
- description: >
- A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
-
diff --git a/packages/network_traffic/1.1.0/data_stream/http/manifest.yml b/packages/network_traffic/1.1.0/data_stream/http/manifest.yml deleted file mode 100755
index f16188331c..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/http/manifest.yml
+++ /dev/null
@@ -1,173 +0,0 @@ -title: HTTP -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [80, 8080, 8000, 5000, 8002] - - name: hide_keywords - type: text - title: Hide Keywords - description: |- - Uncomment the following to hide certain parameters in URL or forms attached - to HTTP requests. The names of the parameters are case insensitive. - The value of the parameters will be replaced with the 'xxxxx' string. - This is generally useful for avoiding storing user passwords or other - sensitive information. - Only query parameters and top level form parameters are replaced. - show_user: false - multi: true - required: false - - name: send_headers - type: bool - title: Send Headers - description: |- - A list of header names to capture and send to Elasticsearch. These headers - are placed under the `headers` dictionary in the resulting JSON. - show_user: false - multi: false - required: false - - name: send_all_headers - type: bool - title: Send All Headers - description: |- - Instead of sending a white list of headers to Elasticsearch, you can send - all headers by setting this option to true. The default is false. - show_user: false - multi: false - required: false - - name: redact_headers - type: text - title: Redact Headers - description: |- - A list of headers to redact if present in the HTTP request. This will keep - the header field present, but will redact it's value to show the headers - presence. - show_user: false - multi: true - required: false - - name: include_body_for - type: text - title: Include Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - payload. 
If the request's or response's Content-Type matches any on this - list, the full body will be included under the request or response field. - show_user: false - multi: true - required: false - - name: include_request_body_for - type: text - title: Include Request Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - request payload. - show_user: false - multi: true - required: false - - name: include_response_body_for - type: text - title: Include Response Body For - description: |- - The list of content types for which Packetbeat includes the full HTTP - response payload. - show_user: false - multi: true - required: false - - name: decode_body - type: bool - title: Decode Body - description: |- - Whether the body of a request must be decoded when a content-encoding - or transfer-encoding has been applied. - show_user: false - multi: false - required: false - - name: split_cookie - type: bool - title: Split Cookie - description: |- - If the Cookie or Set-Cookie headers are sent, this option controls whether - they are split into individual values. - show_user: false - multi: false - required: false - - name: real_ip_header - type: bool - title: Real Ip Header - description: |- - The header field to extract the real IP from. This setting is useful when - you want to capture traffic behind a reverse proxy, but you want to get the - geo-location information. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. 
- show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: max_message_size - type: integer - title: Max Message Size - description: |- - Maximum message size. If an HTTP message is larger than this, it will - be trimmed to this size. Default is 10 MB. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: HTTP - description: Capture HTTP Traffic - template_path: http.yml.hbs diff --git a/packages/network_traffic/1.1.0/data_stream/http/sample_event.json b/packages/network_traffic/1.1.0/data_stream/http/sample_event.json deleted file mode 100755 index f07301394b..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/http/sample_event.json +++ /dev/null 
@@ -1,139 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:54:42.031Z",
- "agent": {
- "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "data_stream": {
- "dataset": "network_traffic.http",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.http",
- "duration": 141490400,
- "end": "2022-03-09T07:54:42.172Z",
- "ingested": "2022-03-09T07:54:43Z",
- "kind": "event",
- "start": "2022-03-09T07:54:42.031Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "http": {
- "request": {
- "body": {
- "bytes": 55
- },
- "bytes": 211,
- "headers": {
- "content-length": 55,
- "content-type": "application/x-www-form-urlencoded"
- },
- "method": "POST"
- },
- "response": {
- "body": {
- "bytes": 8936
- },
- "bytes": 9108,
- "headers": {
- "content-length": 8936,
- "content-type": "text/html; charset=utf-8"
- },
- "status_code": 404,
- "status_phrase": "not found"
- },
- "version": "1.1"
- },
- "method": "POST",
- "network": {
- "bytes": 9319,
- "community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=",
- "direction": "unknown",
- "protocol": "http",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "POST /register",
- "related": {
- "hosts": [
- "packetbeat.com"
- ],
- "ip": [
- "192.168.238.50",
- "107.170.1.22"
- ]
- },
- "server": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "source": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "status": "Error",
- "type": "http",
- "url": {
- "domain": "packetbeat.com",
- "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica",
- "path": "/register",
- "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica",
- "scheme": "http"
- },
- "user_agent": {
- "original": "curl/7.37.1"
- }
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.1.0/data_stream/icmp/agent/stream/icmp.yml.hbs b/packages/network_traffic/1.1.0/data_stream/icmp/agent/stream/icmp.yml.hbs
deleted file mode 100755
index f550ca79fa..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/icmp/agent/stream/icmp.yml.hbs
+++ /dev/null
@@ -1,22 +0,0 @@
-type: icmp
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.1.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 1ae74a0692..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/icmp/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing icmp traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.1.0/data_stream/icmp/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/icmp/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/icmp/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.1.0/data_stream/icmp/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/icmp/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/icmp/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.1.0/data_stream/icmp/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/icmp/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/icmp/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.1.0/data_stream/icmp/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/icmp/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/icmp/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.1.0/data_stream/icmp/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/icmp/fields/protocol.yml
deleted file mode 100755
index 5aef1deaf4..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/icmp/fields/protocol.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-- name: icmp
- type: group
- fields:
- - name: version
- type: long
- description: The version of the ICMP protocol.
- possible_values:
- - 4
- - 6
- - name: request.message
- type: keyword
- description: A human readable form of the request.
- - name: request.type
- type: long
- description: The request type.
- - name: request.code
- type: long
- description: The request code.
- - name: response.message
- type: keyword
- description: A human readable form of the response.
- - name: response.type
- type: long
- description: The response type.
- - name: response.code
- type: long
- description: The response code.
diff --git a/packages/network_traffic/1.1.0/data_stream/icmp/manifest.yml b/packages/network_traffic/1.1.0/data_stream/icmp/manifest.yml
deleted file mode 100755
index ca911dc8e0..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/icmp/manifest.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: ICMP
-release: beta
-type: logs
-streams:
- - input: packet
- title: ICMP
- description: Capture ICMP Traffic
- template_path: icmp.yml.hbs
- vars:
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
diff --git a/packages/network_traffic/1.1.0/data_stream/icmp/sample_event.json b/packages/network_traffic/1.1.0/data_stream/icmp/sample_event.json
deleted file mode 100755
index 6dfd5d97d4..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/icmp/sample_event.json
+++ /dev/null
@@ -1,104 +0,0 @@
-{
- "@timestamp": "2022-03-09T07:57:32.766Z",
- "agent": {
- "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 4,
- "ip": "::1"
- },
- "data_stream": {
- "dataset": "network_traffic.icmp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 4,
- "ip": "::2"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.icmp",
- "duration": 13336600,
- "end": "2022-03-09T07:57:32.779Z",
- "ingested": "2022-03-09T07:57:36Z",
- "kind": "event",
- "start": "2022-03-09T07:57:32.766Z",
- "type": [
- "connection"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "icmp": {
- "request": {
- "code": 0,
- "message": "EchoRequest",
- "type": 128
- },
- "response": {
- "code": 0,
- "message": "EchoReply",
- "type": 129
- },
- "version": 6
- },
- "network": {
- "bytes": 8,
- "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=",
- "direction": "egress",
- "transport": "ipv6-icmp",
- "type": "ipv6"
- },
- "path": "::2",
- "related": {
- "ip": [
- "::1",
- "::2"
- ]
- },
- "server": {
- "bytes": 4,
- "ip": "::2"
- },
- "source": {
- "bytes": 4,
- "ip": "::1"
- },
- "status": "OK",
- "type": "icmp"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.1.0/data_stream/memcached/agent/stream/memcached.yml.hbs b/packages/network_traffic/1.1.0/data_stream/memcached/agent/stream/memcached.yml.hbs
deleted file mode 100755
index 136c8ad877..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/memcached/agent/stream/memcached.yml.hbs
+++ /dev/null
@@ -1,49 +0,0 @@
-type: memcache
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if parseunknown}}
-parseunknown: {{parseunknown}}
-{{/if}}
-{{#if maxvalues}}
-maxvalues: {{maxvalues}}
-{{/if}}
-{{#if maxbytespervalue}}
-maxbytespervalue: {{maxbytespervalue}}
-{{/if}}
-{{#if udptransactiontimeout}}
-udptransactiontimeout: {{udptransactiontimeout}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.1.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 79d3c2cf54..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/memcached/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing memcached traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.1.0/data_stream/memcached/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/memcached/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/memcached/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.1.0/data_stream/memcached/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/memcached/fields/base.yml deleted file mode 100755 index 0d1791ffed..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/memcached/fields/base.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/network_traffic/1.1.0/data_stream/memcached/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/memcached/fields/beats.yml deleted file mode 100755 index d23ddc749e..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/memcached/fields/beats.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.1.0/data_stream/memcached/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/memcached/fields/ecs.yml deleted file mode 100755 index 7638afce57..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/memcached/fields/ecs.yml +++ /dev/null 
@@ -1,136 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.1.0/data_stream/memcached/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/memcached/fields/protocol.yml deleted file mode 100755 index 4d1c281dde..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/memcached/fields/protocol.yml +++ /dev/null 
@@ -1,215 +0,0 @@ -- name: memcache - type: group - fields: - - name: protocol_type - type: keyword - description: > - The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. - - - name: request.line - type: keyword - description: > - The raw command line for unknown commands ONLY. - - - name: request.command - type: keyword - description: > - The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. - - - name: response.command - type: keyword - description: > - Either the text based protocol response message type or the name of the originating request if binary protocol is used. - - - name: request.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". - - - name: response.type - type: keyword - description: > - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). - - - name: response.error_msg - type: keyword - description: > - The optional error message in the memcache response (text based protocol only). - - - name: request.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: response.opcode - type: keyword - description: > - The binary protocol message opcode name. - - - name: request.opcode_value - type: long - description: > - The binary protocol message opcode value. 
- - - name: response.opcode_value - type: long - description: > - The binary protocol message opcode value. - - - name: request.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: response.opaque - type: long - description: > - The binary protocol opaque header value used for correlating request with response messages. - - - name: request.vbucket - type: long - description: > - The vbucket index sent in the binary message. - - - name: response.status - type: keyword - description: > - The textual representation of the response error code (binary protocol only). - - - name: response.status_code - type: long - description: > - The status code value returned in the response (binary protocol only). - - - name: request.keys - type: array - description: > - The list of keys sent in the store or load commands. - - - name: response.keys - type: array - description: > - The list of keys returned for the load command (if present). - - - name: request.count_values - type: long - description: > - The number of values found in the memcache request message. If the command does not send any data, this field is missing. - - - name: response.count_values - type: long - description: > - The number of values found in the memcache response message. If the command does not send any data, this field is missing. - - - name: request.values - type: array - description: > - The list of base64 encoded values sent with the request (if present). - - - name: response.values - type: array - description: > - The list of base64 encoded values sent with the response (if present). - - - name: request.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. - - - name: response.bytes - type: long - format: bytes - description: > - The byte count of the values being transferred. 
- - - name: request.delta - type: long - description: > - The counter increment/decrement delta value. - - - name: request.initial - type: long - description: > - The counter increment/decrement initial value parameter (binary protocol only). - - - name: request.verbosity - type: long - description: > - The value of the memcache "verbosity" command. - - - name: request.raw_args - type: keyword - description: > - The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. - - - name: request.source_class - type: long - description: > - The source class id in 'slab reassign' command. - - - name: request.dest_class - type: long - description: > - The destination class id in 'slab reassign' command. - - - name: request.automove - type: keyword - description: > - The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. - - - name: request.flags - type: long - description: > - The memcache command flags sent in the request (if present). - - - name: response.flags - type: long - description: > - The memcache message flags sent in the response (if present). - - - name: request.exptime - type: long - description: > - The data expiry time in seconds sent with the memcache command (if present). If the value is `< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). - - - name: request.sleep_us - type: long - description: > - The sleep setting in microseconds for the 'lru_crawler sleep' command. - - - name: response.value - type: long - description: > - The counter value returned by a counter operation. - - - name: request.noreply - type: boolean - description: > - Set to true if noreply was set in the request. The `memcache.response` field will be missing. 
- - - name: request.quiet - type: boolean - description: > - Set to true if the binary protocol message is to be treated as a quiet message. - - - name: request.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier if present. - - - name: response.cas_unique - type: long - description: > - The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). - - - name: response.stats - type: array - description: > - The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". - - - name: response.version - type: keyword - description: > - The returned memcache version string. - diff --git a/packages/network_traffic/1.1.0/data_stream/memcached/manifest.yml b/packages/network_traffic/1.1.0/data_stream/memcached/manifest.yml deleted file mode 100755 index 9120331b9d..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/memcached/manifest.yml +++ /dev/null 
@@ -1,116 +0,0 @@ -title: Memcached -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [11211] - - name: parseunknown - type: bool - title: Parseunknown - description: |- - Uncomment the parseunknown option to force the memcache text protocol parser - to accept unknown commands. - Note: All unknown commands MUST not contain any data parts! - Default: false - show_user: false - multi: false - required: false - - name: maxvalues - type: integer - title: Maxvalues - description: |- - Update the maxvalue option to store the values - base64 encoded - in the - json output. - possible values: - maxvalue: -1 store all values (text based protocol multi-get) - maxvalue: 0 store no values at all - maxvalue: N store up to N values - Default: 0 - show_user: false - multi: false - required: false - - name: maxbytespervalue - type: integer - title: Maxbytespervalue - description: |- - Use maxbytespervalue to limit the number of bytes to be copied per value element. - Note: Values will be base64 encoded, so actual size in json document - will be 4 times maxbytespervalue. - Default: unlimited - show_user: false - multi: false - required: false - - name: udptransactiontimeout - type: integer - title: Udptransactiontimeout - description: |- - UDP transaction timeout in milliseconds. - Note: Quiet messages in UDP binary protocol will get response only in error case. - The memcached analyzer will wait for udptransactiontimeout milliseconds - before publishing quiet messages. Non quiet messages or quiet requests with - error response will not have to wait for the timeout. 
- Default: 200 - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Memcached - description: Capture Memcached Traffic - template_path: memcached.yml.hbs diff --git a/packages/network_traffic/1.1.0/data_stream/memcached/sample_event.json b/packages/network_traffic/1.1.0/data_stream/memcached/sample_event.json deleted file mode 100755 index 4b4dc284f8..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/memcached/sample_event.json +++ /dev/null 
@@ -1,112 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:09:26.564Z",
- "agent": {
- "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "ip": "192.168.188.37",
- "port": 65195
- },
- "data_stream": {
- "dataset": "network_traffic.memcached",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.memcached",
- "ingested": "2022-03-09T08:09:37Z",
- "kind": "event",
- "start": "2022-03-09T08:09:26.564Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "event.action": "memcache.store",
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "memcache": {
- "protocol_type": "binary",
- "request": {
- "bytes": 1024,
- "command": "set",
- "count_values": 1,
- "exptime": 0,
- "flags": 0,
- "keys": [
- "test_key"
- ],
- "opaque": 65536,
- "opcode": "SetQ",
- "opcode_value": 17,
- "quiet": true,
- "type": "Store",
- "vbucket": 0
- }
- },
- "network": {
- "bytes": 1064,
- "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=",
- "direction": "unknown",
- "protocol": "memcache",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.188.37",
- "192.168.188.38"
- ]
- },
- "server": {
- "bytes": 1064,
- "ip": "192.168.188.38",
- "port": 11211
- }, - "source": { - "ip": "192.168.188.37", - "port": 65195 - }, - "status": "OK", - "type": "memcache" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs b/packages/network_traffic/1.1.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs deleted file mode 100755 index fe92042bcc..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/mongodb/agent/stream/mongodb.yml.hbs +++ /dev/null @@ -1,43 +0,0 @@ -type: mongodb -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if max_docs}} -max_docs: {{max_docs}} -{{/if}} -{{#if max_doc_length}} -max_doc_length: {{max_doc_length}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.1.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 53b9f4a0df..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/mongodb/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing mongodb traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.1.0/data_stream/mongodb/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/mongodb/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/mongodb/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.1.0/data_stream/mongodb/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/mongodb/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/mongodb/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.1.0/data_stream/mongodb/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/mongodb/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/mongodb/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.1.0/data_stream/mongodb/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/mongodb/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/mongodb/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.1.0/data_stream/mongodb/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/mongodb/fields/protocol.yml deleted file mode 100755 index a84465c61e..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/mongodb/fields/protocol.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -- name: mongodb - type: group - fields: - - name: error - type: keyword - description: > - If the MongoDB request has resulted in an error, this field contains the error message returned by the server. - - - name: fullCollectionName - type: keyword - description: > - The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. - - - name: numberToSkip - type: long - description: > - Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. - - - name: numberToReturn - type: long - description: > - The requested maximum number of documents to be returned. - - - name: numberReturned - type: long - description: > - The number of documents in the reply. - - - name: startingFrom - type: keyword - description: > - Where in the cursor this reply is starting. - - - name: query - type: keyword - description: > - A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. - - - name: returnFieldsSelector - type: keyword - description: > - A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. - - - name: selector - type: keyword - description: > - A BSON document that specifies the query for selecting the document to update or delete. - - - name: update - type: keyword - description: > - A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. 
- - - name: cursorId - type: keyword - description: > - The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. - diff --git a/packages/network_traffic/1.1.0/data_stream/mongodb/manifest.yml b/packages/network_traffic/1.1.0/data_stream/mongodb/manifest.yml deleted file mode 100755 index 0ff11578a2..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/mongodb/manifest.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -title: MongoDB -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [27017] - - name: max_docs - type: integer - title: Max Docs - description: |- - The maximum number of documents from the response to index in the `response` - field. The default is 10. - show_user: false - multi: false - required: false - - name: max_doc_length - type: integer - title: Max Doc Length - description: |- - The maximum number of characters in a single document indexed in the - `response` field. The default is 5000. You can set this to 0 to index an - unlimited number of characters per document. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. 
- show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: MongoDB - description: Capture MongoDB Traffic - template_path: mongodb.yml.hbs diff --git a/packages/network_traffic/1.1.0/data_stream/mongodb/sample_event.json b/packages/network_traffic/1.1.0/data_stream/mongodb/sample_event.json deleted file mode 100755 index 4cfd576e4c..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/mongodb/sample_event.json +++ /dev/null 
@@ -1,106 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:15:48.570Z",
- "agent": {
- "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 50,
- "ip": "127.0.0.1",
- "port": 57203
- },
- "data_stream": {
- "dataset": "network_traffic.mongodb",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.mongodb",
- "duration": 1365900,
- "end": "2022-03-09T08:15:48.571Z",
- "ingested": "2022-03-09T08:15:49Z",
- "kind": "event",
- "start": "2022-03-09T08:15:48.570Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "find",
- "mongodb": {
- "cursorId": 0,
- "fullCollectionName": "test.restaurants",
- "numberReturned": 1,
- "numberToReturn": 1,
- "numberToSkip": 0,
- "startingFrom": 0
- },
- "network": {
- "bytes": 564,
- "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=",
- "direction": "ingress",
- "protocol": "mongodb",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "test.restaurants.find().limit(1)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "resource": "test.restaurants",
- "server": {
- "bytes": 514,
- "ip": "127.0.0.1",
- "port": 27017
- },
- "source": {
- "bytes": 50,
-
"ip": "127.0.0.1", - "port": 57203 - }, - "status": "OK", - "type": "mongodb" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/data_stream/mysql/agent/stream/mysql.yml.hbs b/packages/network_traffic/1.1.0/data_stream/mysql/agent/stream/mysql.yml.hbs deleted file mode 100755 index 85b82a47b3..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/mysql/agent/stream/mysql.yml.hbs +++ /dev/null @@ -1,37 +0,0 @@ -type: mysql -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.1.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 23ad4ad9d5..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing mysql traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.1.0/data_stream/mysql/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/mysql/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/mysql/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.1.0/data_stream/mysql/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/mysql/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/mysql/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.1.0/data_stream/mysql/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/mysql/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/mysql/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.1.0/data_stream/mysql/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/mysql/fields/ecs.yml
deleted file mode 100755
index 45c65d5b8a..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/mysql/fields/ecs.yml
+++ /dev/null
@@ -1,123 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.1.0/data_stream/mysql/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/mysql/fields/protocol.yml
deleted file mode 100755
index 64675f8d8e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/mysql/fields/protocol.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-- name: mysql
- type: group
- fields:
- - name: affected_rows
- type: long
- description: >
- If the MySQL command is successful, this field contains the affected number of rows of the last statement.
-
- - name: insert_id
- type: keyword
- description: >
- If the INSERT query is successful, this field contains the id of the newly inserted row.
-
- - name: num_fields
- type: long
- description: >
- If the SELECT query is successful, this field is set to the number of fields returned.
-
- - name: num_rows
- type: long
- description: >
- If the SELECT query is successful, this field is set to the number of rows returned.
-
- - name: query
- type: keyword
- description: >
- The row mysql query as read from the transaction's request.
-
- - name: error_code
- type: long
- description: >
- The error code returned by MySQL.
-
- - name: error_message
- type: keyword
- description: >
- The error info message returned by MySQL.
-
diff --git a/packages/network_traffic/1.1.0/data_stream/mysql/manifest.yml b/packages/network_traffic/1.1.0/data_stream/mysql/manifest.yml
deleted file mode 100755
index c4655854f0..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/mysql/manifest.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-title: MySQL
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [3306, 3307]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: MySQL
- description: Capture MySQL Traffic
- template_path: mysql.yml.hbs
diff --git a/packages/network_traffic/1.1.0/data_stream/mysql/sample_event.json b/packages/network_traffic/1.1.0/data_stream/mysql/sample_event.json
deleted file mode 100755
index 2c33116053..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/mysql/sample_event.json
+++ /dev/null
@@ -1,104 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:20:44.667Z",
- "agent": {
- "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 23,
- "ip": "127.0.0.1",
- "port": 41517
- },
- "data_stream": {
- "dataset": "network_traffic.mysql",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 3629,
- "ip": "127.0.0.1",
- "port": 3306
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.mysql",
- "duration": 5532500,
- "end": "2022-03-09T08:20:44.673Z",
- "ingested": "2022-03-09T08:20:45Z",
- "kind": "event",
- "start": "2022-03-09T08:20:44.667Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SELECT",
- "mysql": {
- "affected_rows": 0,
- "insert_id": 0,
- "num_fields": 3,
- "num_rows": 15
- },
- "network": {
- "bytes": 3652,
- "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=",
- "direction": "ingress",
- "protocol": "mysql",
- "transport": "tcp",
- "type": "ipv4"
- },
- "path": "test.test",
- "query": "select * from test",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 3629,
- "ip": "127.0.0.1",
- "port": 3306
- },
- "source": {
- "bytes": 23,
- "ip": "127.0.0.1",
- "port": 41517
- },
- "status": "OK",
- "type": "mysql"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.1.0/data_stream/nfs/agent/stream/nfs.yml.hbs b/packages/network_traffic/1.1.0/data_stream/nfs/agent/stream/nfs.yml.hbs
deleted file mode 100755
index c8349a7bcb..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/nfs/agent/stream/nfs.yml.hbs
+++ /dev/null
@@ -1,37 +0,0 @@
-type: nfs
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.1.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index cd66758ed4..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/nfs/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing nfs traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.1.0/data_stream/nfs/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/nfs/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/nfs/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.1.0/data_stream/nfs/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/nfs/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/nfs/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.1.0/data_stream/nfs/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/nfs/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/nfs/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.1.0/data_stream/nfs/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/nfs/fields/ecs.yml deleted file mode 100755 index 2b26a193f9..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/nfs/fields/ecs.yml +++ /dev/null 
@@ -1,144 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: |- - The domain name of the client system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: client.domain - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. 
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Unique identifier for the group on the system/platform. 
- name: group.id - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. 
- name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Unique identifier of the user. - name: user.id - type: keyword diff --git a/packages/network_traffic/1.1.0/data_stream/nfs/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/nfs/fields/protocol.yml deleted file mode 100755 index 4bcf6fecec..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/nfs/fields/protocol.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -- name: nfs - type: group - fields: - - name: version - type: long - description: NFS protocol version number. - - name: minor_version - type: long - description: NFS protocol minor version number. - - name: tag - type: keyword - description: NFS v4 COMPOUND operation tag. - - name: opcode - type: keyword - description: > - NFS operation name, or main operation name, in case of COMPOUND calls. - - - name: status - type: keyword - description: NFS operation reply status. -- name: rpc - type: group - description: ONC RPC specific event fields. - fields: - - name: xid - type: keyword - description: RPC message transaction identifier. - - name: status - type: keyword - description: RPC message reply status. - - name: auth_flavor - type: keyword - description: RPC authentication flavor. - - name: cred.uid - type: long - description: RPC caller's user id, in case of auth-unix. - - name: cred.gid - type: long - description: RPC caller's group id, in case of auth-unix. - - name: cred.gids - type: long - description: RPC caller's secondary group ids, in case of auth-unix. - - name: cred.stamp - type: long - description: Arbitrary ID which the caller machine may generate. - - name: cred.machinename - type: keyword - description: The name of the caller's machine. diff --git a/packages/network_traffic/1.1.0/data_stream/nfs/manifest.yml b/packages/network_traffic/1.1.0/data_stream/nfs/manifest.yml deleted file mode 100755 index 4e5323fa1e..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/nfs/manifest.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -title: NFS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [2049] - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: NFS - description: Capture NFS Traffic - template_path: nfs.yml.hbs 
diff --git a/packages/network_traffic/1.1.0/data_stream/nfs/sample_event.json b/packages/network_traffic/1.1.0/data_stream/nfs/sample_event.json
deleted file mode 100755
index de4b4525e0..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/nfs/sample_event.json
+++ /dev/null
@@ -1,123 +0,0 @@ -{ - "@timestamp": "2022-03-09T08:24:00.569Z", - "agent": { - "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "data_stream": { - "dataset": "network_traffic.nfs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "nfs.CLOSE", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.nfs", - "duration": 6573500, - "end": "2022-03-09T08:24:00.575Z", - "ingested": "2022-03-09T08:24:01Z", - "kind": "event", - "start": "2022-03-09T08:24:00.569Z", - "type": [ - "connection", - "protocol" - ] - }, - "group.id": 48, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "host.hostname": "desycloud03.desy.de", - "network": { - "bytes": 384, - "community_id": "1:cd5eLXemAsSPMdXwCbdDUWWud4M=", - "direction": "unknown", - "protocol": "nfsv4", - "transport": "tcp", - "type": "ipv4" - }, - "nfs": { - "minor_version": 1, - "opcode": "CLOSE", - "status": "NFS_OK", - "tag": "", - "version": 4 - }, - "related": { - "ip": [ - "131.169.5.156", - "131.169.192.35" - ] - }, - "rpc": { - "auth_flavor": "unix", - "cred": { - "gid": 48, - "gids": [ - 48 - ], - "machinename": "desycloud03.desy.de", - 
"stamp": 4308441, - "uid": 48 - }, - "status": "success", - "xid": "c3103fc1" - }, - "server": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "source": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "status": "OK", - "type": "nfs", - "user.id": 48 -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs b/packages/network_traffic/1.1.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs deleted file mode 100755 index 8680c36b1a..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/pgsql/agent/stream/pgsql.yml.hbs +++ /dev/null @@ -1,37 +0,0 @@ -type: pgsql -{{#if port}} -ports: -{{#each port as |p|}} - - {{p}} -{{/each}} -{{/if}} -{{#if send_request}} -send_request: {{send_request}} -{{/if}} -{{#if send_response}} -send_response: {{send_response}} -{{/if}} -{{#if keep_null}} -keep_null: {{keep_null}} -{{/if}} -{{#if transaction_timeout}} -transaction_timeout: {{transaction_timeout}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} -{{#if tags}} -tags: -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{/if}} -{{#if interface}} -interface: -{{#if (contains ".pcap" interface)}} - file: {{interface}} -{{else}} - device: {{interface}} -{{/if}} -{{/if}} diff --git a/packages/network_traffic/1.1.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 7bd75120a7..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/pgsql/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -description: Pipeline for processing pgsql traffic -processors: -- set: - field: ecs.version - value: 8.2.0 -## -# Set host.mac to dash separated upper case value -# as per ECS recommendation -## -- gsub: - field: host.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- gsub: - field: host.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: host.mac - ignore_missing: true -- script: - description: Remove invalid "network_traffic" term added by packetbeat prior to v8. - # This string-based comparison is valid while versions are below v10.x. - if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' - lang: painless - source: > - if (ctx.event?.category != null) { - for (int i=ctx.event.category.length-1; i>=0; i--) { - if (ctx.event.category[i] == "network_traffic") { - ctx.event.category.remove(i); - } - } - } - -on_failure: -- set: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/packages/network_traffic/1.1.0/data_stream/pgsql/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/pgsql/fields/agent.yml deleted file mode 100755 index a55e9f71b3..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/pgsql/fields/agent.yml +++ /dev/null 
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.1.0/data_stream/pgsql/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/pgsql/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/pgsql/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type - type: constant_keyword - description: Data stream type.
-- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset.
-- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace.
-- name: "@timestamp" - type: date - description: Event timestamp.
diff --git a/packages/network_traffic/1.1.0/data_stream/pgsql/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/pgsql/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/pgsql/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.1.0/data_stream/pgsql/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/pgsql/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/pgsql/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.1.0/data_stream/pgsql/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/pgsql/fields/protocol.yml
deleted file mode 100755
index 4fd03e12cb..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/pgsql/fields/protocol.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: pgsql
- type: group
- fields:
- - name: error_code
- description: The PostgreSQL error code.
- type: keyword
- - name: error_message
- type: keyword
- description: The PostgreSQL error message.
- - name: error_severity
- type: keyword
- description: The PostgreSQL error severity.
- possible_values:
- - ERROR
- - FATAL
- - PANIC
- - name: num_fields
- type: long
- description: >
- If the SELECT query if successful, this field is set to the number of fields returned.
-
- - name: num_rows
- type: long
- description: >
- If the SELECT query if successful, this field is set to the number of rows returned.
-
diff --git a/packages/network_traffic/1.1.0/data_stream/pgsql/manifest.yml b/packages/network_traffic/1.1.0/data__stream/pgsql/manifest.yml
deleted file mode 100755
index eb205cd837..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/pgsql/manifest.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-title: PostgreSQL
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [5432]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: PostgreSQL
- description: Capture PostgreSQL Traffic
- template_path: pgsql.yml.hbs
diff --git a/packages/network_traffic/1.1.0/data_stream/pgsql/sample_event.json b/packages/network_traffic/1.1.0/data_stream/pgsql/sample_event.json
deleted file mode 100755
index 462f734f42..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/pgsql/sample_event.json
+++ /dev/null
@@ -1,101 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:29:39.675Z",
- "agent": {
- "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 34,
- "ip": "127.0.0.1",
- "port": 34936
- },
- "data_stream": {
- "dataset": "network_traffic.pgsql",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 3186,
- "ip": "127.0.0.1",
- "port": 5432
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.pgsql",
- "duration": 2568100,
- "end": "2022-03-09T08:29:39.678Z",
- "ingested": "2022-03-09T08:29:40Z",
- "kind": "event",
- "start": "2022-03-09T08:29:39.675Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SELECT",
- "network": {
- "bytes": 3220,
- "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=",
- "direction": "ingress",
- "protocol": "pgsql",
- "transport": "tcp",
- "type": "ipv4"
- },
- "pgsql": {
- "num_fields": 3,
- "num_rows": 15
- },
- "query": "select * from long_response",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 3186,
- "ip": "127.0.0.1",
- "port": 5432
- },
- "source": {
- "bytes": 34,
- "ip": "127.0.0.1",
- "port": 34936
- },
- "status": "OK",
- "type": "pgsql"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.1.0/data_stream/redis/agent/stream/redis.yml.hbs b/packages/network_traffic/1.1.0/data_stream/redis/agent/stream/redis.yml.hbs
deleted file mode 100755
index f357ca3a6d..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/redis/agent/stream/redis.yml.hbs
+++ /dev/null
@@ -1,43 +0,0 @@
-type: redis
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if queue_max_bytes}}
-queue_max_bytes: {{queue_max_bytes}}
-{{/if}}
-{{#if queue_max_messages}}
-queue_max_messages: {{queue_max_messages}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.1.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index a2af2349ac..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/redis/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing redis traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.1.0/data_stream/redis/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/redis/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/redis/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/network_traffic/1.1.0/data_stream/redis/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/redis/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/redis/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.1.0/data_stream/redis/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/redis/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/redis/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.1.0/data_stream/redis/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/redis/fields/ecs.yml
deleted file mode 100755
index 7638afce57..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/redis/fields/ecs.yml
+++ /dev/null
@@ -1,136 +0,0 @@
-- description: Bytes sent from the client to the server.
- name: client.bytes
- type: long
-- description: IP address of the client (IPv4 or IPv6).
- name: client.ip
- type: ip
-- description: Port of the client.
- name: client.port
- type: long
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- The action captured by the event.
- This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
- name: event.action
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Name of the dataset.
- If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
- name: event.dataset
- type: keyword
-- description: |-
- Duration of the event in nanoseconds.
- If event.start and event.end are known this value should be the difference between the end and start time.
- name: event.duration
- type: long
-- description: event.end contains the date when the event ended or when the activity was last observed.
- name: event.end
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
- `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
- Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
- Further note that not all events will have an associated outcome.
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
- name: event.outcome
- type: keyword
-- description: event.start contains the date when the event started or when the activity was first observed.
- name: event.start
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
- Learn more at https://github.com/corelight/community-id-spec.
- name: network.community_id
- type: keyword
-- description: |-
- Direction of the network traffic.
- Recommended values are:
- * ingress
- * egress
- * inbound
- * outbound
- * internal
- * external
- * unknown
-
- When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
- When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
- Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter.
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
- name: network.direction
- type: keyword
-- description: Host IP address when the source IP address is the proxy.
- name: network.forwarded_ip
- type: ip
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: |-
- In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
- The field value must be normalized to lowercase for querying.
- name: network.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Bytes sent from the server to the client.
- name: server.bytes
- type: long
-- description: IP address of the server (IPv4 or IPv6).
- name: server.ip
- type: ip
-- description: Port of the server.
- name: server.port
- type: long
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: Port of the source.
- name: source.port
- type: long
diff --git a/packages/network_traffic/1.1.0/data_stream/redis/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/redis/fields/protocol.yml
deleted file mode 100755
index 4982b2c2d3..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/redis/fields/protocol.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-- name: redis
- type: group
- fields:
- - name: return_value
- type: keyword
- description: >
- The return value of the Redis command in a human readable format.
-
- - name: error
- type: keyword
- description: >
- If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.
-
diff --git a/packages/network_traffic/1.1.0/data_stream/redis/manifest.yml b/packages/network_traffic/1.1.0/data_stream/redis/manifest.yml
deleted file mode 100755
index 9fe0ce4e18..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/redis/manifest.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-title: Redis
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [6379]
- - name: send_request
- type: bool
- title: Send Request
- description: |-
- If this option is enabled, the raw message of the request (`request` field)
- is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: send_response
- type: bool
- title: Send Response
- description: |-
- If this option is enabled, the raw message of the response (`response`
- field) is sent to Elasticsearch. The default is false.
- show_user: false
- multi: false
- required: false
- - name: keep_null
- type: bool
- title: Keep Null
- description: Set to true to publish fields with null values in events.
- show_user: false
- multi: false
- required: false
- - name: transaction_timeout
- type: text
- title: Transaction Timeout
- description: |-
- Transaction timeout. Expired transactions will no longer be correlated to
- incoming responses, but sent to Elasticsearch immediately.
- show_user: false
- multi: false
- required: false
- - name: queue_max_bytes
- type: integer
- title: Queue Max Bytes
- description: |-
- Max size for per-session message queue. This places a limit on the memory
- that can be used to buffer requests and responses for correlation.
- show_user: false
- multi: false
- required: false
- - name: queue_max_messages
- type: integer
- title: Queue Max Messages
- description: |-
- Max number of messages for per-session message queue. This limits the number
- of requests or responses that can be buffered for correlation. Set a value
- large enough to allow for pipelining.
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: Redis
- description: Capture Redis Traffic
- template_path: redis.yml.hbs
diff --git a/packages/network_traffic/1.1.0/data_stream/redis/sample_event.json b/packages/network_traffic/1.1.0/data_stream/redis/sample_event.json
deleted file mode 100755
index 7ce644c935..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/redis/sample_event.json
+++ /dev/null
@@ -1,102 +0,0 @@
-{
- "@timestamp": "2022-03-09T08:30:57.254Z",
- "agent": {
- "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 31,
- "ip": "127.0.0.1",
- "port": 32810
- },
- "data_stream": {
- "dataset": "network_traffic.redis",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 5,
- "ip": "127.0.0.1",
- "port": 6380
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "action": "redis.set",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.redis",
- "duration": 1421600,
- "end": "2022-03-09T08:30:57.256Z",
- "ingested": "2022-03-09T08:30:58Z",
- "kind": "event",
- "start": "2022-03-09T08:30:57.254Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "SET",
- "network": {
- "bytes": 36,
- "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=",
- "direction": "ingress",
- "protocol": "redis",
- "transport": "tcp",
- "type": "ipv4"
- },
- "query": "set key3 me",
- "redis": {
- "return_value": "OK"
- },
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "resource": "key3",
- "server": {
- "bytes": 5,
- "ip": "127.0.0.1",
- "port": 6380
- },
- "source": {
- "bytes": 31,
- "ip": "127.0.0.1",
- "port": 32810
- },
- "status": "OK",
- "type": "redis"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.1.0/data_stream/sip/agent/stream/sip.yml.hbs b/packages/network_traffic/1.1.0/data_stream/sip/agent/stream/sip.yml.hbs
deleted file mode 100755
index 935ea011ee..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/sip/agent/stream/sip.yml.hbs
+++ /dev/null
@@ -1,34 +0,0 @@
-type: sip
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if parse_authorization}}
-parse_authorization: {{parse_authorization}}
-{{/if}}
-{{#if parse_body}}
-parse_body: {{parse_body}}
-{{/if}}
-{{#if keep_original}}
-keep_original: {{keep_original}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.1.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index c20207afdd..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/sip/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-description: Pipeline for processing sip traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-# Remove invalid "protocol" term added by packetbeat prior to v7.17.4/8.2.1.
-- script:
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "protocol") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.1.0/data_stream/sip/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/sip/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/sip/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.1.0/data_stream/sip/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/sip/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/sip/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.1.0/data_stream/sip/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/sip/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/sip/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.1.0/data_stream/sip/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/sip/fields/ecs.yml
deleted file mode 100755
index c2a147238b..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/sip/fields/ecs.yml
+++ /dev/null
@@ -1,174 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. 
- Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - Sequence number of the event. - The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. - name: event.sequence - type: long -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
- name: event.type - type: keyword -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. 
- name: network.forwarded_ip - type: ip -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/network_traffic/1.1.0/data_stream/sip/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/sip/fields/protocol.yml deleted file mode 100755 index 5b25d9df6d..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/sip/fields/protocol.yml +++ /dev/null 
@@ -1,231 +0,0 @@
-- name: sip
- type: group
- description: Information about SIP traffic.
- fields:
- - name: code
- type: long
- description: Response status code.
- - name: method
- type: keyword
- description: Request method.
- - name: status
- type: keyword
- description: Response status phrase.
- - name: type
- type: keyword
- description: Either request or response.
- - name: version
- type: keyword
- description: SIP protocol version.
- - name: uri.original
- type: keyword
- description: The original URI.
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: uri.scheme
- type: keyword
- description: The URI scheme.
- - name: uri.username
- type: keyword
- description: The URI user name.
- - name: uri.host
- type: keyword
- description: The URI host.
- - name: uri.port
- type: long
- description: The URI port.
- - name: accept
- type: keyword
- description: Accept header value.
- - name: allow
- type: keyword
- description: Allowed methods.
- - name: call_id
- type: keyword
- description: Call ID.
- - name: content_length
- type: long
- - name: content_type
- type: keyword
- - name: max_forwards
- type: long
- - name: supported
- type: keyword
- description: Supported methods.
- - name: user_agent.original
- type: keyword
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: private.uri.original
- type: keyword
- description: Private original URI.
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: private.uri.scheme
- type: keyword
- description: Private URI scheme.
- - name: private.uri.username
- type: keyword
- description: Private URI user name.
- - name: private.uri.host
- type: keyword
- description: Private URI host.
- - name: private.uri.port
- type: long
- description: Private URI port.
- - name: cseq.code
- type: long
- description: Sequence code.
- - name: cseq.method
- type: keyword
- description: Sequence method.
- - name: via.original
- type: keyword
- description: The original Via value.
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: to.display_info
- type: keyword
- description: "To display info"
- - name: to.uri.original
- type: keyword
- description: "To original URI"
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: to.uri.scheme
- type: keyword
- description: "To URI scheme"
- - name: to.uri.username
- type: keyword
- description: "To URI user name"
- - name: to.uri.host
- type: keyword
- description: "To URI host"
- - name: to.uri.port
- type: long
- description: "To URI port"
- - name: to.tag
- type: keyword
- description: "To tag"
- - name: from.display_info
- type: keyword
- description: "From display info"
- - name: from.uri.original
- type: keyword
- description: "From original URI"
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: from.uri.scheme
- type: keyword
- description: "From URI scheme"
- - name: from.uri.username
- type: keyword
- description: "From URI user name"
- - name: from.uri.host
- type: keyword
- description: "From URI host"
- - name: from.uri.port
- type: long
- description: "From URI port"
- - name: from.tag
- type: keyword
- description: "From tag"
- - name: contact.display_info
- type: keyword
- description: "Contact display info"
- - name: contact.uri.original
- type: keyword
- description: "Contact original URI"
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: contact.uri.scheme
- type: keyword
- description: "Contat URI scheme"
- - name: contact.uri.username
- type: keyword
- description: "Contact URI user name"
- - name: contact.uri.host
- type: keyword
- description: "Contact URI host"
- - name: contact.uri.port
- type: long
- description: "Contact URI port"
- - name: contact.transport
- type: keyword
- description: "Contact transport"
- - name: contact.line
- type: keyword
- description: "Contact line"
- - name: contact.expires
- type: keyword
- description: "Contact expires"
- - name: contact.q
- type: keyword
- description: "Contact Q"
- - name: auth.scheme
- type: keyword
- description: "Auth scheme"
- - name: auth.realm
- type: keyword
- description: "Auth realm"
- - name: auth.uri.original
- type: keyword
- description: "Auth original URI"
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: auth.uri.scheme
- type: keyword
- description: "Auth URI scheme"
- - name: auth.uri.host
- type: keyword
- description: "Auth URI host"
- - name: auth.uri.port
- type: long
- description: "Auth URI port"
- - name: sdp.version
- type: keyword
- description: "SDP version"
- - name: sdp.owner.username
- type: keyword
- description: "SDP owner user name"
- - name: sdp.owner.session_id
- type: keyword
- description: "SDP owner session ID"
- - name: sdp.owner.version
- type: keyword
- description: "SDP owner version"
- - name: sdp.owner.ip
- type: ip
- description: "SDP owner IP"
- - name: sdp.session.name
- type: keyword
- description: "SDP session name"
- - name: sdp.connection.info
- type: keyword
- description: "SDP connection info"
- - name: sdp.connection.address
- type: keyword
- description: "SDP connection address"
- - name: sdp.body.original
- type: keyword
- description: "SDP original body"
- multi_fields:
- - name: text
- type: text
- norms: false
diff --git a/packages/network_traffic/1.1.0/data_stream/sip/manifest.yml b/packages/network_traffic/1.1.0/data_stream/sip/manifest.yml
deleted file mode 100755
index 79dd27ea52..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/sip/manifest.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-title: SIP
-release: beta
-type: logs
-streams:
- - input: packet
- vars:
- - name: port
- # currently the Kibana UI doesn't support multi inputs
- # that are numeric, you get "Error: r.toLowerCase is not a function"
- # so map this as text
- type: text
- multi: true
- title: Ports
- required: true
- show_user: true
- default: [5060]
- - name: parse_authorization
- type: bool
- title: Parse Authorization
- description: Parse the authorization headers
- show_user: false
- multi: false
- required: false
- - name: parse_body
- type: bool
- title: Parse Body
- description: Parse body contents (only when body is SDP)
- show_user: false
- multi: false
- required: false
- - name: keep_original
- type: bool
- title: Keep Original
- description: Preserve original contents in event.original
- show_user: false
- multi: false
- required: false
- - name: processors
- type: yaml
- title: Processors
- description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- show_user: false
- multi: false
- required: false
- - name: tags
- type: text
- title: Tags
- description: Tags to include in the published event.
- show_user: false
- multi: true
- required: false
- title: SIP
- description: Capture SIP Traffic
- template_path: sip.yml.hbs
diff --git a/packages/network_traffic/1.1.0/data_stream/sip/sample_event.json b/packages/network_traffic/1.1.0/data_stream/sip/sample_event.json
deleted file mode 100755
index 5a36041d5a..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/sip/sample_event.json
+++ /dev/null
@@ -1,174 +0,0 @@ -{ - "@timestamp": "2022-05-13T07:10:35.715Z", - "agent": { - "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013", - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "10.0.2.20", - "port": 5060 - }, - "data_stream": { - "dataset": "network_traffic.sip", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "10.0.2.15", - "port": 5060 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "sip-invite", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.sip", - "duration": 0, - "end": "2022-05-13T07:10:35.715Z", - "ingested": "2022-05-13T07:10:39Z", - "kind": "event", - "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", - "sequence": 1, - "start": "2022-05-13T07:10:35.715Z", - "type": [ - "info" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "172.31.0.7" - ], - "mac": [ - "02-42-AC-1F-00-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "application": "sip", - "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", - 
"direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - }, - "version": "2.0", - "via": { - "original": [ - "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" - ] - } - }, - "source": { - "ip": "10.0.2.20", - "port": 5060 - }, - "status": "OK", - "type": "sip" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/data_stream/thrift/agent/stream/thrift.yml.hbs b/packages/network_traffic/1.1.0/data_stream/thrift/agent/stream/thrift.yml.hbs
deleted file mode 100755
index d6d9604253..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/thrift/agent/stream/thrift.yml.hbs
+++ /dev/null
@@ -1,64 +0,0 @@
-type: thrift
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if transport_type}}
-transport_type: {{transport_type}}
-{{/if}}
-{{#if protocol_type}}
-protocol_type: {{protocol_type}}
-{{/if}}
-{{#if idl_files}}
-idl_files:
-{{#each idl_files as |idl_file|}}
- - {{idl_file}}
-{{/each}}
-{{/if}}
-{{#if string_max_size}}
-string_max_size: {{string_max_size}}
-{{/if}}
-{{#if collection_max_size}}
-collection_max_size: {{collection_max_size}}
-{{/if}}
-{{#if capture_reply}}
-capture_reply: {{capture_reply}}
-{{/if}}
-{{#if obfuscate_strings}}
-obfuscate_strings: {{obfuscate_strings}}
-{{/if}}
-{{#if drop_after_n_struct_fields}}
-drop_after_n_struct_fields: {{drop_after_n_struct_fields}}
-{{/if}}
-{{#if send_request}}
-send_request: {{send_request}}
-{{/if}}
-{{#if send_response}}
-send_response: {{send_response}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if transaction_timeout}}
-transaction_timeout: {{transaction_timeout}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.1.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 987bedd730..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-description: Pipeline for processing thrift traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.1.0/data_stream/thrift/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/thrift/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/thrift/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.1.0/data_stream/thrift/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/thrift/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/thrift/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.1.0/data_stream/thrift/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/thrift/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/thrift/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@ -- name: request - type: text - description: > - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: response - type: text - description: > - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. - -- name: query - type: keyword - description: > - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. - -- name: params - type: text - description: > - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. - -- name: status - type: keyword - description: > - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. - -- name: method - type: keyword - description: > - The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). - -- name: resource - type: keyword - description: > - The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. - -- name: path - type: keyword - description: > - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. - -- name: flow.final - type: boolean - description: > - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. 
- -- name: flow.id - type: keyword - description: > - Internal flow ID based on connection meta data and address. - -- name: flow.vlan - type: long - description: > - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - -- name: type - description: > - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. - - type: keyword -- name: server.process.name - type: keyword - description: > - The name of the process that served the transaction. - -- name: server.process.args - type: keyword - description: > - The command-line of the process that served the transaction. - -- name: server.process.executable - type: keyword - description: > - Absolute path to the server process executable. - -- name: server.process.working_directory - type: keyword - description: > - The working directory of the server process. - -- name: server.process.start - type: date - description: > - The time the server process started. - -- name: client.process.name - type: keyword - description: > - The name of the process that initiated the transaction. - -- name: client.process.args - type: keyword - description: > - The command-line of the process that initiated the transaction. - -- name: client.process.executable - type: keyword - description: > - Absolute path to the client process executable. - -- name: client.process.working_directory - type: keyword - description: > - The working directory of the client process. - -- name: client.process.start - type: date - description: > - The time the client process started. - diff --git a/packages/network_traffic/1.1.0/data_stream/thrift/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/thrift/fields/ecs.yml deleted file mode 100755 index 45c65d5b8a..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/thrift/fields/ecs.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. 
- name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. 
- Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. 
- name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long diff --git a/packages/network_traffic/1.1.0/data_stream/thrift/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/thrift/fields/protocol.yml deleted file mode 100755 index dd097f61ee..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/thrift/fields/protocol.yml +++ /dev/null @@ -1,23 +0,0 @@ -- name: thrift - type: group - fields: - - name: params - type: keyword - description: > - The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. - - - name: service - type: keyword - description: > - The name of the Thrift-RPC service as defined in the IDL files. - - - name: return_value - type: keyword - description: > - The value returned by the Thrift-RPC call. This is encoded in a human readable format. - - - name: exceptions - type: keyword - description: > - If the call resulted in exceptions, this field contains the exceptions in a human readable format. - diff --git a/packages/network_traffic/1.1.0/data_stream/thrift/manifest.yml b/packages/network_traffic/1.1.0/data_stream/thrift/manifest.yml deleted file mode 100755 index 29eabbeb19..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/thrift/manifest.yml +++ /dev/null 
@@ -1,141 +0,0 @@ -title: Thrift -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [9090] - - name: transport_type - type: text - title: Transport Type - description: |- - The Thrift transport type. Currently this option accepts the values socket - for TSocket, which is the default Thrift transport, and framed for the - TFramed Thrift transport. The default is socket. - show_user: false - multi: false - required: false - - name: protocol_type - type: text - title: Protocol Type - description: |- - The Thrift protocol type. Currently the only accepted value is binary for - the TBinary protocol, which is the default Thrift protocol. - show_user: false - multi: false - required: false - - name: idl_files - type: text - title: Idl Files - description: |- - The Thrift interface description language (IDL) files for the service that - Packetbeat is monitoring. Providing the IDL enables Packetbeat to include - parameter and exception names. - show_user: false - multi: true - required: false - - name: string_max_size - type: integer - title: String Max Size - description: |- - The maximum length for strings in parameters or return values. If a string - is longer than this value, the string is automatically truncated to this - length. - show_user: false - multi: false - required: false - - name: collection_max_size - type: integer - title: Collection Max Size - description: The maximum number of elements in a Thrift list, set, map, or structure. - show_user: false - multi: false - required: false - - name: capture_reply - type: bool - title: Capture Reply - description: |- - If this option is set to false, Packetbeat decodes the method name from the - reply and simply skips the rest of the response message. 
- show_user: false - multi: false - required: false - - name: obfuscate_strings - type: bool - title: Obfuscate Strings - description: |- - If this option is set to true, Packetbeat replaces all strings found in - method parameters, return codes, or exception structures with the "*" - string. - show_user: false - multi: false - required: false - - name: drop_after_n_struct_fields - type: integer - title: Drop After N Struct Fields - description: |- - The maximum number of fields that a structure can have before Packetbeat - ignores the whole transaction. - show_user: false - multi: false - required: false - - name: send_request - type: bool - title: Send Request - description: |- - If this option is enabled, the raw message of the request (`request` field) - is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: send_response - type: bool - title: Send Response - description: |- - If this option is enabled, the raw message of the response (`response` - field) is sent to Elasticsearch. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: transaction_timeout - type: text - title: Transaction Timeout - description: |- - Transaction timeout. Expired transactions will no longer be correlated to - incoming responses, but sent to Elasticsearch immediately. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
- show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: Thrift - description: Capture Thrift Traffic - template_path: thrift.yml.hbs diff --git a/packages/network_traffic/1.1.0/data_stream/thrift/sample_event.json b/packages/network_traffic/1.1.0/data_stream/thrift/sample_event.json deleted file mode 100755 index 523e6958a6..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/thrift/sample_event.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "@timestamp": "2022-05-23T10:59:35.668Z", - "agent": { - "ephemeral_id": "016dcea4-c82a-4499-9069-e4e0ff6d04ff", - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "data_stream": { - "dataset": "network_traffic.thrift", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.thrift", - "duration": 1275700, - "end": "2022-05-23T10:59:35.669Z", - "ingested": "2022-05-23T10:59:36Z", - "kind": "event", - "start": "2022-05-23T10:59:35.668Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.224.7" - ], - "mac": [ - "02-42-C0-A8-E0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "method": "testByte", - "network": { - "bytes": 50, - "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=", - "direction": "ingress", - "protocol": "thrift", - "transport": "tcp", - "type": "ipv4" - }, - "path": "", - "query": "testByte(1: 63)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 9090 - }, - "source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 50919 - }, - "status": "OK", - "thrift": { - "params": "(1: 63)", - "return_value": "63" - }, - "type": "thrift" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/data_stream/tls/agent/stream/tls.yml.hbs b/packages/network_traffic/1.1.0/data_stream/tls/agent/stream/tls.yml.hbs
deleted file mode 100755
index 877a553bfd..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/tls/agent/stream/tls.yml.hbs
+++ /dev/null
@@ -1,40 +0,0 @@
-type: tls
-{{#if port}}
-ports:
-{{#each port as |p|}}
- - {{p}}
-{{/each}}
-{{/if}}
-{{#if fingerprints}}
-fingerprints:
-{{#each fingerprints as |fingerprint|}}
- - {{fingerprint}}
-{{/each}}
-{{/if}}
-{{#if send_certificates}}
-send_certificates: {{send_certificates}}
-{{/if}}
-{{#if include_raw_certificates}}
-include_raw_certificates: {{include_raw_certificates}}
-{{/if}}
-{{#if keep_null}}
-keep_null: {{keep_null}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
-{{#if tags}}
-tags:
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{/if}}
-{{#if interface}}
-interface:
-{{#if (contains ".pcap" interface)}}
- file: {{interface}}
-{{else}}
- device: {{interface}}
-{{/if}}
-{{/if}}
diff --git a/packages/network_traffic/1.1.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/1.1.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index bd7f3b2b61..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/tls/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,70 +0,0 @@
----
-description: Pipeline for processing tls traffic
-processors:
-- set:
- field: ecs.version
- value: 8.2.0
-##
-# Set host.mac to dash separated upper case value
-# as per ECS recommendation
-##
-- gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: ''
- ignore_missing: true
-- gsub:
- field: host.mac
- pattern: '(..)(?!$)'
- replacement: '$1-'
- ignore_missing: true
-- uppercase:
- field: host.mac
- ignore_missing: true
-
-##
-# Make tls.{client,server}.x509.version_number a string as per ECS.
-##
-- convert:
- field: tls.client.x509.version_number
- type: string
- ignore_missing: true
-- convert:
- field: tls.server.x509.version_number
- type: string
- ignore_missing: true
-
-##
-# This handles legacy TLS fields from Packetbeat 7.17.
-##
-- remove:
- description: Remove legacy fields from Packetbeat 7.17 that are duplicated.
- field:
- - tls.client.x509.issuer.province # Duplicated as tls.client.x509.issuer.state_or_province.
- - tls.client.x509.subject.province # Duplicated as tls.client.x509.subject.state_or_province.
- - tls.client.x509.version # Duplicated as tls.client.x509.version_number.
- - tls.detailed.client_certificate # Duplicated as tls.client.x509.
- - tls.detailed.server_certificate # Duplicated as tls.server.x509.
- - tls.server.x509.issuer.province # Duplicated as tls.server.x509.issuer.state_or_province.
- - tls.server.x509.subject.province # Duplicated as tls.server.x509.subject.state_or_province.
- - tls.server.x509.version # Duplicated as tls.server.x509.version_number.
- ignore_missing: true
-
-- script:
- description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
- # This string-based comparison is valid while versions are below v10.x.
- if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
- lang: painless
- source: >
- if (ctx.event?.category != null) {
- for (int i=ctx.event.category.length-1; i>=0; i--) {
- if (ctx.event.category[i] == "network_traffic") {
- ctx.event.category.remove(i);
- }
- }
- }
-
-on_failure:
-- set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/network_traffic/1.1.0/data_stream/tls/fields/agent.yml b/packages/network_traffic/1.1.0/data_stream/tls/fields/agent.yml
deleted file mode 100755
index a55e9f71b3..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/tls/fields/agent.yml
+++ /dev/null
@@ -1,196 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - 
diff --git a/packages/network_traffic/1.1.0/data_stream/tls/fields/base.yml b/packages/network_traffic/1.1.0/data_stream/tls/fields/base.yml
deleted file mode 100755
index 0d1791ffed..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/tls/fields/base.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/network_traffic/1.1.0/data_stream/tls/fields/beats.yml b/packages/network_traffic/1.1.0/data_stream/tls/fields/beats.yml
deleted file mode 100755
index d23ddc749e..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/tls/fields/beats.yml
+++ /dev/null
@@ -1,110 +0,0 @@
-- name: request
- type: text
- description: >
- For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: response
- type: text
- description: >
- For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request.
-
-- name: query
- type: keyword
- description: >
- The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
-
-- name: params
- type: text
- description: >
- The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
-
-- name: status
- type: keyword
- description: >
- The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
-
-- name: method
- type: keyword
- description: >
- The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
-
-- name: resource
- type: keyword
- description: >
- The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.
-
-- name: path
- type: keyword
- description: >
- The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
-
-- name: flow.final
- type: boolean
- description: >
- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
-
-- name: flow.id
- type: keyword
- description: >
- Internal flow ID based on connection meta data and address.
-
-- name: flow.vlan
- type: long
- description: >
- VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first.
-
-- name: type
- description: >
- The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
-
- type: keyword
-- name: server.process.name
- type: keyword
- description: >
- The name of the process that served the transaction.
-
-- name: server.process.args
- type: keyword
- description: >
- The command-line of the process that served the transaction.
-
-- name: server.process.executable
- type: keyword
- description: >
- Absolute path to the server process executable.
-
-- name: server.process.working_directory
- type: keyword
- description: >
- The working directory of the server process.
-
-- name: server.process.start
- type: date
- description: >
- The time the server process started.
-
-- name: client.process.name
- type: keyword
- description: >
- The name of the process that initiated the transaction.
-
-- name: client.process.args
- type: keyword
- description: >
- The command-line of the process that initiated the transaction.
-
-- name: client.process.executable
- type: keyword
- description: >
- Absolute path to the client process executable.
-
-- name: client.process.working_directory
- type: keyword
- description: >
- The working directory of the client process.
-
-- name: client.process.start
- type: date
- description: >
- The time the client process started.
-
diff --git a/packages/network_traffic/1.1.0/data_stream/tls/fields/ecs.yml b/packages/network_traffic/1.1.0/data_stream/tls/fields/ecs.yml
deleted file mode 100755
index 49c713858d..0000000000
--- a/packages/network_traffic/1.1.0/data_stream/tls/fields/ecs.yml
+++ /dev/null
@@ -1,368 +0,0 @@ -- description: Bytes sent from the client to the server. - name: client.bytes - type: long -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
- It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: event.end contains the date when the event ended or when the activity was last observed. - name: event.end - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
- name: network.bytes - type: long -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Host IP address when the source IP address is the proxy. - name: network.forwarded_ip - type: ip -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. 
- name: network.type - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Bytes sent from the server to the client. - name: server.bytes - type: long -- description: |- - The domain name of the server system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: server.domain - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: String indicating the cipher used during the current connection. - name: tls.cipher - type: keyword -- description: PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. - name: tls.client.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. - name: tls.client.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. 
- name: tls.client.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.client.hash.sha256 - type: keyword -- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - name: tls.client.issuer - type: keyword -- description: A hash that identifies clients based on how they perform an SSL/TLS handshake. - name: tls.client.ja3 - type: keyword -- description: Date/Time indicating when client certificate is no longer considered valid. - name: tls.client.not_after - type: date -- description: Date/Time indicating when client certificate is first considered valid. - name: tls.client.not_before - type: date -- description: Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. - name: tls.client.server_name - type: keyword -- description: Distinguished name of subject of the x.509 certificate presented by the client. - name: tls.client.subject - type: keyword -- description: Array of ciphers offered by the client during the client hello. - name: tls.client.supported_ciphers - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.client.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: tls.client.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.client.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. 
- name: tls.client.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.client.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.client.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.client.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.client.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.client.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.client.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.client.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.client.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.client.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.client.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. 
- name: tls.client.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.client.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.client.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.client.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.client.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.client.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.client.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.client.x509.version_number - type: keyword -- description: String indicating the curve used for the given cipher, when applicable. - name: tls.curve - type: keyword -- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. - name: tls.established - type: boolean -- description: String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. - name: tls.next_protocol - type: keyword -- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - name: tls.resumed - type: boolean -- description: PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. - name: tls.server.certificate - type: keyword -- description: Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - name: tls.server.certificate_chain - type: keyword -- description: Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.md5 - type: keyword -- description: Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha1 - type: keyword -- description: Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - name: tls.server.hash.sha256 - type: keyword -- description: Subject of the issuer of the x.509 certificate presented by the server. - name: tls.server.issuer - type: keyword -- description: A hash that identifies servers based on how they perform an SSL/TLS handshake. - name: tls.server.ja3s - type: keyword -- description: Timestamp indicating when server certificate is no longer considered valid. - name: tls.server.not_after - type: date -- description: Timestamp indicating when server certificate is first considered valid. - name: tls.server.not_before - type: date -- description: Subject of the x.509 certificate presented by the server. - name: tls.server.subject - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: tls.server.x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. 
- name: tls.server.x509.issuer.common_name - type: keyword -- description: List of country (C) codes - name: tls.server.x509.issuer.country - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: tls.server.x509.issuer.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.issuer.locality - type: keyword -- description: List of organizations (O) of issuing certificate authority. - name: tls.server.x509.issuer.organization - type: keyword -- description: List of organizational units (OU) of issuing certificate authority. - name: tls.server.x509.issuer.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.issuer.state_or_province - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: tls.server.x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: tls.server.x509.not_before - type: date -- description: Algorithm used to generate the public key. - name: tls.server.x509.public_key_algorithm - type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. - name: tls.server.x509.public_key_curve - type: keyword -- description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - index: false - name: tls.server.x509.public_key_exponent - type: long -- description: The size of the public key space in bits. - name: tls.server.x509.public_key_size - type: long -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: tls.server.x509.serial_number - type: keyword -- description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - name: tls.server.x509.signature_algorithm - type: keyword -- description: List of common names (CN) of subject. - name: tls.server.x509.subject.common_name - type: keyword -- description: List of country (C) code - name: tls.server.x509.subject.country - type: keyword -- description: Distinguished name (DN) of the certificate subject entity. - name: tls.server.x509.subject.distinguished_name - type: keyword -- description: List of locality names (L) - name: tls.server.x509.subject.locality - type: keyword -- description: List of organizations (O) of subject. - name: tls.server.x509.subject.organization - type: keyword -- description: List of organizational units (OU) of subject. - name: tls.server.x509.subject.organizational_unit - type: keyword -- description: List of state or province names (ST, S, or P) - name: tls.server.x509.subject.state_or_province - type: keyword -- description: Version of x509 format. - name: tls.server.x509.version_number - type: keyword -- description: Numeric part of the version parsed from the original string. - name: tls.version - type: keyword -- description: Normalized lowercase protocol name parsed from original string. - name: tls.version_protocol - type: keyword diff --git a/packages/network_traffic/1.1.0/data_stream/tls/fields/protocol.yml b/packages/network_traffic/1.1.0/data_stream/tls/fields/protocol.yml deleted file mode 100755 index d8264468d4..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/tls/fields/protocol.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -- name: tls - type: group - fields: - - name: detailed - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol used. - - example: "TLS 1.3" - - name: resumption_method - type: keyword - description: > - If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. - - - name: client_certificate_requested - type: boolean - description: > - Whether the server has requested the client to authenticate itself using a client certificate. - - - name: ocsp_response - type: keyword - description: > - The result of an OCSP request. - - - name: client_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol by which the client wishes to communicate during this session. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: supported_compression_methods - type: keyword - description: > - The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml - - - name: extensions - type: group - description: The hello extensions provided by the client. - fields: - - name: server_name_indication - type: keyword - description: List of hostnames - - name: application_layer_protocol_negotiation - type: keyword - description: > - List of application-layer protocols the client is willing to use. - - - name: session_ticket - type: keyword - description: > - Length of the session ticket, if provided, or an empty string to advertise support for tickets. - - - name: supported_versions - type: keyword - description: > - List of TLS versions that the client is willing to use. 
- - - name: supported_groups - type: keyword - description: > - List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. - - - name: signature_algorithms - type: keyword - description: > - List of signature algorithms that may be use in digital signatures. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: type - type: keyword - description: The type of the status request. Always "ocsp" if present. - - name: responder_id_list_length - type: short - description: The length of the list of trusted responders. - - name: request_extensions - type: short - description: The number of certificate extensions for the request. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello. - - - name: random - type: keyword - description: > - Random data used by the TLS protocol to generate the encryption key. - - - name: selected_compression_method - type: keyword - description: > - The compression method selected by the server from the list provided in the client hello. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding connection with the client. - - - name: extensions - type: group - description: The hello extensions provided by the server. 
- fields: - - name: application_layer_protocol_negotiation - type: keyword - description: Negotiated application layer protocol - - name: session_ticket - type: keyword - description: > - Used to announce that a session ticket will be provided by the server. Always an empty string. - - - name: supported_versions - type: keyword - description: > - Negotiated TLS version to be used. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. - - - name: status_request - type: group - description: Status request made to the server. - fields: - - name: response - type: boolean - description: Whether a certificate status request response was made. - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_certificate_chain - type: array - description: Chain of trust for the server certificate. - - name: client_certificate_chain - type: array - description: Chain of trust for the client certificate. - - name: alert_types - type: keyword - description: > - An array containing the TLS alert type for every alert received. - diff --git a/packages/network_traffic/1.1.0/data_stream/tls/manifest.yml b/packages/network_traffic/1.1.0/data_stream/tls/manifest.yml deleted file mode 100755 index d2b8f403da..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/tls/manifest.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -title: TLS -release: beta -type: logs -streams: - - input: packet - vars: - - name: port - # currently the Kibana UI doesn't support multi inputs - # that are numeric, you get "Error: r.toLowerCase is not a function" - # so map this as text - type: text - multi: true - title: Ports - required: true - show_user: true - default: [443, 993, 995, 5223, 8443, 8883, 9243] - - name: fingerprints - type: text - title: Fingerprints - description: |- - List of hash algorithms to use to calculate certificates' fingerprints. - Valid values are `sha1`, `sha256` and `md5`. - show_user: false - multi: true - required: false - - name: send_certificates - type: bool - title: Send Certificates - description: |- - If this option is enabled, the client and server certificates and - certificate chains are sent to Elasticsearch. The default is true. - show_user: false - multi: false - required: false - - name: include_raw_certificates - type: bool - title: Include Raw Certificates - description: |- - If this option is enabled, the raw certificates will be stored - in PEM format under the `raw` key. The default is false. - show_user: false - multi: false - required: false - - name: keep_null - type: bool - title: Keep Null - description: Set to true to publish fields with null values in events. - show_user: false - multi: false - required: false - - name: processors - type: yaml - title: Processors - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - show_user: false - multi: false - required: false - - name: tags - type: text - title: Tags - description: Tags to include in the published event. - show_user: false - multi: true - required: false - title: TLS - description: Capture TLS Traffic - template_path: tls.yml.hbs 
diff --git a/packages/network_traffic/1.1.0/data_stream/tls/sample_event.json b/packages/network_traffic/1.1.0/data_stream/tls/sample_event.json deleted file mode 100755 index 6c9779651e..0000000000 --- a/packages/network_traffic/1.1.0/data_stream/tls/sample_event.json +++ /dev/null 
@@ -1,302 +0,0 @@ -{ - "@timestamp": "2022-05-23T11:01:14.376Z", - "agent": { - "ephemeral_id": "d7d5fdf6-998d-488e-bfb7-176a86d6860d", - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.2.0" - }, - "client": { - "ip": "192.168.1.35", - "port": 59455 - }, - "data_stream": { - "dataset": "network_traffic.tls", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "domain": "example.net", - "ip": "93.184.216.34", - "port": 443 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0488c467-eaa0-4733-a81a-326734926bc2", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.tls", - "duration": 365887700, - "end": "2022-05-23T11:01:14.741Z", - "ingested": "2022-05-23T11:01:17Z", - "kind": "event", - "start": "2022-05-23T11:01:14.376Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.224.7" - ], - "mac": [ - "02-42-C0-A8-E0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=", - "direction": "unknown", - "protocol": "tls", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.1.35", - "93.184.216.34" - ] - }, - "server": { - "domain": "example.net", - "ip": "93.184.216.34", - "port": 443 - }, - "source": { - "ip": "192.168.1.35", - "port": 59455 - }, - "status": "OK", - "tls": { - "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "client": { - "ja3": "e6573e91e6eb777c0933c5b8f97f10cd", - "server_name": "example.net", - "supported_ciphers": [ - 
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "(unknown:0xff85)", - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", - "TLS_GOSTR341001_WITH_28147_CNT_IMIT", - "TLS_RSA_WITH_AES_256_GCM_SHA384", - "TLS_RSA_WITH_AES_256_CBC_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" - ] - }, - "detailed": { - "client_certificate_requested": false, - "client_hello": { - "extensions": { - "application_layer_protocol_negotiation": [ - "h2", - "http/1.1" - ], - "ec_points_formats": [ - "uncompressed" - ], - "server_name_indication": [ - "example.net" - ], - 
"signature_algorithms": [ - "rsa_pkcs1_sha512", - "ecdsa_secp521r1_sha512", - "(unknown:0xefef)", - "rsa_pkcs1_sha384", - "ecdsa_secp384r1_sha384", - "rsa_pkcs1_sha256", - "ecdsa_secp256r1_sha256", - "(unknown:0xeeee)", - "(unknown:0xeded)", - "(unknown:0x0301)", - "(unknown:0x0303)", - "rsa_pkcs1_sha1", - "ecdsa_sha1" - ], - "supported_groups": [ - "x25519", - "secp256r1", - "secp384r1" - ] - }, - "random": "d7c809b4ac3a60b62f53c9d9366ca89a703d25491ff2a246a89f32f945f7b42b", - "supported_compression_methods": [ - "NULL" - ], - "version": "3.3" - }, - "server_certificate_chain": [ - { - "issuer": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "not_after": "2023-03-08T12:00:00.000Z", - "not_before": "2013-03-08T12:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "2646203786665923649276728595390119057", - "signature_algorithm": "SHA256-RSA", - "subject": { - "common_name": "DigiCert SHA2 Secure Server CA", - "country": "US", - "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc" - }, - "version_number": 3 - }, - { - "issuer": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "not_after": "2031-11-10T00:00:00.000Z", - "not_before": "2006-11-10T00:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "10944719598952040374951832963794454346", - "signature_algorithm": "SHA1-RSA", - "subject": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - 
"organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "version_number": 3 - } - ], - "server_hello": { - "extensions": { - "_unparsed_": [ - "renegotiation_info", - "server_name_indication" - ], - "application_layer_protocol_negotiation": [ - "h2" - ], - "ec_points_formats": [ - "uncompressed", - "ansiX962_compressed_prime", - "ansiX962_compressed_char2" - ] - }, - "random": "d1fd553a5a270f08e09eda6690fb3c8f9884e9a9fe7949e9444f574e47524401", - "selected_compression_method": "NULL", - "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f", - "version": "3.3" - }, - "version": "TLS 1.2" - }, - "established": true, - "next_protocol": "h2", - "resumed": false, - "server": { - "hash": { - "sha1": "7BB698386970363D2919CC5772846984FFD4A889" - }, - "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "not_after": "2020-12-02T12:00:00.000Z", - "not_before": "2018-11-28T00:00:00.000Z", - "subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", - "x509": { - "alternative_names": [ - "www.example.org", - "example.com", - "example.edu", - "example.net", - "example.org", - "www.example.com", - "www.example.edu", - "www.example.net" - ], - "issuer": { - "common_name": "DigiCert SHA2 Secure Server CA", - "country": "US", - "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc" - }, - "not_after": "2020-12-02T12:00:00.000Z", - "not_before": "2018-11-28T00:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "21020869104500376438182461249190639870", - "signature_algorithm": "SHA256-RSA", - "subject": { - "common_name": "www.example.org", - "country": "US", - "distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", - "locality": "Los Angeles", - 
"organization": "Internet Corporation for Assigned Names and Numbers", - "organizational_unit": "Technology", - "state_or_province": "California" - }, - "version_number": "3" - } - }, - "version": "1.2", - "version_protocol": "tls" - }, - "type": "tls" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/docs/README.md b/packages/network_traffic/1.1.0/docs/README.md deleted file mode 100755 index f446dfef90..0000000000 --- a/packages/network_traffic/1.1.0/docs/README.md +++ /dev/null 
@@ -1,4713 +0,0 @@ -# Network Packet Capture Integration - -This integration sniffs network packets on a host and dissects -known protocols. - -Monitoring your network traffic is critical to gaining observability and -securing your environment — ensuring high levels of performance and security. -The Network Packet Capture integration captures the network traffic between -your application servers, decodes common application layer protocols and -records the interesting fields for each transaction. - -## Supported Protocols - -Currently, Network Packet Capture supports the following protocols: - -- ICMP (v4 and v6) -- DHCP (v4) -- DNS -- HTTP -- AMQP 0.9.1 -- Cassandra -- Mysql -- PostgreSQL -- Redis -- Thrift-RPC -- MongoDB -- Memcache -- NFS -- TLS -- SIP/SDP (beta) - -### Common protocol options - -The following options are available for all protocols: - -#### `enabled` - -The enabled setting is a boolean setting to enable or disable protocols -without having to comment out configuration sections. If set to false, -the protocol is disabled. - -The default value is true. - -#### `ports` - -Exception: For ICMP the option `enabled` has to be used instead. - -The ports where Network Packet Capture will look to capture traffic for specific -protocols. Network Packet Capture installs a -[BPF](https://en.wikipedia.org/wiki/Berkeley_Packet_Filter) filter based -on the ports specified in this section. If a packet doesn’t match the -filter, very little CPU is required to discard the packet. Network Packet Capture -also uses the ports specified here to determine which parser to use for -each packet. - -#### `send_request` - -If this option is enabled, the raw message of the request (`request` -field) is sent to Elasticsearch. The default is false. This option is -useful when you want to index the whole request. Note that for HTTP, the -body is not included by default, only the HTTP headers. 
- -#### `send_response` - -If this option is enabled, the raw message of the response (`response` -field) is sent to Elasticsearch. The default is false. This option is -useful when you want to index the whole response. Note that for HTTP, -the body is not included by default, only the HTTP headers. - -#### `transaction_timeout` - -The per protocol transaction timeout. Expired transactions will no -longer be correlated to incoming responses, but sent to Elasticsearch -immediately. - -#### `tags` - -A list of tags that will be sent with the transaction event. This -setting is optional. - -#### `processors` - -A list of processors to apply to the data generated by the protocol. - -#### `keep_null` - -If this option is set to true, fields with `null` values will be -published in the output document. By default, `keep_null` is set to -`false`. - - -## Network Flows - -Overall flow information about the network connections on a -host. - -You can configure Network Packet Capture to collect and report statistics -on network flows. A *flow* is a group of packets sent over the same time -period that share common properties, such as the same source and destination -address and protocol. You can use this feature to analyze network -traffic over specific protocols on your network. - -For each flow, Network Packet Capture reports the number of packets and the -total number of bytes sent from the source to the destination. Each flow event -also contains information about the source and destination hosts, such -as their IP address. For bi-directional flows, Network Packet Capture reports -statistics for the reverse flow. - -Network Packet Capture collects and reports statistics up to and including the -transport layer. - -**Configuration options** - -You can specify the following options for capturing flows. - -#### `enabled` - -Enables flows support if set to true. Set to false to disable network -flows support without having to delete or comment out the flows section. 
-The default value is true. - -#### `timeout` - -Timeout configures the lifetime of a flow. If no packets have been -received for a flow within the timeout time window, the flow is killed -and reported. The default value is 30s. - -#### `period` - -Configure the reporting interval. All flows are reported at the very -same point in time. Periodical reporting can be disabled by setting the -value to -1. If disabled, flows are still reported once being timed out. -The default value is 10s. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. 
| long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. 
For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. 
| keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -## Protocols - -### AMQP - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `max_body_length` - -The maximum size in bytes of the message displayed in the request or -response fields. Messages that are bigger than the specified size are -truncated. Use this option to avoid publishing huge messages when -[`send_request`](#send-request-option) or -[`send_response`](#send-response-option) is enabled. The default is -1000 bytes. - -#### `parse_headers` - -If set to true, Network Packet Capture parses the additional arguments specified in -the headers field of a message. Those arguments are key-value pairs that -specify information such as the content type of the message or the -message priority. The default is true. - -#### `parse_arguments` - -If set to true, Network Packet Capture parses the additional arguments specified in -AMQP methods. Those arguments are key-value pairs specified by the user -and can be of any length. The default is true. - -#### `hide_connection_information` - -If set to false, the connection layer methods of the protocol are also -displayed, such as the opening and closing of connections and channels -by clients, or the quality of service negotiation. The default is true. - -Fields published for AMQP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| amqp.app-id | Creating application id. | keyword | -| amqp.arguments | Optional additional arguments passed to some methods. Can be of various types. | object | -| amqp.auto-delete | If set, auto-delete queue when unused. | boolean | -| amqp.class-id | Failing method class. | long | -| amqp.consumer-count | The number of consumers of a queue. | long | -| amqp.consumer-tag | Identifier for the consumer, valid within the current channel. 
| keyword |
-| amqp.content-encoding | MIME content encoding. | keyword |
-| amqp.content-type | MIME content type. | keyword |
-| amqp.correlation-id | Application correlation identifier. | keyword |
-| amqp.delivery-mode | Non-persistent (1) or persistent (2). | keyword |
-| amqp.delivery-tag | The server-assigned and channel-specific delivery tag. | long |
-| amqp.durable | If set, request a durable exchange/queue. | boolean |
-| amqp.exchange | Name of the exchange. | keyword |
-| amqp.exchange-type | Exchange type. | keyword |
-| amqp.exclusive | If set, request an exclusive queue. | boolean |
-| amqp.expiration | Message expiration specification. | keyword |
-| amqp.headers | Message header field table. | object |
-| amqp.if-empty | Delete only if empty. | boolean |
-| amqp.if-unused | Delete only if unused. | boolean |
-| amqp.immediate | Request immediate delivery. | boolean |
-| amqp.mandatory | Indicates mandatory routing. | boolean |
-| amqp.message-count | The number of messages in the queue, which will be zero for newly-declared queues. | long |
-| amqp.message-id | Application message identifier. | keyword |
-| amqp.method-id | Failing method ID. | long |
-| amqp.multiple | Acknowledge multiple messages. | boolean |
-| amqp.no-ack | If set, the server does not expect acknowledgements for messages. | boolean |
-| amqp.no-local | If set, the server will not send messages to the connection that published them. | boolean |
-| amqp.no-wait | If set, the server will not respond to the method. | boolean |
-| amqp.passive | If set, do not create exchange/queue. | boolean |
-| amqp.priority | Message priority, 0 to 9. | long |
-| amqp.queue | The queue name identifies the queue within the vhost. | keyword |
-| amqp.redelivered | Indicates that the message has been previously delivered to this or another client. | boolean |
-| amqp.reply-code | AMQP reply code to an error, similar to http reply-code | long |
-| amqp.reply-text | Text explaining the error.
| keyword |
-| amqp.reply-to | Address to reply to. | keyword |
-| amqp.routing-key | Message routing key. | keyword |
-| amqp.timestamp | Message timestamp. | keyword |
-| amqp.type | Message type name. | keyword |
-| amqp.user-id | Creating user id. | keyword |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset.
| constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.
| long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name.
For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format.
For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
| keyword | - - -An example event for `amqp` looks as following: - -```json -{ - "@timestamp": "2022-03-09T07:37:02.033Z", - "agent": { - "ephemeral_id": "ff9ccf25-9d67-46a5-b661-aa01e3db9b84", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "amqp": { - "auto-delete": false, - "consumer-count": 0, - "durable": false, - "exclusive": false, - "message-count": 0, - "no-wait": false, - "passive": false, - "queue": "hello" - }, - "client": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "data_stream": { - "dataset": "network_traffic.amqp", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "amqp.queue.declare", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.amqp", - "duration": 1325900, - "end": "2022-03-09T07:37:02.035Z", - "ingested": "2022-03-09T07:37:03Z", - "kind": "event", - "start": "2022-03-09T07:37:02.033Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "queue.declare", - "network": { - "bytes": 51, - "community_id": "1:i6J4zz0FGnZMYLIy8kabND2W/XE=", - "direction": "ingress", - "protocol": "amqp", - "transport": "tcp", - "type": "ipv4" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 26, - "ip": "127.0.0.1", - "port": 5672 - }, - 
"source": { - "bytes": 25, - "ip": "127.0.0.1", - "port": 34222 - }, - "status": "OK", - "type": "amqp" -} -``` - -### Cassandra - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `send_request_header` - -If this option is enabled, the raw message of the response -(`cassandra_request.request_headers` field) is sent to Elasticsearch. -The default is true. Enable `send_request` first before enabling this -option. - -#### `send_response_header` - -If this option is enabled, the raw message of the response -(`cassandra_response.response_headers` field) is included in published -events. The default is true. enable `send_response` first before enable -this option. - -#### `ignored_ops` - -This option indicates which Operator/Operators captured will be ignored. -currently support: `ERROR` ,`STARTUP` ,`READY` ,`AUTHENTICATE` -,`OPTIONS` ,`SUPPORTED` , `QUERY` ,`RESULT` ,`PREPARE` ,`EXECUTE` -,`REGISTER` ,`EVENT` , `BATCH` ,`AUTH_CHALLENGE`,`AUTH_RESPONSE` -,`AUTH_SUCCESS` . - -#### `compressor` - -Configures the default compression algorithm being used to uncompress -compressed frames by name. Currently only `snappy` is can be configured. -By default no compressor is configured. - -Fields published for Apache Cassandra packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cassandra.no_request | Indicates that there is no request because this is a PUSH message. | boolean | -| cassandra.request.headers.flags | Flags applying to this frame. | keyword | -| cassandra.request.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long | -| cassandra.request.headers.op | An operation type that distinguishes the actual message. | keyword | -| cassandra.request.headers.stream | A frame has a stream id. 
If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword |
-| cassandra.request.headers.version | The version of the protocol. | keyword |
-| cassandra.request.query | The CQL query which client send to cassandra. | keyword |
-| cassandra.response.authentication.class | Indicates the full class name of the IAuthenticator in use | keyword |
-| cassandra.response.error.code | The error code of the Cassandra response. | long |
-| cassandra.response.error.details.alive | Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). | long |
-| cassandra.response.error.details.arg_types | One string for each argument type (as CQL type) of the failed function. | keyword |
-| cassandra.response.error.details.blockfor | Representing the number of replicas whose acknowledgement is required to achieve consistency level. | long |
-| cassandra.response.error.details.data_present | It means the replica that was asked for data had responded. | boolean |
-| cassandra.response.error.details.function | The name of the failed function. | keyword |
-| cassandra.response.error.details.keyspace | The keyspace of the failed function. | keyword |
-| cassandra.response.error.details.num_failures | Representing the number of nodes that experience a failure while executing the request. | keyword |
-| cassandra.response.error.details.read_consistency | Representing the consistency level of the query that triggered the exception. | keyword |
-| cassandra.response.error.details.received | Representing the number of nodes having acknowledged the request. | long |
-| cassandra.response.error.details.required | Representing the number of nodes that should be alive to respect consistency level. | long |
-| cassandra.response.error.details.stmt_id | Representing the unknown ID.
| keyword |
-| cassandra.response.error.details.table | The keyspace of the failed function. | keyword |
-| cassandra.response.error.details.write_type | Describe the type of the write that timed out. | keyword |
-| cassandra.response.error.msg | The error message of the Cassandra response. | keyword |
-| cassandra.response.error.type | The error type of the Cassandra response. | keyword |
-| cassandra.response.event.change | The message corresponding respectively to the type of change followed by the address of the new/removed node. | keyword |
-| cassandra.response.event.host | Representing the node ip. | keyword |
-| cassandra.response.event.port | Representing the node port. | long |
-| cassandra.response.event.schema_change.args | One string for each argument type (as CQL type). | keyword |
-| cassandra.response.event.schema_change.change | Representing the type of changed involved. | keyword |
-| cassandra.response.event.schema_change.keyspace | This describes which keyspace has changed. | keyword |
-| cassandra.response.event.schema_change.name | The function/aggregate name. | keyword |
-| cassandra.response.event.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword |
-| cassandra.response.event.schema_change.table | This describes which table has changed. | keyword |
-| cassandra.response.event.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword |
-| cassandra.response.event.type | Representing the event type. | keyword |
-| cassandra.response.headers.flags | Flags applying to this frame. | keyword |
-| cassandra.response.headers.length | A integer representing the length of the body of the frame (a frame is limited to 256MB in length). | long |
-| cassandra.response.headers.op | An operation type that distinguishes the actual message. | keyword |
-| cassandra.response.headers.stream | A frame has a stream id.
If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. | keyword |
-| cassandra.response.headers.version | The version of the protocol. | keyword |
-| cassandra.response.result.keyspace | Indicating the name of the keyspace that has been set. | keyword |
-| cassandra.response.result.prepared.prepared_id | Representing the prepared query ID. | keyword |
-| cassandra.response.result.prepared.req_meta.col_count | Representing the number of columns selected by the query that produced this result. | long |
-| cassandra.response.result.prepared.req_meta.flags | Provides information on the formatting of the remaining information. | keyword |
-| cassandra.response.result.prepared.req_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword |
-| cassandra.response.result.prepared.req_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword |
-| cassandra.response.result.prepared.req_meta.pkey_columns | Representing the PK columns index and counts. | long |
-| cassandra.response.result.prepared.req_meta.table | Only present after set Global_tables_spec, the table name. | keyword |
-| cassandra.response.result.prepared.resp_meta.col_count | Representing the number of columns selected by the query that produced this result. | long |
-| cassandra.response.result.prepared.resp_meta.flags | Provides information on the formatting of the remaining information. | keyword |
-| cassandra.response.result.prepared.resp_meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword |
-| cassandra.response.result.prepared.resp_meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
| keyword |
-| cassandra.response.result.prepared.resp_meta.pkey_columns | Representing the PK columns index and counts. | long |
-| cassandra.response.result.prepared.resp_meta.table | Only present after set Global_tables_spec, the table name. | keyword |
-| cassandra.response.result.rows.meta.col_count | Representing the number of columns selected by the query that produced this result. | long |
-| cassandra.response.result.rows.meta.flags | Provides information on the formatting of the remaining information. | keyword |
-| cassandra.response.result.rows.meta.keyspace | Only present after set Global_tables_spec, the keyspace name. | keyword |
-| cassandra.response.result.rows.meta.paging_state | The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. | keyword |
-| cassandra.response.result.rows.meta.pkey_columns | Representing the PK columns index and counts. | long |
-| cassandra.response.result.rows.meta.table | Only present after set Global_tables_spec, the table name. | keyword |
-| cassandra.response.result.rows.num_rows | Representing the number of rows present in this result. | long |
-| cassandra.response.result.schema_change.args | One string for each argument type (as CQL type). | keyword |
-| cassandra.response.result.schema_change.change | Representing the type of changed involved. | keyword |
-| cassandra.response.result.schema_change.keyspace | This describes which keyspace has changed. | keyword |
-| cassandra.response.result.schema_change.name | The function/aggregate name. | keyword |
-| cassandra.response.result.schema_change.object | This describes the name of said affected object (either the table, user type, function, or aggregate name). | keyword |
-| cassandra.response.result.schema_change.table | This describes which table has changed.
| keyword |
-| cassandra.response.result.schema_change.target | Target could be "FUNCTION" or "AGGREGATE", multiple arguments. | keyword |
-| cassandra.response.result.type | Cassandra result type. | keyword |
-| cassandra.response.supported | Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. | flattened |
-| cassandra.response.warnings | The text of the warnings, only occur when Warning flag was set. | keyword |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id.
| keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.
| long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name.
For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. 
For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `cassandra` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:43:05.888Z",
- "agent": {
- "ephemeral_id": "20d6eb94-1319-473d-9e2f-05621a4d2494",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "cassandra": {
- "request": {
- "headers": {
- "flags": "Default",
- "length": 98,
- "op": "QUERY",
- "stream": 49,
- "version": "4"
- },
- "query": "CREATE TABLE users (\n user_id int PRIMARY KEY,\n fname text,\n lname text\n);"
- },
- "response": {
- "headers": {
- "flags": "Default",
- "length": 39,
- "op": "RESULT",
- "stream": 49,
- "version": "4"
- },
- "result": {
- "schema_change": {
- "change": "CREATED",
- "keyspace": "mykeyspace",
- "object": "users",
- "target": "TABLE"
- },
- "type": "schemaChanged"
- }
- }
- },
- "client": {
- "bytes": 107,
- "ip": "127.0.0.1",
- "port": 52749
- },
- "data_stream": {
- "dataset": "network_traffic.cassandra",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 48,
- "ip": "127.0.0.1",
- "port": 9042
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.cassandra",
- "duration": 131589500,
- "end": "2022-03-09T07:43:06.019Z",
- "ingested": "2022-03-09T07:43:09Z",
- "kind": "event",
- "start": "2022-03-09T07:43:05.888Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- }, 
- "network": {
- "bytes": 155,
- "community_id": "1:bCORHZnGIk6GWYaE3Kn0DOpQCKE=",
- "direction": "ingress",
- "protocol": "cassandra",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 48,
- "ip": "127.0.0.1",
- "port": 9042
- },
- "source": {
- "bytes": 107,
- "ip": "127.0.0.1",
- "port": 52749
- },
- "status": "OK",
- "type": "cassandra"
-}
-```
-
-### DHCP
-
-**Configuration options**
-
-See [Common protocol options](#common-protocol-options).
-
-Fields published for DHCPv4 packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| dhcpv4.assigned_ip | The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address. | ip |
-| dhcpv4.client_ip | The current IP address of the client. | ip |
-| dhcpv4.client_mac | The client's MAC address (layer two). | keyword |
-| dhcpv4.flags | Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast. | keyword |
-| dhcpv4.hardware_type | The type of hardware used for the local network (Ethernet, LocalTalk, etc). | keyword |
-| dhcpv4.hops | The number of hops the DHCP message went through. | long |
-| dhcpv4.op_code | The message op code (bootrequest or bootreply). | keyword |
-| dhcpv4.option.boot_file_name | This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. | keyword |
-| dhcpv4.option.broadcast_address | This option specifies the broadcast address in use on the client's subnet. | ip |
-| dhcpv4.option.class_identifier | This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. 
Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. For example, the identifier may encode the client's hardware configuration. | keyword |
-| dhcpv4.option.dns_servers | The domain name server option specifies a list of Domain Name System servers available to the client. | ip |
-| dhcpv4.option.domain_name | This option specifies the domain name that client should use when resolving hostnames via the Domain Name System. | keyword |
-| dhcpv4.option.hostname | This option specifies the name of the client. | keyword |
-| dhcpv4.option.ip_address_lease_time_sec | This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. | long |
-| dhcpv4.option.max_dhcp_message_size | This option specifies the maximum length DHCP message that the client is willing to accept. | long |
-| dhcpv4.option.message | This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters. | text |
-| dhcpv4.option.message_type | The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform). | keyword |
-| dhcpv4.option.ntp_servers | This option specifies a list of IP addresses indicating NTP servers available to the client. | ip |
-| dhcpv4.option.parameter_request_list | This option is used by a DHCP client to request values for specified configuration parameters. | keyword |
-| dhcpv4.option.rebinding_time_sec | This option specifies the time interval from address assignment until the client transitions to the REBINDING state. 
| long |
-| dhcpv4.option.renewal_time_sec | This option specifies the time interval from address assignment until the client transitions to the RENEWING state. | long |
-| dhcpv4.option.requested_ip_address | This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned. | ip |
-| dhcpv4.option.router | The router option specifies a list of IP addresses for routers on the client's subnet. | ip |
-| dhcpv4.option.server_identifier | IP address of the individual DHCP server which handled this message. | ip |
-| dhcpv4.option.subnet_mask | The subnet mask that the client should use on the currnet network. | ip |
-| dhcpv4.option.time_servers | The time server option specifies a list of RFC 868 time servers available to the client. | ip |
-| dhcpv4.option.utc_time_offset_sec | The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). | long |
-| dhcpv4.option.vendor_identifying_options | A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925. | object |
-| dhcpv4.relay_ip | The relay IP address used by the client to contact the server (i.e. a DHCP relay server). | ip |
-| dhcpv4.seconds | Number of seconds elapsed since client began address acquisition or renewal process. | long |
-| dhcpv4.server_ip | The IP address of the DHCP server that the client should use for the next step in the bootstrap process. | ip |
-| dhcpv4.server_name | The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages. | keyword |
-| dhcpv4.transaction_id | Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server. 
| keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `dhcpv4` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:43:52.712Z",
- "agent": {
- "ephemeral_id": "b98a43ba-d050-42e6-ab2f-2eba352e9cb0",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 272,
- "ip": "0.0.0.0",
- "port": 68
- },
- "data_stream": {
- "dataset": "network_traffic.dhcpv4",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "255.255.255.255",
- "port": 67
- },
- "dhcpv4": {
- "client_mac": "00-0B-82-01-FC-42",
- "flags": "unicast",
- "hardware_type": "Ethernet",
- "hops": 0,
- "op_code": "bootrequest",
- "option": {
- "message_type": "discover",
- "parameter_request_list": [
- "Subnet Mask",
- "Router",
- "Domain Name Server",
- "NTP Servers"
- ],
- "requested_ip_address": "0.0.0.0"
- },
- "seconds": 0,
- "transaction_id": "0x00003d1d"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.dhcpv4",
- "ingested": "2022-03-09T07:43:53Z",
- "kind": "event",
- "start": "2022-03-09T07:43:52.712Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "network": {
- "bytes": 272,
- "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=",
- "direction": "unknown",
- "protocol": "dhcpv4",
- "transport": "udp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "0.0.0.0",
- 
"255.255.255.255"
- ]
- },
- "server": {
- "ip": "255.255.255.255",
- "port": 67
- },
- "source": {
- "bytes": 272,
- "ip": "0.0.0.0",
- "port": 68
- },
- "status": "OK",
- "type": "dhcpv4"
-}
-```
-
-### DNS
-
-The DNS protocol supports processing DNS messages on TCP and UDP.
-
-**Configuration options**
-
-Also see [Common protocol options](#common-protocol-options).
-
-#### `include_authorities`
-
-If this option is enabled, dns.authority fields (authority resource
-records) are added to DNS events. The default is false.
-
-#### `include_additionals`
-
-If this option is enabled, dns.additionals fields (additional resource
-records) are added to DNS events. The default is false.
-
-Fields published for DNS packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. 
| keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| dns.additionals | An array containing a dictionary for each additional section from the answer. | object |
-| dns.additionals.class | The class of DNS data contained in this resource record. | keyword |
-| dns.additionals.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.additionals.name | The domain name to which this resource record pertains. | keyword |
-| dns.additionals.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.additionals.type | The type of data contained in this resource record. | keyword |
-| dns.additionals_count | The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. 
| long |
-| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
-| dns.answers_count | The number of resource records contained in the `dns.answers` field. | long |
-| dns.authorities | An array containing a dictionary for each authority section from the answer. | object |
-| dns.authorities.class | The class of DNS data contained in this resource record. | keyword |
-| dns.authorities.name | The domain name to which this resource record pertains. | keyword |
-| dns.authorities.type | The type of data contained in this resource record. | keyword |
-| dns.authorities_count | The number of resource records contained in the `dns.authorities` field. 
The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. | long |
-| dns.flags.authentic_data | A DNS flag specifying that the recursive server considers the response authentic. | boolean |
-| dns.flags.authoritative | A DNS flag specifying that the responding server is an authority for the domain name used in the question. | boolean |
-| dns.flags.checking_disabled | A DNS flag specifying that the client disables the server signature validation of the query. | boolean |
-| dns.flags.recursion_available | A DNS flag specifying whether recursive query support is available in the name server. | boolean |
-| dns.flags.recursion_desired | A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. | boolean |
-| dns.flags.truncated_response | A DNS flag specifying that only the first 512 bytes of the reply were returned. | boolean |
-| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
-| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
-| dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
-| dns.opt.do | If set, the transaction uses DNSSEC. | boolean |
-| dns.opt.ext_rcode | Extended response code field. | keyword |
-| dns.opt.udp_size | Requestor's UDP payload size (in bytes). | long |
-| dns.opt.version | The EDNS version. | keyword |
-| dns.question.class | The class of records being queried. | keyword |
-| dns.question.etld_plus_one | The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. 
| keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
-| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
-| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
-| dns.response_code | The DNS response code. | keyword |
-| dns.type | The type of DNS event captured, query or answer. 
If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:48:42.751Z",
- "agent": {
- "ephemeral_id": "1d099984-2551-49e1-9e6a-c1dff964be0f",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 28,
- "ip": "192.168.238.68",
- "port": 53765
- },
- "data_stream": {
- "dataset": "network_traffic.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 167,
- "ip": "8.8.8.8",
- "port": 53
- },
- "dns": {
- "additionals_count": 0,
- "answers": [
- {
- "class": "IN",
- "data": "ns-1183.awsdns-19.org",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- },
- {
- "class": "IN",
- "data": "ns-2007.awsdns-58.co.uk",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- },
- {
- "class": "IN",
- "data": "ns-66.awsdns-08.com",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- },
- {
- "class": "IN",
- "data": "ns-835.awsdns-40.net",
- "name": "elastic.co",
- "ttl": "21599",
- "type": "NS"
- }
- ],
- "answers_count": 4,
- "authorities_count": 0,
- "flags": {
- "authentic_data": false,
- "authoritative": false,
- "checking_disabled": false,
- "recursion_available": true,
- "recursion_desired": true,
- "truncated_response": false
- },
- "header_flags": [
- "RD",
- "RA"
- ],
- "id": 26187,
- "op_code": "QUERY",
- "question": {
- "class": "IN",
- "etld_plus_one": "elastic.co",
- "name": "elastic.co",
- "registered_domain": "elastic.co",
- "top_level_domain": "co",
- "type": "NS"
- },
- "response_code": "NOERROR",
- "type": "answer"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.dns",
- "duration": 68515700,
- "end": "2022-03-09T07:48:42.819Z",
- "ingested": 
"2022-03-09T07:48:43Z",
- "kind": "event",
- "start": "2022-03-09T07:48:42.751Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "method": "QUERY",
- "network": {
- "bytes": 195,
- "community_id": "1:3P4ruI0bVlqxiTAs0WyBhnF74ek=",
- "direction": "unknown",
- "protocol": "dns",
- "transport": "udp",
- "type": "ipv4"
- },
- "query": "class IN, type NS, elastic.co",
- "related": {
- "ip": [
- "192.168.238.68",
- "8.8.8.8"
- ]
- },
- "resource": "elastic.co",
- "server": {
- "bytes": 167,
- "ip": "8.8.8.8",
- "port": 53
- },
- "source": {
- "bytes": 28,
- "ip": "192.168.238.68",
- "port": 53765
- },
- "status": "OK",
- "type": "dns"
-}
-```
-
-### HTTP
-
-**Configuration options**
-
-Also see [Common protocol options](#common-protocol-options).
-
-#### `hide_keywords`
-
-A list of query parameters that Network Packet Capture will automatically censor in
-the transactions that it saves. The values associated with these
-parameters are replaced by `'xxxxx'`. By default, no changes are made to
-the HTTP messages.
-
-Network Packet Capture has this option because, unlike SQL traffic, which typically
-only contains the hashes of the passwords, HTTP traffic may contain
-sensitive data. To reduce security risks, you can configure this option
-to avoid sending the contents of certain HTTP POST parameters.
-
-This option replaces query parameters from GET requests and top-level
-parameters from POST requests. If sensitive data is encoded inside a
-parameter that you don’t specify here, Network Packet Capture cannot censor it. 
-Also, note that if you configure Network Packet Capture to save the raw request and
-response fields (see the [`send_request`](#send-request-option) and
-the [`send_response`](#send-response-option) options), sensitive data
-may be present in those fields.
-
-#### `redact_authorization`
-
-When this option is enabled, Network Packet Capture obscures the value of
-`Authorization` and `Proxy-Authorization` HTTP headers, and censors
-those strings in the response.
-
-You should set this option to true for transactions that use Basic
-Authentication because they may contain the base64 unencrypted username
-and password.
-
-#### `send_headers`
-
-A list of header names to capture and send to Elasticsearch. These
-headers are placed under the `headers` dictionary in the resulting JSON.
-
-#### `send_all_headers`
-
-Instead of sending a white list of headers to Elasticsearch, you can
-send all headers by setting this option to true. The default is false.
-
-#### `redact_headers`
-
-A list of headers to redact if present in the HTTP request. This will
-keep the header field present, but will redact it’s value to show the
-header’s presence.
-
-#### `include_body_for`
-
-The list of content types for which Network Packet Capture exports the full HTTP
-payload. The HTTP body is available under `http.request.body.content`
-and `http.response.body.content` for these Content-Types.
-
-In addition, if [`send_response`](#send-response-option) option is
-enabled, then the HTTP body is exported together with the HTTP headers
-under `response` and if [`send_request`](#send-request-option)
-enabled, then `request` contains the entire HTTP message including the
-body. 
-
-In the following example, the HTML attachments of the HTTP responses are
-exported under the `response` field and under
-`http.request.body.content` or `http.response.body.content`:
-
- Network Packet Capture.protocols:
- - type: http
- ports: [80, 8080]
- send_response: true
- include_body_for: ["text/html"]
-
-#### `decode_body`
-
-A boolean flag that controls decoding of HTTP payload. It interprets the
-`Content-Encoding` and `Transfer-Encoding` headers and uncompresses the
-entity body. Supported encodings are `gzip` and `deflate`. This option
-is only applicable in the cases where the HTTP payload is exported, that
-is, when one of the `include_*_body_for` options is specified or a POST
-request contains url-encoded parameters.
-
-#### `split_cookie`
-
-If the `Cookie` or `Set-Cookie` headers are sent, this option controls
-whether they are split into individual values. For example, with this
-option set, an HTTP response might result in the following JSON:
-
- "response": {
- "code": 200,
- "headers": {
- "connection": "close",
- "content-language": "en",
- "content-type": "text/html; charset=utf-8",
- "date": "Fri, 21 Nov 2014 17:07:34 GMT",
- "server": "gunicorn/19.1.1",
- "set-cookie": {
- "csrftoken": "S9ZuJF8mvIMT5CL4T1Xqn32wkA6ZSeyf",
- "expires": "Fri, 20-Nov-2015 17:07:34 GMT",
- "max-age": "31449600",
- "path": "/"
- },
- "vary": "Cookie, Accept-Language"
- },
- "status_phrase": "OK"
- }
-
-- Note that `set-cookie` is a map containing the cookie names as keys.
-
-The default is false.
-
-#### `real_ip_header`
-
-The header field to extract the real IP from. This setting is useful
-when you want to capture traffic behind a reverse proxy, but you want to
-get the geo-location information. If this header is present and contains
-a valid IP addresses, the information is used for the
-`network.forwarded_ip` field.
-
-#### `max_message_size`
-
-If an individual HTTP message is larger than this setting (in bytes), it
-will be trimmed to this size. 
Unless this value is very small
-(<1.5K), Network Packet Capture is able to still correctly follow the transaction
-and create an event for it. The default is 10485760 (10 MB).
-
-Fields published for HTTP packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. 
| object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. 
If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.body.bytes | Size in bytes of the request body. | long |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.headers | A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. 
| flattened |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.body.bytes | Size in bytes of the response body. | long |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.headers | A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. | flattened |
-| http.response.status_code | HTTP response status code. | long |
-| http.response.status_phrase | The HTTP status phrase. | keyword |
-| http.version | HTTP version. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. 
For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
-| url.full.text | Multi-field of `url.full`. | match_only_text |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text |
-
-
-An example event for `http` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:54:42.031Z",
- "agent": {
- "ephemeral_id": "822947c0-15fd-4278-ba0d-2cc64d687bb2",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 211,
- "ip": "192.168.238.50",
- "port": 64770
- },
- "data_stream": {
- "dataset": "network_traffic.http",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 9108,
- "domain": "packetbeat.com",
- "ip": "107.170.1.22",
- "port": 80
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.http",
- "duration": 141490400,
- "end": "2022-03-09T07:54:42.172Z",
- "ingested": "2022-03-09T07:54:43Z",
- "kind": "event",
- "start": "2022-03-09T07:54:42.031Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "http": {
- "request": {
- "body": {
- "bytes": 55
- },
- "bytes": 211,
- "headers": {
- "content-length": 55,
- "content-type": "application/x-www-form-urlencoded"
- },
- "method": "POST"
- },
- "response": {
- "body": {
- "bytes": 8936
- },
- "bytes": 9108,
- "headers": {
- "content-length": 8936,
- "content-type": "text/html; charset=utf-8"
- },
- "status_code": 404,
- "status_phrase": "not found"
- },
- "version": "1.1"
- },
- "method": "POST",
- "network": {
- "bytes": 9319,
- 
"community_id": "1:LREAuuDqOAxXEbzF064U0QX5FBs=", - "direction": "unknown", - "protocol": "http", - "transport": "tcp", - "type": "ipv4" - }, - "query": "POST /register", - "related": { - "hosts": [ - "packetbeat.com" - ], - "ip": [ - "192.168.238.50", - "107.170.1.22" - ] - }, - "server": { - "bytes": 9108, - "domain": "packetbeat.com", - "ip": "107.170.1.22", - "port": 80 - }, - "source": { - "bytes": 211, - "ip": "192.168.238.50", - "port": 64770 - }, - "status": "Error", - "type": "http", - "url": { - "domain": "packetbeat.com", - "full": "http://packetbeat.com/register?address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "path": "/register", - "query": "address=anklamerstr.14b\u0026telephon=8932784368\u0026user=monica", - "scheme": "http" - }, - "user_agent": { - "original": "curl/7.37.1" - } -} -``` - -### ICMP - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -**`enabled`** - -The ICMP protocol can be enabled/disabled via this option. The default -is true. - -If enabled Network Packet Capture will generate the following BPF filter: -`"icmp or icmp6"`. -Fields published for ICMP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. 
| keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| icmp.request.code | The request code. | long |
-| icmp.request.message | A human readable form of the request. | keyword |
-| icmp.request.type | The request type. | long |
-| icmp.response.code | The response code. | long |
-| icmp.response.message | A human readable form of the response. | keyword |
-| icmp.response.type | The response type. | long |
-| icmp.version | The version of the ICMP protocol. | long |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. 
| keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `icmp` looks as following:
-
-```json
-{
- "@timestamp": "2022-03-09T07:57:32.766Z",
- "agent": {
- "ephemeral_id": "34e079a4-8dee-40db-a820-2296c225fbbe",
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.0.0"
- },
- "client": {
- "bytes": 4,
- "ip": "::1"
- },
- "data_stream": {
- "dataset": "network_traffic.icmp",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 4,
- "ip": "::2"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f789afb0-558d-48bd-b448-0fc838efd730",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.icmp",
- "duration": 13336600,
- "end": "2022-03-09T07:57:32.779Z",
- "ingested": "2022-03-09T07:57:36Z",
- "kind": "event",
- "start": "2022-03-09T07:57:32.766Z",
- "type": [
- "connection"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": true,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.176.7"
- ],
- "mac": [
- "02-42-C0-A8-B0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.47-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.3 LTS (Focal Fossa)"
- }
- },
- "icmp": {
- "request": {
- "code": 0,
- "message": "EchoRequest",
- "type": 128
- },
- "response": {
- "code": 0,
- "message": "EchoReply",
- "type": 129
- },
- "version": 6
- },
- "network": {
- "bytes": 8,
- "community_id": "1:9UpHcZHFAOl8WqZVOs5YRQ5wDGE=",
- "direction": "egress",
- "transport": "ipv6-icmp",
- "type": "ipv6"
- },
- "path": "::2",
- "related": {
- "ip": [
- "::1",
- "::2"
- ]
- },
- "server": {
- "bytes": 4,
- "ip": "::2"
- },
- "source": {
- "bytes": 4,
- "ip": "::1"
- },
- "status": "OK",
- "type": "icmp"
-}
-```
-
-### Memcached
-
-**Configuration options**
-
-Also see [Common 
protocol options](#common-protocol-options).
-
-#### `parseunknown`
-
-When this option is enabled, it forces the memcache text protocol parser
-to accept unknown commands.
-
-The unknown commands MUST NOT contain a data part.
-
-#### `maxvalues`
-
-The maximum number of values to store in the message (multi-get). All
-values will be base64 encoded.
-
-The possible settings for this option are:
-
-- `maxvalue: -1`, which stores all values (text based protocol multi-get)
-- `maxvalue: 0`, which stores no values (default)
-- `maxvalue: N`, which stores up to N values
-
-#### `maxbytespervalue`
-
-The maximum number of bytes to be copied for each value element.
-
-Values will be base64 encoded, so the actual size in the JSON document
-will be 4 times the value that you specify for `maxbytespervalue`.
-
-#### `udptransactiontimeout`
-
-The transaction timeout in milliseconds. The defaults is 10000
-milliseconds.
-
-Quiet messages in UDP binary protocol get responses only if there is an
-error. The memcache protocol analyzer will wait for the number of
-milliseconds specified by `udptransactiontimeout` before publishing
-quiet messages. Non-quiet messages or quiet requests with an error
-response are published immediately.
-
-Fields published for Memcached packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. 
| date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. 
It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword |
-| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. 
| keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| memcache.protocol_type | The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. | keyword |
-| memcache.request.automove | The automove mode in the 'slab automove' command expressed as a string. 
This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. | keyword |
-| memcache.request.bytes | The byte count of the values being transferred. | long |
-| memcache.request.cas_unique | The CAS (compare-and-swap) identifier if present. | long |
-| memcache.request.command | The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. | keyword |
-| memcache.request.count_values | The number of values found in the memcache request message. If the command does not send any data, this field is missing. | long |
-| memcache.request.delta | The counter increment/decrement delta value. | long |
-| memcache.request.dest_class | The destination class id in 'slab reassign' command. | long |
-| memcache.request.exptime | The data expiry time in seconds sent with the memcache command (if present). If the value is `\< 30` days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). | long |
-| memcache.request.flags | The memcache command flags sent in the request (if present). | long |
-| memcache.request.initial | The counter increment/decrement initial value parameter (binary protocol only). | long |
-| memcache.request.keys | The list of keys sent in the store or load commands. | array |
-| memcache.request.line | The raw command line for unknown commands ONLY. | keyword |
-| memcache.request.noreply | Set to true if noreply was set in the request. The `memcache.response` field will be missing. | boolean |
-| memcache.request.opaque | The binary protocol opaque header value used for correlating request with response messages. | long |
-| memcache.request.opcode | The binary protocol message opcode name. | keyword |
-| memcache.request.opcode_value | The binary protocol message opcode value. 
| long |
-| memcache.request.quiet | Set to true if the binary protocol message is to be treated as a quiet message. | boolean |
-| memcache.request.raw_args | The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. | keyword |
-| memcache.request.sleep_us | The sleep setting in microseconds for the 'lru_crawler sleep' command. | long |
-| memcache.request.source_class | The source class id in 'slab reassign' command. | long |
-| memcache.request.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". | keyword |
-| memcache.request.values | The list of base64 encoded values sent with the request (if present). | array |
-| memcache.request.vbucket | The vbucket index sent in the binary message. | long |
-| memcache.request.verbosity | The value of the memcache "verbosity" command. | long |
-| memcache.response.bytes | The byte count of the values being transferred. | long |
-| memcache.response.cas_unique | The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). | long |
-| memcache.response.command | Either the text based protocol response message type or the name of the originating request if binary protocol is used. | keyword |
-| memcache.response.count_values | The number of values found in the memcache response message. If the command does not send any data, this field is missing. | long |
-| memcache.response.error_msg | The optional error message in the memcache response (text based protocol only). | keyword |
-| memcache.response.flags | The memcache message flags sent in the response (if present). | long |
-| memcache.response.keys | The list of keys returned for the load command (if present). | array |
-| memcache.response.opaque | The binary protocol opaque header value used for correlating request with response messages. 
| long |
-| memcache.response.opcode | The binary protocol message opcode name. | keyword |
-| memcache.response.opcode_value | The binary protocol message opcode value. | long |
-| memcache.response.stats | The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". | array |
-| memcache.response.status | The textual representation of the response error code (binary protocol only). | keyword |
-| memcache.response.status_code | The status code value returned in the response (binary protocol only). | long |
-| memcache.response.type | The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). | keyword |
-| memcache.response.value | The counter value returned by a counter operation. | long |
-| memcache.response.values | The list of base64 encoded values sent with the response (if present). | array |
-| memcache.response.version | The returned memcache version string. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic.
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.
| keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
| keyword | - - -An example event for `memcached` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:09:26.564Z", - "agent": { - "ephemeral_id": "53c3aab1-4c1d-4f33-87a9-1d1d4ce75205", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "ip": "192.168.188.37", - "port": 65195 - }, - "data_stream": { - "dataset": "network_traffic.memcached", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.memcached", - "ingested": "2022-03-09T08:09:37Z", - "kind": "event", - "start": "2022-03-09T08:09:26.564Z", - "type": [ - "connection", - "protocol" - ] - }, - "event.action": "memcache.store", - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "memcache": { - "protocol_type": "binary", - "request": { - "bytes": 1024, - "command": "set", - "count_values": 1, - "exptime": 0, - "flags": 0, - "keys": [ - "test_key" - ], - "opaque": 65536, - "opcode": "SetQ", - "opcode_value": 17, - "quiet": true, - "type": "Store", - "vbucket": 0 - } - }, - "network": { - "bytes": 1064, - "community_id": "1:QMbWqXK5vGDDbp48SEFuFe8Z1lQ=", - "direction": "unknown", - "protocol": "memcache", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "ip": [ - "192.168.188.37", - "192.168.188.38" - ] - }, - 
"server": { - "bytes": 1064, - "ip": "192.168.188.38", - "port": 11211 - }, - "source": { - "ip": "192.168.188.37", - "port": 65195 - }, - "status": "OK", - "type": "memcache" -} -``` - -### MongoDB - -**Configuration options** - -The `max_docs` and `max_doc_length` settings are useful for limiting the -amount of data Network Packet Capture indexes in the `response` fields. - -Also see [Common protocol options](#common-protocol-options). - -#### `max_docs` - -The maximum number of documents from the response to index in the -`response` field. The default is 10. You can set this to 0 to index an -unlimited number of documents. - -Network Packet Capture adds a `[...]` line at the end to signify that there were -additional documents that weren’t saved because of this setting. - -#### `max_doc_length` - -The maximum number of characters in a single document indexed in the -`response` field. The default is 5000. You can set this to 0 to index an -unlimited number of characters per document. - -If the document is trimmed because of this setting, Network Packet Capture adds the -string `...` at the end of the document. - -Note that limiting documents in this way means that they are no longer -correctly formatted JSON objects. - -Fields published for MongoDB packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. 
| date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string.
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| mongodb.cursorId | The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | keyword |
-| mongodb.error | If the MongoDB request has resulted in an error, this field contains the error message returned by the server. | keyword |
-| mongodb.fullCollectionName | The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. | keyword |
-| mongodb.numberReturned | The number of documents in the reply. | long |
-| mongodb.numberToReturn | The requested maximum number of documents to be returned. | long |
-| mongodb.numberToSkip | Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. | long |
-| mongodb.query | A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot.
| keyword |
-| mongodb.returnFieldsSelector | A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. | keyword |
-| mongodb.selector | A BSON document that specifies the query for selecting the document to update or delete. | keyword |
-| mongodb.startingFrom | Where in the cursor this reply is starting. | keyword |
-| mongodb.update | A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy.
| ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server.
| long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `mongodb` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:15:48.570Z", - "agent": { - "ephemeral_id": "fafaeb02-c623-46a0-a3e0-72e035bd12ba", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "data_stream": { - "dataset": "network_traffic.mongodb", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mongodb", - "duration": 1365900, - "end": "2022-03-09T08:15:48.571Z", - "ingested": "2022-03-09T08:15:49Z", - "kind": "event", - "start": "2022-03-09T08:15:48.570Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - 
"architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "find", - "mongodb": { - "cursorId": 0, - "fullCollectionName": "test.restaurants", - "numberReturned": 1, - "numberToReturn": 1, - "numberToSkip": 0, - "startingFrom": 0 - }, - "network": { - "bytes": 564, - "community_id": "1:mYSTZ4QZBfvJO05Em9TnPwrae6g=", - "direction": "ingress", - "protocol": "mongodb", - "transport": "tcp", - "type": "ipv4" - }, - "query": "test.restaurants.find().limit(1)", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "test.restaurants", - "server": { - "bytes": 514, - "ip": "127.0.0.1", - "port": 27017 - }, - "source": { - "bytes": 50, - "ip": "127.0.0.1", - "port": 57203 - }, - "status": "OK", - "type": "mongodb" -} -``` - -### MySQL - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `max_rows` - -The maximum number of rows from the SQL message to publish to -Elasticsearch. The default is 10 rows. - -#### `max_row_length` - -The maximum length in bytes of a row from the SQL message to publish to -Elasticsearch. The default is 1024 bytes. - -### `statement_timeout` - -The duration for which prepared statements are cached after their last -use. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". The -default is `1h`. - -Fields published for MySQL packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. 
| long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. | date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to.
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| mysql.affected_rows | If the MySQL command is successful, this field contains the affected number of rows of the last statement. | long |
-| mysql.error_code | The error code returned by MySQL. | long |
-| mysql.error_message | The error info message returned by MySQL. | keyword |
-| mysql.insert_id | If the INSERT query is successful, this field contains the id of the newly inserted row. | keyword |
-| mysql.num_fields | If the SELECT query is successful, this field is set to the number of fields returned. | long |
-| mysql.num_rows | If the SELECT query is successful, this field is set to the number of rows returned. | long |
-| mysql.query | The row mysql query as read from the transaction's request. | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. 
For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword | - - -An example event for `mysql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:20:44.667Z", - "agent": { - "ephemeral_id": "43167926-7ebd-4acd-8216-daf3664fe286", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - "data_stream": { - "dataset": "network_traffic.mysql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.mysql", - "duration": 5532500, - "end": "2022-03-09T08:20:44.673Z", - "ingested": "2022-03-09T08:20:45Z", - "kind": "event", - "start": "2022-03-09T08:20:44.667Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "mysql": { - "affected_rows": 0, - "insert_id": 0, - "num_fields": 3, - "num_rows": 15 - }, - "network": { - "bytes": 3652, - "community_id": "1:goIcZn7CMIJ6W7Yf8JRV618zzxA=", - "direction": "ingress", - "protocol": "mysql", - "transport": "tcp", - "type": "ipv4" - }, - "path": "test.test", - "query": "select * from test", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3629, - "ip": "127.0.0.1", - "port": 3306 - }, - "source": { - "bytes": 23, - "ip": "127.0.0.1", - "port": 41517 - }, - 
"status": "OK", - "type": "mysql" -} -``` - -### NFS - -**Configuration options** - -See [Common protocol options](#common-protocol-options). - -Fields published for NFS packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. 
| keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. 
| long | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| nfs.minor_version | NFS protocol minor version number. | long | -| nfs.opcode | NFS operation name, or main operation name, in case of COMPOUND calls. | keyword | -| nfs.status | NFS operation reply status. | keyword | -| nfs.tag | NFS v4 COMPOUND operation tag. | keyword | -| nfs.version | NFS protocol version number. | long | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| rpc.auth_flavor | RPC authentication flavor. | keyword | -| rpc.cred.gid | RPC caller's group id, in case of auth-unix. | long | -| rpc.cred.gids | RPC caller's secondary group ids, in case of auth-unix. | long | -| rpc.cred.machinename | The name of the caller's machine. 
| keyword | -| rpc.cred.stamp | Arbitrary ID which the caller machine may generate. | long | -| rpc.cred.uid | RPC caller's user id, in case of auth-unix. | long | -| rpc.status | RPC message reply status. | keyword | -| rpc.xid | RPC message transaction identifier. | keyword | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | -| user.id | Unique identifier of the user. 
| keyword | - - -An example event for `nfs` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:24:00.569Z", - "agent": { - "ephemeral_id": "62904593-11a1-4706-8487-78b14fb72c08", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "data_stream": { - "dataset": "network_traffic.nfs", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "nfs.CLOSE", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.nfs", - "duration": 6573500, - "end": "2022-03-09T08:24:00.575Z", - "ingested": "2022-03-09T08:24:01Z", - "kind": "event", - "start": "2022-03-09T08:24:00.569Z", - "type": [ - "connection", - "protocol" - ] - }, - "group.id": 48, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "host.hostname": "desycloud03.desy.de", - "network": { - "bytes": 384, - "community_id": "1:cd5eLXemAsSPMdXwCbdDUWWud4M=", - "direction": "unknown", - "protocol": "nfsv4", - "transport": "tcp", - "type": "ipv4" - }, - "nfs": { - "minor_version": 1, - "opcode": "CLOSE", - "status": "NFS_OK", - "tag": "", - "version": 4 - }, - "related": { - "ip": [ - "131.169.5.156", - "131.169.192.35" - ] - }, - "rpc": { - "auth_flavor": "unix", - "cred": { - "gid": 48, - 
"gids": [ - 48 - ], - "machinename": "desycloud03.desy.de", - "stamp": 4308441, - "uid": 48 - }, - "status": "success", - "xid": "c3103fc1" - }, - "server": { - "bytes": 176, - "ip": "131.169.192.35", - "port": 2049 - }, - "source": { - "bytes": 208, - "domain": "desycloud03.desy.de", - "ip": "131.169.5.156", - "port": 907 - }, - "status": "OK", - "type": "nfs", - "user.id": 48 -} -``` - -### PostgreSQL - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `max_rows` - -The maximum number of rows from the SQL message to publish to -Elasticsearch. The default is 10 rows. - -#### `max_row_length` - -The maximum length in bytes of a row from the SQL message to publish to -Elasticsearch. The default is 1024 bytes. - -Fields published for PostgreSQL packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. 
access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. 
In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| pgsql.error_code | The PostgreSQL error code. | keyword | -| pgsql.error_message | The PostgreSQL error message. | keyword | -| pgsql.error_severity | The PostgreSQL error severity. | keyword | -| pgsql.num_fields | If the SELECT query if successful, this field is set to the number of fields returned. | long | -| pgsql.num_rows | If the SELECT query if successful, this field is set to the number of rows returned. | long | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. 
| long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `pgsql` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:29:39.675Z", - "agent": { - "ephemeral_id": "1e05998c-1d97-426b-8d9e-f5f92c446612", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "data_stream": { - "dataset": "network_traffic.pgsql", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.pgsql", - "duration": 2568100, - "end": "2022-03-09T08:29:39.678Z", - "ingested": "2022-03-09T08:29:40Z", - "kind": "event", - "start": "2022-03-09T08:29:39.675Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - 
"architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SELECT", - "network": { - "bytes": 3220, - "community_id": "1:WUuTzESSpZnUwZ2tuZKZtNOdHSU=", - "direction": "ingress", - "protocol": "pgsql", - "transport": "tcp", - "type": "ipv4" - }, - "pgsql": { - "num_fields": 3, - "num_rows": 15 - }, - "query": "select * from long_response", - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "server": { - "bytes": 3186, - "ip": "127.0.0.1", - "port": 5432 - }, - "source": { - "bytes": 34, - "ip": "127.0.0.1", - "port": 34936 - }, - "status": "OK", - "type": "pgsql" -} -``` - -### Redis - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `queue_max_bytes` and `queue_max_messages` - -store requests in memory until a response is received. These settings -impose a limit on the number of bytes (`queue_max_bytes`) and number of -requests (`queue_max_messages`) that can be stored. These limits are -per-connection. The default is to queue up to 1MB or 20.000 requests per -connection, which allows to use request pipelining while at the same -time limiting the amount of memory consumed by replication sessions. - -Fields published for Redis packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. 
| keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. | keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. 
| keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. 
For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | -| redis.error | If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. | keyword | -| redis.return_value | The return value of the Redis command in a human readable format. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. 
| keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.port | Port of the source. | long | -| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | -| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | - - -An example event for `redis` looks as following: - -```json -{ - "@timestamp": "2022-03-09T08:30:57.254Z", - "agent": { - "ephemeral_id": "b68277a8-8012-4ada-bbdd-6ce88a51c5ce", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "name": "docker-fleet-agent", - "type": "packetbeat", - "version": "8.0.0" - }, - "client": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "data_stream": { - "dataset": "network_traffic.redis", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "action": "redis.set", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "network_traffic.redis", - "duration": 1421600, - "end": "2022-03-09T08:30:57.256Z", - "ingested": "2022-03-09T08:30:58Z", - "kind": "event", - "start": "2022-03-09T08:30:57.254Z", - "type": [ - "connection", - "protocol" - ] - }, - "host": { - "architecture": "x86_64", - "containerized": true, - "hostname": "docker-fleet-agent", - "ip": [ - "192.168.176.7" - ], - "mac": [ - "02-42-C0-A8-B0-07" - ], - "name": 
"docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.47-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" - } - }, - "method": "SET", - "network": { - "bytes": 36, - "community_id": "1:GuHlyWpX6bKkMXy19YkvZSNPTS4=", - "direction": "ingress", - "protocol": "redis", - "transport": "tcp", - "type": "ipv4" - }, - "query": "set key3 me", - "redis": { - "return_value": "OK" - }, - "related": { - "ip": [ - "127.0.0.1" - ] - }, - "resource": "key3", - "server": { - "bytes": 5, - "ip": "127.0.0.1", - "port": 6380 - }, - "source": { - "bytes": 31, - "ip": "127.0.0.1", - "port": 32810 - }, - "status": "OK", - "type": "redis" -} -``` - -### SIP - -**Configuration options** - -Also see [Common protocol options](#common-protocol-options). - -#### `parse_authorization` - -If set to true Network Packet Capture will parse the authorization headers -and include them in events. The default is true. - -#### `parse_body` - -If set to true, Network Packet Capture parses the SIP body when the body -contains Session Description Protocol data. The default is true. - -Fields published for SIP packets. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.bytes | Bytes sent from the client to the server. | long | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| client.process.args | The command-line of the process that initiated the transaction. | keyword | -| client.process.executable | Absolute path to the client process executable. | keyword | -| client.process.name | The name of the process that initiated the transaction. | keyword | -| client.process.start | The time the client process started. | date | -| client.process.working_directory | The working directory of the client process. 
| keyword | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. 
The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | -| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. 
This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | -| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | -| event.start | event.start contains the date when the event started or when the activity was first observed. 
| date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | -| flow.id | Internal flow ID based on connection meta data and address. | keyword | -| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | -| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | -| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | -| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. 
| keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | -| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | -| server.bytes | Bytes sent from the server to the client. | long | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| server.process.args | The command-line of the process that served the transaction. | keyword | -| server.process.executable | Absolute path to the server process executable. | keyword | -| server.process.name | The name of the process that served the transaction. | keyword | -| server.process.start | The time the server process started. | date | -| server.process.working_directory | The working directory of the server process. | keyword | -| sip.accept | Accept header value. | keyword | -| sip.allow | Allowed methods. | keyword | -| sip.auth.realm | Auth realm | keyword | -| sip.auth.scheme | Auth scheme | keyword | -| sip.auth.uri.host | Auth URI host | keyword | -| sip.auth.uri.original | Auth original URI | keyword | -| sip.auth.uri.original.text | Multi-field of `sip.auth.uri.original`. 
| text |
-| sip.auth.uri.port | Auth URI port | long |
-| sip.auth.uri.scheme | Auth URI scheme | keyword |
-| sip.call_id | Call ID. | keyword |
-| sip.code | Response status code. | long |
-| sip.contact.display_info | Contact display info | keyword |
-| sip.contact.expires | Contact expires | keyword |
-| sip.contact.line | Contact line | keyword |
-| sip.contact.q | Contact Q | keyword |
-| sip.contact.transport | Contact transport | keyword |
-| sip.contact.uri.host | Contact URI host | keyword |
-| sip.contact.uri.original | Contact original URI | keyword |
-| sip.contact.uri.original.text | Multi-field of `sip.contact.uri.original`. | text |
-| sip.contact.uri.port | Contact URI port | long |
-| sip.contact.uri.scheme | Contat URI scheme | keyword |
-| sip.contact.uri.username | Contact URI user name | keyword |
-| sip.content_length | | long |
-| sip.content_type | | keyword |
-| sip.cseq.code | Sequence code. | long |
-| sip.cseq.method | Sequence method. | keyword |
-| sip.from.display_info | From display info | keyword |
-| sip.from.tag | From tag | keyword |
-| sip.from.uri.host | From URI host | keyword |
-| sip.from.uri.original | From original URI | keyword |
-| sip.from.uri.original.text | Multi-field of `sip.from.uri.original`. | text |
-| sip.from.uri.port | From URI port | long |
-| sip.from.uri.scheme | From URI scheme | keyword |
-| sip.from.uri.username | From URI user name | keyword |
-| sip.max_forwards | | long |
-| sip.method | Request method. | keyword |
-| sip.private.uri.host | Private URI host. | keyword |
-| sip.private.uri.original | Private original URI. | keyword |
-| sip.private.uri.original.text | Multi-field of `sip.private.uri.original`. | text |
-| sip.private.uri.port | Private URI port. | long |
-| sip.private.uri.scheme | Private URI scheme. | keyword |
-| sip.private.uri.username | Private URI user name. 
| keyword |
-| sip.sdp.body.original | SDP original body | keyword |
-| sip.sdp.body.original.text | Multi-field of `sip.sdp.body.original`. | text |
-| sip.sdp.connection.address | SDP connection address | keyword |
-| sip.sdp.connection.info | SDP connection info | keyword |
-| sip.sdp.owner.ip | SDP owner IP | ip |
-| sip.sdp.owner.session_id | SDP owner session ID | keyword |
-| sip.sdp.owner.username | SDP owner user name | keyword |
-| sip.sdp.owner.version | SDP owner version | keyword |
-| sip.sdp.session.name | SDP session name | keyword |
-| sip.sdp.version | SDP version | keyword |
-| sip.status | Response status phrase. | keyword |
-| sip.supported | Supported methods. | keyword |
-| sip.to.display_info | To display info | keyword |
-| sip.to.tag | To tag | keyword |
-| sip.to.uri.host | To URI host | keyword |
-| sip.to.uri.original | To original URI | keyword |
-| sip.to.uri.original.text | Multi-field of `sip.to.uri.original`. | text |
-| sip.to.uri.port | To URI port | long |
-| sip.to.uri.scheme | To URI scheme | keyword |
-| sip.to.uri.username | To URI user name | keyword |
-| sip.type | Either request or response. | keyword |
-| sip.uri.host | The URI host. | keyword |
-| sip.uri.original | The original URI. | keyword |
-| sip.uri.original.text | Multi-field of `sip.uri.original`. | text |
-| sip.uri.port | The URI port. | long |
-| sip.uri.scheme | The URI scheme. | keyword |
-| sip.uri.username | The URI user name. | keyword |
-| sip.user_agent.original | | keyword |
-| sip.user_agent.original.text | Multi-field of `sip.user_agent.original`. | text |
-| sip.version | SIP protocol version. | keyword |
-| sip.via.original | The original Via value. | keyword |
-| sip.via.original.text | Multi-field of `sip.via.original`. | text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. 
| long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-
-
-An example event for `sip` looks as following:
-
-```json
-{
- "@timestamp": "2022-05-13T07:10:35.715Z",
- "agent": {
- "ephemeral_id": "008322ce-0d84-45f0-beaf-153cf4786013",
- "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.2.0"
- },
- "client": {
- "ip": "10.0.2.20",
- "port": 5060
- },
- "data_stream": {
- "dataset": "network_traffic.sip",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "10.0.2.15",
- "port": 5060
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "a82e5ec9-4d24-4491-8d66-470aa321ddae",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "action": "sip-invite",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.sip",
- "duration": 0,
- "end": "2022-05-13T07:10:35.715Z",
- "ingested": "2022-05-13T07:10:39Z",
- "kind": "event",
- "original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" \u003csip:sipp@10.0.2.20:5060\u003e;tag=1\r\nTo: test \u003csip:test@10.0.2.15:5060\u003e\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n",
- "sequence": 1,
- "start": "2022-05-13T07:10:35.715Z",
- "type": [
- "info"
- ]
- },
- "host": {
- 
"architecture": "x86_64", - "containerized": false, - "hostname": "docker-fleet-agent", - "ip": [ - "172.31.0.7" - ], - "mac": [ - "02-42-AC-1F-00-07" - ], - "name": "docker-fleet-agent", - "os": { - "codename": "focal", - "family": "debian", - "kernel": "5.10.104-linuxkit", - "name": "Ubuntu", - "platform": "ubuntu", - "type": "linux", - "version": "20.04.4 LTS (Focal Fossa)" - } - }, - "network": { - "application": "sip", - "community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", - "direction": "unknown", - "iana_number": "17", - "protocol": "sip", - "transport": "udp", - "type": "ipv4" - }, - "related": { - "hosts": [ - "10.0.2.15", - "10.0.2.20" - ], - "ip": [ - "10.0.2.20", - "10.0.2.15" - ], - "user": [ - "test", - "sipp" - ] - }, - "server": { - "ip": "10.0.2.15", - "port": 5060 - }, - "sip": { - "call_id": "1-2187@10.0.2.20", - "contact": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "content_length": 123, - "content_type": "application/sdp", - "cseq": { - "code": 1, - "method": "INVITE" - }, - "from": { - "display_info": "DVI4/8000", - "tag": "1", - "uri": { - "host": "10.0.2.20", - "original": "sip:sipp@10.0.2.20:5060", - "port": 5060, - "scheme": "sip", - "username": "sipp" - } - }, - "max_forwards": 70, - "method": "INVITE", - "sdp": { - "body": { - "original": "v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n" - }, - "connection": { - "address": "10.0.2.20", - "info": "IN IP4 10.0.2.20" - }, - "owner": { - "ip": "10.0.2.20", - "session_id": "42", - "version": "42" - }, - "version": "0" - }, - "to": { - "display_info": "test", - "uri": { - "host": "10.0.2.15", - "original": "sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - } - }, - "type": "request", - "uri": { - "host": "10.0.2.15", - "original": 
"sip:test@10.0.2.15:5060", - "port": 5060, - "scheme": "sip", - "username": "test" - }, - "version": "2.0", - "via": { - "original": [ - "SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0" - ] - } - }, - "source": { - "ip": "10.0.2.20", - "port": 5060 - }, - "status": "OK", - "type": "sip" -} -``` - -### Thrift - -[Apache Thrift](https://thrift.apache.org/) is a communication protocol -and RPC framework initially created at Facebook. It is sometimes used in -[microservices](http://martinfowler.com/articles/microservices.html) -architectures because it provides better performance when compared to -the more obvious HTTP/RESTful API choice, while still supporting a wide -range of programming languages and frameworks. - -Network Packet Capture works based on a copy of the traffic, which means that you -get performance management features without having to modify your -services in any way and without any latency overhead. Network Packet Capture -captures the transactions from the network and indexes them in -Elasticsearch so that they can be analyzed and searched. - -Network Packet Capture indexes the method, parameters, return value, and exceptions -of each Thrift-RPC call. You can search by and create statistics based -on any of these fields. Network Packet Capture automatically fills in the `status` -column with either `OK` or `Error`, so it’s easy to find the problematic -RPC calls. A transaction is put into the `Error` state if it returned an -exception. - -Network Packet Capture also indexes the `event.duration` field so you can get -performance analytics and find the slow RPC calls. - -Thrift supports multiple [transport and protocol -types](http://en.wikipedia.org/wiki/Apache_Thrift). Currently Network Packet Capture -supports the default `TSocket` transport as well as the `TFramed` -transport. From the protocol point of view, Network Packet Capture currently -supports only the default `TBinary` protocol. 
-
-Network Packet Capture also has several configuration options that allow you to get
-the right balance between visibility, disk usage, and data protection.
-You can, for example, choose to obfuscate all strings or to store the
-requests but not the responses, while still capturing the response time
-for each of the RPC calls. You can also choose to limit the size of
-strings and lists to a given number of elements, so you can fine tune
-how much data you want to have stored in Elasticsearch.
-
-The Thrift protocol has several specific configuration options.
-
-Providing the Thrift IDL files to Network Packet Capture is optional. The binary
-Thrift messages include the called method name and enough structural
-information to decode the messages without needing the IDL files.
-However, if you provide the IDL files, Network Packet Capture can also resolve the
-service name, arguments, and exception names.
-
-**Configuration options**
-
-Also see [Common protocol options](#common-protocol-options).
-
-#### `transport_type`
-
-The Thrift transport type. Currently this option accepts the values
-`socket` for TSocket, which is the default Thrift transport, and
-`framed` for the TFramed Thrift transport. The default is `socket`.
-
-#### `protocol_type`
-
-The Thrift protocol type. Currently the only accepted value is `binary`
-for the TBinary protocol, which is the default Thrift protocol.
-
-#### `idl_files`
-
-The Thrift interface description language (IDL) files for the service
-that Network Packet Capture is monitoring. Providing the IDL files is optional,
-because the Thrift messages contain enough information to decode them
-without having the IDL files. However, providing the IDL enables
-Network Packet Capture to include parameter and exception names.
-
-#### `string_max_size`
-
-The maximum length for strings in parameters or return values. If a
-string is longer than this value, the string is automatically truncated
-to this length. 
Network Packet Capture adds dots at the end of the string to mark
-that it was truncated. The default is 200.
-
-#### `collection_max_size`
-
-The maximum number of elements in a Thrift list, set, map, or structure.
-If a collection has more elements than this value, Network Packet Capture captures
-only the specified number of elements. Network Packet Capture adds a fictive last
-element `...` to the end of the collection to mark that it was
-truncated. The default is 15.
-
-#### `capture_reply`
-
-If this option is set to false, Network Packet Capture decodes the method name from
-the reply and simply skips the rest of the response message. This
-setting can be useful for performance, disk usage, or data retention
-reasons. The default is true.
-
-#### `obfuscate_strings`
-
-If this option is set to true, Network Packet Capture replaces all strings found in
-method parameters, return codes, or exception structures with the `"*"`
-string.
-
-#### `drop_after_n_struct_fields`
-
-The maximum number of fields that a structure can have before Network Packet Capture
-ignores the whole transaction. This is a memory protection mechanism (so
-that Network Packet Capture’s memory doesn’t grow indefinitely), so you would
-typically set this to a relatively high value. The default is 500.
-
-Fields published for Thrift packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. 
| date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. 
| long |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| thrift.exceptions | If the call resulted in exceptions, this field contains the exceptions in a human readable format. | keyword |
-| thrift.params | The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. | keyword |
-| thrift.return_value | The value returned by the Thrift-RPC call. This is encoded in a human readable format. | keyword |
-| thrift.service | The name of the Thrift-RPC service as defined in the IDL files. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
| keyword |
-
-
-An example event for `thrift` looks as following:
-
-```json
-{
- "@timestamp": "2022-05-23T10:59:35.668Z",
- "agent": {
- "ephemeral_id": "016dcea4-c82a-4499-9069-e4e0ff6d04ff",
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.2.0"
- },
- "client": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "data_stream": {
- "dataset": "network_traffic.thrift",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 9090
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.thrift",
- "duration": 1275700,
- "end": "2022-05-23T10:59:35.669Z",
- "ingested": "2022-05-23T10:59:36Z",
- "kind": "event",
- "start": "2022-05-23T10:59:35.668Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": false,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.224.7"
- ],
- "mac": [
- "02-42-C0-A8-E0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.104-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "method": "testByte",
- "network": {
- "bytes": 50,
- "community_id": "1:fs+HuhTN3hqKiWHtoK/DsQ0ni5Y=",
- "direction": "ingress",
- "protocol": "thrift",
- "transport": "tcp",
- "type": "ipv4"
- },
- "path": "",
- "query": "testByte(1: 63)",
- "related": {
- "ip": [
- "127.0.0.1"
- ]
- },
- "server": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 9090
- },
- "source": {
- "bytes": 25,
- "ip": "127.0.0.1",
- "port": 50919
- },
- "status": "OK",
- "thrift": {
- "params": "(1: 63)",
- "return_value": "63"
- },
- "type": "thrift"
-}
-```
-
-### TLS
-
-TLS is a cryptographic protocol that provides secure communications on
-top of an existing application protocol, like HTTP or MySQL.
-
-Network Packet Capture intercepts the initial handshake in a TLS connection and
-extracts useful information that helps operators diagnose problems and
-strengthen the security of their network and systems. It does not
-decrypt any information from the encapsulated protocol, nor does it
-reveal any sensitive information such as cryptographic keys. TLS
-versions 1.0 to 1.3 are supported.
-
-It works by intercepting the client and server "hello" messages, which
-contain the negotiated parameters for the connection such as
-cryptographic ciphers and protocol versions. It can also intercept TLS
-alerts, which are sent by one of the parties to signal a problem with
-the negotiation, such as an expired certificate or a cryptographic
-error.
-
-Detailed information that is not defined in ECS is added under the
-`tls.detailed` key. The [`include_detailed_fields`](#include_detailed_fields) configuration flag
-is used to control whether this information is exported.
-
-The fields under `tls.detailed.client_hello` contain the algorithms and
-extensions supported by the client, as well as the maximum TLS version
-it supports.
-
-Fields under `tls.detailed.server_hello` contain the final settings for
-the TLS session: The selected cipher, compression method, TLS version to
-use and other extensions such as application layer protocol negotiation
-(ALPN).
-
-**Configuration options**
-
-The `send_certificates` and `include_detailed_fields` settings are
-useful for limiting the amount of data Network Packet Capture indexes, as multiple
-certificates are usually exchanged in a single transaction, and those
-can take a considerable amount of storage.
-
-Also see [Common protocol options](#common-protocol-options). 
-
-#### `send_certificates`
-
-This setting causes information about the certificates presented by the
-client and server to be included in the detailed fields. The server’s
-certificate is indexed under `tls.detailed.server_certificate` and its
-certification chain under `tls.detailed.server_certificate_chain`. For
-the client, the `client_certificate` and `client_certificate_chain`
-fields are used. The default is true.
-
-#### `include_raw_certificates`
-
-You can set `include_raw_certificates` to include the raw certificate
-chains encoded in PEM format, under the `tls.server.certificate_chain`
-and `tls.client.certificate_chain` fields. The default is false.
-
-#### `include_detailed_fields`
-
-Controls whether the [https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-tls_detailed.html](#exported-fields-tls_detailed) are added to exported documents. When
-set to false, only [ECS TLS](https://www.elastic.co/guide/en/ecs/8.2/ecs-tls.html) fields are included.
-exported are included. The default is `true`.
-
-#### `fingerprints`
-
-Defines a list of hash algorithms to calculate the certificate’s
-fingerprints. Valid values are `sha1`, `sha256` and `md5`.
-
-The default is to output SHA-1 fingerprints.
-
-Fields published for TLS packets.
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.bytes | Bytes sent from the client to the server. | long |
-| client.ip | IP address of the client (IPv4 or IPv6). | ip |
-| client.port | Port of the client. | long |
-| client.process.args | The command-line of the process that initiated the transaction. | keyword |
-| client.process.executable | Absolute path to the client process executable. | keyword |
-| client.process.name | The name of the process that initiated the transaction. | keyword |
-| client.process.start | The time the client process started. 
| date |
-| client.process.working_directory | The working directory of the client process. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
| keyword |
-| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean |
-| flow.id | Internal flow ID based on connection meta data and address. | keyword |
-| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information.
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword |
-| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
-| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text |
-| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword |
-| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`.
For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword |
-| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text |
-| server.bytes | Bytes sent from the server to the client. | long |
-| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
-| server.ip | IP address of the server (IPv4 or IPv6). | ip |
-| server.port | Port of the server. | long |
-| server.process.args | The command-line of the process that served the transaction. | keyword |
-| server.process.executable | Absolute path to the server process executable. | keyword |
-| server.process.name | The name of the process that served the transaction. | keyword |
-| server.process.start | The time the server process started. | date |
-| server.process.working_directory | The working directory of the server process. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword |
-| tls.cipher | String indicating the cipher used during the current connection. | keyword |
-| tls.client.certificate | PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | keyword |
-| tls.client.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the client.
This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | keyword |
-| tls.client.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword |
-| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
-| tls.client.not_after | Date/Time indicating when client certificate is no longer considered valid. | date |
-| tls.client.not_before | Date/Time indicating when client certificate is first considered valid. | date |
-| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword |
-| tls.client.subject | Distinguished name of subject of the x.509 certificate presented by the client. | keyword |
-| tls.client.supported_ciphers | Array of ciphers offered by the client during the client hello. | keyword |
-| tls.client.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
| keyword |
-| tls.client.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.country | List of country (C) codes | keyword |
-| tls.client.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.locality | List of locality names (L) | keyword |
-| tls.client.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| tls.client.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.client.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| tls.client.x509.not_before | Time at which the certificate is first considered valid. | date |
-| tls.client.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
-| tls.client.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
-| tls.client.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
-| tls.client.x509.public_key_size | The size of the public key space in bits. | long |
-| tls.client.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| tls.client.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| tls.client.x509.subject.common_name | List of common names (CN) of subject.
| keyword |
-| tls.client.x509.subject.country | List of country (C) code | keyword |
-| tls.client.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| tls.client.x509.subject.locality | List of locality names (L) | keyword |
-| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword |
-| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.client.x509.version_number | Version of x509 format. | keyword |
-| tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword |
-| tls.detailed.alert_types | An array containing the TLS alert type for every alert received. | keyword |
-| tls.detailed.client_certificate_chain | Chain of trust for the client certificate. | array |
-| tls.detailed.client_certificate_requested | Whether the server has requested the client to authenticate itself using a client certificate. | boolean |
-| tls.detailed.client_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat. | keyword |
-| tls.detailed.client_hello.extensions.application_layer_protocol_negotiation | List of application-layer protocols the client is willing to use. | keyword |
-| tls.detailed.client_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. | keyword |
-| tls.detailed.client_hello.extensions.server_name_indication | List of hostnames | keyword |
-| tls.detailed.client_hello.extensions.session_ticket | Length of the session ticket, if provided, or an empty string to advertise support for tickets. | keyword |
-| tls.detailed.client_hello.extensions.signature_algorithms | List of signature algorithms that may be use in digital signatures.
| keyword |
-| tls.detailed.client_hello.extensions.status_request.request_extensions | The number of certificate extensions for the request. | short |
-| tls.detailed.client_hello.extensions.status_request.responder_id_list_length | The length of the list of trusted responders. | short |
-| tls.detailed.client_hello.extensions.status_request.type | The type of the status request. Always "ocsp" if present. | keyword |
-| tls.detailed.client_hello.extensions.supported_groups | List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. | keyword |
-| tls.detailed.client_hello.extensions.supported_versions | List of TLS versions that the client is willing to use. | keyword |
-| tls.detailed.client_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword |
-| tls.detailed.client_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword |
-| tls.detailed.client_hello.supported_compression_methods | The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml | keyword |
-| tls.detailed.client_hello.version | The version of the TLS protocol by which the client wishes to communicate during this session. | keyword |
-| tls.detailed.ocsp_response | The result of an OCSP request. | keyword |
-| tls.detailed.resumption_method | If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. | keyword |
-| tls.detailed.server_certificate_chain | Chain of trust for the server certificate. | array |
-| tls.detailed.server_hello.extensions._unparsed_ | List of extensions that were left unparsed by Packetbeat.
| keyword |
-| tls.detailed.server_hello.extensions.application_layer_protocol_negotiation | Negotiated application layer protocol | keyword |
-| tls.detailed.server_hello.extensions.ec_points_formats | List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. | keyword |
-| tls.detailed.server_hello.extensions.session_ticket | Used to announce that a session ticket will be provided by the server. Always an empty string. | keyword |
-| tls.detailed.server_hello.extensions.status_request.response | Whether a certificate status request response was made. | boolean |
-| tls.detailed.server_hello.extensions.supported_versions | Negotiated TLS version to be used. | keyword |
-| tls.detailed.server_hello.random | Random data used by the TLS protocol to generate the encryption key. | keyword |
-| tls.detailed.server_hello.selected_compression_method | The compression method selected by the server from the list provided in the client hello. | keyword |
-| tls.detailed.server_hello.session_id | Unique number to identify the session for the corresponding connection with the client. | keyword |
-| tls.detailed.server_hello.version | The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello. | keyword |
-| tls.detailed.version | The version of the TLS protocol used. | keyword |
-| tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean |
-| tls.next_protocol | String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | keyword |
-| tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
| boolean |
-| tls.server.certificate | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | keyword |
-| tls.server.certificate_chain | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. | keyword |
-| tls.server.hash.md5 | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.hash.sha256 | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
-| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword |
-| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword |
-| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date |
-| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date |
-| tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword |
-| tls.server.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
| keyword |
-| tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.country | List of country (C) codes | keyword |
-| tls.server.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.locality | List of locality names (L) | keyword |
-| tls.server.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
-| tls.server.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.server.x509.not_after | Time at which the certificate is no longer considered valid. | date |
-| tls.server.x509.not_before | Time at which the certificate is first considered valid. | date |
-| tls.server.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
-| tls.server.x509.public_key_curve | The curve used by the elliptic curve public key algorithm. This is algorithm specific. | keyword |
-| tls.server.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
-| tls.server.x509.public_key_size | The size of the public key space in bits. | long |
-| tls.server.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
-| tls.server.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword |
-| tls.server.x509.subject.common_name | List of common names (CN) of subject.
| keyword |
-| tls.server.x509.subject.country | List of country (C) code | keyword |
-| tls.server.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword |
-| tls.server.x509.subject.locality | List of locality names (L) | keyword |
-| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword |
-| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
-| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
-| tls.server.x509.version_number | Version of x509 format. | keyword |
-| tls.version | Numeric part of the version parsed from the original string. | keyword |
-| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
-| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword |
-
-
-An example event for `tls` looks as following:
-
-```json
-{
- "@timestamp": "2022-05-23T11:01:14.376Z",
- "agent": {
- "ephemeral_id": "d7d5fdf6-998d-488e-bfb7-176a86d6860d",
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "name": "docker-fleet-agent",
- "type": "packetbeat",
- "version": "8.2.0"
- },
- "client": {
- "ip": "192.168.1.35",
- "port": 59455
- },
- "data_stream": {
- "dataset": "network_traffic.tls",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "domain": "example.net",
- "ip": "93.184.216.34",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "0488c467-eaa0-4733-a81a-326734926bc2",
- "snapshot": false,
- "version": "8.2.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "network_traffic.tls",
- "duration": 365887700,
- "end": "2022-05-23T11:01:14.741Z",
- "ingested": "2022-05-23T11:01:17Z",
- "kind": "event",
- "start": "2022-05-23T11:01:14.376Z",
- "type": [
- "connection",
- "protocol"
- ]
- },
- "host": {
- "architecture": "x86_64",
- "containerized": false,
- "hostname": "docker-fleet-agent",
- "ip": [
- "192.168.224.7"
- ],
- "mac": [
- "02-42-C0-A8-E0-07"
- ],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "focal",
- "family": "debian",
- "kernel": "5.10.104-linuxkit",
- "name": "Ubuntu",
- "platform": "ubuntu",
- "type": "linux",
- "version": "20.04.4 LTS (Focal Fossa)"
- }
- },
- "network": {
- "community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=",
- "direction": "unknown",
- "protocol": "tls",
- "transport": "tcp",
- "type": "ipv4"
- },
- "related": {
- "ip": [
- "192.168.1.35",
- "93.184.216.34"
- ]
- },
- "server": {
- "domain": "example.net",
- "ip": "93.184.216.34",
- "port": 443
- },
- "source": {
- "ip": "192.168.1.35",
- "port": 59455
- },
- "status": "OK",
- "tls": {
- "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "client": {
- "ja3": "e6573e91e6eb777c0933c5b8f97f10cd",
- "server_name": "example.net",
- "supported_ciphers": [
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "(unknown:0xff85)",
- "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
- "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
- "TLS_GOSTR341001_WITH_28147_CNT_IMIT",
- "TLS_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_RSA_WITH_AES_256_CBC_SHA",
- "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
- "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
-
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_RSA_WITH_AES_128_GCM_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" - ] - }, - "detailed": { - "client_certificate_requested": false, - "client_hello": { - "extensions": { - "application_layer_protocol_negotiation": [ - "h2", - "http/1.1" - ], - "ec_points_formats": [ - "uncompressed" - ], - "server_name_indication": [ - "example.net" - ], - "signature_algorithms": [ - "rsa_pkcs1_sha512", - "ecdsa_secp521r1_sha512", - "(unknown:0xefef)", - "rsa_pkcs1_sha384", - "ecdsa_secp384r1_sha384", - "rsa_pkcs1_sha256", - "ecdsa_secp256r1_sha256", - "(unknown:0xeeee)", - "(unknown:0xeded)", - "(unknown:0x0301)", - "(unknown:0x0303)", - "rsa_pkcs1_sha1", - "ecdsa_sha1" - ], - "supported_groups": [ - "x25519", - "secp256r1", - "secp384r1" - ] - }, - "random": "d7c809b4ac3a60b62f53c9d9366ca89a703d25491ff2a246a89f32f945f7b42b", - "supported_compression_methods": [ - "NULL" - ], - "version": "3.3" - }, - "server_certificate_chain": [ - { - "issuer": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "not_after": "2023-03-08T12:00:00.000Z", - "not_before": "2013-03-08T12:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - 
"serial_number": "2646203786665923649276728595390119057", - "signature_algorithm": "SHA256-RSA", - "subject": { - "common_name": "DigiCert SHA2 Secure Server CA", - "country": "US", - "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc" - }, - "version_number": 3 - }, - { - "issuer": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "not_after": "2031-11-10T00:00:00.000Z", - "not_before": "2006-11-10T00:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "10944719598952040374951832963794454346", - "signature_algorithm": "SHA1-RSA", - "subject": { - "common_name": "DigiCert Global Root CA", - "country": "US", - "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc", - "organizational_unit": "www.digicert.com" - }, - "version_number": 3 - } - ], - "server_hello": { - "extensions": { - "_unparsed_": [ - "renegotiation_info", - "server_name_indication" - ], - "application_layer_protocol_negotiation": [ - "h2" - ], - "ec_points_formats": [ - "uncompressed", - "ansiX962_compressed_prime", - "ansiX962_compressed_char2" - ] - }, - "random": "d1fd553a5a270f08e09eda6690fb3c8f9884e9a9fe7949e9444f574e47524401", - "selected_compression_method": "NULL", - "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f", - "version": "3.3" - }, - "version": "TLS 1.2" - }, - "established": true, - "next_protocol": "h2", - "resumed": false, - "server": { - "hash": { - "sha1": "7BB698386970363D2919CC5772846984FFD4A889" - }, - "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "not_after": "2020-12-02T12:00:00.000Z", - "not_before": "2018-11-28T00:00:00.000Z", - "subject": 
"CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", - "x509": { - "alternative_names": [ - "www.example.org", - "example.com", - "example.edu", - "example.net", - "example.org", - "www.example.com", - "www.example.edu", - "www.example.net" - ], - "issuer": { - "common_name": "DigiCert SHA2 Secure Server CA", - "country": "US", - "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", - "organization": "DigiCert Inc" - }, - "not_after": "2020-12-02T12:00:00.000Z", - "not_before": "2018-11-28T00:00:00.000Z", - "public_key_algorithm": "RSA", - "public_key_size": 2048, - "serial_number": "21020869104500376438182461249190639870", - "signature_algorithm": "SHA256-RSA", - "subject": { - "common_name": "www.example.org", - "country": "US", - "distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", - "locality": "Los Angeles", - "organization": "Internet Corporation for Assigned Names and Numbers", - "organizational_unit": "Technology", - "state_or_province": "California" - }, - "version_number": "3" - } - }, - "version": "1.2", - "version_protocol": "tls" - }, - "type": "tls" -} -``` - -## Licensing for Windows Systems - -The Network Packet Capture Integration incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project"). \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index 16f534dd5e..0000000000 --- a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "Overview of DNS request and response metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":13,\"x\":0,\"y\":15},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":11,\"x\":13,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-65120940-1454-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-dns-query-summary", - "name": 
"panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-dns-request-status-over-time", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-dns-question-types", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dns-top-10-questions", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-dns-response-codes", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json deleted file mode 100755 index 7562508a09..0000000000 --- a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "DHCPv4 Overview", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":9,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"3\",\"w\":11,\"x\":37,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"6\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"7\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"8\",\"w\":13,\"x\":24,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - 
"dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "5:panel_5", - "type": "search" - }, - { - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "name": "8:panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-cassandra.json b/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-cassandra.json deleted file mode 100755 index 489417c609..0000000000 --- a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-cassandra.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":12,\"x\":36,\"y\":8},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":12,\"x\":24,\"y\":8},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":12,\"x\":12,\"y\":8},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":24},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":32},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\
":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"columns\":[\"cassandra.request.query\",\"cassandra.response.result.rows.meta.keyspace\",\"cassandra.response.result.rows.meta.table\",\"cassandra.response.result.rows.num_rows\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":12,\"i\":\"20\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"search\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Cassandra", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-cassandra-responsekeyspace", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetype", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsetime", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcount", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-ops", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountstackbytype", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-responsecountstackbytype", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-requestcountbytype", - "name": "17:panel_17", - "type": 
"visualization" - }, - { - "id": "network_traffic-cassandra-responsecountbytype", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "19:panel_19", - "type": "visualization" - }, - { - "id": "network_traffic-cassandra-queryview", - "name": "20:panel_20", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-dashboard.json b/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-dashboard.json deleted file mode 100755 index c1dee3dfea..0000000000 --- a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-dashboard.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "Network Packet Capture overview dashboard.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":20},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"2\",\"w\":12,\"x\":36,\"y\":20},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"
},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"12\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":10,\"i\":\"13\",\"w\":12,\"x\":24,\"y\":20},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true},\\\"id\\\":\\\"3f5bc195-da9d-4ec8-a68f-896db321a54b\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"9638dc3f-f85a-4e68-8e14-25654df43f8e\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"client.geo.location\\\",\\\"id\\\":\\\"220c104b-34a8-4aa7-a3d6-7b56ad4d3b9e\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"maxSize\\\":18,\\\"minSize\\\":7},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":2.4,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"agent.type:packetbeat\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerC
ontrol\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"[Network Packet Capture] Map 2\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":40.9799,\"maxLon\":90,\"minLat\":0,\"minLon\":-90},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":2.4},\"openTOCDetails\":[]},\"gridData\":{\"h\":20,\"i\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"92e797bb-1975-4320-9d19-9b7f11e9e538\",\"title\":\"[Network Packet Capture] Client IP Locations (requires GeoIP enrichment)\",\"type\":\"map\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dashboard", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-web-transactions", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-db-transactions", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-errors-count-over-time", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-errors-vs-successful-transactions", - "name": "7:panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-latency-histogram", - "name": "8:panel_8", - "type": "visualization" - 
}, - { - "id": "network_traffic-response-times-repartition", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "name": "12:panel_12", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "logs-*", - "name": "92e797bb-1975-4320-9d19-9b7f11e9e538:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-dns-unique-domains.json b/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-dns-unique-domains.json deleted file mode 100755 index d6f50f2545..0000000000 --- a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-dns-unique-domains.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "Detecting tunneling over DNS.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"NOT dns.question.type:PTR\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique Subdomain Count\":\"#EF843C\",\"Unique count of dns.question.name\":\"#E0752D\"},\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] DNS Tunneling", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-unique-domains", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-unique-fqdns-per-etld-1", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "name": "panel_1", - "type": "visualization" - }, - { - "id": 
"network_traffic-bytes-transferred-per-domain", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-flows.json b/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-flows.json deleted file mode 100755 index 13b51d1106..0000000000 --- a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-flows.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"1\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"3\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":35,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":35,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Network Flows", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-flows", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-top-hosts-creating-traffic", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-connections-over-time", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-top-hosts-receiving-traffic", - "name": "panel_3", - "type": "visualization" - }, - { - "id": 
"network_traffic-network-traffic-between-your-hosts", - "name": "panel_4", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-http.json b/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-http.json deleted file mode 100755 index 0699eb175a..0000000000 --- a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-http.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":36,\"x\":12,\"y\":20},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] HTTP", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": 
"network_traffic-web-transactions", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-http-error-codes-evolution", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-total-number-of-http-transactions", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-http-codes-for-the-top-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-10-http-requests", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-mongodb-performance.json b/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-mongodb-performance.json deleted file mode 100755 index 76b41ed6ac..0000000000 --- a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-mongodb-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"6\",\"w\":32,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":25,\"i\":\"7\",\"w\":16,\"x\":32,\"y\":35},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] MongoDB", - "version": 1 - }, - "coreMigrationVersion": 
"7.17.0", - "id": "network_traffic-mongodb-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-commands", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-errors-per-collection", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-in-slash-out-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-mongodb-response-times-by-collection", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-slowest-mongodb-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-mysql-performance.json b/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-mysql-performance.json deleted file mode 100755 index 6e51b19d93..0000000000 --- a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-mysql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network 
Packet Capture] MySQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-methods", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-throughput", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-mysql-queries", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-mysql-queries", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-response-times-percentiles", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-mysql-reads-vs-writes", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-nfs.json b/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-nfs.json deleted file mode 100755 index 2b9bfc8b82..0000000000 --- a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-nfs.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "NFSv3 and NFSv4 transactions over TCP.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":25,\"i\":\"1\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":55},\"panelIndex\":\"3\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"spy\":{\"mode\":{\"fill\":false,\"name\":null}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":10,\"i\":\"4\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":16,\"x\":32,\"y\":10},\"panelIndex\":\"5\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":25},\"panelIndex\":\"6\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"7\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":55},\"panelIndex\":\"8\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":30,\"i\"
:\"9\",\"w\":24,\"x\":0,\"y\":25},\"panelIndex\":\"9\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":25,\"i\":\"10\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"10\",\"panelRefName\":\"panel_8\",\"version\":\"7.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] NFS", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-clients-pie-chart", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operations-area-chart", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-group-pie-chart", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-top-users-pie-chart", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-response-times", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-errors", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-operation-table", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-nfs-bytes-in-slash-out", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "network_traffic-navigation", - "name": "panel_8", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-pgsql-performance.json b/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-pgsql-performance.json deleted file mode 100755 index 462ad7a8be..0000000000 --- a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-pgsql-performance.json +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - "attributes": { - "description": "Postgres database query performance.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":20,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":35},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":35},\"panelIndex\":\"6\",\"panelRefName\":\"panel_5\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"7\",\"w\":24,\"x\":0,\"y\":50},\"panelIndex\":\"7\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":30,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":50},\"panelIndex\":\"8\",\"panelRefName\":\"panel_7\",\"version\":\"7.0.0-SNAPSHOT\"}]", - 
"timeRestore": false, - "title": "[Network Packet Capture] PgSQL performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-performance", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-errors", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-methods", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-response-times-percentiles", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-throughput", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-pgsql-reads-vs-writes", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-most-frequent-pgsql-queries", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-pgsql-queries", - "name": "panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-thrift-performance.json b/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-thrift-performance.json deleted file mode 100755 index fe50a1efbd..0000000000 --- a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-thrift-performance.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"2\",\"w\":20,\"x\":12,\"y\":0},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"4\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"6\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] Thrift performance", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-performance", 
- "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-requests-per-minute", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-rpc-errors", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "network_traffic-slowest-thrift-rpc-methods", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-thrift-response-times-percentiles", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-methods", - "name": "6:panel_6", - "type": "visualization" - }, - { - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "name": "7:panel_7", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-tls-sessions.json b/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-tls-sessions.json deleted file mode 100755 index 876601f994..0000000000 --- a/packages/network_traffic/1.1.0/kibana/dashboard/network_traffic-tls-sessions.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "[Network Packet Capture] TLS Sessions", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" - }, - "optionsJSON": "{\"darkTheme\":false,\"useMargins\":false}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"8\",\"w\":36,\"x\":12,\"y\":0},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":12,\"x\":12,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":12,\"x\":0,\"y\":16},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":40},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"12\",\"w\":12,\"x\":24,\"y\":28},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":12,\"x\":36,\"y\":28},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":12,\"x\":0,\"y\":28},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"ver
sion\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":24,\"x\":0,\"y\":64},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"17\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"18\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"19\",\"w\":36,\"x\":12,\"y\":16},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", - "timeRestore": false, - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-tls-sessions", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-navigation", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "name": "8:panel_8", - "type": "visualization" - }, - { - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "name": "9:panel_9", - "type": "visualization" - }, - { - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "name": "10:panel_10", - "type": "visualization" - }, - { - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "name": "11:panel_11", - "type": "visualization" - }, - { - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "name": "12:panel_12", - 
"type": "visualization" - }, - { - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "name": "13:panel_13", - "type": "visualization" - }, - { - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "name": "14:panel_14", - "type": "visualization" - }, - { - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "name": "15:panel_15", - "type": "visualization" - }, - { - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "name": "16:panel_16", - "type": "visualization" - }, - { - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "name": "17:panel_17", - "type": "visualization" - }, - { - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "name": "18:panel_18", - "type": "visualization" - }, - { - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "name": "19:panel_19", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index afb21d2457..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 67be55b24a..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.ja3\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.ja3\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Fingerprint", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json deleted file mode 100755 index 6d16385a7d..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] HTTP Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 438de0c09a..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"event.duration\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Handshake Latency", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index b2320634bf..0000000000 
--- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.server.x509.public_key_size\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.server.x509.public_key_size\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Server Public Key Size", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json deleted file mode 100755 index 7851d8f875..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-94908e80-d2d8-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.client.server_name\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.client.server_name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Server Name Indication", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json deleted file mode 100755 index 44b4e814c2..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - "attributes": { - "columns": [ - "dhcpv4.transaction_id", - "dhcpv4.op_code", - "dhcpv4.option.message_type", - "source.ip", - "destination.ip", - "dhcpv4.client_mac", - "dhcpv4.option.hostname", - "dhcpv4.option.class_identifier" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DHCPv4", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json deleted file mode 100755 index 48114ab869..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.detailed.version\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.detailed.version\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Version", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-cassandra-queryview.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-cassandra-queryview.json deleted file mode 100755 index 4da4785f32..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-cassandra-queryview.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "cassandra.request.query", - "cassandra.response.result.rows.meta.keyspace", - "cassandra.response.result.rows.meta.table", - "cassandra.response.result.rows.num_rows" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"cassandra.request.headers.op\",\"negate\":false,\"params\":{\"query\":\"QUERY\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"QUERY\"},\"query\":{\"match\":{\"cassandra.request.headers.op\":{\"query\":\"QUERY\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"cassandra.response.headers.op\",\"negate\":true,\"params\":{\"query\":\"ERROR\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"ERROR\"},\"query\":{\"match\":{\"cassandra.response.headers.op\":{\"query\":\"ERROR\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Cassandra Query Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-queryview", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json deleted file mode 100755 index e042ed47b0..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "attributes": { - "columns": [ - "server.ip", - "destination.ip", - "dns.question.name", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"dns\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"dns\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"dns\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] DNS Protocol", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json deleted file mode 100755 index adda40afe3..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e.json +++ /dev/null 
@@ -1,33 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.cassandra\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Network Packet Capture] Cassandra Search",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json
deleted file mode 100755
index 54ccb16243..0000000000
--- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063.json
+++ /dev/null
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":\"TLS sessions\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] TLS Sessions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-flows-search.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-flows-search.json deleted file mode 100755 index 94bf5f31c0..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-flows-search.json +++ /dev/null 
@@ -1,41 +0,0 @@
-{
- "attributes": {
- "columns": [
- "type",
- "event.start",
- "event.end",
- "source.ip",
- "source.port",
- "destination.ip",
- "destination.port",
- "source.bytes",
- "destination.bytes"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.flow\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Network Packet Capture] Flows Search",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-flows-search",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json
deleted file mode 100755
index f3f1e907c0..0000000000
--- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-mongodb-transactions-with-write-concern-0.json
+++ /dev/null
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb and request: \\\"writeConcern w 0\\\"\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB transactions with write concern 0", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-mongodb-transactions.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-mongodb-transactions.json deleted file mode 100755 index 71fb0f7d06..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-mongodb-transactions.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status", - "query" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mongodb\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MongoDB Transaction Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-mysql-errors.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-mysql-errors.json deleted file mode 100755 index e6696d3dfe..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-mysql-transactions.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-mysql-transactions.json deleted file mode 100755 index 035e4af69f..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-mysql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.mysql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] MySQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-nfs-errors-search.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-nfs-errors-search.json deleted file mode 100755 index 234a135c17..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-nfs-errors-search.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "attributes": { - "columns": [ - "_source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFSERR_NOENT\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFSERR_NOENT\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"nfs.status\",\"negate\":true,\"params\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"NFS_OK\"},\"query\":{\"match\":{\"nfs.status\":{\"query\":\"NFS_OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] NFS Error Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" 
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-nfs.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-nfs.json
deleted file mode 100755
index 637ab8785a..0000000000
--- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-nfs.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "attributes": {
- "columns": [
- "_source"
- ],
- "description": "",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.nfs\"},\"version\":true}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "[Network Packet Capture] NFS Search",
- "version": 1
- },
- "coreMigrationVersion": "7.17.0",
- "id": "network_traffic-nfs",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-pgsql-errors.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-pgsql-errors.json
deleted file mode 100755
index e1e696c06b..0000000000
--- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-pgsql-errors.json
+++ /dev/null
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-pgsql-transactions.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-pgsql-transactions.json deleted file mode 100755 index 4cf83e438b..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-pgsql-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.pgsql\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] PgSQL Transactions", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-search.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-search.json deleted file mode 100755 index b8dcde28ff..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-search.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-search", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-thrift-errors.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-thrift-errors.json deleted file mode 100755 index 4ada45ff68..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-thrift-errors.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Errors", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-thrift-transactions.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-thrift-transactions.json deleted file mode 100755 index d561697995..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-thrift-transactions.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "method", - "type", - "path", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.thrift\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Thrift Transactions Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-transactions", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/search/network_traffic-transactions-errors.json b/packages/network_traffic/1.1.0/kibana/search/network_traffic-transactions-errors.json deleted file mode 100755 index 26f67d32a2..0000000000 --- a/packages/network_traffic/1.1.0/kibana/search/network_traffic-transactions-errors.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "attributes": { - "columns": [ - "client.ip", - "client.port", - "server.ip", - "server.port", - "data_stream.dataset", - "query", - "method", - "event.duration", - "status" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":true,\"params\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"network_traffic.flow\"},\"query\":{\"match\":{\"data_stream.dataset\":{\"query\":\"network_traffic.flow\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"status\",\"negate\":true,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"},\"version\":true}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Network Packet Capture] Transactions Errors Search", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-transactions-errors", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - 
{ - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json deleted file mode 100755 index 72cce261f0..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Sessions", - "uiStateJSON": "{\"vis\":{\"colors\":{\"false\":\"#E24D42\",\"true\":\"#7EB26D\"},\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sessions per minute\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Handshake completed\",\"field\":\"tls.established\",\"json\":\"\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"
},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Sessions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-059fe5e0-d2dd-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index 428c808c1b..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-061de380-d361-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"tls.established\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tls.established\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] Total Number of TLS Sessions", - "uiStateJSON": "{\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-7\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total Number of TLS Sessions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-061de380-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 3d5fc5d68c..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-0958a910-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.server.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Organization\",\"field\":\"tls.server.x509.subject.organization\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Server Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0958a910-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index a9a6b6d585..0000000000 
--- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-0af0b790-d37d-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Versions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"TLS version\",\"field\":\"tls.detailed.version\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Versions\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-0af0b790-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-bf3d23b0-d37c-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json deleted file mode 100755 index 5c709d21ab..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Client Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique MACs\",\"field\":\"dhcpv4.client_mac\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Client Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-11d33ea0-8bad-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 238ff5fe1b..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-2c467370-d392-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Session Resume", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"\",\"field\":\"tls.detailed.resumption_method\",\"json\":\"{\\n\\\"missing\\\": \\\"none\\\"\\n}\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Session Resume\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-2c467370-d392-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index 28758eb761..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Message Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Op Code\",\"field\":\"dhcpv4.op_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Message Type\",\"field\":\"dhcpv4.option.message_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DHCPv4 Message Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-418dfbe0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json deleted file mode 100755 index dfd0b9c2df..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Cipher", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Cipher\",\"field\":\"tls.cipher\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Cipher\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-463d2bf0-d3a8-11e7-9081-ab2af08e9961", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json deleted file mode 100755 index 69216a897d..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"dhcpv4.option.message_type:nak OR dhcpv4.option.message_type:decline\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 NAK and Decline Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":57,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 NAK and Decline Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-4ad9db20-8bab-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index e347b89b8e..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Avg Response Time (ns)\":\"#629E51\",\"Max Response Time (ns)\":\"#E24D42\",\"Min Response Time (ns)\":\"#70DBED\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Min Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"min\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Max Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"max\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"4\",\"label\":\"Min Response Time 
(ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"1\",\"label\":\"Avg Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Max Response Time (ns)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Average event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Min/Max/Avg Response Time Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-735d25c0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json deleted file mode 100755 index 27390bc2a6..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dhcpv4\"}}" - }, - "title": "[Network Packet Capture] DHCPv4 Message Types over Time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"c2cf4410-8ba8-11e8-ae15-bdcba81344e6\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"type:dhcpv4\"},\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"ignore_global_filter\":0,\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"NOT dhcpv4.option.message_type:nak NOT dhcpv4.option.message_type:decline\"},\"formatter\":\"number\",\"id\":\"8abe6eb0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"Response\",\"line_width\":1,\"metrics\":[{\"id\":\"8abe6eb1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"dhcpv4.option.message_type\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.message_type:nak\"},\"formatter\":\"number\",\"id\":\"ae5610d0-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"nak\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"ae5610d1-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"dhcpv4.option.
message_type:decline\"},\"formatter\":\"number\",\"id\":\"cf7ba180-8ba9-11e8-ae15-bdcba81344e6\",\"label\":\"decline\",\"line_width\":\"4\",\"metrics\":[{\"id\":\"cf7ba181-8ba9-11e8-ae15-bdcba81344e6\",\"type\":\"count\"}],\"point_size\":\"3\",\"seperate_axis\":0,\"series_drop_last_bucket\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"[Network Packet Capture] DHCPv4 Message Types over Time\",\"type\":\"metrics\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-8460fcd0-8baa-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json deleted file mode 100755 index 23e4ad24db..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-86743f90-d396-11e7-8fa0-232aa9259081.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Client Certificates", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Subject Common Name\",\"field\":\"tls.client.x509.subject.common_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Signature Algorithm\",\"field\":\"tls.client.x509.signature_algorithm\",\"json\":\"{ \\\"missing\\\": \\\"N/A\\\" }\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Client Certificates\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-86743f90-d396-11e7-8fa0-232aa9259081", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-ffc3c0b0-d2d7-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json deleted file mode 100755 index e100d4e38f..0000000000 
--- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-a28d09d0-d361-11e7-9914-4982455b3063.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Name Indication", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Server Name Indication\",\"field\":\"tls.client.server_name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"hideLabel\":false,\"maxFontSize\":64,\"minFontSize\":14,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"[Network Packet Capture] TLS Server Name Indication\",\"type\":\"tagcloud\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-a28d09d0-d361-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-94908e80-d2d8-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json deleted file mode 100755 index 204f509a93..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Fingerprint", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"JA3 Fingerprint\",\"field\":\"tls.client.ja3\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] TLS Fingerprint\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ad2a8b50-d49d-11e7-996f-bd7c1ca4591b", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-6b1b1360-d49d-11e7-996f-bd7c1ca4591b", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json deleted file mode 100755 index c8ca05e364..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Server Public Key Size", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Public Key Size\",\"field\":\"tls.server.x509.public_key_size\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] Server Public Key Size\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-ae6e33c0-d37d-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-8f0ff590-d37d-11e7-9914-4982455b3063", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json deleted file mode 100755 index 7d805b99d1..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Client and Servers Pie Chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Client and Servers Pie Chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bacb6ed0-1459-11e9-9de0-f98d1808db8e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json deleted file mode 100755 index 6b89c0127d..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-bytes-transferred-per-domain.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Bytes Transferred per Domain", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Bytes In\":\"#F2C96D\",\"Bytes Out\":\"#629E51\",\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Bytes Out\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Bytes 
In\"},\"mode\":\"normal\",\"show\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"grouped\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Bytes Transferred per Domain\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-bytes-transferred-per-domain", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json deleted file mode 100755 index 1b5f21f993..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-c14377a0-d353-11e7-9914-4982455b3063.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"exists\\\":{\\\"field\\\":\\\"tls\\\"}}\"},\"query\":{\"exists\":{\"field\":\"tls\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.tls\"}}" - }, - "title": "[Network Packet Capture] TLS Alerts", - "uiStateJSON": "{\"vis\":{\"colors\":{\"None\":\"#7EB26D\",\"handshake_failure\":\"#E24D42\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"tls.detailed.alert_types\",\"include\":\".*\",\"json\":\"{\\\"missing\\\": \\\"None\\\"}\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"type\":\"pie\"},\"title\":\"[Network Packet Capture] TLS Alerts\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-c14377a0-d353-11e7-9914-4982455b3063", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-ops.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-ops.json deleted file mode 100755 index fcdb742965..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-ops.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra Ops", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra Ops\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-ops", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-requestcount.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-requestcount.json deleted file mode 100755 index ac31b1fa2f..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-requestcount.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCount", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"square root\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCount\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcount", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json deleted file mode 100755 index be3352be29..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-requestcountbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":\"13\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json deleted file mode 100755 index 9e1ebf6056..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-requestcountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra RequestCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.request.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra RequestCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-requestcountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json deleted file mode 100755 index 17a71a0e30..0000000000 
--- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsecountbytype.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"radiusRatio\":\"15\",\"scale\":\"log\",\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra: ResponseCountByType\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json deleted file mode 100755 index ee9d47e2f6..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsecountstackbytype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseCountStackByType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.headers.op\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseCountStackByType\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsecountstackbytype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json deleted file mode 100755 index 2f203d6dd9..0000000000 
--- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsekeyspace.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseKeyspace", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.keyspace\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cassandra.response.result.rows.meta.table\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseKeyspace\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsekeyspace", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsetime.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsetime.json deleted file mode 100755 index 152ebf53ef..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsetime.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseTime", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[5,25,50,75,95]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"square root\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Cassandra ResponseTime\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetime", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsetype.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsetype.json deleted file mode 100755 index 85c2b4d398..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-cassandra-responsetype.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Cassandra ResponseType", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cassandra.response.result.type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true},\"title\":\"[Network Packet Capture] Cassandra ResponseType\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-cassandra-responsetype", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-eaa83e60-190b-11e9-be0d-adde5066235e", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-connections-over-time.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-connections-over-time.json deleted file mode 100755 index 97d4affdf5..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-connections-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Connections over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Flows\",\"field\":\"flow.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique 
Flows\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Connections over time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-connections-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json deleted file mode 100755 index d8cedfb7c3..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Transaction Count", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Transactions\",\"field\":\"dhcpv4.transaction_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Transaction Count\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d0120dc0-8bac-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json deleted file mode 100755 index 856211710f..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.duration\",\"negate\":false,\"params\":{\"gte\":0,\"lt\":1000000000},\"type\":\"range\",\"value\":\"0 to 1,000,000,000\"},\"range\":{\"event.duration\":{\"gte\":0,\"lt\":1000000000}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] TLS Handshake Latency", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Handshake Latency (ns)\",\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":2000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"m
ode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] TLS Handshake Latency\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-d2e15950-d560-11e7-9fff-7b1ebf397ba9", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-8e2af860-d520-11e7-9fff-7b1ebf397ba9", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-db-transactions.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-db-transactions.json deleted file mode 100755 index 475882f60d..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-db-transactions.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.type\",\"negate\":true,\"params\":{\"query\":\"flow\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"flow\"},\"query\":{\"match\":{\"event.type\":{\"query\":\"flow\",\"type\":\"phrase\"}}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"agent.type:packetbeat\"}}" - }, - "title": "[Network Packet Capture] Transaction Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.dataset\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count
\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Transaction Types\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-db-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json deleted file mode 100755 index 333052a373..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.dns\"}}" - }, - "title": "[Network Packet Capture] Top Domains by Data Volume", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes In\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"3\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes Out\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top Domains by Data Volume\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dc743240-1665-11e7-a6de-cbac1a3d0a7d", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-query-summary.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-query-summary.json deleted file mode 100755 index 1898c984d8..0000000000 
--- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-query-summary.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Query Summary", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Server Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Avg Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"17\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":28,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DNS Query Summary\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-query-summary", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-question-types.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-question-types.json deleted file mode 100755 index b2a975b430..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-question-types.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Question Types", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"dns.question.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] DNS Question Types\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-question-types", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-request-status-over-time.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-request-status-over-time.json deleted file mode 100755 index 53c1b991c8..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-request-status-over-time.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Request Status Over Time", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Error\":\"#890F02\",\"OK\":\"#0A50A1\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"
id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] DNS Request Status Over Time\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-request-status-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-response-codes.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-response-codes.json deleted file mode 100755 index b9edd3cab4..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-response-codes.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Response Codes", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Code\",\"field\":\"dns.response_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Response Codes\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-response-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-top-10-questions.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-top-10-questions.json deleted file mode 100755 index d86db94a8d..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-dns-top-10-questions.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"status\",\"negate\":false,\"params\":{\"query\":\"OK\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"OK\"},\"query\":{\"match\":{\"status\":{\"query\":\"OK\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"fragment_size\":2147483647,\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"],\"require_field_match\":false},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Top 10 Questions", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Question\",\"field\":\"dns.question.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":30},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] DNS Top 10 Questions\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-dns-top-10-questions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json deleted file mode 100755 index b89d822540..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DNS Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Avg Response 
Time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"lineWidth\":3.5,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Avg Response Time\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] DNS Transactions\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-e3f09730-1b80-11e9-83df-75eebb35951e", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-errors-count-over-time.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-errors-count-over-time.json deleted file mode 100755 index 5582bc6c67..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-errors-count-over-time.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors count over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"30s\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"id\":\"3\",\"params\":{\"field\":\"type\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] New Visualization\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-count-over-time", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-transactions-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json deleted file mode 100755 index c3ac23f5a7..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-errors-vs-successful-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Errors vs successful transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"percentage\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"percentage\",\"setYExtents\":
false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Errors vs successful transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-errors-vs-successful-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json deleted file mode 100755 index c0d680e520..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] DHCPv4 Data Transfer", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Requests\",\"field\":\"client.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Responses\",\"field\":\"server.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":24,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] DHCPv4 Data Transfer\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-f43a8f20-8bb5-11e8-9676-ef67484126fb", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-b8992150-8ba8-11e8-9676-ef67484126fb", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json deleted file mode 100755 index d8885cd43f..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-http-codes-for-the-top-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP status codes for the top queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Query\",\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"row\":false,\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] HTTP status codes for the top queries\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-codes-for-the-top-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-http-error-codes-evolution.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-http-error-codes-evolution.json deleted file mode 100755 index 479733a2af..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-http-error-codes-evolution.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"network.protocol\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"http.response.status_code\",\"negate\":true,\"params\":{\"gte\":200,\"lt\":299},\"type\":\"range\",\"value\":\"200 to 299\"},\"range\":{\"http.response.status_code\":{\"gte\":200,\"lte\":299}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes evolution", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes evolution\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes-evolution", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-http-error-codes.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-http-error-codes.json deleted file mode 100755 index 1cb90080fc..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-http-error-codes.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"type\",\"negate\":false,\"params\":{\"query\":\"http\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"http\"},\"query\":{\"match\":{\"network.protocol\":{\"query\":\"http\",\"type\":\"phrase\"}}}}],\"highlight\":{\"fields\":{\"*\":{}},\"post_tags\":[\"@/kibana-highlighted-field@\"],\"pre_tags\":[\"@kibana-highlighted-field@\"]},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:network_traffic.http and http.response.status_code \\u003e= 300\"}}" - }, - "title": "[Network Packet Capture] HTTP error codes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"type\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"HTTP Status 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Unique count of type\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP error codes\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-http-error-codes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-latency-histogram.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-latency-histogram.json deleted file mode 100755 index 34aa0f3d11..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-latency-histogram.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Latency Histogram", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"segment\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Latency Histogram\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": 
"network_traffic-latency-histogram", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-commands.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-commands.json deleted file mode 100755 index 87474df326..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-commands.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB Commands", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"silhouette\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\
",\"scale\":{\"defaultYExtents\":false,\"mode\":\"silhouette\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB Commands\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-commands", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json deleted file mode 100755 index ea23f3560f..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-errors-per-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors per collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueA
xes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors per collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors-per-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-errors.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-errors.json deleted file mode 100755 index 183ec66ef3..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"split\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"row\":true,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mod
e\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"spyPerPage\":10,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB errors\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-651fd6d0-88d0-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json deleted file mode 100755 index 74b8a6fd64..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-in-slash-out-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB in/out throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of source.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Sum of 
destination.bytes\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB in/out throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-in-slash-out-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json deleted file mode 100755 index 0346b7b1cd..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mongodb-response-times-by-collection.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MongoDB response times by collection", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"resource\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":false,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":false,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MongoDB response times by collection\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mongodb-response-times-by-collection", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json deleted file mode 100755 index 08c27fcecf..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-most-frequent-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent MySQL queries", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"query\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true},\"title\":\"[Network Packet Capture] Most frequent MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json deleted file mode 100755 index 6ddc08eafb..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-most-frequent-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Most frequent PgSQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Most frequent PgSQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-most-frequent-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-errors.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-errors.json deleted file mode 100755 index 25ded66860..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-methods.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-methods.json deleted file mode 100755 index 34e609f25b..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"sca
le\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json deleted file mode 100755 index 4fece54090..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] MySQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json deleted file mode 100755 index add1156167..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Mysql response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Mysql response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-throughput.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-throughput.json deleted file mode 100755 index fd67a3b714..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-mysql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] MySQL throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] MySQL throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-mysql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-navigation.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-navigation.json deleted file mode 100755 index 958a4a7a7c..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-navigation.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "title": "[Network Packet Capture] Navigation", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[],\"params\":{\"fontSize\":10,\"markdown\":\"### Network Packet Capture:\\n\\n[Overview](#/dashboard/network_traffic-dashboard)\\n\\n[Network Flows](#/dashboard/network_traffic-flows)\\n\\n[DNS Overview](#/dashboard/network_traffic-65120940-1454-11e9-9de0-f98d1808db8e) | [Tunneling](#/dashboard/network_traffic-dns-unique-domains)\\n\\n[DHCPv4 Transactions](#/dashboard/network_traffic-a7b35890-8baa-11e8-9676-ef67484126fb)\\n\\n[TLS Overview](#/dashboard/network_traffic-tls-sessions)\\n\\n[HTTP transactions](#/dashboard/network_traffic-http)\\n\\nDatabases: [MySQL](#/dashboard/network_traffic-mysql-performance) | [PostgreSQL](#/dashboard/network_traffic-pgsql-performance) | [MongoDB](#/dashboard/network_traffic-mongodb-performance) | [Cassandra](#/dashboard/network_traffic-cassandra)\\n\\nRPC: [Thrift](#/dashboard/network_traffic-thrift-performance)\\n\\nStorage: [NFS](#/dashboard/network_traffic-nfs)\",\"openLinksInNewTab\":false},\"title\":\"[Network Packet Capture] Navigation\",\"type\":\"markdown\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-navigation", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json deleted file mode 100755 index 292355bbdf..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-network-traffic-between-your-hosts.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Traffic Between Hosts", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Traffic Between Hosts\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-network-traffic-between-your-hosts", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json deleted file mode 100755 index 8b550d78cf..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-bytes-in-slash-out.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS Request / Response Sizes", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Sum of rpc.reply_size\":\"#7EB26D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Request Size\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Response Size\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Request Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Response 
Size\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS Request / Response Sizes\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-bytes-in-slash-out", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json deleted file mode 100755 index 4272f7571e..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-clients-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS clients pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.machinename\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS clients pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-clients-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-errors.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-errors.json deleted file mode 100755 index f407f4153d..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"nfs.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":12},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"s
cale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs-errors-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-operation-table.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-operation-table.json deleted file mode 100755 index 56e28320c1..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-operation-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS operation table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Opcode\",\"field\":\"nfs.opcode\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] NFS operation table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-operation-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json deleted file mode 100755 index 56cb538f8f..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-operations-area-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS operations area chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"nfs.opcode\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":16},\"schema\":\"group\",\"type\":\"terms\"},{\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS operations area chart\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-operations-area-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-response-times.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-response-times.json deleted file mode 100755 index 2ffaacd816..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-response-times.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS response times", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[50]},\"schema\":\"metric\",\"type\":\"median\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":true,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":\"9\",\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Median 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":\"9\",\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Median event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] NFS response times\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-response-times", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json deleted file mode 100755 index c1b2816c13..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-top-group-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS top group pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.gid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top group pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-top-group-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json deleted file mode 100755 index 543bfe7058..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-nfs-top-users-pie-chart.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] NFS top users pie chart", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"rpc.cred.uid\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":16},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"shareYAxis\":true,\"type\":\"pie\"},\"title\":\"[Network Packet Capture] NFS top users pie chart\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-nfs-top-users-pie-chart", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-nfs", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json deleted file mode 100755 index 770c776e13..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"radius\",\"type\":\"count\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":false,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExte
nts\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Number of MongoDB transactions with writeConcern w=0\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-number-of-mongodb-transactions-with-writeconcern-w-equal-0", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions-with-write-concern-0", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-errors.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-errors.json deleted file mode 100755 index 88a19443ff..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-errors.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Errors\",\"type\":\"area\"}" - }, 
- "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-methods.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-methods.json deleted file mode 100755 index e49215022c..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Methods", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"wiggle\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scal
e\":{\"defaultYExtents\":false,\"mode\":\"wiggle\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Methods\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json deleted file mode 100755 index 60be8776dd..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-reads-vs-writes.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Reads vs Writes", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"method: SELECT\"}},{\"input\":{\"language\":\"lucene\",\"query\":\"method: INSERT OR method: UPDATE OR method: DELETE\"}}]},\"schema\":\"group\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 30 
seconds\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] PgSQL Reads vs Writes\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-reads-vs-writes", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json deleted file mode 100755 index 66eb8b3b8b..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-throughput.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-throughput.json deleted file mode 100755 index aba4ebafd0..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-pgsql-throughput.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] PgSQL Throughput", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Sum of destination.bytes\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"2\",\"label\":\"Sum of 
source.bytes\"},\"mode\":\"normal\",\"show\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] PgSQL Throughput\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-pgsql-throughput", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-response-times-percentiles.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-response-times-percentiles.json deleted file mode 100755 index f43cfc0233..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,95,99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"drawLinesBetweenPoints\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of 
event.duration\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"cardinal\",\"mode\":\"normal\",\"radiusRatio\":9,\"show\":\"true\",\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"showCircles\":true,\"smoothLines\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Response times percentiles\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-response-times-repartition.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-response-times-repartition.json deleted file mode 100755 index 2271bdb9a7..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-response-times-repartition.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Response times repartition", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"extended_bounds\":{},\"field\":\"event.duration\",\"interval\":10000000},\"schema\":\"group\",\"type\":\"histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{
}},\"title\":\"[Network Packet Capture] Response times repartition\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-response-times-repartition", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-slowest-mysql-queries.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-slowest-mysql-queries.json deleted file mode 100755 index 9194c62aaa..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-slowest-mysql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest MySQL queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Avg Response Time\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest MySQL queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-mysql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mysql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json deleted file mode 100755 index ce2d661459..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-slowest-pgsql-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest PgSQL Queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Average Response Time (ns)\",\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest PgSQL Queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-pgsql-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-pgsql-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json deleted file mode 100755 index 777f4d7abe..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-slowest-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Slowest Thrift RPC methods", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"method\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Slowest Thrift RPC methods\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-slowest-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json deleted file mode 100755 index e9dee7461a..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-thrift-requests-per-minute.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift requests per minute", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"m\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift requests per minute\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-requests-per-minute", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json deleted file mode 100755 index 835ee06280..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-thrift-response-times-percentiles.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift response times percentiles", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[75,99,99.5]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Percentiles of event.duration\"},\"mode\":\"normal\",\"show\":\"true\",\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"shareYAxis\":true,\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Percentiles of event.duration\"},\"type\":\"value\"}]},\"title\":\"[Network Packet Capture] Thrift response times percentiles\",\"type\":\"line\"}" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-response-times-percentiles", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-thrift-rpc-errors.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-thrift-rpc-errors.json deleted file mode 100755 index 37e3e901fc..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-thrift-rpc-errors.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Thrift RPC Errors", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":false,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Thrift RPC Errors\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-thrift-rpc-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-10-http-requests.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-10-http-requests.json deleted file mode 100755 index bb5c71dbfe..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-10-http-requests.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top 10 HTTP requests", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"url.full\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top 10 HTTP requests\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-10-http-requests", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json deleted file mode 100755 index 842f9f29ec..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-hosts-creating-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Creating Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Source Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Source 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Creating Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-creating-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json deleted file mode 100755 index 34f9d74be2..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-hosts-receiving-traffic.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Hosts Receiving Traffic", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Bytes\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"fittingFunction\":\"zero\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination 
Bytes\"},\"interpolate\":\"cardinal\",\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"smoothLines\":true,\"times\":[],\"type\":\"area\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Hosts Receiving Traffic\",\"type\":\"area\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-hosts-receiving-traffic", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-flows-search", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json deleted file mode 100755 index e39b39b7f9..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-slowest-mongodb-queries.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top slowest MongoDB queries", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"event.duration\",\"percents\":[99]},\"schema\":\"metric\",\"type\":\"percentiles\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"query\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Top slowest MongoDB queries\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-slowest-mongodb-queries", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-mongodb-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json deleted file mode 100755 index 3f7aee4851..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-thrift-rpc-calls-with-errors.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC calls with errors", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"shareYAxis\":true},\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-calls-with-errors", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-errors", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json deleted file mode 100755 index 8add979f7b..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-top-thrift-rpc-methods.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Top Thrift-RPC methods ", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"id\":\"2\",\"params\":{\"field\":\"method\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Top Thrift-RPC methods\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-top-thrift-rpc-methods", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-thrift-transactions", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json deleted file mode 100755 index 77e8f9b41a..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-total-number-of-http-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Total number of HTTP transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"37\",\"handleNoResults\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Network Packet Capture] Total number of HTTP transactions\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-total-number-of-http-transactions", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json deleted file mode 100755 index 93a9d62de2..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1-table.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1 Table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ETLD+1\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Unique Domains\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1 Table\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1-table", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json deleted file mode 100755 index e94d78a938..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-unique-fqdns-per-etld-1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] Unique FQDNs per eTLD+1", - "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#1F78C1\",\"Unique count of dns.question.name\":\"#E0752D\"}}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Unique Subdomain Count\",\"field\":\"dns.question.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Domains\",\"field\":\"dns.question.etld_plus_one\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":true,\"legendPosition\":\"right\",\"mode\":\"grouped\",\"scale\":\"linear\",\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"yAxis\":{}},\"title\":\"[Network Packet Capture] Unique FQDNs per eTLD+1\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-unique-fqdns-per-etld-1", - "migrationVersion": { - "visualization": "7.17.0" - }, - "references": [ - { - "id": "network_traffic-d19e8485-7df5-47ce-8009-9dc3c42bcf17", - "name": "search_0", - "type": "search" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-web-transactions.json b/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-web-transactions.json deleted file mode 100755 index 354ec98cef..0000000000 --- a/packages/network_traffic/1.1.0/kibana/visualization/network_traffic-web-transactions.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "savedSearchRefName": "search_0", - "title": "[Network Packet Capture] HTTP Transactions", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"defaultYExtents\":false,\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"isVislibVis\":true,\"legendPosition\":\"right\",\"mode\":\"stacked\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"mode\":\"stacked\",\"show\":\"true\",\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"shareYAxis\":true,\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":false,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"yAxis\":{}},\"title\":\"[Network Packet Capture] HTTP Transactions\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "7.17.0", - "id": "network_traffic-web-transactions", 
- "migrationVersion": {
- "visualization": "7.17.0"
- },
- "references": [
- {
- "id": "network_traffic-71908f00-88ca-11e7-ad9c-db80de0bf8d3",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/packages/network_traffic/1.1.0/manifest.yml b/packages/network_traffic/1.1.0/manifest.yml
deleted file mode 100755
index b7131f66f3..0000000000
--- a/packages/network_traffic/1.1.0/manifest.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-format_version: 1.0.0
-name: network_traffic
-title: Network Packet Capture
-version: 1.1.0
-license: basic
-description: Capture and analyze network traffic from a host with Elastic Agent.
-type: integration
-categories:
- - web
-release: ga
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-policy_templates:
- - name: network
- title: Network Packet Capture
- description: Capture network traffic
- inputs:
- - type: packet
- title: Capture network traffic
- description: Collecting network traffic
- vars:
- - name: interface
- type: text
- title: Interface
- required: false
- show_user: false
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/proofpoint_tap/0.1.0/changelog.yml b/packages/proofpoint_tap/0.1.0/changelog.yml
deleted file mode 100755
index fb37f7f3f1..0000000000
--- a/packages/proofpoint_tap/0.1.0/changelog.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-# newer versions go on top
-- version: 0.1.0
- changes:
- - description: Initial draft of the package.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3201
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/agent/stream/httpjson.yml.hbs b/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index c6e6cfa7ec..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,44 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: GET
-request.url: {{url}}/v2/siem/clicks/blocked
-auth.basic.user: {{principal}}
-auth.basic.password: {{secret}}
-request.transforms:
- - set:
- target: url.params.format
- value: json
- - set:
- target: url.params.interval
- value: '[[if (le (formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))]][[else]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate now]][[end]]'
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]/[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "1h"))]]'
-response.pagination:
- - set:
- target: url.params.interval
- value: '[[if (le (formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .last_response.body.queryEndTime "RFC3339")]]/[[formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))]][[else]][[.last_response.terminate_pagination]][[end]]'
- fail_on_template_error: true
-cursor:
- last_received_time:
- value: '[[.last_response.body.queryEndTime]]'
-response.split:
- target: body.clicksBlocked
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/elasticsearch/ingest_pipeline/default.yml b/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 4647d994c3..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,168 +0,0 @@
----
-description: Pipeline for parsing Proofpoint TAP blocked clicks logs.
-processors:
- - set:
- field: ecs.version
- value: '8.2.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - fingerprint:
- fields:
- - json.GUID
- - json.clickTime
- - json.threatTime
- target_field: _id
- ignore_missing: true
- - append:
- field: event.category
- value: email
- ignore_failure: true
- - append:
- field: event.type
- value: denied
- ignore_failure: true
- - set:
- field: event.kind
- value: event
- - rename:
- field: json.sender
- target_field: email.from.address
- ignore_missing: true
- - rename:
- field: json.messageID
- target_field: email.message_id
- ignore_missing: true
- - rename:
- field: json.recipient
- target_field: email.to.address
- ignore_missing: true
- - date:
- field: json.clickTime
- target_field: '@timestamp'
- ignore_failure: true
- formats:
- - ISO8601
- - rename:
- field: json.id
- target_field: event.id
- ignore_missing: true
- - append:
- field: related.ip
- value: '{{{json.senderIP}}}'
- if: ctx.json?.senderIP != null && ctx.json?.senderIP != ''
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{json.clickIP}}}'
- if: ctx.json?.clickIP != null && ctx.json?.clickIP != ''
- allow_duplicates: false
- ignore_failure: true
- - convert:
- field: json.clickIP
- target_field: destination.ip
- type: ip
- ignore_failure: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
- - convert:
- field: json.senderIP
- target_field: source.ip
- type: ip
- ignore_failure: true
- - date:
- field: json.threatTime
- target_field: proofpoint_tap.clicks_blocked.threat.time
- ignore_failure: true
- formats:
- - ISO8601
- - uri_parts:
- field: json.url
- keep_original: false
- ignore_failure: true
- - urldecode:
- field: json.url
- target_field: url.full
- ignore_missing: true
- - user_agent:
- field: json.userAgent
- target_field: user_agent
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.campaignId
- target_field: proofpoint_tap.clicks_blocked.campaign_id
- ignore_missing: true
- - rename:
- field: json.classification
- target_field: proofpoint_tap.clicks_blocked.classification
- ignore_missing: true
- - rename:
- field: json.GUID
- target_field: proofpoint_tap.guid
- ignore_missing: true
- - rename:
- field: json.threatID
- target_field: proofpoint_tap.clicks_blocked.threat.id
- ignore_missing: true
- - rename:
- field: json.threatStatus
- target_field: proofpoint_tap.clicks_blocked.threat.status
- ignore_missing: true
- - rename:
- field: json.threatURL
- target_field: proofpoint_tap.clicks_blocked.threat.url
- ignore_missing: true
- - remove:
- field: event.original
- if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
- ignore_failure: true
- ignore_missing: true
- - remove:
- field: json
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively.
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
-on_failure:
-- set:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/fields/agent.yml b/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/fields/agent.yml
deleted file mode 100755
index 73e076a93b..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/fields/agent.yml
+++ /dev/null
@@ -1,186 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/fields/base-fields.yml b/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/fields/base-fields.yml
deleted file mode 100755
index cdbe703dbe..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: proofpoint_tap
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: proofpoint_tap.clicks_blocked
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/fields/ecs.yml b/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/fields/ecs.yml
deleted file mode 100755
index 6ebb943263..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/fields/ecs.yml
+++ /dev/null
@@ -1,176 +0,0 @@
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: The email address of the sender, typically from the RFC 5322 `From:` header field.
- name: email.from.address
- type: keyword
-- description: Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message.
- name: email.message_id
- type: wildcard
-- description: The email address of recipient
- name: email.to.address
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories.
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled.
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: |-
- The field contains the file extension from the original request url, excluding the leading dot.
- The file extension is only set if it exists, as not every url has a file extension.
- The leading period must not be included. For example, the value must be "png", not ".png".
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: url.extension
- type: keyword
-- description: |-
- Portion of the url after the `#`, such as "top".
- The `#` is not part of the fragment.
- name: url.fragment
- type: keyword
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.full
- type: wildcard
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Password of the request.
- name: url.password
- type: keyword
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: Port of the request, such as 443.
- name: url.port
- type: long
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: url.query
- type: keyword
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: url.scheme
- type: keyword
-- description: Username of the request.
- name: url.username
- type: keyword
-- description: Name of the device.
- name: user_agent.device.name
- type: keyword
-- description: Name of the user agent.
- name: user_agent.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.full
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.name
- type: keyword
-- description: Operating system version as a raw string.
- name: user_agent.os.version
- type: keyword
-- description: Version of the user agent.
- name: user_agent.version
- type: keyword
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/fields/fields.yml b/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/fields/fields.yml
deleted file mode 100755
index 7e52d6873d..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/fields/fields.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-- name: proofpoint_tap
- type: group
- fields:
- - name: clicks_blocked
- type: group
- fields:
- - name: campaign_id
- type: keyword
- description: An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved.
- - name: classification
- type: keyword
- description: The threat category of the malicious URL.
- - name: sender_ip
- type: ip
- description: The IP address of the sender.
- - name: threat
- type: group
- fields:
- - name: id
- type: keyword
- description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints.
- - name: status
- type: keyword
- description: The current state of the threat.
- - name: time
- type: date
- description: Proofpoint identified the URL as a threat at this time.
- - name: url
- type: keyword
- description: A link to the entry on the TAP Dashboard for the particular threat.
- - name: guid
- type: keyword
- description: The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique.
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/manifest.yml b/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/manifest.yml
deleted file mode 100755
index 3a343b9f5e..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/manifest.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: Clicks Blocked
-type: logs
-streams:
- - input: httpjson
- template_path: httpjson.yml.hbs
- title: Proofpoint_TAP Clicks Blocked logs
- description: Collect Proofpoint TAP Clicks Blocked logs via API.
- vars:
- - name: interval
- type: text
- title: Interval
- description: Interval to fetch data from Proofpoint TAP API (The interval should be at least 1m).
- multi: false
- required: true
- show_user: true
- default: 1h
- - name: initial_interval
- type: text
- title: Initial Interval
- description: How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days).
- default: 24h
- multi: false
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - proofpoint_tap-clicks_blocked
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/sample_event.json b/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/sample_event.json
deleted file mode 100755
index 881c2f01a8..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_blocked/sample_event.json
+++ /dev/null
@@ -1,119 +0,0 @@ -{ - "@timestamp": "2022-03-30T10:11:12.000Z", - "agent": { - "ephemeral_id": "cd4a05a0-d8d5-4b88-b709-b525da6dd43e", - "hostname": "docker-fleet-agent", - "id": "3dc09e3a-0004-444b-a301-8c632b17172b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "proofpoint_tap.clicks_blocked", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.112" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "3dc09e3a-0004-444b-a301-8c632b17172b", - "snapshot": false, - "version": "7.17.0" - }, - "email": { - "from": { - "address": "abc123@example.com" - }, - "message_id": "12345678912345.12345.mail@example.com", - "to": { - "address": "9c52aa64228824247c48df69b066e5a7@example.com" - } - }, - "event": { - "agent_id_status": "verified", - "category": [ - "email" - ], - "created": "2022-05-09T09:38:11.168Z", - "dataset": "proofpoint_tap.clicks_blocked", - "id": "a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx", - "ingested": "2022-05-09T09:38:14Z", - "kind": "event", - "original": 
"{\"GUID\":\"ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"malware\",\"clickIP\":\"89.160.20.112\",\"clickTime\":\"2022-03-30T10:11:12.000Z\",\"id\":\"a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx\",\"messageID\":\"12345678912345.12345.mail@example.com\",\"recipient\":\"9c52aa64228824247c48df69b066e5a7@example.com\",\"sender\":\"abc123@example.com\",\"senderIP\":\"81.2.69.143\",\"threatID\":\"502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f\",\"threatStatus\":\"active\",\"threatTime\":\"2022-03-21T14:40:31.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f\",\"url\":\"https://www.example.com/abcdabcd123?query=0\",\"userAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1\"}", - "type": [ - "denied" - ] - }, - "input": { - "type": "httpjson" - }, - "proofpoint_tap": { - "clicks_blocked": { - "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", - "classification": "malware", - "threat": { - "id": "502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f", - "status": "active", - "time": "2022-03-21T14:40:31.000Z", - "url": "https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f" - } - }, - "guid": "ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx" - }, - "related": { - "ip": [ - "81.2.69.143", - "89.160.20.112" - ] - }, - "source": { - "ip": "81.2.69.143" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "proofpoint_tap-clicks_blocked" - ], - "url": { - "domain": "www.example.com", - "full": "https://www.example.com/abcdabcd123?query=0", - "path": "/abcdabcd123", - "query": "query=0", - "scheme": "https" - }, - "user_agent": { - "device": { - "name": "iPhone" - }, - "name": "Google", 
- "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1", - "os": { - "full": "iOS 14.6", - "name": "iOS", - "version": "14.6" - }, - "version": "199.0.427504638" - } -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/agent/stream/httpjson.yml.hbs b/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/agent/stream/httpjson.yml.hbs deleted file mode 100755 index c846a15843..0000000000 --- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,44 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: GET
-request.url: {{url}}/v2/siem/clicks/permitted
-auth.basic.user: {{principal}}
-auth.basic.password: {{secret}}
-request.transforms:
- - set:
- target: url.params.format
- value: json
- - set:
- target: url.params.interval
- value: '[[if (le (formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))]][[else]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate now]][[end]]'
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]/[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "1h"))]]'
-response.pagination:
- - set:
- target: url.params.interval
- value: '[[if (le (formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .last_response.body.queryEndTime "RFC3339")]]/[[formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))]][[else]][[.last_response.terminate_pagination]][[end]]'
- fail_on_template_error: true
-cursor:
- last_received_time:
- value: '[[.last_response.body.queryEndTime]]'
-response.split:
- target: body.clicksPermitted
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/elasticsearch/ingest_pipeline/default.yml b/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 378558c4f9..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,168 +0,0 @@
----
-description: Pipeline for parsing Proofpoint TAP permitted clicks logs.
-processors:
- - set:
- field: ecs.version
- value: '8.2.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - fingerprint:
- fields:
- - json.GUID
- - json.clickTime
- - json.threatTime
- target_field: _id
- ignore_missing: true
- - append:
- field: event.category
- value: email
- ignore_failure: true
- - append:
- field: event.type
- value: allowed
- ignore_failure: true
- - set:
- field: event.kind
- value: event
- - rename:
- field: json.sender
- target_field: email.from.address
- ignore_missing: true
- - rename:
- field: json.messageID
- target_field: email.message_id
- ignore_missing: true
- - rename:
- field: json.recipient
- target_field: email.to.address
- ignore_missing: true
- - date:
- field: json.clickTime
- target_field: '@timestamp'
- ignore_failure: true
- formats:
- - ISO8601
- - rename:
- field: json.id
- target_field: event.id
- ignore_missing: true
- - append:
- field: related.ip
- value: '{{{json.senderIP}}}'
- if: ctx.json?.senderIP != null && ctx.json?.senderIP != ''
- allow_duplicates: false
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{json.clickIP}}}'
- if: ctx.json?.clickIP != null && ctx.json?.clickIP != ''
- allow_duplicates: false
- ignore_failure: true
- - convert:
- field: json.clickIP
- target_field: destination.ip
- type: ip
- ignore_failure: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
-
ignore_missing: true
- - convert:
- field: json.senderIP
- target_field: source.ip
- type: ip
- ignore_failure: true
- - date:
- field: json.threatTime
- target_field: proofpoint_tap.clicks_permitted.threat.time
- ignore_failure: true
- formats:
- - ISO8601
- - uri_parts:
- field: json.url
- keep_original: false
- ignore_failure: true
- - urldecode:
- field: json.url
- target_field: url.full
- ignore_missing: true
- - user_agent:
- field: json.userAgent
- target_field: user_agent
- ignore_missing: true
- ignore_failure: true
- - rename:
- field: json.campaignId
- target_field: proofpoint_tap.clicks_permitted.campaign_id
- ignore_missing: true
- - rename:
- field: json.classification
- target_field: proofpoint_tap.clicks_permitted.classification
- ignore_missing: true
- - rename:
- field: json.GUID
- target_field: proofpoint_tap.guid
- ignore_missing: true
- - rename:
- field: json.threatID
- target_field: proofpoint_tap.clicks_permitted.threat.id
- ignore_missing: true
- - rename:
- field: json.threatStatus
- target_field: proofpoint_tap.clicks_permitted.threat.status
- ignore_missing: true
- - rename:
- field: json.threatURL
- target_field: proofpoint_tap.clicks_permitted.threat.url
- ignore_missing: true
- - remove:
- field: event.original
- if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
- ignore_failure: true
- ignore_missing: true
- - remove:
- field: json
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively.
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
-on_failure:
-- set:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/fields/agent.yml b/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/fields/agent.yml
deleted file mode 100755
index 73e076a93b..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/fields/agent.yml
+++ /dev/null
@@ -1,186 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/fields/base-fields.yml b/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/fields/base-fields.yml
deleted file mode 100755
index a4e7350729..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: proofpoint_tap
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: proofpoint_tap.clicks_permitted
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/fields/ecs.yml b/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/fields/ecs.yml
deleted file mode 100755
index 6ebb943263..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/fields/ecs.yml
+++ /dev/null
@@ -1,176 +0,0 @@
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: destination.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: destination.as.organization.name
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: The email address of the sender, typically from the RFC 5322 `From:` header field.
- name: email.from.address
- type: keyword
-- description: Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message.
- name: email.message_id
- type: wildcard
-- description: The email address of recipient
- name: email.to.address
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: |-
- The field contains the file extension from the original request url, excluding the leading dot.
- The file extension is only set if it exists, as not every url has a file extension.
- The leading period must not be included. For example, the value must be "png", not ".png".
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: url.extension
- type: keyword
-- description: |-
- Portion of the url after the `#`, such as "top".
- The `#` is not part of the fragment.
- name: url.fragment
- type: keyword
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.full
- type: wildcard
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Password of the request.
- name: url.password
- type: keyword
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: Port of the request, such as 443.
- name: url.port
- type: long
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: url.query
- type: keyword
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: url.scheme
- type: keyword
-- description: Username of the request.
- name: url.username
- type: keyword
-- description: Name of the device.
- name: user_agent.device.name
- type: keyword
-- description: Name of the user agent.
- name: user_agent.name
- type: keyword
-- description: Unparsed user_agent string.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.original
- type: keyword
-- description: Operating system name, including the version or code name.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.full
- type: keyword
-- description: Operating system name, without the version.
- multi_fields:
- - name: text
- type: match_only_text
- name: user_agent.os.name
- type: keyword
-- description: Operating system version as a raw string.
- name: user_agent.os.version
- type: keyword
-- description: Version of the user agent.
- name: user_agent.version
- type: keyword
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/fields/fields.yml b/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/fields/fields.yml
deleted file mode 100755
index 87b27059db..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/fields/fields.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-- name: proofpoint_tap
- type: group
- fields:
- - name: clicks_permitted
- type: group
- fields:
- - name: campaign_id
- type: keyword
- description: An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved.
- - name: classification
- type: keyword
- description: The threat category of the malicious URL.
- - name: sender_ip
- type: ip
- description: The IP address of the sender.
- - name: threat
- type: group
- fields:
- - name: id
- type: keyword
- description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints.
- - name: status
- type: keyword
- description: The current state of the threat.
- - name: time
- type: date
- description: Proofpoint identified the URL as a threat at this time.
- - name: url
- type: keyword
- description: A link to the entry on the TAP Dashboard for the particular threat.
- - name: guid
- type: keyword
- description: The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique.
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/manifest.yml b/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/manifest.yml
deleted file mode 100755
index 1327aecdc5..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/manifest.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: Clicks Permitted
-type: logs
-streams:
- - input: httpjson
- template_path: httpjson.yml.hbs
- title: Proofpoint_TAP Clicks Permitted logs
- description: Collect Proofpoint TAP Clicks Permitted logs via API.
- vars:
- - name: interval
- type: text
- title: Interval
- description: Interval to fetch data from Proofpoint TAP API (The interval should be at least 1m).
- multi: false
- required: true
- show_user: true
- default: 1h
- - name: initial_interval
- type: text
- title: Initial Interval
- description: How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days).
- default: 24h
- multi: false
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - proofpoint_tap-clicks_permitted
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/sample_event.json b/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/sample_event.json
deleted file mode 100755
index 16e7c809f8..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/clicks_permitted/sample_event.json
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- "@timestamp": "2022-03-21T20:39:37.000Z",
- "agent": {
- "ephemeral_id": "85f7f8f1-c9f4-4d3f-bd2f-c6f4e6c31526",
- "hostname": "docker-fleet-agent",
- "id": "3dc09e3a-0004-444b-a301-8c632b17172b",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.17.0"
- },
- "data_stream": {
- "dataset": "proofpoint_tap.clicks_permitted",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.112"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "3dc09e3a-0004-444b-a301-8c632b17172b",
- "snapshot": false,
- "version": "7.17.0"
- },
- "email": {
- "from": {
- "address": "abc123@example.com"
- },
- "message_id": "12345678912345.12345.mail@example.com",
- "to": {
- "address": "abc@example.com"
- }
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "email"
- ],
- "created": "2022-05-09T09:39:34.061Z",
- "dataset": "proofpoint_tap.clicks_permitted",
- "id": "de7eef56-1234-1234-1234-5xxfx7xxxdxxxx",
- "ingested": "2022-05-09T09:39:37Z",
- "kind": "event",
- "original": "{\"GUID\":\"cTxxxxxxzx7xxxxxxxxxx8x4xwxx\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"phish\",\"clickIP\":\"89.160.20.112\",\"clickTime\":\"2022-03-21T20:39:37.000Z\",\"id\":\"de7eef56-1234-1234-1234-5xxfx7xxxdxxxx\",\"messageID\":\"12345678912345.12345.mail@example.com\",\"recipient\":\"abc@example.com\",\"sender\":\"abc123@example.com\",\"senderIP\":\"81.2.69.143\",\"threatID\":\"92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx\",\"threatStatus\":\"active\",\"threatTime\":\"2022-03-30T10:05:57.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx\",\"url\":\"https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.46\"}",
- "type": [
- "allowed"
- ]
- },
- "input": {
- "type": "httpjson"
- },
- "proofpoint_tap": {
- "clicks_permitted": {
- "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7",
- "classification": "phish",
- "threat": {
- "id": "92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx",
- "status": "active",
- "time": "2022-03-30T10:05:57.000Z",
- "url": "https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx"
- }
- },
- "guid": "cTxxxxxxzx7xxxxxxxxxx8x4xwxx"
- },
- "related": {
- "ip": [
- "81.2.69.143",
- "89.160.20.112"
- ]
- },
- "source": {
- "ip": "81.2.69.143"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "proofpoint_tap-clicks_permitted"
- ],
- "url": {
- "domain": "example.com",
- "full": "https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX",
- "path": "/collab/",
- "query": "id=x4x3x6xsx1xxxx8xEdxexnxxxaxX",
- "scheme": "https"
- },
- "user_agent": {
- "device": {
- "name": "Other"
- },
- "name": "Edge",
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.46",
- "os": {
- "full": "Windows 10",
- "name": "Windows",
- "version": "10"
- },
- "version": "99.0.1150.46"
- }
-}
\ No newline at end of file
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/agent/stream/httpjson.yml.hbs b/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 2c5d71539c..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,44 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: GET
-request.url: {{url}}/v2/siem/messages/blocked
-auth.basic.user: {{principal}}
-auth.basic.password: {{secret}}
-request.transforms:
- - set:
- target: url.params.format
- value: json
- - set:
- target: url.params.interval
- value: '[[if (le (formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))]][[else]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate now]][[end]]'
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]/[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "1h"))]]'
-response.pagination:
- - set:
- target: url.params.interval
- value: '[[if (le (formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .last_response.body.queryEndTime "RFC3339")]]/[[formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))]][[else]][[.last_response.terminate_pagination]][[end]]'
- fail_on_template_error: true
-cursor:
- last_received_time:
- value: '[[.last_response.body.queryEndTime]]'
-response.split:
- target: body.messagesBlocked
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml b/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 73da7207a7..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,443 +0,0 @@
----
-description: Pipeline for parsing Proofpoint TAP blocked message logs.
-processors:
- - set:
- field: ecs.version
- value: '8.2.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - fingerprint:
- fields:
- - json.GUID
- - json.messageTime
- target_field: _id
- ignore_missing: true
- - append:
- field: event.category
- value: email
- ignore_failure: true
- - append:
- field: event.type
- value: denied
- ignore_failure: true
- - set:
- field: event.kind
- value: event
- - convert:
- field: json.senderIP
- target_field: source.ip
- type: ip
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{source.ip}}}'
- if: ctx.source?.ip != null && ctx.source?.ip != ''
- allow_duplicates: false
- ignore_failure: true
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- if: ctx.source?.ip != null && ctx.source?.ip != ''
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- if: ctx.source?.ip != null && ctx.source?.ip != ''
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - foreach:
- field: json.messageParts
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.md5}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.messageParts != null && ctx.json?.messageParts instanceof List
- - foreach:
- field: json.messageParts
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.sha256}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.messageParts != null && ctx.json?.messageParts instanceof List
- - rename:
- field: json.ccAddresses
- target_field: email.cc.address
- ignore_missing: true
- - date:
- field: json.messageTime
- target_field: email.delivery_timestamp
- formats:
- - ISO8601
- ignore_failure: true
- - rename:
- field: json.fromAddress
- target_field: email.from.address
- ignore_missing: true
- - rename:
- field: json.messageID
- target_field: email.message_id
- ignore_missing: true
- - gsub:
- field: email.message_id
- pattern: '<|>'
- replacement: ''
- ignore_missing: true
- - rename:
- field: json.replyToAddress
- target_field: email.reply_to.address
- ignore_missing: true
- - rename:
- field: json.sender
- target_field: email.sender.address
- ignore_missing: true
- - rename:
- field: json.subject
- target_field: email.subject
- ignore_missing: true
- - set:
- field: email.to.address
- copy_from: json.toAddresses
- ignore_failure: true
- - foreach:
- field: json.recipient
- processor:
- append:
- field: email.to.address
- value: '{{{_ingest._value}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.recipient != null && ctx.json?.recipient instanceof List
- - rename:
- field: json.xmailer
- target_field: email.x_mailer
- ignore_missing: true
- - rename:
- field: json.id
- target_field: event.id
- ignore_missing: true
- - set:
- field: email.attachments
- copy_from: json.messageParts
- ignore_failure: true
- - foreach:
- field: email.attachments
- processor:
- remove:
- field:
- - _ingest._value.disposition
- - _ingest._value.oContentType
- - _ingest._value.sandboxStatus
- ignore_missing: true
- ignore_failure: true
- if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List
- - foreach:
- field: email.attachments
- processor:
- rename:
- field: _ingest._value.contentType
- target_field: _ingest._value.file.mime_type
- ignore_missing: true
- ignore_failure: true
- if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List
- - foreach:
- field: email.attachments
- processor:
- rename:
- field: _ingest._value.md5
- target_field: _ingest._value.file.hash.md5
- ignore_missing: true
- ignore_failure: true
- if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List
- - foreach:
- field: email.attachments
- processor:
- rename:
- field: _ingest._value.sha256
- target_field: _ingest._value.file.hash.sha256
- ignore_missing: true
- ignore_failure: true
- if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List
- - foreach:
- field: email.attachments
- processor:
- rename:
- field: _ingest._value.filename
- target_field: _ingest._value.file.name
- ignore_missing: true
- ignore_failure: true
- if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List
- - script:
- description: Adding hash in related.hash from artifact field.
- lang: painless
- ignore_failure: true
- source: |
- if (ctx.json?.threatsInfoMap instanceof List) {
- for (artifact in ctx.json?.threatsInfoMap) {
- def flag = true;
- def str = artifact.threat.toLowerCase();
- if (str?.length() == 64) {
- for (int i = 0; i < str.length(); i++) {
- def ch = str.charAt(i);
- if ((ch < (char)'0' || ch > (char)'9') && (ch < (char)'a' || ch > (char)'f')) {
- flag = false;
- break;
- }
- }
- if (flag && !ctx["related"]["hash"].contains(str)) {
- ctx["related"]["hash"].add(str);
- }
- }
- }
- }
- - rename:
- field: json.toAddresses
- target_field: proofpoint_tap.message_blocked.to_addresses
- ignore_missing: true
- - rename:
- field: json.recipient
- target_field: proofpoint_tap.message_blocked.recipient
- ignore_missing: true
- - rename:
- field: json.cluster
- target_field: proofpoint_tap.message_blocked.cluster
- ignore_missing: true
- - convert:
- field: json.completelyRewritten
- target_field: proofpoint_tap.message_blocked.completely_rewritten
- type: string
- ignore_failure: true
- - rename:
- field: json.GUID
- target_field: proofpoint_tap.guid
- ignore_missing: true
- - rename:
- field: json.headerCC
- target_field: proofpoint_tap.message_blocked.header.cc
- ignore_missing: true
- - rename:
- field: json.headerFrom
- target_field: proofpoint_tap.message_blocked.header.from
- ignore_missing: true
- - gsub:
- field: proofpoint_tap.message_blocked.header.from
- pattern: '<|>'
- replacement: ''
- ignore_missing: true
- - rename:
- field: json.headerReplyTo
- target_field: proofpoint_tap.message_blocked.header.replyto
- ignore_missing: true
- - rename:
- field: json.headerTo
- target_field: proofpoint_tap.message_blocked.header.to
- ignore_missing: true
- - convert:
- field: json.impostorScore
- target_field: proofpoint_tap.message_blocked.impostor_score
- type: double
- ignore_failure: true
- - convert:
- field: json.malwareScore
- target_field: proofpoint_tap.message_blocked.malware_score
- type: long
- ignore_failure: true
- - rename:
- field: json.messageParts
- target_field: proofpoint_tap.message_blocked.message_parts
- ignore_missing: true
- - foreach:
- field: proofpoint_tap.message_blocked.message_parts
- processor:
- remove:
- field:
- - _ingest._value.contentType
- - _ingest._value.filename
- - _ingest._value.md5
- - _ingest._value.sha256
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_blocked?.message_parts != null && ctx.proofpoint_tap?.message_blocked?.message_parts instanceof List
- - foreach:
- field: proofpoint_tap.message_blocked.message_parts
- processor:
- rename:
- field: _ingest._value.oContentType
- target_field: _ingest._value.o_content_type
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_blocked?.message_parts != null && ctx.proofpoint_tap?.message_blocked?.message_parts instanceof List
- - foreach:
- field: proofpoint_tap.message_blocked.message_parts
- processor:
- rename:
- field: _ingest._value.sandboxStatus
- target_field: _ingest._value.sandbox_status
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_blocked?.message_parts != null && ctx.proofpoint_tap?.message_blocked?.message_parts instanceof List
- - convert:
- field: json.messageSize
- target_field: proofpoint_tap.message_blocked.message_size
- type: long
- ignore_failure: true
- - rename:
- field: json.modulesRun
- target_field: proofpoint_tap.message_blocked.modules_run
- ignore_missing: true
- - convert:
- field: json.phishScore
- target_field: proofpoint_tap.message_blocked.phish_score
- type: long
- ignore_failure: true
- - rename:
- field: json.policyRoutes
- target_field: proofpoint_tap.message_blocked.policy_routes
- ignore_missing: true
- - rename:
- field: json.QID
- target_field: proofpoint_tap.message_blocked.qid
- ignore_missing: true
- - rename:
- field: json.quarantineFolder
- target_field: proofpoint_tap.message_blocked.quarantine.folder
- ignore_missing: true
- - rename:
- field: json.quarantineRule
- target_field: proofpoint_tap.message_blocked.quarantine.rule
- ignore_missing: true
- - convert:
- field: json.spamScore
- target_field: proofpoint_tap.message_blocked.spam_score
- type: long
- ignore_failure: true
- - rename:
- field: json.threatsInfoMap
- target_field: proofpoint_tap.message_blocked.threat_info_map
- ignore_missing: true
- - foreach:
- field: proofpoint_tap.message_blocked.threat_info_map
- processor:
- rename:
- field: _ingest._value.campaignId
- target_field: _ingest._value.campaign_id
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List
- - foreach:
- field: proofpoint_tap.message_blocked.threat_info_map
- processor:
- rename:
- field: _ingest._value.threat
- target_field: _ingest._value.threat.artifact
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List
- - foreach:
- field: proofpoint_tap.message_blocked.threat_info_map
- processor:
- rename:
- field: _ingest._value.threatID - target_field: _ingest._value.threat.id - ignore_missing: true - ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List - - foreach: - field: proofpoint_tap.message_blocked.threat_info_map - processor: - rename: - field: _ingest._value.threatStatus - target_field: _ingest._value.threat.status - ignore_missing: true - ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List - - foreach: - field: proofpoint_tap.message_blocked.threat_info_map - processor: - date: - field: _ingest._value.threatTime - target_field: _ingest._value.threat.time - ignore_failure: true - formats: - - ISO8601 - ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List - - foreach: - field: proofpoint_tap.message_blocked.threat_info_map - processor: - remove: - field: _ingest._value.threatTime - ignore_missing: true - ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List - - foreach: - field: proofpoint_tap.message_blocked.threat_info_map - processor: - rename: - field: _ingest._value.threatType - target_field: _ingest._value.threat.type - ignore_missing: true - ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List - - foreach: - field: proofpoint_tap.message_blocked.threat_info_map - processor: - rename: - field: _ingest._value.threatUrl - target_field: _ingest._value.threat.url - ignore_missing: true - ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map 
instanceof List - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - remove: - field: - - json - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: - - set: - field: error.message - value: '{{{_ingest.on_failure_message}}}' diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/fields/agent.yml b/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/fields/agent.yml deleted file mode 100755 index 73e076a93b..0000000000 --- a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container ID. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host IP addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/fields/base-fields.yml b/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/fields/base-fields.yml deleted file mode 100755 index 989ed7305d..0000000000 --- a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module. - value: proofpoint_tap -- name: event.dataset - type: constant_keyword - description: Event dataset. - value: proofpoint_tap.message_blocked diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/fields/ecs.yml b/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/fields/ecs.yml deleted file mode 100755 index 4eaf034b1f..0000000000 --- a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/fields/ecs.yml +++ /dev/null 
@@ -1,129 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: A list of objects describing the attachment files sent along with an email message. - name: email.attachments - type: nested -- description: MD5 hash. - name: email.attachments.file.hash.md5 - type: keyword -- description: SHA256 hash. - name: email.attachments.file.hash.sha256 - type: keyword -- description: Name of the attachment file including the file extension. - name: email.attachments.file.name - type: keyword -- description: The email address of CC recipient - name: email.cc.address - type: keyword -- description: |- - Information about how the message is to be displayed. - Typically a MIME type. - name: email.content_type - type: keyword -- description: The date and time when the email message was received by the service or client. - name: email.delivery_timestamp - type: date -- description: The email address of the sender, typically from the RFC 5322 `From:` header field. - name: email.from.address - type: keyword -- description: Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. - name: email.message_id - type: wildcard -- description: The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header. - name: email.reply_to.address - type: keyword -- description: Per RFC 5322, specifies the address responsible for the actual transmission of the message. - name: email.sender.address - type: keyword -- description: A brief summary of the topic of the message. 
- multi_fields: - - name: text - type: match_only_text - name: email.subject - type: keyword -- description: The email address of recipient - name: email.to.address - type: keyword -- description: The name of the application that was used to draft and send the original email message. - name: email.x_mailer - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: City name. 
- name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - type: keyword diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/fields/fields.yml b/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/fields/fields.yml deleted file mode 100755 index 7067b9eb50..0000000000 --- a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/fields/fields.yml +++ /dev/null @@ -1,110 +0,0 @@ -- name: proofpoint_tap - type: group - fields: - - name: guid - type: keyword - description: The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. - - name: message_blocked - type: group - fields: - - name: cluster - type: keyword - description: The name of the PPS cluster which processed the message. - - name: completely_rewritten - type: keyword - description: The rewrite status of the message. If value is 'true', all instances of URL threats within the message were successfully rewritten. If the value is 'false', at least one instance of the a threat URL was not rewritten. If the value is 'na', the message did not contain any URL-based threats. - - name: header - type: group - fields: - - name: cc - type: keyword - - name: from - type: keyword - description: 'The full content of the 
From: header, including any friendly name.' - - name: replyto - type: keyword - description: 'If present, the full content of the Reply-To: header, including any friendly names.' - - name: to - type: keyword - - name: impostor_score - type: double - description: The impostor score of the message. Higher scores indicate higher certainty. - - name: malware_score - type: long - description: The malware score of the message. Higher scores indicate higher certainty. - - name: message_parts - type: group - fields: - - name: disposition - type: keyword - description: If the value is "inline," the messagePart is a message body. If the value is "attached," the messagePart is an attachment. - - name: o_content_type - type: keyword - description: The declared Content-Type of the messagePart. - - name: sandbox_status - type: keyword - description: The verdict returned by the sandbox during the scanning process. If the value is "unsupported", the messagePart is not supported by Attachment Defense and was not scanned. If the value is "clean", the sandbox returned a clean verdict. If the value is "threat", the sandbox returned a malicious verdict. If the value is "prefilter", the messagePart contained no active content, and was therefore not sent to the sandboxing service. If the value is "uploaded," the message was uploaded by PPS to the sandboxing service, but did not yet have a verdict at the time the message was processed. If the value is "inprogress," the attachment had been uploaded and was awaiting scanning at the time the message was processed. If the verdict is "uploaddisabled," the attachment was eligible for scanning, but was not uploaded because of PPS policy. - - name: message_size - type: long - description: The size in bytes of the message, including headers and attachments. - - name: modules_run - type: keyword - description: The list of PPS modules which processed the message. - - name: phish_score - type: long - description: The phish score of the message. 
Higher scores indicate higher certainty. - - name: policy_routes - type: keyword - description: The policy routes that the message matched during processing by PPS. - - name: qid - type: keyword - description: The queue ID of the message within PPS. It can be used to identify the message in PPS and is not unique. - - name: quarantine - type: group - fields: - - name: folder - type: keyword - description: The name of the folder which contains the quarantined message. This appears only for messagesBlocked. - - name: rule - type: keyword - description: The name of the rule which quarantined the message. This appears only for messagesBlocked events. - - name: recipient - type: keyword - description: An array containing the email addresses of the SMTP (envelope) recipients. - - name: spam_score - type: long - description: The spam score of the message. Higher scores indicate higher certainty. - - name: threat_info_map - type: group - description: An array of structures which contain details about detected threats within the message. There may be more than one threat per message. - fields: - - name: campaign_id - type: keyword - description: An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. - - name: classification - type: keyword - description: The category of threat found in the message. - - name: threat - type: group - fields: - - name: artifact - type: keyword - description: The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender. - - name: id - type: keyword - description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. - - name: status - type: keyword - description: The current state of the threat. - - name: time - type: date - description: Proofpoint assigned the threatStatus at this time. 
- - name: type - type: keyword - description: Whether the threat was an attachment, URL, or message type. - - name: url - type: keyword - description: A link to the entry about the threat on the TAP Dashboard. - - name: to_addresses - type: keyword - description: 'A list of email addresses contained within the To: header, excluding friendly names.' diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/manifest.yml b/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/manifest.yml deleted file mode 100755 index 99403109dc..0000000000 --- a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/manifest.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -title: Message Blocked -type: logs -streams: - - input: httpjson - template_path: httpjson.yml.hbs - title: Proofpoint_TAP Message Blocked logs - description: Collect Proofpoint TAP Message Blocked logs via API. - vars: - - name: interval - type: text - title: Interval - description: Interval to fetch data from Proofpoint TAP API (The interval should be at least 1m). - multi: false - required: true - show_user: true - default: 1h - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days). - default: 24h - multi: false - required: true - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - proofpoint_tap-message_blocked - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/sample_event.json b/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/sample_event.json deleted file mode 100755 index 377c23317d..0000000000 --- a/packages/proofpoint_tap/0.1.0/data_stream/message_blocked/sample_event.json +++ /dev/null 
@@ -1,190 +0,0 @@ -{ - "@timestamp": "2022-05-09T09:41:02.164Z", - "agent": { - "ephemeral_id": "dfa889d8-af83-426a-b8dc-483740f73385", - "hostname": "docker-fleet-agent", - "id": "3dc09e3a-0004-444b-a301-8c632b17172b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "proofpoint_tap.message_blocked", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "3dc09e3a-0004-444b-a301-8c632b17172b", - "snapshot": false, - "version": "7.17.0" - }, - "email": { - "attachments": [ - { - "file": { - "hash": { - "md5": "b10a8db164e0754105b7a99be72e3fe5", - "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" - }, - "mime_type": "text/plain", - "name": "text.txt" - } - }, - { - "file": { - "hash": { - "md5": "b10a8db164e0754105b7a99be72e3fe5", - "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" - }, - "mime_type": "application/pdf", - "name": "text.pdf" - } - } - ], - "cc": { - "address": [ - "abc@example.com" - ] - }, - "delivery_timestamp": "2021-11-25T09:10:00.050Z", - "from": { - "address": "abc@example.com" - }, - "message_id": "12345678912345.12345.mail@example.com", - "sender": { - "address": "x99x7x5580193x6x51x597xx2x0210@example.com" - }, - "subject": "Please find a totally safe invoice attached.", - "to": { - "address": [ - "example.abc@example.com", - "hey.hello@example.com" - ] - }, - "x_mailer": "Spambot v2.5" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "email" - ], - "created": "2022-05-09T09:41:02.164Z", - "dataset": "proofpoint_tap.message_blocked", - "ingested": "2022-05-09T09:41:05Z", - "kind": "event", - "original": "{\"GUID\":\"x11xxxx1-12f9-111x-x12x-1x1x123456xx\",\"QID\":\"x2XXxXXX111111\",\"ccAddresses\":[\"abc@example.com\"],\"clusterId\":\"pharmtech_hosted\",\"completelyRewritten\":\"true\",\"fromAddress\":\"abc@example.com\",\"headerCC\":\"\\\"Example 
Abc\\\" \\u003cabc@example.com\\u003e\",\"headerFrom\":\"\\\"A. Bc\\\" \\u003cabc@example.com\\u003e\",\"headerReplyTo\":null,\"headerTo\":\"\\\"Aa Bb\\\" \\u003caa.bb@example.com\\u003e; \\\"Hey Hello\\\" \\u003chey.hello@example.com\\u003e\",\"impostorScore\":0,\"malwareScore\":100,\"messageID\":\"12345678912345.12345.mail@example.com\",\"messageParts\":[{\"contentType\":\"text/plain\",\"disposition\":\"inline\",\"filename\":\"text.txt\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"text/plain\",\"sandboxStatus\":\"unsupported\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"},{\"contentType\":\"application/pdf\",\"disposition\":\"attached\",\"filename\":\"text.pdf\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"application/pdf\",\"sandboxStatus\":\"threat\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"}],\"messageTime\":\"2021-11-25T09:10:00.050Z\",\"modulesRun\":[\"pdr\",\"sandbox\",\"spam\",\"urldefense\"],\"phishScore\":46,\"policyRoutes\":[\"default_inbound\",\"executives\"],\"quarantineFolder\":\"Attachment Defense\",\"quarantineRule\":\"module.sandbox.threat\",\"recipient\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"replyToAddress\":null,\"sender\":\"x99x7x5580193x6x51x597xx2x0210@example.com\",\"senderIP\":\"175.16.199.1\",\"spamScore\":4,\"subject\":\"Please find a totally safe invoice 
attached.\",\"threatsInfoMap\":[{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"threatId\":\"2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx\",\"threatStatus\":\"active\",\"threatTime\":\"2021-11-25T09:10:00.050Z\",\"threatType\":\"ATTACHMENT\",\"threatUrl\":\"https://www.example.com/?name=john\"},{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"example.com\",\"threatId\":\"3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx\",\"threatTime\":\"2021-07-20T05:00:00.050Z\",\"threatType\":\"URL\",\"threatUrl\":\"https://www.example.com/?name=john\"}],\"toAddresses\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"xmailer\":\"Spambot v2.5\"}", - "type": [ - "denied" - ] - }, - "input": { - "type": "httpjson" - }, - "proofpoint_tap": { - "guid": "x11xxxx1-12f9-111x-x12x-1x1x123456xx", - "message_blocked": { - "completely_rewritten": "true", - "header": { - "cc": "\"Example Abc\" \u003cabc@example.com\u003e", - "from": "\"A. 
Bc\" abc@example.com",
- "to": "\"Aa Bb\" \u003caa.bb@example.com\u003e; \"Hey Hello\" \u003chey.hello@example.com\u003e"
- },
- "impostor_score": 0,
- "malware_score": 100,
- "message_parts": [
- {
- "disposition": "inline",
- "o_content_type": "text/plain",
- "sandbox_status": "unsupported"
- },
- {
- "disposition": "attached",
- "o_content_type": "application/pdf",
- "sandbox_status": "threat"
- }
- ],
- "modules_run": [
- "pdr",
- "sandbox",
- "spam",
- "urldefense"
- ],
- "phish_score": 46,
- "policy_routes": [
- "default_inbound",
- "executives"
- ],
- "qid": "x2XXxXXX111111",
- "quarantine": {
- "folder": "Attachment Defense",
- "rule": "module.sandbox.threat"
- },
- "recipient": [
- "example.abc@example.com",
- "hey.hello@example.com"
- ],
- "spam_score": 4,
- "threat_info_map": [
- {
- "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7",
- "classification": "MALWARE",
- "threat": {
- "artifact": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e",
- "status": "active",
- "time": "2021-11-25T09:10:00.050Z",
- "type": "ATTACHMENT",
- "url": "https://www.example.com/?name=john"
- },
- "threatId": "2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx"
- },
- {
- "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7",
- "classification": "MALWARE",
- "threat": {
- "artifact": "example.com",
- "time": "2021-07-20T05:00:00.050Z",
- "type": "URL",
- "url": "https://www.example.com/?name=john"
- },
- "threatId": "3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx"
- }
- ],
- "to_addresses": [
- "example.abc@example.com",
- "hey.hello@example.com"
- ]
- }
- },
- "related": {
- "hash": [
- "b10a8db164e0754105b7a99be72e3fe5",
- "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e"
- ],
- "ip": [
- "175.16.199.1"
- ]
- },
- "source": {
- "geo": {
- "city_name": "Changchun",
- "continent_name": "Asia",
- "country_iso_code": "CN",
- "country_name": "China",
- "location": {
- "lat": 43.88,
- "lon": 125.3228
- },
- "region_iso_code": "CN-22",
- "region_name": "Jilin Sheng"
- },
- "ip": "175.16.199.1"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "proofpoint_tap-message_blocked"
- ]
-}
\ No newline at end of file
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/agent/stream/httpjson.yml.hbs b/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 4222c42aa6..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,44 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: GET
-request.url: {{url}}/v2/siem/messages/delivered
-auth.basic.user: {{principal}}
-auth.basic.password: {{secret}}
-request.transforms:
- - set:
- target: url.params.format
- value: json
- - set:
- target: url.params.interval
- value: '[[if (le (formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))]][[else]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate now]][[end]]'
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]/[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "1h"))]]'
-response.pagination:
- - set:
- target: url.params.interval
- value: '[[if (le (formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .last_response.body.queryEndTime "RFC3339")]]/[[formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))]][[else]][[.last_response.terminate_pagination]][[end]]'
- fail_on_template_error: true
-cursor:
- last_received_time:
- value: '[[.last_response.body.queryEndTime]]'
-response.split:
- target: body.messagesDelivered
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml b/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 139b593dfc..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,435 +0,0 @@
----
-description: Pipeline for parsing Proofpoint TAP delivered message logs.
-processors:
- - set:
- field: ecs.version
- value: '8.2.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - fingerprint:
- fields:
- - json.GUID
- - json.messageTime
- target_field: _id
- ignore_missing: true
- - append:
- field: event.category
- value: email
- ignore_failure: true
- - append:
- field: event.type
- value: info
- ignore_failure: true
- - set:
- field: event.kind
- value: event
- - convert:
- field: json.senderIP
- target_field: source.ip
- type: ip
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{source.ip}}}'
- if: ctx.source?.ip != null && ctx.source?.ip != ''
- allow_duplicates: false
- ignore_failure: true
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- if: ctx.source?.ip != null && ctx.source?.ip != ''
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- if: ctx.source?.ip != null && ctx.source?.ip != ''
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - foreach:
- field: json.messageParts
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.md5}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.messageParts != null && ctx.json?.messageParts instanceof List
- - foreach:
- field: json.messageParts
- processor:
- append:
- field: related.hash
- value: '{{{_ingest._value.sha256}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.messageParts != null && ctx.json?.messageParts instanceof List
- - rename:
- field: json.ccAddresses
- target_field: email.cc.address
- ignore_missing: true
- - date:
- field: json.messageTime
- target_field: email.delivery_timestamp
- ignore_failure: true
- formats:
- - ISO8601
- - rename:
- field: json.fromAddress
- target_field: email.from.address
- ignore_missing: true
- - rename:
- field: json.messageID
- target_field: email.message_id
- ignore_missing: true
- - gsub:
- field: email.message_id
- pattern: '<|>'
- replacement: ''
- ignore_missing: true
- - rename:
- field: json.replyToAddress
- target_field: email.reply_to.address
- ignore_missing: true
- - rename:
- field: json.sender
- target_field: email.sender.address
- ignore_missing: true
- - rename:
- field: json.subject
- target_field: email.subject
- ignore_missing: true
- - set:
- field: email.to.address
- copy_from: json.toAddresses
- ignore_failure: true
- - foreach:
- field: json.recipient
- processor:
- append:
- field: email.to.address
- value: '{{{_ingest._value}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.recipient != null && ctx.json?.recipient instanceof List
- - rename:
- field: json.xmailer
- target_field: email.x_mailer
- ignore_missing: true
- - rename:
- field: json.id
- target_field: event.id
- ignore_missing: true
- - set:
- field: email.attachments
- copy_from: json.messageParts
- ignore_failure: true
- - foreach:
- field: email.attachments
- processor:
- remove:
- field:
- - _ingest._value.disposition
- - _ingest._value.oContentType
- - _ingest._value.sandboxStatus
- ignore_missing: true
- ignore_failure: true
- if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List
- - foreach:
- field: email.attachments
- processor:
- rename:
- field: _ingest._value.contentType
- target_field: _ingest._value.file.mime_type
- ignore_missing: true
- ignore_failure: true
- if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List
- - foreach:
- field: email.attachments
- processor:
- rename:
- field: _ingest._value.md5
- target_field: _ingest._value.file.hash.md5
- ignore_missing: true
- ignore_failure: true
- if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List
- - foreach:
- field: email.attachments
- processor:
- rename:
- field: _ingest._value.sha256
- target_field: _ingest._value.file.hash.sha256
- ignore_missing: true
- ignore_failure: true
- if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List
- - foreach:
- field: email.attachments
- processor:
- rename:
- field: _ingest._value.filename
- target_field: _ingest._value.file.name
- ignore_missing: true
- ignore_failure: true
- if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List
- - script:
- description: Adding hash in related.hash from artifact field.
- lang: painless
- ignore_failure: true
- source: |
- if (ctx.json?.threatsInfoMap instanceof List) {
- for (artifact in ctx.json?.threatsInfoMap) {
- def flag = true;
- def str = artifact.threat.toLowerCase();
- if (str?.length() == 64) {
- for (int i = 0; i < str.length(); i++) {
- def ch = str.charAt(i);
- if ((ch < (char)'0' || ch > (char)'9') && (ch < (char)'a' || ch > (char)'f')) {
- flag = false;
- break;
- }
- }
- if (flag && !ctx["related"]["hash"].contains(str)) {
- ctx["related"]["hash"].add(str);
- }
- }
- }
- }
- - rename:
- field: json.toAddresses
- target_field: proofpoint_tap.message_delivered.to_addresses
- ignore_missing: true
- - rename:
- field: json.recipient
- target_field: proofpoint_tap.message_delivered.recipient
- ignore_missing: true
- - rename:
- field: json.cluster
- target_field: proofpoint_tap.message_delivered.cluster
- ignore_missing: true
- - convert:
- field: json.completelyRewritten
- target_field: proofpoint_tap.message_delivered.completely_rewritten
- type: string
- ignore_failure: true
- - rename:
- field: json.GUID
- target_field: proofpoint_tap.guid
- ignore_missing: true
- - rename:
- field: json.headerFrom
- target_field: proofpoint_tap.message_delivered.header.from
- ignore_missing: true
- - gsub:
- field: proofpoint_tap.message_delivered.header.from
- pattern: '<|>'
- replacement: ''
- ignore_missing: true
- - rename:
- field: json.headerReplyTo
- target_field: proofpoint_tap.message_delivered.header.replyto
- ignore_missing: true
- - convert:
- field: json.impostorScore
- target_field: proofpoint_tap.message_delivered.impostor_score
- type: double
- ignore_failure: true
- - convert:
- field: json.malwareScore
- target_field: proofpoint_tap.message_delivered.malware_score
- type: long
- ignore_failure: true
- - rename:
- field: json.messageParts
- target_field: proofpoint_tap.message_delivered.message_parts
- ignore_missing: true
- - foreach:
- field: proofpoint_tap.message_delivered.message_parts
- processor:
- remove:
- field:
- - _ingest._value.contentType
- - _ingest._value.filename
- - _ingest._value.md5
- - _ingest._value.sha256
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_delivered?.message_parts != null && ctx.proofpoint_tap?.message_delivered?.message_parts instanceof List
- - foreach:
- field: proofpoint_tap.message_delivered.message_parts
- processor:
- rename:
- field: _ingest._value.oContentType
- target_field: _ingest._value.o_content_type
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_delivered?.message_parts != null && ctx.proofpoint_tap?.message_delivered?.message_parts instanceof List
- - foreach:
- field: proofpoint_tap.message_delivered.message_parts
- processor:
- rename:
- field: _ingest._value.sandboxStatus
- target_field: _ingest._value.sandbox_status
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_delivered?.message_parts != null && ctx.proofpoint_tap?.message_delivered?.message_parts instanceof List
- - convert:
- field: json.messageSize
- target_field: proofpoint_tap.message_delivered.message_size
- type: long
- ignore_failure: true
- - rename:
- field: json.modulesRun
- target_field: proofpoint_tap.message_delivered.modules_run
- ignore_missing: true
- - convert:
- field: json.phishScore
- target_field: proofpoint_tap.message_delivered.phish_score
- type: long
- ignore_failure: true
- - rename:
- field: json.policyRoutes
- target_field: proofpoint_tap.message_delivered.policy_routes
- ignore_missing: true
- - rename:
- field: json.QID
- target_field: proofpoint_tap.message_delivered.qid
- ignore_missing: true
- - rename:
- field: json.quarantineFolder
- target_field: proofpoint_tap.message_delivered.quarantine.folder
- ignore_missing: true
- - rename:
- field: json.quarantineRule
- target_field: proofpoint_tap.message_delivered.quarantine.rule
- ignore_missing: true
- - convert:
- field: json.spamScore
- target_field: proofpoint_tap.message_delivered.spam_score
- type: long
- ignore_failure: true
- - rename:
- field: json.threatsInfoMap
- target_field: proofpoint_tap.message_delivered.threat_info_map
- ignore_missing: true
- - foreach:
- field: proofpoint_tap.message_delivered.threat_info_map
- processor:
- rename:
- field: _ingest._value.campaignId
- target_field: _ingest._value.campaign_id
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
- - foreach:
- field: proofpoint_tap.message_delivered.threat_info_map
- processor:
- rename:
- field: _ingest._value.threat
- target_field: _ingest._value.threat.artifact
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
- - foreach:
- field: proofpoint_tap.message_delivered.threat_info_map
- processor:
- rename:
- field: _ingest._value.threatID
- target_field: _ingest._value.threat.id
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
- - foreach:
- field: proofpoint_tap.message_delivered.threat_info_map
- processor:
- rename:
- field: _ingest._value.threatStatus
- target_field: _ingest._value.threat.status
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
- - foreach:
- field: proofpoint_tap.message_delivered.threat_info_map
- processor:
- date:
- field: _ingest._value.threatTime
- target_field: _ingest._value.threat.time
- ignore_failure: true
- formats:
- - ISO8601
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
- - foreach:
- field: proofpoint_tap.message_delivered.threat_info_map
- processor:
- remove:
- field: _ingest._value.threatTime
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
- - foreach:
- field: proofpoint_tap.message_delivered.threat_info_map
- processor:
- rename:
- field: _ingest._value.threatType
- target_field: _ingest._value.threat.type
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
- - foreach:
- field: proofpoint_tap.message_delivered.threat_info_map
- processor:
- rename:
- field: _ingest._value.threatUrl
- target_field: _ingest._value.threat.url
- ignore_missing: true
- ignore_failure: true
- if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
- - remove:
- field: event.original
- if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
- ignore_failure: true
- ignore_missing: true
- - remove:
- field:
- - json
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively.
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
-on_failure:
- - set:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/fields/agent.yml b/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/fields/agent.yml
deleted file mode 100755
index 73e076a93b..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/fields/agent.yml
+++ /dev/null
@@ -1,186 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container ID.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host IP addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/fields/base-fields.yml b/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/fields/base-fields.yml
deleted file mode 100755
index cc51aafdf8..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module.
- value: proofpoint_tap
-- name: event.dataset
- type: constant_keyword
- description: Event dataset.
- value: proofpoint_tap.message_delivered
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/fields/ecs.yml b/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/fields/ecs.yml
deleted file mode 100755
index 4eaf034b1f..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/fields/ecs.yml
+++ /dev/null
@@ -1,129 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: A list of objects describing the attachment files sent along with an email message.
- name: email.attachments
- type: nested
-- description: MD5 hash.
- name: email.attachments.file.hash.md5
- type: keyword
-- description: SHA256 hash.
- name: email.attachments.file.hash.sha256
- type: keyword
-- description: Name of the attachment file including the file extension.
- name: email.attachments.file.name
- type: keyword
-- description: The email address of CC recipient
- name: email.cc.address
- type: keyword
-- description: |-
- Information about how the message is to be displayed.
- Typically a MIME type.
- name: email.content_type
- type: keyword
-- description: The date and time when the email message was received by the service or client.
- name: email.delivery_timestamp
- type: date
-- description: The email address of the sender, typically from the RFC 5322 `From:` header field.
- name: email.from.address
- type: keyword
-- description: Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message.
- name: email.message_id
- type: wildcard
-- description: The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header.
- name: email.reply_to.address
- type: keyword
-- description: Per RFC 5322, specifies the address responsible for the actual transmission of the message.
- name: email.sender.address
- type: keyword
-- description: A brief summary of the topic of the message.
- multi_fields:
- - name: text
- type: match_only_text
- name: email.subject
- type: keyword
-- description: The email address of recipient
- name: email.to.address
- type: keyword
-- description: The name of the application that was used to draft and send the original email message.
- name: email.x_mailer
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: Unique ID to describe the event.
- name: event.id
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
- name: related.hash
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: source.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: source.as.organization.name
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/fields/fields.yml b/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/fields/fields.yml
deleted file mode 100755
index 7b8ee5ae00..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/fields/fields.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-- name: proofpoint_tap
- type: group
- fields:
- - name: guid
- type: keyword
- description: The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique.
- - name: message_delivered
- type: group
- fields:
- - name: cluster
- type: keyword
- description: The name of the PPS cluster which processed the message.
- - name: completely_rewritten
- type: keyword
- description: The rewrite status of the message. If value is 'true', all instances of URL threats within the message were successfully rewritten. If the value is 'false', at least one instance of the a threat URL was not rewritten. If the value is 'na', the message did not contain any URL-based threats.
- - name: header
- type: group
- fields:
- - name: from
- type: keyword
- description: 'The full content of the From: header, including any friendly name.'
- - name: replyto
- type: keyword
- description: 'If present, the full content of the Reply-To: header, including any friendly names.'
- - name: impostor_score
- type: double
- description: The impostor score of the message. Higher scores indicate higher certainty.
- - name: malware_score
- type: long
- description: The malware score of the message. Higher scores indicate higher certainty.
- - name: message_parts
- type: group
- fields:
- - name: disposition
- type: keyword
- description: If the value is "inline," the messagePart is a message body. If the value is "attached," the messagePart is an attachment.
- - name: o_content_type
- type: keyword
- description: The declared Content-Type of the messagePart.
- - name: sandbox_status
- type: keyword
- description: The verdict returned by the sandbox during the scanning process. If the value is "unsupported", the messagePart is not supported by Attachment Defense and was not scanned. If the value is "clean", the sandbox returned a clean verdict. If the value is "threat", the sandbox returned a malicious verdict. If the value is "prefilter", the messagePart contained no active content, and was therefore not sent to the sandboxing service. If the value is "uploaded," the message was uploaded by PPS to the sandboxing service, but did not yet have a verdict at the time the message was processed. If the value is "inprogress," the attachment had been uploaded and was awaiting scanning at the time the message was processed. If the verdict is "uploaddisabled," the attachment was eligible for scanning, but was not uploaded because of PPS policy.
- - name: message_size
- type: long
- description: The size in bytes of the message, including headers and attachments.
- - name: modules_run
- type: keyword
- description: The list of PPS modules which processed the message.
- - name: phish_score
- type: long
- description: The phish score of the message. Higher scores indicate higher certainty.
- - name: policy_routes
- type: keyword
- description: The policy routes that the message matched during processing by PPS.
- - name: qid
- type: keyword
- description: The queue ID of the message within PPS. It can be used to identify the message in PPS and is not unique.
- - name: quarantine
- type: group
- fields:
- - name: folder
- type: keyword
- description: The name of the folder which contains the quarantined message. This appears only for messagesBlocked.
- - name: rule
- type: keyword
- description: The name of the rule which quarantined the message. This appears only for messagesBlocked events.
- - name: recipient
- type: keyword
- description: An array containing the email addresses of the SMTP (envelope) recipients.
- - name: spam_score
- type: long
- description: The spam score of the message. Higher scores indicate higher certainty.
- - name: threat_info_map
- type: group
- description: An array of structures which contain details about detected threats within the message. There may be more than one threat per message.
- fields:
- - name: campaign_id
- type: keyword
- description: An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved.
- - name: classification
- type: keyword
- description: The category of threat found in the message.
- - name: threat
- type: group
- fields:
- - name: artifact
- type: keyword
- description: The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender.
- - name: id
- type: keyword
- description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints.
- - name: status
- type: keyword
- description: The current state of the threat.
- - name: time
- type: date
- description: Proofpoint assigned the threatStatus at this time.
- - name: type
- type: keyword
- description: Whether the threat was an attachment, URL, or message type.
- - name: url
- type: keyword
- description: A link to the entry about the threat on the TAP Dashboard.
- - name: to_addresses
- type: keyword
- description: 'A list of email addresses contained within the To: header, excluding friendly names.'
diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/manifest.yml b/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/manifest.yml
deleted file mode 100755
index e82e189b75..0000000000
--- a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/manifest.yml
+++ /dev/null
@@ -1,50 +0,0 @@ -title: Message Delivered -type: logs -streams: - - input: httpjson - template_path: httpjson.yml.hbs - title: Proofpoint_TAP Message Delivered logs - description: Collect Proofpoint TAP Message Delivered logs via API. - vars: - - name: interval - type: text - title: Interval - description: Interval to fetch data from Proofpoint TAP API (The interval should be at least 1m). - multi: false - required: true - show_user: true - default: 1h - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days). - default: 24h - multi: false - required: true - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - proofpoint_tap-message_delivered - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/sample_event.json b/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/sample_event.json deleted file mode 100755 index 60229edc5b..0000000000 --- a/packages/proofpoint_tap/0.1.0/data_stream/message_delivered/sample_event.json +++ /dev/null 
@@ -1,120 +0,0 @@ -{ - "@timestamp": "2022-05-09T09:42:31.705Z", - "agent": { - "ephemeral_id": "59bb449e-3552-4dfb-a4a4-a6928d75b8fa", - "hostname": "docker-fleet-agent", - "id": "3dc09e3a-0004-444b-a301-8c632b17172b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "proofpoint_tap.message_delivered", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "3dc09e3a-0004-444b-a301-8c632b17172b", - "snapshot": false, - "version": "7.17.0" - }, - "email": { - "delivery_timestamp": "2022-01-01T00:00:00.000Z", - "to": { - "address": [ - "fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com" - ] - } - }, - "event": { - "agent_id_status": "verified", - "category": [ - "email" - ], - "created": "2022-05-09T09:42:31.705Z", - "dataset": "proofpoint_tap.message_delivered", - "id": "2hsvbU-i8abc123-12345-xxxxx12", - "ingested": "2022-05-09T09:42:35Z", - "kind": "event", - "original": "{\"GUID\":\"NxxxsxvxbxUxixcx2xxxxx5x6xWxBxOxxxxxjxx\",\"QID\":null,\"ccAddresses\":null,\"cluster\":\"pharmtech_hosted\",\"completelyRewritten\":true,\"fromAddress\":null,\"headerFrom\":null,\"headerReplyTo\":null,\"id\":\"2hsvbU-i8abc123-12345-xxxxx12\",\"impostorScore\":0,\"malwareScore\":0,\"messageID\":\"\",\"messageParts\":null,\"messageSize\":0,\"messageTime\":\"2022-01-01T00:00:00.000Z\",\"modulesRun\":null,\"phishScore\":0,\"policyRoutes\":null,\"quarantineFolder\":null,\"quarantineRule\":null,\"recipient\":[\"fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com\"],\"replyToAddress\":null,\"sender\":\"\",\"senderIP\":\"89.160.20.112\",\"spamScore\":0,\"subject\":null,\"threatsInfoMap\":[{\"campaignID\":null,\"classification\":\"spam\",\"threat\":\"http://zbcd123456x0.example.com\",\"threatID\":\"b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\",\"threatStatus\":\"active\",\"threatTime\":\"2021-11-25T13:02:58.640Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.p
roofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\"},{\"campaignID\":null,\"classification\":\"phish\",\"threat\":\"http://zbcd123456x0.example.com\",\"threatID\":\"aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566\",\"threatStatus\":\"active\",\"threatTime\":\"2021-07-19T10:28:15.100Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\"}],\"toAddresses\":null,\"xmailer\":null}", - "type": [ - "info" - ] - }, - "input": { - "type": "httpjson" - }, - "proofpoint_tap": { - "guid": "NxxxsxvxbxUxixcx2xxxxx5x6xWxBxOxxxxxjxx", - "message_delivered": { - "cluster": "pharmtech_hosted", - "completely_rewritten": "true", - "impostor_score": 0, - "malware_score": 0, - "message_size": 0, - "phish_score": 0, - "recipient": [ - "fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com" - ], - "spam_score": 0, - "threat_info_map": [ - { - "classification": "spam", - "threat": { - "artifact": "http://zbcd123456x0.example.com", - "id": "b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb", - "status": "active", - "time": "2021-11-25T13:02:58.640Z", - "type": "url", - "url": "https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb" - } - }, - { - "classification": "phish", - "threat": { - "artifact": "http://zbcd123456x0.example.com", - "id": "aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566", - "status": "active", - "time": "2021-07-19T10:28:15.100Z", - "type": "url", - "url": "https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb" - } - } - ] - } - }, - "related": { - "ip": [ - "89.160.20.112" - ] - }, - "source": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - 
"geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.112" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "proofpoint_tap-message_delivered" - ] -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/docs/README.md b/packages/proofpoint_tap/0.1.0/docs/README.md deleted file mode 100755 index 4499fb5f31..0000000000 --- a/packages/proofpoint_tap/0.1.0/docs/README.md +++ /dev/null 
@@ -1,1020 +0,0 @@ -# Proofpoint TAP - -The Proofpoint TAP integration collects and parses data from the Proofpoint TAP REST APIs. - -## Compatibility - -This module has been tested against `SIEM API v2`. - -## Configurations - -The service principal and secret are used to authenticate to the SIEM API. To generate TAP Service Credentials please follow the following steps. -1. Log in to the [_TAP dashboard_](https://threatinsight.proofpoint.com). -2. Navigate to **Settings > Connected Applications**. -3. Click **Create New Credential**. -4. Name the new credential set and click **Generate**. -5. Copy the **Service Principal** and **Secret** and save them for later use. -For the more information on generating TAP credentials please follow the steps mentioned in the link [_Generate TAP Service Credentials_](https://ptr-docs.proofpoint.com/ptr-guides/integrations-files/ptr-tap/#generate-tap-service-credentials). - - -## Logs - -### Clicks Blocked - -This is the `clicks_blocked` dataset. - -An example event for `clicks_blocked` looks as following: - -```json -{ - "@timestamp": "2022-03-30T10:11:12.000Z", - "agent": { - "ephemeral_id": "cd4a05a0-d8d5-4b88-b709-b525da6dd43e", - "hostname": "docker-fleet-agent", - "id": "3dc09e3a-0004-444b-a301-8c632b17172b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "proofpoint_tap.clicks_blocked", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.112" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "3dc09e3a-0004-444b-a301-8c632b17172b", - "snapshot": false, - "version": "7.17.0" - }, 
- "email": { - "from": { - "address": "abc123@example.com" - }, - "message_id": "12345678912345.12345.mail@example.com", - "to": { - "address": "9c52aa64228824247c48df69b066e5a7@example.com" - } - }, - "event": { - "agent_id_status": "verified", - "category": [ - "email" - ], - "created": "2022-05-09T09:38:11.168Z", - "dataset": "proofpoint_tap.clicks_blocked", - "id": "a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx", - "ingested": "2022-05-09T09:38:14Z", - "kind": "event", - "original": "{\"GUID\":\"ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"malware\",\"clickIP\":\"89.160.20.112\",\"clickTime\":\"2022-03-30T10:11:12.000Z\",\"id\":\"a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx\",\"messageID\":\"12345678912345.12345.mail@example.com\",\"recipient\":\"9c52aa64228824247c48df69b066e5a7@example.com\",\"sender\":\"abc123@example.com\",\"senderIP\":\"81.2.69.143\",\"threatID\":\"502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f\",\"threatStatus\":\"active\",\"threatTime\":\"2022-03-21T14:40:31.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f\",\"url\":\"https://www.example.com/abcdabcd123?query=0\",\"userAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1\"}", - "type": [ - "denied" - ] - }, - "input": { - "type": "httpjson" - }, - "proofpoint_tap": { - "clicks_blocked": { - "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", - "classification": "malware", - "threat": { - "id": "502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f", - "status": "active", - "time": "2022-03-21T14:40:31.000Z", - "url": "https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f" - } - }, - "guid": 
"ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx" - }, - "related": { - "ip": [ - "81.2.69.143", - "89.160.20.112" - ] - }, - "source": { - "ip": "81.2.69.143" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "proofpoint_tap-clicks_blocked" - ], - "url": { - "domain": "www.example.com", - "full": "https://www.example.com/abcdabcd123?query=0", - "path": "/abcdabcd123", - "query": "query=0", - "scheme": "https" - }, - "user_agent": { - "device": { - "name": "iPhone" - }, - "name": "Google", - "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1", - "os": { - "full": "iOS 14.6", - "name": "iOS", - "version": "14.6" - }, - "version": "199.0.427504638" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | -| email.to.address | The email address of recipient | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| proofpoint_tap.clicks_blocked.campaign_id | An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. | keyword | -| proofpoint_tap.clicks_blocked.classification | The threat category of the malicious URL. | keyword | -| proofpoint_tap.clicks_blocked.sender_ip | The IP address of the sender. | ip | -| proofpoint_tap.clicks_blocked.threat.id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | -| proofpoint_tap.clicks_blocked.threat.status | The current state of the threat. | keyword | -| proofpoint_tap.clicks_blocked.threat.time | Proofpoint identified the URL as a threat at this time. | date | -| proofpoint_tap.clicks_blocked.threat.url | A link to the entry on the TAP Dashboard for the particular threat. | keyword | -| proofpoint_tap.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | -| url.username | Username of the request. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -### Clicks Permitted - -This is the `clicks_permitted` dataset. - -An example event for `clicks_permitted` looks as following: - -```json -{ - "@timestamp": "2022-03-21T20:39:37.000Z", - "agent": { - "ephemeral_id": "85f7f8f1-c9f4-4d3f-bd2f-c6f4e6c31526", - "hostname": "docker-fleet-agent", - "id": "3dc09e3a-0004-444b-a301-8c632b17172b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "proofpoint_tap.clicks_permitted", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.112" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "3dc09e3a-0004-444b-a301-8c632b17172b", - "snapshot": false, - "version": "7.17.0" - }, - "email": { - "from": { - "address": "abc123@example.com" - }, - "message_id": 
"12345678912345.12345.mail@example.com", - "to": { - "address": "abc@example.com" - } - }, - "event": { - "agent_id_status": "verified", - "category": [ - "email" - ], - "created": "2022-05-09T09:39:34.061Z", - "dataset": "proofpoint_tap.clicks_permitted", - "id": "de7eef56-1234-1234-1234-5xxfx7xxxdxxxx", - "ingested": "2022-05-09T09:39:37Z", - "kind": "event", - "original": "{\"GUID\":\"cTxxxxxxzx7xxxxxxxxxx8x4xwxx\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"phish\",\"clickIP\":\"89.160.20.112\",\"clickTime\":\"2022-03-21T20:39:37.000Z\",\"id\":\"de7eef56-1234-1234-1234-5xxfx7xxxdxxxx\",\"messageID\":\"12345678912345.12345.mail@example.com\",\"recipient\":\"abc@example.com\",\"sender\":\"abc123@example.com\",\"senderIP\":\"81.2.69.143\",\"threatID\":\"92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx\",\"threatStatus\":\"active\",\"threatTime\":\"2022-03-30T10:05:57.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx\",\"url\":\"https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.46\"}", - "type": [ - "allowed" - ] - }, - "input": { - "type": "httpjson" - }, - "proofpoint_tap": { - "clicks_permitted": { - "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", - "classification": "phish", - "threat": { - "id": "92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx", - "status": "active", - "time": "2022-03-30T10:05:57.000Z", - "url": "https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx" - } - }, - "guid": "cTxxxxxxzx7xxxxxxxxxx8x4xwxx" - }, - "related": { - "ip": [ - "81.2.69.143", - "89.160.20.112" - ] - }, - "source": { - "ip": "81.2.69.143" - }, - "tags": [ - "preserve_original_event", - 
"forwarded", - "proofpoint_tap-clicks_permitted" - ], - "url": { - "domain": "example.com", - "full": "https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX", - "path": "/collab/", - "query": "id=x4x3x6xsx1xxxx8xEdxexnxxxaxX", - "scheme": "https" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Edge", - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.46", - "os": { - "full": "Windows 10", - "name": "Windows", - "version": "10" - }, - "version": "99.0.1150.46" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. 
| constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | -| email.to.address | The email address of recipient | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| proofpoint_tap.clicks_permitted.campaign_id | An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. | keyword | -| proofpoint_tap.clicks_permitted.classification | The threat category of the malicious URL. | keyword | -| proofpoint_tap.clicks_permitted.sender_ip | The IP address of the sender. | ip | -| proofpoint_tap.clicks_permitted.threat.id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | -| proofpoint_tap.clicks_permitted.threat.status | The current state of the threat. | keyword | -| proofpoint_tap.clicks_permitted.threat.time | Proofpoint identified the URL as a threat at this time. | date | -| proofpoint_tap.clicks_permitted.threat.url | A link to the entry on the TAP Dashboard for the particular threat. | keyword | -| proofpoint_tap.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. 
The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.password | Password of the request. | keyword | -| url.path | Path of the request, such as "/search". | wildcard | -| url.port | Port of the request, such as 443. | long | -| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| url.username | Username of the request. | keyword | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | - - -### Message Blocked - -This is the `message_blocked` dataset. - -An example event for `message_blocked` looks as following: - -```json -{ - "@timestamp": "2022-05-09T09:41:02.164Z", - "agent": { - "ephemeral_id": "dfa889d8-af83-426a-b8dc-483740f73385", - "hostname": "docker-fleet-agent", - "id": "3dc09e3a-0004-444b-a301-8c632b17172b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "proofpoint_tap.message_blocked", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "3dc09e3a-0004-444b-a301-8c632b17172b", - "snapshot": false, - "version": "7.17.0" - }, - "email": { - "attachments": [ - { - "file": { - "hash": { - "md5": "b10a8db164e0754105b7a99be72e3fe5", - "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" - }, - "mime_type": "text/plain", - "name": "text.txt" - } - }, - { - "file": { - "hash": { - "md5": "b10a8db164e0754105b7a99be72e3fe5", - "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" - }, - "mime_type": "application/pdf", - "name": "text.pdf" - } - } - ], - "cc": { - "address": [ - "abc@example.com" - ] - }, - "delivery_timestamp": "2021-11-25T09:10:00.050Z", - "from": { - "address": "abc@example.com" - }, - "message_id": "12345678912345.12345.mail@example.com", - "sender": { - "address": "x99x7x5580193x6x51x597xx2x0210@example.com" - }, - "subject": "Please find a totally safe 
invoice attached.", - "to": { - "address": [ - "example.abc@example.com", - "hey.hello@example.com" - ] - }, - "x_mailer": "Spambot v2.5" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "email" - ], - "created": "2022-05-09T09:41:02.164Z", - "dataset": "proofpoint_tap.message_blocked", - "ingested": "2022-05-09T09:41:05Z", - "kind": "event", - "original": "{\"GUID\":\"x11xxxx1-12f9-111x-x12x-1x1x123456xx\",\"QID\":\"x2XXxXXX111111\",\"ccAddresses\":[\"abc@example.com\"],\"clusterId\":\"pharmtech_hosted\",\"completelyRewritten\":\"true\",\"fromAddress\":\"abc@example.com\",\"headerCC\":\"\\\"Example Abc\\\" \\u003cabc@example.com\\u003e\",\"headerFrom\":\"\\\"A. Bc\\\" \\u003cabc@example.com\\u003e\",\"headerReplyTo\":null,\"headerTo\":\"\\\"Aa Bb\\\" \\u003caa.bb@example.com\\u003e; \\\"Hey Hello\\\" \\u003chey.hello@example.com\\u003e\",\"impostorScore\":0,\"malwareScore\":100,\"messageID\":\"12345678912345.12345.mail@example.com\",\"messageParts\":[{\"contentType\":\"text/plain\",\"disposition\":\"inline\",\"filename\":\"text.txt\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"text/plain\",\"sandboxStatus\":\"unsupported\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"},{\"contentType\":\"application/pdf\",\"disposition\":\"attached\",\"filename\":\"text.pdf\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"application/pdf\",\"sandboxStatus\":\"threat\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"}],\"messageTime\":\"2021-11-25T09:10:00.050Z\",\"modulesRun\":[\"pdr\",\"sandbox\",\"spam\",\"urldefense\"],\"phishScore\":46,\"policyRoutes\":[\"default_inbound\",\"executives\"],\"quarantineFolder\":\"Attachment 
Defense\",\"quarantineRule\":\"module.sandbox.threat\",\"recipient\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"replyToAddress\":null,\"sender\":\"x99x7x5580193x6x51x597xx2x0210@example.com\",\"senderIP\":\"175.16.199.1\",\"spamScore\":4,\"subject\":\"Please find a totally safe invoice attached.\",\"threatsInfoMap\":[{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"threatId\":\"2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx\",\"threatStatus\":\"active\",\"threatTime\":\"2021-11-25T09:10:00.050Z\",\"threatType\":\"ATTACHMENT\",\"threatUrl\":\"https://www.example.com/?name=john\"},{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"example.com\",\"threatId\":\"3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx\",\"threatTime\":\"2021-07-20T05:00:00.050Z\",\"threatType\":\"URL\",\"threatUrl\":\"https://www.example.com/?name=john\"}],\"toAddresses\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"xmailer\":\"Spambot v2.5\"}", - "type": [ - "denied" - ] - }, - "input": { - "type": "httpjson" - }, - "proofpoint_tap": { - "guid": "x11xxxx1-12f9-111x-x12x-1x1x123456xx", - "message_blocked": { - "completely_rewritten": "true", - "header": { - "cc": "\"Example Abc\" \u003cabc@example.com\u003e", - "from": "\"A. 
Bc\" abc@example.com", - "to": "\"Aa Bb\" \u003caa.bb@example.com\u003e; \"Hey Hello\" \u003chey.hello@example.com\u003e" - }, - "impostor_score": 0, - "malware_score": 100, - "message_parts": [ - { - "disposition": "inline", - "o_content_type": "text/plain", - "sandbox_status": "unsupported" - }, - { - "disposition": "attached", - "o_content_type": "application/pdf", - "sandbox_status": "threat" - } - ], - "modules_run": [ - "pdr", - "sandbox", - "spam", - "urldefense" - ], - "phish_score": 46, - "policy_routes": [ - "default_inbound", - "executives" - ], - "qid": "x2XXxXXX111111", - "quarantine": { - "folder": "Attachment Defense", - "rule": "module.sandbox.threat" - }, - "recipient": [ - "example.abc@example.com", - "hey.hello@example.com" - ], - "spam_score": 4, - "threat_info_map": [ - { - "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", - "classification": "MALWARE", - "threat": { - "artifact": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e", - "status": "active", - "time": "2021-11-25T09:10:00.050Z", - "type": "ATTACHMENT", - "url": "https://www.example.com/?name=john" - }, - "threatId": "2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx" - }, - { - "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", - "classification": "MALWARE", - "threat": { - "artifact": "example.com", - "time": "2021-07-20T05:00:00.050Z", - "type": "URL", - "url": "https://www.example.com/?name=john" - }, - "threatId": "3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx" - } - ], - "to_addresses": [ - "example.abc@example.com", - "hey.hello@example.com" - ] - } - }, - "related": { - "hash": [ - "b10a8db164e0754105b7a99be72e3fe5", - "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" - ], - "ip": [ - "175.16.199.1" - ] - }, - "source": { - "geo": { - "city_name": "Changchun", - "continent_name": "Asia", - "country_iso_code": "CN", - "country_name": "China", - "location": { - "lat": 43.88, - "lon": 125.3228 - }, - 
"region_iso_code": "CN-22", - "region_name": "Jilin Sheng" - }, - "ip": "175.16.199.1" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "proofpoint_tap-message_blocked" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.attachments | A list of objects describing the attachment files sent along with an email message. 
| nested | -| email.attachments.file.hash.md5 | MD5 hash. | keyword | -| email.attachments.file.hash.sha256 | SHA256 hash. | keyword | -| email.attachments.file.name | Name of the attachment file including the file extension. | keyword | -| email.cc.address | The email address of CC recipient | keyword | -| email.content_type | Information about how the message is to be displayed. Typically a MIME type. | keyword | -| email.delivery_timestamp | The date and time when the email message was received by the service or client. | date | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | -| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | -| email.reply_to.address | The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header. | keyword | -| email.sender.address | Per RFC 5322, specifies the address responsible for the actual transmission of the message. | keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| email.x_mailer | The name of the application that was used to draft and send the original email message. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. | keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| proofpoint_tap.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | -| proofpoint_tap.message_blocked.cluster | The name of the PPS cluster which processed the message. | keyword | -| proofpoint_tap.message_blocked.completely_rewritten | The rewrite status of the message. If value is 'true', all instances of URL threats within the message were successfully rewritten. If the value is 'false', at least one instance of the a threat URL was not rewritten. If the value is 'na', the message did not contain any URL-based threats. | keyword | -| proofpoint_tap.message_blocked.header.cc | | keyword | -| proofpoint_tap.message_blocked.header.from | The full content of the 
From: header, including any friendly name. | keyword | -| proofpoint_tap.message_blocked.header.replyto | If present, the full content of the Reply-To: header, including any friendly names. | keyword | -| proofpoint_tap.message_blocked.header.to | | keyword | -| proofpoint_tap.message_blocked.impostor_score | The impostor score of the message. Higher scores indicate higher certainty. | double | -| proofpoint_tap.message_blocked.malware_score | The malware score of the message. Higher scores indicate higher certainty. | long | -| proofpoint_tap.message_blocked.message_parts.disposition | If the value is "inline," the messagePart is a message body. If the value is "attached," the messagePart is an attachment. | keyword | -| proofpoint_tap.message_blocked.message_parts.o_content_type | The declared Content-Type of the messagePart. | keyword | -| proofpoint_tap.message_blocked.message_parts.sandbox_status | The verdict returned by the sandbox during the scanning process. If the value is "unsupported", the messagePart is not supported by Attachment Defense and was not scanned. If the value is "clean", the sandbox returned a clean verdict. If the value is "threat", the sandbox returned a malicious verdict. If the value is "prefilter", the messagePart contained no active content, and was therefore not sent to the sandboxing service. If the value is "uploaded," the message was uploaded by PPS to the sandboxing service, but did not yet have a verdict at the time the message was processed. If the value is "inprogress," the attachment had been uploaded and was awaiting scanning at the time the message was processed. If the verdict is "uploaddisabled," the attachment was eligible for scanning, but was not uploaded because of PPS policy. | keyword | -| proofpoint_tap.message_blocked.message_size | The size in bytes of the message, including headers and attachments. | long | -| proofpoint_tap.message_blocked.modules_run | The list of PPS modules which processed the message. 
| keyword | -| proofpoint_tap.message_blocked.phish_score | The phish score of the message. Higher scores indicate higher certainty. | long | -| proofpoint_tap.message_blocked.policy_routes | The policy routes that the message matched during processing by PPS. | keyword | -| proofpoint_tap.message_blocked.qid | The queue ID of the message within PPS. It can be used to identify the message in PPS and is not unique. | keyword | -| proofpoint_tap.message_blocked.quarantine.folder | The name of the folder which contains the quarantined message. This appears only for messagesBlocked. | keyword | -| proofpoint_tap.message_blocked.quarantine.rule | The name of the rule which quarantined the message. This appears only for messagesBlocked events. | keyword | -| proofpoint_tap.message_blocked.recipient | An array containing the email addresses of the SMTP (envelope) recipients. | keyword | -| proofpoint_tap.message_blocked.spam_score | The spam score of the message. Higher scores indicate higher certainty. | long | -| proofpoint_tap.message_blocked.threat_info_map.campaign_id | An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. | keyword | -| proofpoint_tap.message_blocked.threat_info_map.classification | The category of threat found in the message. | keyword | -| proofpoint_tap.message_blocked.threat_info_map.threat.artifact | The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender. | keyword | -| proofpoint_tap.message_blocked.threat_info_map.threat.id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | -| proofpoint_tap.message_blocked.threat_info_map.threat.status | The current state of the threat. 
| keyword | -| proofpoint_tap.message_blocked.threat_info_map.threat.time | Proofpoint assigned the threatStatus at this time. | date | -| proofpoint_tap.message_blocked.threat_info_map.threat.type | Whether the threat was an attachment, URL, or message type. | keyword | -| proofpoint_tap.message_blocked.threat_info_map.threat.url | A link to the entry about the threat on the TAP Dashboard. | keyword | -| proofpoint_tap.message_blocked.to_addresses | A list of email addresses contained within the To: header, excluding friendly names. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - - -### Message Delivered - -This is the `message_delivered` dataset. 
- -An example event for `message_delivered` looks as following: - -```json -{ - "@timestamp": "2022-05-09T09:42:31.705Z", - "agent": { - "ephemeral_id": "59bb449e-3552-4dfb-a4a4-a6928d75b8fa", - "hostname": "docker-fleet-agent", - "id": "3dc09e3a-0004-444b-a301-8c632b17172b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.17.0" - }, - "data_stream": { - "dataset": "proofpoint_tap.message_delivered", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "3dc09e3a-0004-444b-a301-8c632b17172b", - "snapshot": false, - "version": "7.17.0" - }, - "email": { - "delivery_timestamp": "2022-01-01T00:00:00.000Z", - "to": { - "address": [ - "fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com" - ] - } - }, - "event": { - "agent_id_status": "verified", - "category": [ - "email" - ], - "created": "2022-05-09T09:42:31.705Z", - "dataset": "proofpoint_tap.message_delivered", - "id": "2hsvbU-i8abc123-12345-xxxxx12", - "ingested": "2022-05-09T09:42:35Z", - "kind": "event", - "original": 
"{\"GUID\":\"NxxxsxvxbxUxixcx2xxxxx5x6xWxBxOxxxxxjxx\",\"QID\":null,\"ccAddresses\":null,\"cluster\":\"pharmtech_hosted\",\"completelyRewritten\":true,\"fromAddress\":null,\"headerFrom\":null,\"headerReplyTo\":null,\"id\":\"2hsvbU-i8abc123-12345-xxxxx12\",\"impostorScore\":0,\"malwareScore\":0,\"messageID\":\"\",\"messageParts\":null,\"messageSize\":0,\"messageTime\":\"2022-01-01T00:00:00.000Z\",\"modulesRun\":null,\"phishScore\":0,\"policyRoutes\":null,\"quarantineFolder\":null,\"quarantineRule\":null,\"recipient\":[\"fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com\"],\"replyToAddress\":null,\"sender\":\"\",\"senderIP\":\"89.160.20.112\",\"spamScore\":0,\"subject\":null,\"threatsInfoMap\":[{\"campaignID\":null,\"classification\":\"spam\",\"threat\":\"http://zbcd123456x0.example.com\",\"threatID\":\"b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\",\"threatStatus\":\"active\",\"threatTime\":\"2021-11-25T13:02:58.640Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\"},{\"campaignID\":null,\"classification\":\"phish\",\"threat\":\"http://zbcd123456x0.example.com\",\"threatID\":\"aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566\",\"threatStatus\":\"active\",\"threatTime\":\"2021-07-19T10:28:15.100Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\"}],\"toAddresses\":null,\"xmailer\":null}", - "type": [ - "info" - ] - }, - "input": { - "type": "httpjson" - }, - "proofpoint_tap": { - "guid": "NxxxsxvxbxUxixcx2xxxxx5x6xWxBxOxxxxxjxx", - "message_delivered": { - "cluster": "pharmtech_hosted", - "completely_rewritten": "true", - "impostor_score": 0, - "malware_score": 0, - "message_size": 0, - "phish_score": 0, - "recipient": [ - "fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com" - ], - 
"spam_score": 0, - "threat_info_map": [ - { - "classification": "spam", - "threat": { - "artifact": "http://zbcd123456x0.example.com", - "id": "b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb", - "status": "active", - "time": "2021-11-25T13:02:58.640Z", - "type": "url", - "url": "https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb" - } - }, - { - "classification": "phish", - "threat": { - "artifact": "http://zbcd123456x0.example.com", - "id": "aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566", - "status": "active", - "time": "2021-07-19T10:28:15.100Z", - "type": "url", - "url": "https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb" - } - } - ] - } - }, - "related": { - "ip": [ - "89.160.20.112" - ] - }, - "source": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.112" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "proofpoint_tap-message_delivered" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. 
| keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container ID. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| email.attachments | A list of objects describing the attachment files sent along with an email message. | nested | -| email.attachments.file.hash.md5 | MD5 hash. | keyword | -| email.attachments.file.hash.sha256 | SHA256 hash. | keyword | -| email.attachments.file.name | Name of the attachment file including the file extension. | keyword | -| email.cc.address | The email address of CC recipient | keyword | -| email.content_type | Information about how the message is to be displayed. Typically a MIME type. | keyword | -| email.delivery_timestamp | The date and time when the email message was received by the service or client. | date | -| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. 
| keyword | -| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | -| email.reply_to.address | The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header. | keyword | -| email.sender.address | Per RFC 5322, specifies the address responsible for the actual transmission of the message. | keyword | -| email.subject | A brief summary of the topic of the message. | keyword | -| email.subject.text | Multi-field of `email.subject`. | match_only_text | -| email.to.address | The email address of recipient | keyword | -| email.x_mailer | The name of the application that was used to draft and send the original email message. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset. | constant_keyword | -| event.id | Unique ID to describe the event. 
| keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module. | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host IP addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| proofpoint_tap.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | -| proofpoint_tap.message_delivered.cluster | The name of the PPS cluster which processed the message. | keyword | -| proofpoint_tap.message_delivered.completely_rewritten | The rewrite status of the message. If value is 'true', all instances of URL threats within the message were successfully rewritten. If the value is 'false', at least one instance of the a threat URL was not rewritten. 
If the value is 'na', the message did not contain any URL-based threats. | keyword | -| proofpoint_tap.message_delivered.header.from | The full content of the 
From: header, including any friendly name. | keyword | -| proofpoint_tap.message_delivered.header.replyto | If present, the full content of the Reply-To: header, including any friendly names. | keyword | -| proofpoint_tap.message_delivered.impostor_score | The impostor score of the message. Higher scores indicate higher certainty. | double | -| proofpoint_tap.message_delivered.malware_score | The malware score of the message. Higher scores indicate higher certainty. | long | -| proofpoint_tap.message_delivered.message_parts.disposition | If the value is "inline," the messagePart is a message body. If the value is "attached," the messagePart is an attachment. | keyword | -| proofpoint_tap.message_delivered.message_parts.o_content_type | The declared Content-Type of the messagePart. | keyword | -| proofpoint_tap.message_delivered.message_parts.sandbox_status | The verdict returned by the sandbox during the scanning process. If the value is "unsupported", the messagePart is not supported by Attachment Defense and was not scanned. If the value is "clean", the sandbox returned a clean verdict. If the value is "threat", the sandbox returned a malicious verdict. If the value is "prefilter", the messagePart contained no active content, and was therefore not sent to the sandboxing service. If the value is "uploaded," the message was uploaded by PPS to the sandboxing service, but did not yet have a verdict at the time the message was processed. If the value is "inprogress," the attachment had been uploaded and was awaiting scanning at the time the message was processed. If the verdict is "uploaddisabled," the attachment was eligible for scanning, but was not uploaded because of PPS policy. | keyword | -| proofpoint_tap.message_delivered.message_size | The size in bytes of the message, including headers and attachments. | long | -| proofpoint_tap.message_delivered.modules_run | The list of PPS modules which processed the message. 
| keyword | -| proofpoint_tap.message_delivered.phish_score | The phish score of the message. Higher scores indicate higher certainty. | long | -| proofpoint_tap.message_delivered.policy_routes | The policy routes that the message matched during processing by PPS. | keyword | -| proofpoint_tap.message_delivered.qid | The queue ID of the message within PPS. It can be used to identify the message in PPS and is not unique. | keyword | -| proofpoint_tap.message_delivered.quarantine.folder | The name of the folder which contains the quarantined message. This appears only for messagesBlocked. | keyword | -| proofpoint_tap.message_delivered.quarantine.rule | The name of the rule which quarantined the message. This appears only for messagesBlocked events. | keyword | -| proofpoint_tap.message_delivered.recipient | An array containing the email addresses of the SMTP (envelope) recipients. | keyword | -| proofpoint_tap.message_delivered.spam_score | The spam score of the message. Higher scores indicate higher certainty. | long | -| proofpoint_tap.message_delivered.threat_info_map.campaign_id | An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. | keyword | -| proofpoint_tap.message_delivered.threat_info_map.classification | The category of threat found in the message. | keyword | -| proofpoint_tap.message_delivered.threat_info_map.threat.artifact | The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender. | keyword | -| proofpoint_tap.message_delivered.threat_info_map.threat.id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | -| proofpoint_tap.message_delivered.threat_info_map.threat.status | The current state of the threat. 
| keyword | -| proofpoint_tap.message_delivered.threat_info_map.threat.time | Proofpoint assigned the threatStatus at this time. | date | -| proofpoint_tap.message_delivered.threat_info_map.threat.type | Whether the threat was an attachment, URL, or message type. | keyword | -| proofpoint_tap.message_delivered.threat_info_map.threat.url | A link to the entry about the threat on the TAP Dashboard. | keyword | -| proofpoint_tap.message_delivered.to_addresses | A list of email addresses contained within the To: header, excluding friendly names. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | - diff --git a/packages/proofpoint_tap/0.1.0/img/proofpoint_tap-logo.svg b/packages/proofpoint_tap/0.1.0/img/proofpoint_tap-logo.svg deleted file mode 100755 index 9a147bc479..0000000000 --- a/packages/proofpoint_tap/0.1.0/img/proofpoint_tap-logo.svg +++ /dev/null 
@@ -1,42 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - diff --git a/packages/proofpoint_tap/0.1.0/img/proofpoint_tap-screenshot.png b/packages/proofpoint_tap/0.1.0/img/proofpoint_tap-screenshot.png deleted file mode 100755 index d707ccb1c0..0000000000 Binary files a/packages/proofpoint_tap/0.1.0/img/proofpoint_tap-screenshot.png and /dev/null differ diff --git a/packages/proofpoint_tap/0.1.0/kibana/dashboard/proofpoint_tap-3ad578f0-b5a6-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/dashboard/proofpoint_tap-3ad578f0-b5a6-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 07ee296840..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/dashboard/proofpoint_tap-3ad578f0-b5a6-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,98 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.clicks_blocked\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"aa104adb-fbc4-4019-9fda-9f1ca4886d64\",\"w\":48,\"x\":0,\"y\":67},\"panelIndex\":\"aa104adb-fbc4-4019-9fda-9f1ca4886d64\",\"panelRefName\":\"panel_aa104adb-fbc4-4019-9fda-9f1ca4886d64\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4ff0e011-970a-4b60-9158-962f4e89fbbe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4ff0e011-970a-4b60-9158-962f4e89fbbe\":{\"columnOrder\":[\"dc762ac8-6645-45a7-ba44-b3fbd0309338\"],\"columns\":{\"dc762ac8-6645-45a7-ba44-b3fbd0309338\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Clicks\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"dc762ac8-6645-45a7-ba44-b3fbd0309338\",\"layerId\":\"4ff0e011-970a-4b60-9158-962f4e89fbbe\",\"layerType\":\"data\"}},\"title\":\"Count of Clicks [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"39f0263c-ab86-416a-8048-83d13edbdbab\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"39f0263c-ab86-416a-8048-83d13edbdbab\",\"title\":\"Count of Clicks [Logs Proofpoint 
TAP]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-09466534-a461-4fbb-850b-fba8df6b7c37\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"09466534-a461-4fbb-850b-fba8df6b7c37\":{\"columnOrder\":[\"caef084e-7dca-43d6-8538-a2806796463e\",\"8c76f7ef-0d3f-4558-8835-17fa53443a49\",\"8c76f7ef-0d3f-4558-8835-17fa53443a49X0\"],\"columns\":{\"8c76f7ef-0d3f-4558-8835-17fa53443a49\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"formula\",\"params\":{\"formula\":\"count()\",\"isFormulaBroken\":false},\"references\":[\"8c76f7ef-0d3f-4558-8835-17fa53443a49X0\"],\"scale\":\"ratio\"},\"8c76f7ef-0d3f-4558-8835-17fa53443a49X0\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Part of count()\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"caef084e-7dca-43d6-8538-a2806796463e\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Classification\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"fallback\":true,\"type\":\"alphabetical\"},\"orderDirection\":\"asc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.clicks_blocked.classification\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"proofpoint_tap.clicks_blocked\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"caef084e-7dca-43d6-8538-a2806796463e\"],\"layerId\":\"09466534-a461-4fbb-850b-fba8df6b7c37\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"8c76f7ef-0d3f-4558-8835-17fa53443a49\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Blocked Clicks by Classification [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d6f150e5-a82f-453c-867a-3c0f40ba826b\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"d6f150e5-a82f-453c-867a-3c0f40ba826b\",\"title\":\"Distribution of Blocked Clicks by Classification [Logs Proofpoint TAP]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-062ab937-584b-4266-b89a-e0965350fd15\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"062ab937-584b-4266-b89a-e0965350fd15\":{\"columnOrder\":[\"b4231a92-a121-4d7b-8975-7deb595868c2\",\"e4a9c4a7-4e05-4669-8842-47a87900ad7c\"],\"columns\":{\"b4231a92-a121-4d7b-8975-7deb595868c2\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"URL\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e4a9c4a7-4e05-4669-8842-47a87900ad7c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"url.full\"},\"e4a9c4a7-4e05-4669-8842-47a87900ad7c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filter
s\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"b4231a92-a121-4d7b-8975-7deb595868c2\",\"isTransposed\":false},{\"columnId\":\"e4a9c4a7-4e05-4669-8842-47a87900ad7c\",\"isTransposed\":false}],\"layerId\":\"062ab937-584b-4266-b89a-e0965350fd15\",\"layerType\":\"data\"}},\"title\":\"Top 10 Malicious URL [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b921de2f-edd5-4539-bb51-c94c5ddf4541\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"b921de2f-edd5-4539-bb51-c94c5ddf4541\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ec2f7bac-2077-4709-9d52-3ae3c0a582de\":{\"columnOrder\":[\"394062e2-3219-4ff0-b930-7dceb79cb5cd\",\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\"],\"columns\":{\"394062e2-3219-4ff0-b930-7dceb79cb5cd\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Recipient\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"email.to.address\"},\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"394062e2-3219-4ff0-b930-7dceb79cb5cd\",\"isTransposed\":false},{\"columnId\":\"8
c5a8f23-a89c-459e-8fdb-07844dc1c19f\",\"isTransposed\":false}],\"layerId\":\"ec2f7bac-2077-4709-9d52-3ae3c0a582de\",\"layerType\":\"data\"}},\"title\":\"Top 10 Recipient [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4240bdb9-8306-43fe-8b7a-815e70e28fec\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"4240bdb9-8306-43fe-8b7a-815e70e28fec\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f7d425df-4f7d-4e18-993d-b8a10cdffe22\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f7d425df-4f7d-4e18-993d-b8a10cdffe22\":{\"columnOrder\":[\"967f19a8-3944-4a64-a05f-037bcf1f238c\",\"ea922d0b-14cf-4625-b038-71d6a627f340\"],\"columns\":{\"967f19a8-3944-4a64-a05f-037bcf1f238c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Threat Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ea922d0b-14cf-4625-b038-71d6a627f340\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.clicks_blocked.threat.status\"},\"ea922d0b-14cf-4625-b038-71d6a627f340\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"proofpoint_tap.clicks_blocked\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"967f19a8-3944-4a64-a05f-037bcf1f238c\"],\"layerId\":\"f7d425df-4f7d-4e18-993d-b8a10cdffe22\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ea922d0b-14cf-4625-b038-71d6a627f340\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Blocked Clicks by Threat Status [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"37d32a2d-1d55-4da8-a1f0-4d5ad81c0f89\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"37d32a2d-1d55-4da8-a1f0-4d5ad81c0f89\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4080ef48-91f4-4339-a059-fa6a9d0fcce8\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4080ef48-91f4-4339-a059-fa6a9d0fcce8\":{\"columnOrder\":[\"2f67b930-a92f-41ef-96cd-5d9cc5de8d8d\",\"366f6367-65c3-4e65-8c28-f41b1ef719cf\"],\"columns\":{\"2f67b930-a92f-41ef-96cd-5d9cc5de8d8d\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"366f6367-65c3-4e65-8c28-f41b1ef719cf\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"366f6367-65c3-4e65-8c28-f41b1ef719cf\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"2f67b9
30-a92f-41ef-96cd-5d9cc5de8d8d\",\"isTransposed\":false},{\"columnId\":\"366f6367-65c3-4e65-8c28-f41b1ef719cf\",\"isTransposed\":false}],\"layerId\":\"4080ef48-91f4-4339-a059-fa6a9d0fcce8\",\"layerType\":\"data\"}},\"title\":\"Top 10 Click IP [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3afffe1a-ab24-4a60-bb83-1973840a6b89\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"3afffe1a-ab24-4a60-bb83-1973840a6b89\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"1d744b4f-b6df-4195-bfea-8e64340b7da1\\\",\\\"includeInFitToBounds\\\":true,\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"48984da5-6c09-4c75-86d5-b9c1791d120d\\\",\\\"includeInFitToBounds\\\":true,\\\"label\\\":\\\"Clicks\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"35e48033-3f9a-4228-98be-980fff6c70a1\\\",\\\"metrics\\\":[{\\\"label\\\":\\\"Count\\\",\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"COARSE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"colorRampName\\\":\\\"theclassic\\\",\\\"type\\\":\\\"HEATMAP\\\"},\\\"type\\\":\\\"HEATMAP\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":true},\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\
\\":\\\"#ffffff\\\",\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"hideLayerControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-1y/d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.14}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Clicks on URL by Region [Logs Proofpoint TAP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":270,\"minLat\":-66.51326,\"minLon\":-270},\"mapCenter\":{\"lat\":51.78838,\"lon\":18.18583,\"zoom\":1.14},\"openTOCDetails\":[]},\"gridData\":{\"h\":22,\"i\":\"2e6e0f5d-6968-46c7-9ccf-d0324b2e467f\",\"w\":48,\"x\":0,\"y\":45},\"panelIndex\":\"2e6e0f5d-6968-46c7-9ccf-d0324b2e467f\",\"type\":\"map\",\"version\":\"7.17.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h/h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs Proofpoint TAP] Blocked Clicks", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-3ad578f0-b5a6-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4", - "name": "aa104adb-fbc4-4019-9fda-9f1ca4886d64:panel_aa104adb-fbc4-4019-9fda-9f1ca4886d64", - "type": "search" - }, - { - "id": "logs-*", - "name": 
"39f0263c-ab86-416a-8048-83d13edbdbab:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "39f0263c-ab86-416a-8048-83d13edbdbab:indexpattern-datasource-layer-4ff0e011-970a-4b60-9158-962f4e89fbbe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6f150e5-a82f-453c-867a-3c0f40ba826b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6f150e5-a82f-453c-867a-3c0f40ba826b:indexpattern-datasource-layer-09466534-a461-4fbb-850b-fba8df6b7c37", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b921de2f-edd5-4539-bb51-c94c5ddf4541:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b921de2f-edd5-4539-bb51-c94c5ddf4541:indexpattern-datasource-layer-062ab937-584b-4266-b89a-e0965350fd15", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4240bdb9-8306-43fe-8b7a-815e70e28fec:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4240bdb9-8306-43fe-8b7a-815e70e28fec:indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "37d32a2d-1d55-4da8-a1f0-4d5ad81c0f89:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "37d32a2d-1d55-4da8-a1f0-4d5ad81c0f89:indexpattern-datasource-layer-f7d425df-4f7d-4e18-993d-b8a10cdffe22", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3afffe1a-ab24-4a60-bb83-1973840a6b89:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3afffe1a-ab24-4a60-bb83-1973840a6b89:indexpattern-datasource-layer-4080ef48-91f4-4339-a059-fa6a9d0fcce8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2e6e0f5d-6968-46c7-9ccf-d0324b2e467f:layer_1_source_index_pattern", - "type": 
"index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/dashboard/proofpoint_tap-770903b0-b5aa-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/dashboard/proofpoint_tap-770903b0-b5aa-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 370accc59d..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/dashboard/proofpoint_tap-770903b0-b5aa-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,98 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.clicks_permitted\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":22,\"i\":\"7fe02808-920c-4356-a052-d449b2e57ed5\",\"w\":48,\"x\":0,\"y\":66},\"panelIndex\":\"7fe02808-920c-4356-a052-d449b2e57ed5\",\"panelRefName\":\"panel_7fe02808-920c-4356-a052-d449b2e57ed5\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4ff0e011-970a-4b60-9158-962f4e89fbbe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4ff0e011-970a-4b60-9158-962f4e89fbbe\":{\"columnOrder\":[\"dc762ac8-6645-45a7-ba44-b3fbd0309338\"],\"columns\":{\"dc762ac8-6645-45a7-ba44-b3fbd0309338\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Clicks\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"dc762ac8-6645-45a7-ba44-b3fbd0309338\",\"layerId\":\"4ff0e011-970a-4b60-9158-962f4e89fbbe\",\"layerType\":\"data\"}},\"title\":\"Count of Clicks [Logs Proofpoint 
TAP]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2d93f439-bff8-4e48-b469-fca11e18ba81\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"2d93f439-bff8-4e48-b469-fca11e18ba81\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1c93261b-da1f-4d85-aaaf-3457bdcc6ff4\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1c93261b-da1f-4d85-aaaf-3457bdcc6ff4\":{\"columnOrder\":[\"f13e79eb-00ed-4e68-98b5-b5c927055fec\",\"0466e119-38e8-4d0a-a48f-9b2e7a89d213\"],\"columns\":{\"0466e119-38e8-4d0a-a48f-9b2e7a89d213\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f13e79eb-00ed-4e68-98b5-b5c927055fec\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Classification\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0466e119-38e8-4d0a-a48f-9b2e7a89d213\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.clicks_permitted.classification\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.clicks_permitted\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"f13e79eb-00ed-4e68-98b5-b5c927055fec\"],\"layerId\":\"1c93261b-da1f-4d85-aaaf-3457bdcc6ff4\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"0466e119-38e8-4d0a-a48f-9b2e7a89d213\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Permitted Clicks by Classification 
[Logs Proofpoint TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"05a16b7a-9e32-4398-b547-b44ba5dd1572\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"05a16b7a-9e32-4398-b547-b44ba5dd1572\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c4191f86-9c54-4a06-a3dd-842b3ef7c241\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c4191f86-9c54-4a06-a3dd-842b3ef7c241\":{\"columnOrder\":[\"a3e04efb-2f37-464b-a6f2-23c0e19d790d\",\"40a5f8c4-9eb3-4dcf-8520-acdb820944df\"],\"columns\":{\"40a5f8c4-9eb3-4dcf-8520-acdb820944df\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"a3e04efb-2f37-464b-a6f2-23c0e19d790d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Threat Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"40a5f8c4-9eb3-4dcf-8520-acdb820944df\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.clicks_permitted.threat.status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.clicks_permitted\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"a3e04efb-2f37-464b-a6f2-23c0e19d790d\"],\"layerId\":\"c4191f86-9c54-4a06-a3dd-842b3ef7c241\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"40a5f8c4-9eb3-4dcf-8520-acdb820944df\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Permitted Clicks by 
Threat Status [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"771e46d7-ce5c-4c0d-81b2-841e283abf2c\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"771e46d7-ce5c-4c0d-81b2-841e283abf2c\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-062ab937-584b-4266-b89a-e0965350fd15\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"062ab937-584b-4266-b89a-e0965350fd15\":{\"columnOrder\":[\"b4231a92-a121-4d7b-8975-7deb595868c2\",\"e4a9c4a7-4e05-4669-8842-47a87900ad7c\"],\"columns\":{\"b4231a92-a121-4d7b-8975-7deb595868c2\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"URL\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e4a9c4a7-4e05-4669-8842-47a87900ad7c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"url.full\"},\"e4a9c4a7-4e05-4669-8842-47a87900ad7c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"b4231a92-a121-4d7b-8975-7deb595868c2\",\"isTransposed\":false},{\"columnId\":\"e4a9c4a7-4e05-4669-8842-47a87900ad7c\",\"isTransposed\":false}],\"layerId\":\"062ab937-584b-4266-b89a-e0965350fd15\",\"layerType\":\"data\"}},\"title\":\"Top 10 Malicious URL [Logs Proofpoint 
TAP]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"08dc3a8e-380f-4998-b83f-2791b6b8a4a5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"08dc3a8e-380f-4998-b83f-2791b6b8a4a5\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ec2f7bac-2077-4709-9d52-3ae3c0a582de\":{\"columnOrder\":[\"394062e2-3219-4ff0-b930-7dceb79cb5cd\",\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\"],\"columns\":{\"394062e2-3219-4ff0-b930-7dceb79cb5cd\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Recipient\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"email.to.address\"},\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"394062e2-3219-4ff0-b930-7dceb79cb5cd\",\"isTransposed\":false},{\"columnId\":\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\",\"isTransposed\":false}],\"layerId\":\"ec2f7bac-2077-4709-9d52-3ae3c0a582de\",\"layerType\":\"data\"}},\"title\":\"Top 10 Recipient [Logs Proofpoint 
TAP]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"85ab74a3-eb94-47f2-9592-6654f540d9d5\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"85ab74a3-eb94-47f2-9592-6654f540d9d5\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4080ef48-91f4-4339-a059-fa6a9d0fcce8\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4080ef48-91f4-4339-a059-fa6a9d0fcce8\":{\"columnOrder\":[\"2f67b930-a92f-41ef-96cd-5d9cc5de8d8d\",\"366f6367-65c3-4e65-8c28-f41b1ef719cf\"],\"columns\":{\"2f67b930-a92f-41ef-96cd-5d9cc5de8d8d\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"366f6367-65c3-4e65-8c28-f41b1ef719cf\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"366f6367-65c3-4e65-8c28-f41b1ef719cf\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"2f67b930-a92f-41ef-96cd-5d9cc5de8d8d\",\"isTransposed\":false},{\"columnId\":\"366f6367-65c3-4e65-8c28-f41b1ef719cf\",\"isTransposed\":false}],\"layerId\":\"4080ef48-91f4-4339-a059-fa6a9d0fcce8\",\"layerType\":\"data\"}},\"title\":\"Top 10 Click IP [Logs Proofpoint 
TAP]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bae14c77-2488-49e8-87e1-f60be58b1ad9\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"bae14c77-2488-49e8-87e1-f60be58b1ad9\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"1d744b4f-b6df-4195-bfea-8e64340b7da1\\\",\\\"includeInFitToBounds\\\":true,\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"48984da5-6c09-4c75-86d5-b9c1791d120d\\\",\\\"includeInFitToBounds\\\":true,\\\"label\\\":\\\"Clicks\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"35e48033-3f9a-4228-98be-980fff6c70a1\\\",\\\"metrics\\\":[{\\\"label\\\":\\\"Count\\\",\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"COARSE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"colorRampName\\\":\\\"theclassic\\\",\\\"type\\\":\\\"HEATMAP\\\"},\\\"type\\\":\\\"HEATMAP\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":true},\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"hideLayerControl\\\":false,\\\"hideToolbarOverlay\\\":false
,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-1y/d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.14}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Clicks on URL by Region [Logs Proofpoint TAP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":180,\"minLat\":-66.51326,\"minLon\":-180},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":1.14},\"openTOCDetails\":[]},\"gridData\":{\"h\":21,\"i\":\"b4c89de9-9f07-4261-8fd5-554b89dbb714\",\"w\":48,\"x\":0,\"y\":45},\"panelIndex\":\"b4c89de9-9f07-4261-8fd5-554b89dbb714\",\"type\":\"map\",\"version\":\"7.17.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h/h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs Proofpoint TAP] Permitted Clicks", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-770903b0-b5aa-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4", - "name": "7fe02808-920c-4356-a052-d449b2e57ed5:panel_7fe02808-920c-4356-a052-d449b2e57ed5", - "type": "search" - }, - { - "id": "logs-*", - "name": "2d93f439-bff8-4e48-b469-fca11e18ba81:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2d93f439-bff8-4e48-b469-fca11e18ba81:indexpattern-datasource-layer-4ff0e011-970a-4b60-9158-962f4e89fbbe", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "05a16b7a-9e32-4398-b547-b44ba5dd1572:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "05a16b7a-9e32-4398-b547-b44ba5dd1572:indexpattern-datasource-layer-1c93261b-da1f-4d85-aaaf-3457bdcc6ff4", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "771e46d7-ce5c-4c0d-81b2-841e283abf2c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "771e46d7-ce5c-4c0d-81b2-841e283abf2c:indexpattern-datasource-layer-c4191f86-9c54-4a06-a3dd-842b3ef7c241", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "08dc3a8e-380f-4998-b83f-2791b6b8a4a5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "08dc3a8e-380f-4998-b83f-2791b6b8a4a5:indexpattern-datasource-layer-062ab937-584b-4266-b89a-e0965350fd15", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "85ab74a3-eb94-47f2-9592-6654f540d9d5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "85ab74a3-eb94-47f2-9592-6654f540d9d5:indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bae14c77-2488-49e8-87e1-f60be58b1ad9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bae14c77-2488-49e8-87e1-f60be58b1ad9:indexpattern-datasource-layer-4080ef48-91f4-4339-a059-fa6a9d0fcce8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b4c89de9-9f07-4261-8fd5-554b89dbb714:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/proofpoint_tap/0.1.0/kibana/dashboard/proofpoint_tap-9899aae0-b5ad-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/dashboard/proofpoint_tap-9899aae0-b5ad-11ec-a9d0-e94ed15a14b9.json
deleted file mode 100755
index 0f242ce67d..0000000000
--- a/packages/proofpoint_tap/0.1.0/kibana/dashboard/proofpoint_tap-9899aae0-b5ad-11ec-a9d0-e94ed15a14b9.json
+++ /dev/null
@@ -1,158 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.message_blocked\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"e5247373-1ae6-403b-89b5-93281d642883\",\"w\":48,\"x\":0,\"y\":111},\"panelIndex\":\"e5247373-1ae6-403b-89b5-93281d642883\",\"panelRefName\":\"panel_e5247373-1ae6-403b-89b5-93281d642883\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-66e9770d-b676-49a0-b502-b3cf64aae59d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"66e9770d-b676-49a0-b502-b3cf64aae59d\":{\"columnOrder\":[\"7afa9eab-9e68-42c1-a5f8-7891197560e2\"],\"columns\":{\"7afa9eab-9e68-42c1-a5f8-7891197560e2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Messages\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"7afa9eab-9e68-42c1-a5f8-7891197560e2\",\"layerId\":\"66e9770d-b676-49a0-b502-b3cf64aae59d\",\"layerType\":\"data\"}},\"title\":\"Count of Messages [Logs Proofpoint 
TAP]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2cfc095d-92da-4512-bf45-21f3a7508129\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"2cfc095d-92da-4512-bf45-21f3a7508129\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e7630b81-f809-4d49-b269-1788bdbdf649\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e7630b81-f809-4d49-b269-1788bdbdf649\":{\"columnOrder\":[\"8a033b2f-c808-4ae0-b593-862e401fd4d0\",\"ba6e6c21-db26-4ce1-9608-ebc8562ee460\"],\"columns\":{\"8a033b2f-c808-4ae0-b593-862e401fd4d0\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba6e6c21-db26-4ce1-9608-ebc8562ee460\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"},\"ba6e6c21-db26-4ce1-9608-ebc8562ee460\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"8a033b2f-c808-4ae0-b593-862e401fd4d0\",\"isTransposed\":false},{\"columnId\":\"ba6e6c21-db26-4ce1-9608-ebc8562ee460\",\"isTransposed\":false}],\"layerId\":\"e7630b81-f809-4d49-b269-1788bdbdf649\",\"layerType\":\"data\"}},\"title\":\"Top 10 Sender IP [Logs Proofpoint 
TAP]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"efdb9e8c-8541-401c-acc6-767c1a637db4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"efdb9e8c-8541-401c-acc6-767c1a637db4\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-402e61cc-9dba-466f-9269-27b48dd2e4a1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"402e61cc-9dba-466f-9269-27b48dd2e4a1\":{\"columnOrder\":[\"d1076744-9ca0-4908-a16f-ef349e2cd32a\",\"9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241\"],\"columns\":{\"9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"d1076744-9ca0-4908-a16f-ef349e2cd32a\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Disposition\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.message_blocked.message_parts.disposition\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.message_blocked\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d1076744-9ca0-4908-a16f-ef349e2cd32a\"],\"layerId\":\"402e61cc-9dba-466f-9269-27b48dd2e4a1\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Blocked Messages by 
Disposition [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"637266a0-908f-40ee-aa10-55569e7cbd29\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"637266a0-908f-40ee-aa10-55569e7cbd29\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a0987be1-b682-412e-8d46-a4ad00e985c1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a0987be1-b682-412e-8d46-a4ad00e985c1\":{\"columnOrder\":[\"74697bb2-b72f-4b6e-b651-06f50ef31467\",\"87ce1993-56c0-4458-9cb1-ae12af5a629a\"],\"columns\":{\"74697bb2-b72f-4b6e-b651-06f50ef31467\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Rewritten URL\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"87ce1993-56c0-4458-9cb1-ae12af5a629a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.message_blocked.completely_rewritten\"},\"87ce1993-56c0-4458-9cb1-ae12af5a629a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.message_blocked\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"74697bb2-b72f-4b6e-b651-06f50ef31467\"],\"layerId\":\"a0987be1-b682-412e-8d46-a4ad00e985c1\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"87ce1993-56c0-4458-9cb1-ae12af5a629a\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of 
Blocked Messages by Rewritten URL [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3e565fd9-f29d-41b5-a084-7393d29028d9\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"3e565fd9-f29d-41b5-a084-7393d29028d9\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ec2f7bac-2077-4709-9d52-3ae3c0a582de\":{\"columnOrder\":[\"394062e2-3219-4ff0-b930-7dceb79cb5cd\",\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\"],\"columns\":{\"394062e2-3219-4ff0-b930-7dceb79cb5cd\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Recipient\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"email.to.address\"},\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"394062e2-3219-4ff0-b930-7dceb79cb5cd\",\"isTransposed\":false},{\"columnId\":\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\",\"isTransposed\":false}],\"layerId\":\"ec2f7bac-2077-4709-9d52-3ae3c0a582de\",\"layerType\":\"data\"}},\"title\":\"Top 10 Recipient [Logs Proofpoint 
TAP]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2371e369-c82c-4443-bbf5-9d2b119fb9e9\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"2371e369-c82c-4443-bbf5-9d2b119fb9e9\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e327fec5-d799-4b3f-acfc-32c1ecaac682\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e327fec5-d799-4b3f-acfc-32c1ecaac682\":{\"columnOrder\":[\"f096fb9b-5208-4f47-b5a5-0ad3de754fda\",\"8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8\"],\"columns\":{\"8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f096fb9b-5208-4f47-b5a5-0ad3de754fda\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Classification\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.message_blocked.threat_info_map.classification\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.message_blocked\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"f096fb9b-5208-4f47-b5a5-0ad3de754fda\"],\"layerId\":\"e327fec5-d799-4b3f-acfc-32c1ecaac682\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Blocked Messages 
by Threat Classification [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a3d367ee-91bb-421d-b6fc-27daabd46a54\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"a3d367ee-91bb-421d-b6fc-27daabd46a54\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f2e404cb-ffef-4218-a7d7-20a1972f7fe5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f2e404cb-ffef-4218-a7d7-20a1972f7fe5\":{\"columnOrder\":[\"86527e47-1073-45bd-8f35-657f4d277b62\",\"f40e0576-52c6-4c09-8b8e-446699fed30e\"],\"columns\":{\"86527e47-1073-45bd-8f35-657f4d277b62\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Threat Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f40e0576-52c6-4c09-8b8e-446699fed30e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.message_blocked.threat_info_map.threat.status\"},\"f40e0576-52c6-4c09-8b8e-446699fed30e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"proofpoint_tap.message_blocked\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"86527e47-1073-45bd-8f35-657f4d277b62\"],\"layerId\":\"f2e404cb-ffef-4218-a7d7-20a1972f7fe5\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f40e0576-52c6-4c09-8b8e-446699fed30e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Blocked Messages by Threat Status [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3a258b28-29d4-4719-a65e-db1153b954fc\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"3a258b28-29d4-4719-a65e-db1153b954fc\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-01c9ddee-f668-4ee5-8bb6-98e74d2e1439\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"01c9ddee-f668-4ee5-8bb6-98e74d2e1439\":{\"columnOrder\":[\"7d6f8989-f0ce-4a9c-b24e-42c9ad42431d\",\"47666138-8fdd-4735-9a26-d5586276afe9\"],\"columns\":{\"47666138-8fdd-4735-9a26-d5586276afe9\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"7d6f8989-f0ce-4a9c-b24e-42c9ad42431d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Sandbox 
Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"47666138-8fdd-4735-9a26-d5586276afe9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.message_blocked.message_parts.sandbox_status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.message_blocked\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"7d6f8989-f0ce-4a9c-b24e-42c9ad42431d\"],\"layerId\":\"01c9ddee-f668-4ee5-8bb6-98e74d2e1439\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"47666138-8fdd-4735-9a26-d5586276afe9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Blocked Messages by Sandbox Status [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"850608eb-ca33-452f-a129-c4719224c52f\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"850608eb-ca33-452f-a129-c4719224c52f\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b71a1c6d-1b9f-4b5f-ad26-7de6a5601691\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b71a1c6d-1b9f-4b5f-ad26-7de6a5601691\":{\"columnOrder\":[\"73dab922-14a4-4c5c-a297-9873a91dad59\",\"b12333e5-b88d-4a3e-96bb-467efc2745b5\"],\"columns\":{\"73dab922-14a4-4c5c-a297-9873a91dad59\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Threat 
Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b12333e5-b88d-4a3e-96bb-467efc2745b5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.message_blocked.threat_info_map.threat.type\"},\"b12333e5-b88d-4a3e-96bb-467efc2745b5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.message_blocked\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"73dab922-14a4-4c5c-a297-9873a91dad59\"],\"layerId\":\"b71a1c6d-1b9f-4b5f-ad26-7de6a5601691\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b12333e5-b88d-4a3e-96bb-467efc2745b5\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Blocked Messages by Threat Type [Logs Proofpoint 
TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c9517aa1-8122-434d-b93d-719030617688\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"c9517aa1-8122-434d-b93d-719030617688\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-657c0ea2-d756-4c8e-8638-4a2cf8a00bad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"657c0ea2-d756-4c8e-8638-4a2cf8a00bad\":{\"columnOrder\":[\"4507c7f7-7878-40d4-905f-50360a596573\",\"d7959ce0-0861-4dd4-bdb3-42d8578ebd2f\"],\"columns\":{\"4507c7f7-7878-40d4-905f-50360a596573\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Email Mailer\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7959ce0-0861-4dd4-bdb3-42d8578ebd2f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"email.x_mailer\"},\"d7959ce0-0861-4dd4-bdb3-42d8578ebd2f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d7959ce0-0861-4dd4-bdb3-42d8578ebd2f\"],\"layerId\":\"657c0ea2-d756-4c8e-8638-4a2cf8a00bad\",\"layerType\":\"data\",\"seriesType\":\"bar\",\"xAccessor\":\"4507c7f7-7878-40d4-905f-50360a596573\"}],\"legend\":{\"isVisible\":
true,\"position\":\"right\"},\"preferredSeriesType\":\"bar\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Messages by Email X_Mailer [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6b458dd4-988b-44d1-bd30-1bfadd99712b\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"6b458dd4-988b-44d1-bd30-1bfadd99712b\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8bc257b1-f278-4281-b618-12892df43c90\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8bc257b1-f278-4281-b618-12892df43c90\":{\"columnOrder\":[\"bd52eba0-e079-4b31-b053-d6d8e519b21d\",\"a9cf6093-c996-4557-8819-3d2b273e62b0\"],\"columns\":{\"a9cf6093-c996-4557-8819-3d2b273e62b0\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bd52eba0-e079-4b31-b053-d6d8e519b21d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Quarantine Folder\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a9cf6093-c996-4557-8819-3d2b273e62b0\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.message_blocked.quarantine.folder\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"proofpoint_tap.message_blocked\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"a9cf6093-c996-4557-8819-3d2b273e62b0\"],\"layerId\":\"8bc257b1-f278-4281-b618-12892df43c90\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar\",\"showGridlines\":false,\"xAccessor\":\"bd52eba0-e079-4b31-b053-d6d8e519b21d\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Blocked Messages by Quarantine Folder [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"91bf4cc9-d875-476b-afa9-353e6a6115d2\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"91bf4cc9-d875-476b-afa9-353e6a6115d2\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4b31f83f-2fc1-4509-8a5b-0c80eea8c627\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4b31f83f-2fc1-4509-8a5b-0c80eea8c627\":{\"columnOrder\":[\"aec564b0-2091-4304-8a29-d839f9aec0aa\",\"efe56213-9c9c-4215-91cd-907114802d3a\"],\"columns\":{\"aec564b0-2091-4304-8a29-d839f9aec0aa\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Quarantine 
Rule\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"efe56213-9c9c-4215-91cd-907114802d3a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.message_blocked.quarantine.rule\"},\"efe56213-9c9c-4215-91cd-907114802d3a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.message_blocked\\\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"efe56213-9c9c-4215-91cd-907114802d3a\"],\"layerId\":\"4b31f83f-2fc1-4509-8a5b-0c80eea8c627\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar\",\"showGridlines\":false,\"xAccessor\":\"aec564b0-2091-4304-8a29-d839f9aec0aa\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Blocked Messages by Quarantine Rule [Logs Proofpoint 
TAP]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f8ff2974-b1e9-4a81-a5af-8f5d6d13abce\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"f8ff2974-b1e9-4a81-a5af-8f5d6d13abce\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"c6a42104-e390-4c56-8ef8-5bd774773e72\\\",\\\"includeInFitToBounds\\\":true,\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"f8e2c82c-56b8-425d-a79d-ab24baf35f89\\\",\\\"includeInFitToBounds\\\":true,\\\"label\\\":\\\"Sender\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"ce99667c-f3a0-4d3c-b0d0-6e6ba88f1a9e\\\",\\\"metrics\\\":[{\\\"label\\\":\\\"Count\\\",\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"COARSE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"colorRampName\\\":\\\"theclassic\\\",\\\"type\\\":\\\"HEATMAP\\\"},\\\"type\\\":\\\"HEATMAP\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":33.09876,\\\"lon\\\":73.8871},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":true},\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"hideLayerControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"h
ideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-1y/d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.91}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Sender of Messages by Region [Logs Proofpoint TAP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":89.78601,\"maxLon\":720,\"minLat\":-89.78601,\"minLon\":-540},\"mapCenter\":{\"lat\":0,\"lon\":96.98463,\"zoom\":0.12},\"openTOCDetails\":[]},\"gridData\":{\"h\":21,\"i\":\"d40b322b-8b5a-4614-9a7f-f6bf33ba8e7e\",\"w\":48,\"x\":0,\"y\":90},\"panelIndex\":\"d40b322b-8b5a-4614-9a7f-f6bf33ba8e7e\",\"type\":\"map\",\"version\":\"7.17.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h/h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs Proofpoint TAP] Blocked Messages", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-9899aae0-b5ad-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d", - "name": "e5247373-1ae6-403b-89b5-93281d642883:panel_e5247373-1ae6-403b-89b5-93281d642883", - "type": "search" - }, - { - "id": "logs-*", - "name": "2cfc095d-92da-4512-bf45-21f3a7508129:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2cfc095d-92da-4512-bf45-21f3a7508129:indexpattern-datasource-layer-66e9770d-b676-49a0-b502-b3cf64aae59d", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "efdb9e8c-8541-401c-acc6-767c1a637db4:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "efdb9e8c-8541-401c-acc6-767c1a637db4:indexpattern-datasource-layer-e7630b81-f809-4d49-b269-1788bdbdf649", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "637266a0-908f-40ee-aa10-55569e7cbd29:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "637266a0-908f-40ee-aa10-55569e7cbd29:indexpattern-datasource-layer-402e61cc-9dba-466f-9269-27b48dd2e4a1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3e565fd9-f29d-41b5-a084-7393d29028d9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3e565fd9-f29d-41b5-a084-7393d29028d9:indexpattern-datasource-layer-a0987be1-b682-412e-8d46-a4ad00e985c1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2371e369-c82c-4443-bbf5-9d2b119fb9e9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2371e369-c82c-4443-bbf5-9d2b119fb9e9:indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a3d367ee-91bb-421d-b6fc-27daabd46a54:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a3d367ee-91bb-421d-b6fc-27daabd46a54:indexpattern-datasource-layer-e327fec5-d799-4b3f-acfc-32c1ecaac682", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3a258b28-29d4-4719-a65e-db1153b954fc:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3a258b28-29d4-4719-a65e-db1153b954fc:indexpattern-datasource-layer-f2e404cb-ffef-4218-a7d7-20a1972f7fe5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"850608eb-ca33-452f-a129-c4719224c52f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "850608eb-ca33-452f-a129-c4719224c52f:indexpattern-datasource-layer-01c9ddee-f668-4ee5-8bb6-98e74d2e1439", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9517aa1-8122-434d-b93d-719030617688:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9517aa1-8122-434d-b93d-719030617688:indexpattern-datasource-layer-b71a1c6d-1b9f-4b5f-ad26-7de6a5601691", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6b458dd4-988b-44d1-bd30-1bfadd99712b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6b458dd4-988b-44d1-bd30-1bfadd99712b:indexpattern-datasource-layer-657c0ea2-d756-4c8e-8638-4a2cf8a00bad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "91bf4cc9-d875-476b-afa9-353e6a6115d2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "91bf4cc9-d875-476b-afa9-353e6a6115d2:indexpattern-datasource-layer-8bc257b1-f278-4281-b618-12892df43c90", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f8ff2974-b1e9-4a81-a5af-8f5d6d13abce:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f8ff2974-b1e9-4a81-a5af-8f5d6d13abce:indexpattern-datasource-layer-4b31f83f-2fc1-4509-8a5b-0c80eea8c627", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d40b322b-8b5a-4614-9a7f-f6bf33ba8e7e:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/proofpoint_tap/0.1.0/kibana/dashboard/proofpoint_tap-ee5bc100-b5c8-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/dashboard/proofpoint_tap-ee5bc100-b5c8-11ec-a9d0-e94ed15a14b9.json
deleted file mode 100755
index 6fbbba0559..0000000000
--- a/packages/proofpoint_tap/0.1.0/kibana/dashboard/proofpoint_tap-ee5bc100-b5c8-11ec-a9d0-e94ed15a14b9.json
+++ /dev/null
@@ -1,138 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.message_delivered\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"a0cc1e4c-3327-478b-94ec-519ebf9582ab\",\"w\":48,\"x\":0,\"y\":96},\"panelIndex\":\"a0cc1e4c-3327-478b-94ec-519ebf9582ab\",\"panelRefName\":\"panel_a0cc1e4c-3327-478b-94ec-519ebf9582ab\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-66e9770d-b676-49a0-b502-b3cf64aae59d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"66e9770d-b676-49a0-b502-b3cf64aae59d\":{\"columnOrder\":[\"7afa9eab-9e68-42c1-a5f8-7891197560e2\"],\"columns\":{\"7afa9eab-9e68-42c1-a5f8-7891197560e2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Messages\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"7afa9eab-9e68-42c1-a5f8-7891197560e2\",\"layerId\":\"66e9770d-b676-49a0-b502-b3cf64aae59d\",\"layerType\":\"data\"}},\"title\":\"Count of Messages [Logs Proofpoint 
TAP]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"057e2ef6-0316-4896-ab34-8aafca79b009\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"057e2ef6-0316-4896-ab34-8aafca79b009\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e7630b81-f809-4d49-b269-1788bdbdf649\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e7630b81-f809-4d49-b269-1788bdbdf649\":{\"columnOrder\":[\"8a033b2f-c808-4ae0-b593-862e401fd4d0\",\"ba6e6c21-db26-4ce1-9608-ebc8562ee460\"],\"columns\":{\"8a033b2f-c808-4ae0-b593-862e401fd4d0\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba6e6c21-db26-4ce1-9608-ebc8562ee460\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"},\"ba6e6c21-db26-4ce1-9608-ebc8562ee460\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"8a033b2f-c808-4ae0-b593-862e401fd4d0\",\"isTransposed\":false},{\"columnId\":\"ba6e6c21-db26-4ce1-9608-ebc8562ee460\",\"isTransposed\":false}],\"layerId\":\"e7630b81-f809-4d49-b269-1788bdbdf649\",\"layerType\":\"data\"}},\"title\":\"Top 10 Sender IP [Logs Proofpoint 
TAP]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e54a8fb5-eee6-409a-8065-91a4e7b3ac4f\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"e54a8fb5-eee6-409a-8065-91a4e7b3ac4f\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-410012cf-d8df-4277-ac28-305ea82a09a3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"410012cf-d8df-4277-ac28-305ea82a09a3\":{\"columnOrder\":[\"05e673b3-ec58-44eb-ad0b-c88a43e44a8a\",\"68cf8e68-186a-40c7-a199-0463ca8741d8\"],\"columns\":{\"05e673b3-ec58-44eb-ad0b-c88a43e44a8a\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Rewritten URL\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"68cf8e68-186a-40c7-a199-0463ca8741d8\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.message_delivered.completely_rewritten\"},\"68cf8e68-186a-40c7-a199-0463ca8741d8\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.message_delivered\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"05e673b3-ec58-44eb-ad0b-c88a43e44a8a\"],\"layerId\":\"410012cf-d8df-4277-ac28-305ea82a09a3\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"68cf8e68-186a-40c7-a199-0463ca8741d8\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Delivered Messages by 
Rewritten URL [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f5b71bf4-d93b-4383-aee3-0fba04633f7e\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"f5b71bf4-d93b-4383-aee3-0fba04633f7e\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b0d8b2b8-81ef-4c98-bad2-20e10a9d4006\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b0d8b2b8-81ef-4c98-bad2-20e10a9d4006\":{\"columnOrder\":[\"02195bc5-0e17-4c5d-bf4c-5bcf165cd993\",\"22bcb44a-ba59-4c78-a069-277e45c5d6ef\"],\"columns\":{\"02195bc5-0e17-4c5d-bf4c-5bcf165cd993\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Disposition\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"22bcb44a-ba59-4c78-a069-277e45c5d6ef\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.message_delivered.message_parts.disposition\"},\"22bcb44a-ba59-4c78-a069-277e45c5d6ef\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"proofpoint_tap.message_delivered\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"02195bc5-0e17-4c5d-bf4c-5bcf165cd993\"],\"layerId\":\"b0d8b2b8-81ef-4c98-bad2-20e10a9d4006\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"22bcb44a-ba59-4c78-a069-277e45c5d6ef\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Delivered Messages by Disposition [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ddaa2940-7c3a-4d0c-8fad-a87d3d92725a\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"ddaa2940-7c3a-4d0c-8fad-a87d3d92725a\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ec2f7bac-2077-4709-9d52-3ae3c0a582de\":{\"columnOrder\":[\"394062e2-3219-4ff0-b930-7dceb79cb5cd\",\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\"],\"columns\":{\"394062e2-3219-4ff0-b930-7dceb79cb5cd\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Recipient\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"email.to.address\"},\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"
columnId\":\"394062e2-3219-4ff0-b930-7dceb79cb5cd\",\"isTransposed\":false},{\"columnId\":\"8c5a8f23-a89c-459e-8fdb-07844dc1c19f\",\"isTransposed\":false}],\"layerId\":\"ec2f7bac-2077-4709-9d52-3ae3c0a582de\",\"layerType\":\"data\"}},\"title\":\"Top 10 Recipient [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3dc5d286-d7b8-4a47-bd70-7699375f31de\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"3dc5d286-d7b8-4a47-bd70-7699375f31de\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-5b8645f9-f56a-44ea-b567-dad4d9da2824\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"5b8645f9-f56a-44ea-b567-dad4d9da2824\":{\"columnOrder\":[\"bc4689d4-0411-44f9-add5-ffa0705584dc\",\"612fda22-416a-4171-8854-f9cb30a4ae05\"],\"columns\":{\"612fda22-416a-4171-8854-f9cb30a4ae05\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bc4689d4-0411-44f9-add5-ffa0705584dc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Classification\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"612fda22-416a-4171-8854-f9cb30a4ae05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.message_delivered.threat_info_map.classification\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"proofpoint_tap.message_delivered\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"bc4689d4-0411-44f9-add5-ffa0705584dc\"],\"layerId\":\"5b8645f9-f56a-44ea-b567-dad4d9da2824\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"612fda22-416a-4171-8854-f9cb30a4ae05\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Delivered Messages by Threat Classification [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"080a6554-cbad-4aa0-b8a6-d82de9dab805\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"080a6554-cbad-4aa0-b8a6-d82de9dab805\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-17b04f1e-6124-4c6c-9464-e29a98d97bcf\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"17b04f1e-6124-4c6c-9464-e29a98d97bcf\":{\"columnOrder\":[\"20a072f6-3895-45a1-a585-875852453a05\",\"a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0\"],\"columns\":{\"20a072f6-3895-45a1-a585-875852453a05\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Threat 
Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.message_delivered.threat_info_map.threat.status\"},\"a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.message_delivered\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"20a072f6-3895-45a1-a585-875852453a05\"],\"layerId\":\"17b04f1e-6124-4c6c-9464-e29a98d97bcf\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Delivered Messages by Threat Status [Logs Proofpoint 
TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ec9ba9eb-371c-430a-afc5-f6edf039bd91\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"ec9ba9eb-371c-430a-afc5-f6edf039bd91\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-590e841c-2ef7-4ace-b981-4bb9d3160054\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"590e841c-2ef7-4ace-b981-4bb9d3160054\":{\"columnOrder\":[\"7066eb8e-8f19-4826-adbb-7550c8ea2636\",\"1bc5c276-8229-422d-bb16-a63859e6f34c\"],\"columns\":{\"1bc5c276-8229-422d-bb16-a63859e6f34c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"7066eb8e-8f19-4826-adbb-7550c8ea2636\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Sandbox Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"1bc5c276-8229-422d-bb16-a63859e6f34c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.message_delivered.message_parts.sandbox_status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"proofpoint_tap.message_delivered\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"7066eb8e-8f19-4826-adbb-7550c8ea2636\"],\"layerId\":\"590e841c-2ef7-4ace-b981-4bb9d3160054\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"1bc5c276-8229-422d-bb16-a63859e6f34c\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Delivered Messages 
by Sandbox Status [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c1acfbb3-c3ca-436d-b54e-47f288677136\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"c1acfbb3-c3ca-436d-b54e-47f288677136\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ecc13edd-9962-402c-b12e-180cccc46f08\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ecc13edd-9962-402c-b12e-180cccc46f08\":{\"columnOrder\":[\"21d701b1-4d50-4480-94e0-bfd2616489f5\",\"0bc203c5-ff36-4db6-ad1a-441828203815\"],\"columns\":{\"0bc203c5-ff36-4db6-ad1a-441828203815\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"21d701b1-4d50-4480-94e0-bfd2616489f5\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Threat Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0bc203c5-ff36-4db6-ad1a-441828203815\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"proofpoint_tap.message_delivered.threat_info_map.threat.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"proofpoint_tap.message_delivered\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"21d701b1-4d50-4480-94e0-bfd2616489f5\"],\"layerId\":\"ecc13edd-9962-402c-b12e-180cccc46f08\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"0bc203c5-ff36-4db6-ad1a-441828203815\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Delivered Messages by Threat Type [Logs Proofpoint TAP]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f1256b4b-8872-4d25-82cd-5a7004108d91\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"f1256b4b-8872-4d25-82cd-5a7004108d91\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-657c0ea2-d756-4c8e-8638-4a2cf8a00bad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"657c0ea2-d756-4c8e-8638-4a2cf8a00bad\":{\"columnOrder\":[\"4507c7f7-7878-40d4-905f-50360a596573\",\"d7959ce0-0861-4dd4-bdb3-42d8578ebd2f\"],\"columns\":{\"4507c7f7-7878-40d4-905f-50360a596573\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Email 
Mailer\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7959ce0-0861-4dd4-bdb3-42d8578ebd2f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"email.x_mailer\"},\"d7959ce0-0861-4dd4-bdb3-42d8578ebd2f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d7959ce0-0861-4dd4-bdb3-42d8578ebd2f\"],\"layerId\":\"657c0ea2-d756-4c8e-8638-4a2cf8a00bad\",\"layerType\":\"data\",\"seriesType\":\"bar\",\"xAccessor\":\"4507c7f7-7878-40d4-905f-50360a596573\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Messages by Email X_Mailer [Logs Proofpoint 
TAP]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f721f663-e2fd-44c9-88bc-639bff7bc700\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"f721f663-e2fd-44c9-88bc-639bff7bc700\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"c6a42104-e390-4c56-8ef8-5bd774773e72\\\",\\\"includeInFitToBounds\\\":true,\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"f8e2c82c-56b8-425d-a79d-ab24baf35f89\\\",\\\"includeInFitToBounds\\\":true,\\\"label\\\":\\\"Sender\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"ce99667c-f3a0-4d3c-b0d0-6e6ba88f1a9e\\\",\\\"metrics\\\":[{\\\"label\\\":\\\"Count\\\",\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"COARSE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"colorRampName\\\":\\\"theclassic\\\",\\\"type\\\":\\\"HEATMAP\\\"},\\\"type\\\":\\\"HEATMAP\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":33.09876,\\\"lon\\\":73.8871},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":true},\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"hideLayerControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"h
ideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-1y/d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.91}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Sender of Messages by Region [Logs Proofpoint TAP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":180,\"minLat\":-66.51326,\"minLon\":0},\"mapCenter\":{\"lat\":33.09876,\"lon\":73.8871,\"zoom\":1.91},\"openTOCDetails\":[]},\"gridData\":{\"h\":21,\"i\":\"de4c11a4-6831-4ad4-92b6-7dc434430690\",\"w\":48,\"x\":0,\"y\":75},\"panelIndex\":\"de4c11a4-6831-4ad4-92b6-7dc434430690\",\"type\":\"map\",\"version\":\"7.17.0\"}]", - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-24h/h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs Proofpoint TAP] Delivered Messages", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-ee5bc100-b5c8-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d", - "name": "a0cc1e4c-3327-478b-94ec-519ebf9582ab:panel_a0cc1e4c-3327-478b-94ec-519ebf9582ab", - "type": "search" - }, - { - "id": "logs-*", - "name": "057e2ef6-0316-4896-ab34-8aafca79b009:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "057e2ef6-0316-4896-ab34-8aafca79b009:indexpattern-datasource-layer-66e9770d-b676-49a0-b502-b3cf64aae59d", - "type": "index-pattern" - }, - { 
- "id": "logs-*", - "name": "e54a8fb5-eee6-409a-8065-91a4e7b3ac4f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e54a8fb5-eee6-409a-8065-91a4e7b3ac4f:indexpattern-datasource-layer-e7630b81-f809-4d49-b269-1788bdbdf649", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5b71bf4-d93b-4383-aee3-0fba04633f7e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5b71bf4-d93b-4383-aee3-0fba04633f7e:indexpattern-datasource-layer-410012cf-d8df-4277-ac28-305ea82a09a3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ddaa2940-7c3a-4d0c-8fad-a87d3d92725a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ddaa2940-7c3a-4d0c-8fad-a87d3d92725a:indexpattern-datasource-layer-b0d8b2b8-81ef-4c98-bad2-20e10a9d4006", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3dc5d286-d7b8-4a47-bd70-7699375f31de:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3dc5d286-d7b8-4a47-bd70-7699375f31de:indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "080a6554-cbad-4aa0-b8a6-d82de9dab805:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "080a6554-cbad-4aa0-b8a6-d82de9dab805:indexpattern-datasource-layer-5b8645f9-f56a-44ea-b567-dad4d9da2824", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ec9ba9eb-371c-430a-afc5-f6edf039bd91:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ec9ba9eb-371c-430a-afc5-f6edf039bd91:indexpattern-datasource-layer-17b04f1e-6124-4c6c-9464-e29a98d97bcf", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"c1acfbb3-c3ca-436d-b54e-47f288677136:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c1acfbb3-c3ca-436d-b54e-47f288677136:indexpattern-datasource-layer-590e841c-2ef7-4ace-b981-4bb9d3160054", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f1256b4b-8872-4d25-82cd-5a7004108d91:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f1256b4b-8872-4d25-82cd-5a7004108d91:indexpattern-datasource-layer-ecc13edd-9962-402c-b12e-180cccc46f08", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f721f663-e2fd-44c9-88bc-639bff7bc700:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f721f663-e2fd-44c9-88bc-639bff7bc700:indexpattern-datasource-layer-657c0ea2-d756-4c8e-8638-4a2cf8a00bad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "de4c11a4-6831-4ad4-92b6-7dc434430690:layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-22c1fd60-b5a6-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-22c1fd60-b5a6-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 0f2025d8a3..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-22c1fd60-b5a6-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,60 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4ff0e011-970a-4b60-9158-962f4e89fbbe": { - "columnOrder": [ - "dc762ac8-6645-45a7-ba44-b3fbd0309338" - ], - "columns": { - "dc762ac8-6645-45a7-ba44-b3fbd0309338": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Clicks", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "dc762ac8-6645-45a7-ba44-b3fbd0309338", - "layerId": "4ff0e011-970a-4b60-9158-962f4e89fbbe", - "layerType": "data" - } - }, - "title": "Count of Clicks [Logs Proofpoint TAP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-22c1fd60-b5a6-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-4ff0e011-970a-4b60-9158-962f4e89fbbe", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-2e596430-b5ae-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-2e596430-b5ae-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 9ff144aee8..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-2e596430-b5ae-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e7630b81-f809-4d49-b269-1788bdbdf649": { - "columnOrder": [ - "8a033b2f-c808-4ae0-b593-862e401fd4d0", - "ba6e6c21-db26-4ce1-9608-ebc8562ee460" - ], - "columns": { - "8a033b2f-c808-4ae0-b593-862e401fd4d0": { - "customLabel": true, - "dataType": "ip", - "isBucketed": true, - "label": "IP", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "ba6e6c21-db26-4ce1-9608-ebc8562ee460", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "source.ip" - }, - "ba6e6c21-db26-4ce1-9608-ebc8562ee460": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "8a033b2f-c808-4ae0-b593-862e401fd4d0", - "isTransposed": false - }, - { - "columnId": "ba6e6c21-db26-4ce1-9608-ebc8562ee460", - "isTransposed": false - } - ], - "layerId": "e7630b81-f809-4d49-b269-1788bdbdf649", - "layerType": "data" - } - }, - "title": "Top 10 Sender IP [Logs Proofpoint TAP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-2e596430-b5ae-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-e7630b81-f809-4d49-b269-1788bdbdf649", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-31d88f20-b5ca-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-31d88f20-b5ca-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index ea814f0572..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-31d88f20-b5ca-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "17b04f1e-6124-4c6c-9464-e29a98d97bcf": { - "columnOrder": [ - "20a072f6-3895-45a1-a585-875852453a05", - "a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0" - ], - "columns": { - "20a072f6-3895-45a1-a585-875852453a05": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Threat Status", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.message_delivered.threat_info_map.threat.status" - }, - "a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "20a072f6-3895-45a1-a585-875852453a05" - ], - "layerId": "17b04f1e-6124-4c6c-9464-e29a98d97bcf", - "layerType": "data", - "legendDisplay": "default", - "metric": "a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Delivered Messages by Threat Status [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-31d88f20-b5ca-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-17b04f1e-6124-4c6c-9464-e29a98d97bcf", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-32f38a20-b5cc-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-32f38a20-b5cc-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index a4e657b967..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-32f38a20-b5cc-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4080ef48-91f4-4339-a059-fa6a9d0fcce8": { - "columnOrder": [ - "2f67b930-a92f-41ef-96cd-5d9cc5de8d8d", - "366f6367-65c3-4e65-8c28-f41b1ef719cf" - ], - "columns": { - "2f67b930-a92f-41ef-96cd-5d9cc5de8d8d": { - "customLabel": true, - "dataType": "ip", - "isBucketed": true, - "label": "IP", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "366f6367-65c3-4e65-8c28-f41b1ef719cf", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "destination.ip" - }, - "366f6367-65c3-4e65-8c28-f41b1ef719cf": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "2f67b930-a92f-41ef-96cd-5d9cc5de8d8d", - "isTransposed": false - }, - { - "columnId": "366f6367-65c3-4e65-8c28-f41b1ef719cf", - "isTransposed": false - } - ], - "layerId": "4080ef48-91f4-4339-a059-fa6a9d0fcce8", - "layerType": "data" - } - }, - "title": "Top 10 Click IP [Logs Proofpoint TAP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-32f38a20-b5cc-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-4080ef48-91f4-4339-a059-fa6a9d0fcce8", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-3872f3b0-b5ad-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-3872f3b0-b5ad-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 1fb9462f4d..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-3872f3b0-b5ad-11ec-a9d0-e94ed15a14b9.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "66e9770d-b676-49a0-b502-b3cf64aae59d": { - "columnOrder": [ - "7afa9eab-9e68-42c1-a5f8-7891197560e2" - ], - "columns": { - "7afa9eab-9e68-42c1-a5f8-7891197560e2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Messages", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "7afa9eab-9e68-42c1-a5f8-7891197560e2", - "layerId": "66e9770d-b676-49a0-b502-b3cf64aae59d", - "layerType": "data" - } - }, - "title": "Count of Messages [Logs Proofpoint TAP]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-3872f3b0-b5ad-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-66e9770d-b676-49a0-b502-b3cf64aae59d", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-3d9cb8d0-b5b2-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-3d9cb8d0-b5b2-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index b418416124..0000000000 
--- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-3d9cb8d0-b5b2-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,103 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "8bc257b1-f278-4281-b618-12892df43c90": { - "columnOrder": [ - "bd52eba0-e079-4b31-b053-d6d8e519b21d", - "a9cf6093-c996-4557-8819-3d2b273e62b0" - ], - "columns": { - "a9cf6093-c996-4557-8819-3d2b273e62b0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "bd52eba0-e079-4b31-b053-d6d8e519b21d": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Quarantine Folder", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "a9cf6093-c996-4557-8819-3d2b273e62b0", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.message_blocked.quarantine.folder" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" - }, - "visualization": { - "layers": [ - { - "accessors": [ - "a9cf6093-c996-4557-8819-3d2b273e62b0" - ], - "layerId": "8bc257b1-f278-4281-b618-12892df43c90", - "layerType": "data", - "position": "top", - "seriesType": "bar", - "showGridlines": false, - "xAccessor": "bd52eba0-e079-4b31-b053-d6d8e519b21d" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar", - "title": "Empty XY chart", - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "Distribution of Blocked Messages by Quarantine Folder [Logs Proofpoint TAP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-3d9cb8d0-b5b2-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - 
{ - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-8bc257b1-f278-4281-b618-12892df43c90", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-4363e9b0-b5a7-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-4363e9b0-b5a7-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index f1cd9a906c..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-4363e9b0-b5a7-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "09466534-a461-4fbb-850b-fba8df6b7c37": { - "columnOrder": [ - "caef084e-7dca-43d6-8538-a2806796463e", - "8c76f7ef-0d3f-4558-8835-17fa53443a49", - "8c76f7ef-0d3f-4558-8835-17fa53443a49X0" - ], - "columns": { - "8c76f7ef-0d3f-4558-8835-17fa53443a49": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "formula", - "params": { - "formula": "count()", - "isFormulaBroken": false - }, - "references": [ - "8c76f7ef-0d3f-4558-8835-17fa53443a49X0" - ], - "scale": "ratio" - }, - "8c76f7ef-0d3f-4558-8835-17fa53443a49X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of count()", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "caef084e-7dca-43d6-8538-a2806796463e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Classification", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.clicks_blocked.classification" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.clicks_blocked\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "caef084e-7dca-43d6-8538-a2806796463e" - ], - "layerId": "09466534-a461-4fbb-850b-fba8df6b7c37", - "layerType": "data", - "legendDisplay": "default", - "metric": "8c76f7ef-0d3f-4558-8835-17fa53443a49", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Blocked Clicks by Classification [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - 
"coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-4363e9b0-b5a7-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-09466534-a461-4fbb-850b-fba8df6b7c37", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-458b3ce0-b5af-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-458b3ce0-b5af-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 7146fe2aed..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-458b3ce0-b5af-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "402e61cc-9dba-466f-9269-27b48dd2e4a1": { - "columnOrder": [ - "d1076744-9ca0-4908-a16f-ef349e2cd32a", - "9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241" - ], - "columns": { - "9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "d1076744-9ca0-4908-a16f-ef349e2cd32a": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Disposition", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.message_blocked.message_parts.disposition" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "d1076744-9ca0-4908-a16f-ef349e2cd32a" - ], - "layerId": "402e61cc-9dba-466f-9269-27b48dd2e4a1", - "layerType": "data", - "legendDisplay": "default", - "metric": "9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Blocked Messages by Disposition [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-458b3ce0-b5af-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-402e61cc-9dba-466f-9269-27b48dd2e4a1", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-47aeba50-b5c9-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-47aeba50-b5c9-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 2959bdf251..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-47aeba50-b5c9-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "b0d8b2b8-81ef-4c98-bad2-20e10a9d4006": { - "columnOrder": [ - "02195bc5-0e17-4c5d-bf4c-5bcf165cd993", - "22bcb44a-ba59-4c78-a069-277e45c5d6ef" - ], - "columns": { - "02195bc5-0e17-4c5d-bf4c-5bcf165cd993": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Disposition", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "22bcb44a-ba59-4c78-a069-277e45c5d6ef", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.message_delivered.message_parts.disposition" - }, - "22bcb44a-ba59-4c78-a069-277e45c5d6ef": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "02195bc5-0e17-4c5d-bf4c-5bcf165cd993" - ], - "layerId": "b0d8b2b8-81ef-4c98-bad2-20e10a9d4006", - "layerType": "data", - "legendDisplay": "default", - "metric": "22bcb44a-ba59-4c78-a069-277e45c5d6ef", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Delivered Messages by Disposition [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-47aeba50-b5c9-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-b0d8b2b8-81ef-4c98-bad2-20e10a9d4006", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-4b9175c0-b5a8-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-4b9175c0-b5a8-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 6559cea675..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-4b9175c0-b5a8-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "ec2f7bac-2077-4709-9d52-3ae3c0a582de": { - "columnOrder": [ - "394062e2-3219-4ff0-b930-7dceb79cb5cd", - "8c5a8f23-a89c-459e-8fdb-07844dc1c19f" - ], - "columns": { - "394062e2-3219-4ff0-b930-7dceb79cb5cd": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Recipient", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "8c5a8f23-a89c-459e-8fdb-07844dc1c19f", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "email.to.address" - }, - "8c5a8f23-a89c-459e-8fdb-07844dc1c19f": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "394062e2-3219-4ff0-b930-7dceb79cb5cd", - "isTransposed": false - }, - { - "columnId": "8c5a8f23-a89c-459e-8fdb-07844dc1c19f", - "isTransposed": false - } - ], - "layerId": "ec2f7bac-2077-4709-9d52-3ae3c0a582de", - "layerType": "data" - } - }, - "title": "Top 10 Recipient [Logs Proofpoint TAP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-4b9175c0-b5a8-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-5820b4a0-b5b1-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-5820b4a0-b5b1-11ec-a9d0-e94ed15a14b9.json
deleted file mode 100755
index a8d881f6f2..0000000000
--- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-5820b4a0-b5b1-11ec-a9d0-e94ed15a14b9.json
+++ /dev/null
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "01c9ddee-f668-4ee5-8bb6-98e74d2e1439": { - "columnOrder": [ - "7d6f8989-f0ce-4a9c-b24e-42c9ad42431d", - "47666138-8fdd-4735-9a26-d5586276afe9" - ], - "columns": { - "47666138-8fdd-4735-9a26-d5586276afe9": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "7d6f8989-f0ce-4a9c-b24e-42c9ad42431d": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Sandbox Status", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "47666138-8fdd-4735-9a26-d5586276afe9", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.message_blocked.message_parts.sandbox_status" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "7d6f8989-f0ce-4a9c-b24e-42c9ad42431d" - ], - "layerId": "01c9ddee-f668-4ee5-8bb6-98e74d2e1439", - "layerType": "data", - "legendDisplay": "default", - "metric": "47666138-8fdd-4735-9a26-d5586276afe9", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Blocked Messages by Sandbox Status [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-5820b4a0-b5b1-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-01c9ddee-f668-4ee5-8bb6-98e74d2e1439", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-72f5f2d0-b5b2-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-72f5f2d0-b5b2-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index b6b7806761..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-72f5f2d0-b5b2-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,123 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4b31f83f-2fc1-4509-8a5b-0c80eea8c627": { - "columnOrder": [ - "aec564b0-2091-4304-8a29-d839f9aec0aa", - "efe56213-9c9c-4215-91cd-907114802d3a" - ], - "columns": { - "aec564b0-2091-4304-8a29-d839f9aec0aa": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Quarantine Rule", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "efe56213-9c9c-4215-91cd-907114802d3a", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.message_blocked.quarantine.rule" - }, - "efe56213-9c9c-4215-91cd-907114802d3a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "efe56213-9c9c-4215-91cd-907114802d3a" - ], - "layerId": "4b31f83f-2fc1-4509-8a5b-0c80eea8c627", - "layerType": "data", - "position": "top", - "seriesType": "bar", - "showGridlines": false, - "xAccessor": "aec564b0-2091-4304-8a29-d839f9aec0aa" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - 
"yRightExtent": { - "mode": "full" - } - } - }, - "title": "Distribution of Blocked Messages by Quarantine Rule [Logs Proofpoint TAP]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-72f5f2d0-b5b2-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-4b31f83f-2fc1-4509-8a5b-0c80eea8c627", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-80dd97f0-b5ca-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-80dd97f0-b5ca-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index c44707ee39..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-80dd97f0-b5ca-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "590e841c-2ef7-4ace-b981-4bb9d3160054": { - "columnOrder": [ - "7066eb8e-8f19-4826-adbb-7550c8ea2636", - "1bc5c276-8229-422d-bb16-a63859e6f34c" - ], - "columns": { - "1bc5c276-8229-422d-bb16-a63859e6f34c": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "7066eb8e-8f19-4826-adbb-7550c8ea2636": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Sandbox Status", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "1bc5c276-8229-422d-bb16-a63859e6f34c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.message_delivered.message_parts.sandbox_status" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "7066eb8e-8f19-4826-adbb-7550c8ea2636" - ], - "layerId": "590e841c-2ef7-4ace-b981-4bb9d3160054", - "layerType": "data", - "legendDisplay": "default", - "metric": "1bc5c276-8229-422d-bb16-a63859e6f34c", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Delivered Messages by Sandbox Status [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-80dd97f0-b5ca-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-590e841c-2ef7-4ace-b981-4bb9d3160054", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-89f9d420-b5a7-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-89f9d420-b5a7-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 64a8ebea53..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-89f9d420-b5a7-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "f7d425df-4f7d-4e18-993d-b8a10cdffe22": { - "columnOrder": [ - "967f19a8-3944-4a64-a05f-037bcf1f238c", - "ea922d0b-14cf-4625-b038-71d6a627f340" - ], - "columns": { - "967f19a8-3944-4a64-a05f-037bcf1f238c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Threat Status", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "ea922d0b-14cf-4625-b038-71d6a627f340", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.clicks_blocked.threat.status" - }, - "ea922d0b-14cf-4625-b038-71d6a627f340": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.clicks_blocked\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "967f19a8-3944-4a64-a05f-037bcf1f238c" - ], - "layerId": "f7d425df-4f7d-4e18-993d-b8a10cdffe22", - "layerType": "data", - "legendDisplay": "default", - "metric": "ea922d0b-14cf-4625-b038-71d6a627f340", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Blocked Clicks by Threat Status [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-89f9d420-b5a7-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-f7d425df-4f7d-4e18-993d-b8a10cdffe22", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-a0565740-b5af-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-a0565740-b5af-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index a751663f75..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-a0565740-b5af-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "a0987be1-b682-412e-8d46-a4ad00e985c1": { - "columnOrder": [ - "74697bb2-b72f-4b6e-b651-06f50ef31467", - "87ce1993-56c0-4458-9cb1-ae12af5a629a" - ], - "columns": { - "74697bb2-b72f-4b6e-b651-06f50ef31467": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Rewritten URL", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "87ce1993-56c0-4458-9cb1-ae12af5a629a", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.message_blocked.completely_rewritten" - }, - "87ce1993-56c0-4458-9cb1-ae12af5a629a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "74697bb2-b72f-4b6e-b651-06f50ef31467" - ], - "layerId": "a0987be1-b682-412e-8d46-a4ad00e985c1", - "layerType": "data", - "legendDisplay": "default", - "metric": "87ce1993-56c0-4458-9cb1-ae12af5a629a", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Blocked Messages by Rewritten URL [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-a0565740-b5af-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-a0987be1-b682-412e-8d46-a4ad00e985c1", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-a1aed070-b5b1-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-a1aed070-b5b1-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 1ee34ed790..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-a1aed070-b5b1-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "b71a1c6d-1b9f-4b5f-ad26-7de6a5601691": { - "columnOrder": [ - "73dab922-14a4-4c5c-a297-9873a91dad59", - "b12333e5-b88d-4a3e-96bb-467efc2745b5" - ], - "columns": { - "73dab922-14a4-4c5c-a297-9873a91dad59": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Threat Type", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "b12333e5-b88d-4a3e-96bb-467efc2745b5", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.message_blocked.threat_info_map.threat.type" - }, - "b12333e5-b88d-4a3e-96bb-467efc2745b5": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "73dab922-14a4-4c5c-a297-9873a91dad59" - ], - "layerId": "b71a1c6d-1b9f-4b5f-ad26-7de6a5601691", - "layerType": "data", - "legendDisplay": "default", - "metric": "b12333e5-b88d-4a3e-96bb-467efc2745b5", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Blocked Messages by Threat Type [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-a1aed070-b5b1-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-b71a1c6d-1b9f-4b5f-ad26-7de6a5601691", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-b2134d80-b5aa-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-b2134d80-b5aa-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index d36afe3d9c..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-b2134d80-b5aa-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "1c93261b-da1f-4d85-aaaf-3457bdcc6ff4": { - "columnOrder": [ - "f13e79eb-00ed-4e68-98b5-b5c927055fec", - "0466e119-38e8-4d0a-a48f-9b2e7a89d213" - ], - "columns": { - "0466e119-38e8-4d0a-a48f-9b2e7a89d213": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "f13e79eb-00ed-4e68-98b5-b5c927055fec": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Classification", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0466e119-38e8-4d0a-a48f-9b2e7a89d213", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.clicks_permitted.classification" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.clicks_permitted\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "f13e79eb-00ed-4e68-98b5-b5c927055fec" - ], - "layerId": "1c93261b-da1f-4d85-aaaf-3457bdcc6ff4", - "layerType": "data", - "legendDisplay": "default", - "metric": "0466e119-38e8-4d0a-a48f-9b2e7a89d213", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Permitted Clicks by Classification [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-b2134d80-b5aa-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-1c93261b-da1f-4d85-aaaf-3457bdcc6ff4", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-bb5e8d80-b5ca-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-bb5e8d80-b5ca-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 0f67deea68..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-bb5e8d80-b5ca-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "ecc13edd-9962-402c-b12e-180cccc46f08": { - "columnOrder": [ - "21d701b1-4d50-4480-94e0-bfd2616489f5", - "0bc203c5-ff36-4db6-ad1a-441828203815" - ], - "columns": { - "0bc203c5-ff36-4db6-ad1a-441828203815": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "21d701b1-4d50-4480-94e0-bfd2616489f5": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Threat Type", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0bc203c5-ff36-4db6-ad1a-441828203815", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.message_delivered.threat_info_map.threat.type" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "21d701b1-4d50-4480-94e0-bfd2616489f5" - ], - "layerId": "ecc13edd-9962-402c-b12e-180cccc46f08", - "layerType": "data", - "legendDisplay": "default", - "metric": "0bc203c5-ff36-4db6-ad1a-441828203815", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Delivered Messages by Threat Type [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-bb5e8d80-b5ca-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-ecc13edd-9962-402c-b12e-180cccc46f08", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-d3107d90-b5c9-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-d3107d90-b5c9-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index f7ce515a06..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-d3107d90-b5c9-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "5b8645f9-f56a-44ea-b567-dad4d9da2824": { - "columnOrder": [ - "bc4689d4-0411-44f9-add5-ffa0705584dc", - "612fda22-416a-4171-8854-f9cb30a4ae05" - ], - "columns": { - "612fda22-416a-4171-8854-f9cb30a4ae05": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "bc4689d4-0411-44f9-add5-ffa0705584dc": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Classification", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "612fda22-416a-4171-8854-f9cb30a4ae05", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.message_delivered.threat_info_map.classification" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "bc4689d4-0411-44f9-add5-ffa0705584dc" - ], - "layerId": "5b8645f9-f56a-44ea-b567-dad4d9da2824", - "layerType": "data", - "legendDisplay": "default", - "metric": "612fda22-416a-4171-8854-f9cb30a4ae05", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Delivered Messages by Threat Classification [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-d3107d90-b5c9-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-5b8645f9-f56a-44ea-b567-dad4d9da2824", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-d3560780-b5c8-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-d3560780-b5c8-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 6660eaa4fe..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-d3560780-b5c8-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "410012cf-d8df-4277-ac28-305ea82a09a3": { - "columnOrder": [ - "05e673b3-ec58-44eb-ad0b-c88a43e44a8a", - "68cf8e68-186a-40c7-a199-0463ca8741d8" - ], - "columns": { - "05e673b3-ec58-44eb-ad0b-c88a43e44a8a": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Rewritten URL", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "68cf8e68-186a-40c7-a199-0463ca8741d8", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.message_delivered.completely_rewritten" - }, - "68cf8e68-186a-40c7-a199-0463ca8741d8": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "05e673b3-ec58-44eb-ad0b-c88a43e44a8a" - ], - "layerId": "410012cf-d8df-4277-ac28-305ea82a09a3", - "layerType": "data", - "legendDisplay": "default", - "metric": "68cf8e68-186a-40c7-a199-0463ca8741d8", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Delivered Messages by Rewritten URL [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-d3560780-b5c8-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-410012cf-d8df-4277-ac28-305ea82a09a3", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-dc148bf0-b5a8-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-dc148bf0-b5a8-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 0a16c6c33b..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-dc148bf0-b5a8-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "062ab937-584b-4266-b89a-e0965350fd15": { - "columnOrder": [ - "b4231a92-a121-4d7b-8975-7deb595868c2", - "e4a9c4a7-4e05-4669-8842-47a87900ad7c" - ], - "columns": { - "b4231a92-a121-4d7b-8975-7deb595868c2": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "URL", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "e4a9c4a7-4e05-4669-8842-47a87900ad7c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "url.full" - }, - "e4a9c4a7-4e05-4669-8842-47a87900ad7c": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "b4231a92-a121-4d7b-8975-7deb595868c2", - "isTransposed": false - }, - { - "columnId": "e4a9c4a7-4e05-4669-8842-47a87900ad7c", - "isTransposed": false - } - ], - "layerId": "062ab937-584b-4266-b89a-e0965350fd15", - "layerType": "data" - } - }, - "title": "Top 10 Malicious URL [Logs Proofpoint TAP]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-dc148bf0-b5a8-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-062ab937-584b-4266-b89a-e0965350fd15", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-e3c98870-b5b0-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-e3c98870-b5b0-11ec-a9d0-e94ed15a14b9.json
deleted file mode 100755
index d771fbe8c0..0000000000
--- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-e3c98870-b5b0-11ec-a9d0-e94ed15a14b9.json
+++ /dev/null
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "f2e404cb-ffef-4218-a7d7-20a1972f7fe5": { - "columnOrder": [ - "86527e47-1073-45bd-8f35-657f4d277b62", - "f40e0576-52c6-4c09-8b8e-446699fed30e" - ], - "columns": { - "86527e47-1073-45bd-8f35-657f4d277b62": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Threat Status", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "f40e0576-52c6-4c09-8b8e-446699fed30e", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.message_blocked.threat_info_map.threat.status" - }, - "f40e0576-52c6-4c09-8b8e-446699fed30e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "86527e47-1073-45bd-8f35-657f4d277b62" - ], - "layerId": "f2e404cb-ffef-4218-a7d7-20a1972f7fe5", - "layerType": "data", - "legendDisplay": "default", - "metric": "f40e0576-52c6-4c09-8b8e-446699fed30e", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Blocked Messages by Threat Status [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-e3c98870-b5b0-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-f2e404cb-ffef-4218-a7d7-20a1972f7fe5", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-e741c9d0-b5b1-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-e741c9d0-b5b1-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 0261506f72..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-e741c9d0-b5b1-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "657c0ea2-d756-4c8e-8638-4a2cf8a00bad": { - "columnOrder": [ - "4507c7f7-7878-40d4-905f-50360a596573", - "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f" - ], - "columns": { - "4507c7f7-7878-40d4-905f-50360a596573": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Email Mailer", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "email.x_mailer" - }, - "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f" - ], - "layerId": "657c0ea2-d756-4c8e-8638-4a2cf8a00bad", - "layerType": "data", - "seriesType": "bar", - "xAccessor": "4507c7f7-7878-40d4-905f-50360a596573" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "Distribution of Messages by Email X_Mailer [Logs Proofpoint TAP]", - "visualizationType": 
"lnsXY" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-e741c9d0-b5b1-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-657c0ea2-d756-4c8e-8638-4a2cf8a00bad", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-eff98e20-b5aa-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-eff98e20-b5aa-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 9b59636ba2..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-eff98e20-b5aa-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "c4191f86-9c54-4a06-a3dd-842b3ef7c241": { - "columnOrder": [ - "a3e04efb-2f37-464b-a6f2-23c0e19d790d", - "40a5f8c4-9eb3-4dcf-8520-acdb820944df" - ], - "columns": { - "40a5f8c4-9eb3-4dcf-8520-acdb820944df": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "a3e04efb-2f37-464b-a6f2-23c0e19d790d": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Threat Status", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "40a5f8c4-9eb3-4dcf-8520-acdb820944df", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.clicks_permitted.threat.status" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.clicks_permitted\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "a3e04efb-2f37-464b-a6f2-23c0e19d790d" - ], - "layerId": "c4191f86-9c54-4a06-a3dd-842b3ef7c241", - "layerType": "data", - "legendDisplay": "default", - "metric": "40a5f8c4-9eb3-4dcf-8520-acdb820944df", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Permitted Clicks by Threat Status [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-eff98e20-b5aa-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-c4191f86-9c54-4a06-a3dd-842b3ef7c241", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-fb0adc60-b5af-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-fb0adc60-b5af-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index ed61751782..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/lens/proofpoint_tap-fb0adc60-b5af-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e327fec5-d799-4b3f-acfc-32c1ecaac682": { - "columnOrder": [ - "f096fb9b-5208-4f47-b5a5-0ad3de754fda", - "8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8" - ], - "columns": { - "8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "f096fb9b-5208-4f47-b5a5-0ad3de754fda": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Classification", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "proofpoint_tap.message_blocked.threat_info_map.classification" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "f096fb9b-5208-4f47-b5a5-0ad3de754fda" - ], - "layerId": "e327fec5-d799-4b3f-acfc-32c1ecaac682", - "layerType": "data", - "legendDisplay": "default", - "metric": "8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "Distribution of Blocked Messages by Threat Classification [Logs Proofpoint TAP]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-fb0adc60-b5af-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "lens": "7.16.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-e327fec5-d799-4b3f-acfc-32c1ecaac682", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/map/proofpoint_tap-31abbc50-b5d6-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/0.1.0/kibana/map/proofpoint_tap-31abbc50-b5d6-11ec-a9d0-e94ed15a14b9.json deleted file mode 100755 index 08fc3fa636..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/map/proofpoint_tap-31abbc50-b5d6-11ec-a9d0-e94ed15a14b9.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"c6a42104-e390-4c56-8ef8-5bd774773e72\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"f8e2c82c-56b8-425d-a79d-ab24baf35f89\",\"includeInFitToBounds\":true,\"label\":\"Sender\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"ce99667c-f3a0-4d3c-b0d0-6e6ba88f1a9e\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"label\":\"Count\",\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", - "mapStateJSON": "{\"center\":{\"lat\":33.09876,\"lon\":73.8871},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-1y/d\",\"to\":\"now\"},\"zoom\":1.91}", - "title": "Sender of Messages by Region [Logs Proofpoint TAP]", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" - }, - "coreMigrationVersion": "7.17.0", - "id": 
"proofpoint_tap-31abbc50-b5d6-11ec-a9d0-e94ed15a14b9", - "migrationVersion": { - "map": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "map" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/map/proofpoint_tap-40a91cd0-c197-11ec-aabc-2f1ab05698f9.json b/packages/proofpoint_tap/0.1.0/kibana/map/proofpoint_tap-40a91cd0-c197-11ec-aabc-2f1ab05698f9.json deleted file mode 100755 index 766158e48e..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/map/proofpoint_tap-40a91cd0-c197-11ec-aabc-2f1ab05698f9.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"1d744b4f-b6df-4195-bfea-8e64340b7da1\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"48984da5-6c09-4c75-86d5-b9c1791d120d\",\"includeInFitToBounds\":true,\"label\":\"Clicks\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"destination.geo.location\",\"id\":\"35e48033-3f9a-4228-98be-980fff6c70a1\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"label\":\"Count\",\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", - "mapStateJSON": "{\"center\":{\"lat\":19.94277,\"lon\":0},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-1y/d\",\"to\":\"now\"},\"zoom\":1.14}", - "title": "Clicks on URL by Region [Logs Proofpoint TAP]", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" - }, - "coreMigrationVersion": "7.17.0", - "id": 
"proofpoint_tap-40a91cd0-c197-11ec-aabc-2f1ab05698f9", - "migrationVersion": { - "map": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "map" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/search/proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d.json b/packages/proofpoint_tap/0.1.0/kibana/search/proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d.json deleted file mode 100755 index 7ab5f27bd4..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/search/proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d.json +++ /dev/null @@ -1,37 +0,0 @@ -{ - "attributes": { - "columns": [ - "email.message_id", - "email.sender.address", - "email.to.address", - "email.subject", - "source.ip" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Messages Essential Details [Logs Proofpoint TAP]" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/kibana/search/proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4.json b/packages/proofpoint_tap/0.1.0/kibana/search/proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4.json deleted file mode 100755 index ada0cb93cf..0000000000 --- a/packages/proofpoint_tap/0.1.0/kibana/search/proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.created", - "email.message_id", - "email.from.address", - "email.to.address" - ], - "description": "", - "grid": {}, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Clicks Essential Details [Logs Proofpoint TAP]" - }, - "coreMigrationVersion": "7.17.0", - "id": "proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/proofpoint_tap/0.1.0/manifest.yml b/packages/proofpoint_tap/0.1.0/manifest.yml deleted file mode 100755 index 69c83c7db5..0000000000 --- a/packages/proofpoint_tap/0.1.0/manifest.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -format_version: 1.0.0 -name: proofpoint_tap -title: Proofpoint TAP -version: 0.1.0 -license: basic -description: Collect logs from Proofpoint TAP with Elastic Agent. -type: integration -categories: - - security -release: beta -conditions: - kibana.version: ^7.17.0 || ^8.0.0 -screenshots: - - src: /img/proofpoint_tap-screenshot.png - title: Proofpoint TAP blocked clicks dashboard screenshot - size: 600x600 - type: image/png -icons: - - src: /img/proofpoint_tap-logo.svg - title: Proofpoint TAP logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: Proofpoint TAP - title: Proofpoint_TAP logs - description: Collect proofpoint_tap logs. - inputs: - - type: httpjson - title: Collect Proofpoint TAP logs via API - description: Collecting Proofpoint TAP logs via API. - vars: - - name: url - type: text - title: URL - description: Proofpoint TAP URL. Find URL in the console dashboard at the beginning of the web address. - required: true - - name: principal - type: text - title: Principal - description: Principal for the Basic Authentication. - required: true - - name: secret - type: password - title: Secret Key - description: Secret Key for the Basic Authentication. - required: true - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
- multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- -owner: - github: elastic/security-external-integrations diff --git a/packages/pulse_connect_secure/1.0.0/changelog.yml b/packages/pulse_connect_secure/1.0.0/changelog.yml deleted file mode 100755 index 08294e1f18..0000000000 --- a/packages/pulse_connect_secure/1.0.0/changelog.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -# newer versions go on top -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.3.0" - changes: - - description: Update to ECS 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2780 -- version: "0.2.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.2.0" - changes: - - description: Add support for parsing syslog priority values - type: enhancement - link: https://github.com/elastic/integrations/pull/2552 -- version: "0.1.0" - changes: - - description: Update to ECS 8.0 - type: enhancement - link: https://github.com/elastic/integrations/pull/2434 -- version: "0.0.2" - changes: - - description: Regenerate test files using the new GeoIP database - type: bugfix - link: https://github.com/elastic/integrations/pull/2339 -- version: "0.0.1" - changes: - - description: initial release - type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/1998 diff --git a/packages/pulse_connect_secure/1.0.0/data_stream/log/agent/stream/tcp.yml.hbs b/packages/pulse_connect_secure/1.0.0/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 7dd7052361..0000000000 --- a/packages/pulse_connect_secure/1.0.0/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,18 +0,0 @@ -host: "{{syslog_host}}:{{syslog_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file 
diff --git a/packages/pulse_connect_secure/1.0.0/data_stream/log/agent/stream/udp.yml.hbs b/packages/pulse_connect_secure/1.0.0/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index dfe707f6ab..0000000000
--- a/packages/pulse_connect_secure/1.0.0/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,15 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
\ No newline at end of file
diff --git a/packages/pulse_connect_secure/1.0.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/pulse_connect_secure/1.0.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 57cbefc730..0000000000
--- a/packages/pulse_connect_secure/1.0.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,134 +0,0 @@ ---- -description: Pipeline for parsing Pulse Connect Secure logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - - set: - field: observer.vendor - value: Pulse Secure - - set: - field: observer.product - value: Pulse Secure Connect - - set: - field: observer.type - value: vpn - - grok: - field: event.original - patterns: - - '^(<%{NONNEGINT:log.syslog.priority:long}>%{NUMBER}?|%{SYSLOGTIMESTAMP} %{SYSLOGHOST:host.hostname} %{INT}) %{TIMESTAMP_ISO8601:_tmp.timestamp} %{IP:observer.ip} PulseSecure: - - - %{DATE2} - %{SYSLOGHOST:observer.name} - \[%{IPORHOST:client.address}\] %{USERNAME:user.name}?\(%{DATA:pulse_secure.realm}?\)\[%{DATA:pulse_secure.role}\] - %{GREEDYDATA:message}' - pattern_definitions: - TIMESTAMP_ISO8601: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' - DATE2: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND})?' - - date: - field: _tmp.timestamp - target_field: '@timestamp' - timezone: "{{ event.timezone }}" - formats: - - ISO8601 - if: ctx.event?.timezone != null - - date: - field: _tmp.timestamp - target_field: '@timestamp' - formats: - - ISO8601 - if: ctx.event?.timezone == null - - set: - field: event.created - copy_from: '@timestamp' - - convert: - field: client.address - target_field: client.ip - type: ip - ignore_missing: true - - set: - field: event.kind - value: event - - set: - field: event.category - value: network - - grok: - field: message - patterns: - - 'Agent login %{WORD:_tmp.outcome} for %{DATA}%{SESSION} from %{IP} with %{GREEDYDATA:user_agent.original}.' - - 'VPN Tunneling: Session %{WORD:_tmp.type} for user %{SESSION} with %{NOTSPACE:network.type} address %{IP:client.nat.ip}(, hostname %{HOSTNAME:host.name})?' - - "Session %{WORD} from user agent '%{GREEDYDATA:user_agent.original}' %{SESSION}." - - 'Login %{WORD:_tmp.outcome}( %{GREEDYDATA})?. 
Reason: %{GREEDYDATA:event.reason}' - - '^Primary authentication %{WORD_tmp.outcome}' - - '%{SESSION}' - pattern_definitions: - SESSION: \(session:%{SPACE}?%{NOTSPACE:pulse_secure.session.id}\) - ignore_failure: true - - lowercase: - field: network.type - ignore_missing: true - - user_agent: - field: user_agent.original - ignore_failure: true - ignore_missing: true - - set: - field: event.outcome - value: failure - if: 'ctx._tmp?.outcome != null && ["failed"].contains(ctx._tmp?.outcome)' - - set: - field: event.outcome - value: success - if: 'ctx._tmp?.outcome != null && ["successful", "succeeded"].contains(ctx._tmp?.outcome)' - - append: - field: event.type - value: - - connection - - session - - start - if: ctx._tmp?.type != null && ctx._tmp?.type == "started" - - append: - field: event.type - value: - - connection - - session - - end - if: ctx._tmp?.type != null && ctx._tmp?.type == "ended" - # IP Geolocation Lookup - - geoip: - field: client.ip - target_field: client.geo - ignore_missing: true - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: client.ip - target_field: client.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: client.as.asn - target_field: client.as.number - ignore_missing: true - - rename: - field: client.as.organization_name - target_field: client.as.organization.name - ignore_missing: true - - set: - field: source - copy_from: client - - - - - remove: - field: - - _tmp - ignore_missing: true - - remove: - field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: - - set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/pulse_connect_secure/1.0.0/data_stream/log/fields/agent.yml b/packages/pulse_connect_secure/1.0.0/data_stream/log/fields/agent.yml deleted file mode 100755 index 79a7a39864..0000000000 
--- a/packages/pulse_connect_secure/1.0.0/data_stream/log/fields/agent.yml
+++ /dev/null
@@ -1,180 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/pulse_connect_secure/1.0.0/data_stream/log/fields/base-fields.yml b/packages/pulse_connect_secure/1.0.0/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 6ced01af01..0000000000
--- a/packages/pulse_connect_secure/1.0.0/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: pulse_connect_secure
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: pulse_connect_secure.log
-- name: log.source.address
- description: Source address from which the log event was read / sent from.
- type: keyword
-- name: log.flags
- description: Flags for the log file.
- type: keyword
-- name: log.offset
- type: long
- description: Log offset
-- name: input.type
- type: keyword
- description: Input type
diff --git a/packages/pulse_connect_secure/1.0.0/data_stream/log/fields/ecs.yml b/packages/pulse_connect_secure/1.0.0/data_stream/log/fields/ecs.yml
deleted file mode 100755
index c3692c7bef..0000000000
--- a/packages/pulse_connect_secure/1.0.0/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,202 +0,0 @@ -- description: |- - Date/time when the event originated. - This is the date/time extracted from the event, typically representing when the event was generated by the source. - If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. - Required field for all events. - name: '@timestamp' - type: date -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. - Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. - Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. - Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. - name: event.outcome - type: keyword -- description: |- - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
- name: client.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: client.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: client.as.organization.name - type: keyword -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Region name. - name: client.geo.region_name - type: keyword -- description: City name. - name: client.geo.city_name - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: client.geo.location - type: geo_point -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: IP address of the client (IPv4 or IPv6). 
- name: client.ip - type: ip -- description: |- - Translated IP of source based NAT sessions (e.g. internal client to internet). - Typically connections traversing load balancers, firewalls, or routers. - name: client.nat.ip - type: ip -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: IP addresses of the observer. - name: observer.ip - type: ip -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: List of keywords used to tag each event. 
- name: tags - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- description: IP address of the source (IPv4 or IPv6). 
- name: source.ip
- type: ip
-- description: |-
- Translated ip of source based NAT sessions (e.g. internal client to internet)
- Typically connections traversing load balancers, firewalls, or routers.
- name: source.nat.ip
- type: ip
diff --git a/packages/pulse_connect_secure/1.0.0/data_stream/log/fields/fields.yml b/packages/pulse_connect_secure/1.0.0/data_stream/log/fields/fields.yml
deleted file mode 100755
index 865977f758..0000000000
--- a/packages/pulse_connect_secure/1.0.0/data_stream/log/fields/fields.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-- name: pulse_secure.session.id
- type: keyword
- description: >
- test
-
-- name: pulse_secure.realm
- type: keyword
- description: >
- test
-
-- name: pulse_secure.role
- type: keyword
- description: >-
- test
diff --git a/packages/pulse_connect_secure/1.0.0/data_stream/log/manifest.yml b/packages/pulse_connect_secure/1.0.0/data_stream/log/manifest.yml
deleted file mode 100755
index d6c7538634..0000000000
--- a/packages/pulse_connect_secure/1.0.0/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,100 +0,0 @@
-type: logs
-title: Pulse Connect Secure
-streams:
- - input: udp
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: text
- title: Syslog Port
- multi: false
- required: true
- show_user: true
- default: 9514
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - pulse_connect_secure-log
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: udp.yml.hbs
- title: Pulse Connect Secure logs (udp)
- description: Collect Pulse Connect Secure logs using udp input
- - input: tcp
- vars:
- - name: syslog_host
- type: text
- title: Syslog Host
- multi: false
- required: true
- show_user: true
- default: localhost
- - name: syslog_port
- type: text
- title: Syslog Port
- multi: false
- required: true
- show_user: true
- default: 9514
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - pulse_connect_secure-log
- - name: ssl
- type: yaml
- title: TLS configuration
- multi: false
- required: false
- show_user: true
- description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: tcp.yml.hbs
- title: Pulse Connect Secure logs (tcp)
- description: Collect Pulse Connect Secure logs using tcp input
diff --git a/packages/pulse_connect_secure/1.0.0/data_stream/log/sample_event.json b/packages/pulse_connect_secure/1.0.0/data_stream/log/sample_event.json
deleted file mode 100755
index 507cf48f59..0000000000
--- a/packages/pulse_connect_secure/1.0.0/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,124 +0,0 @@ -{ - "@timestamp": "2021-10-19T09:10:35.000+02:00", - "agent": { - "ephemeral_id": "48b94170-8de9-42a4-8608-50484a347a6a", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "client": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156" - }, - "data_stream": { - "dataset": "pulse_connect_secure.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2021-10-19T09:10:35.000+02:00", - "dataset": "pulse_connect_secure.log", - "ingested": "2022-02-03T09:39:02Z", - "kind": "event", - "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.\n", - "outcome": "success", - "timezone": "+02:00" - }, - "host": { - "hostname": "pcs-node1" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.19.0.7:51695" - } - }, - "message": "Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", - "observer": { - "ip": "10.5.2.3", - "name": "pcs-node1", - 
"product": "Pulse Secure Connect", - "type": "vpn", - "vendor": "Pulse Secure" - }, - "pulse_secure": { - "realm": "REALM", - "role": "REALM_ROLES", - "session": { - "id": "sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75" - } - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "pulse_connect_secure-log" - ], - "user": { - "name": "user.name" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Other", - "original": "Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723", - "os": { - "full": "Windows 10", - "name": "Windows", - "version": "10" - } - } -} \ No newline at end of file diff --git a/packages/pulse_connect_secure/1.0.0/docs/README.md b/packages/pulse_connect_secure/1.0.0/docs/README.md deleted file mode 100755 index be731bdde2..0000000000 --- a/packages/pulse_connect_secure/1.0.0/docs/README.md +++ /dev/null 
@@ -1,231 +0,0 @@ -# Pulse Connect Secure Integration - -This integration is for [Pulse Connect Secure](https://www.pulsesecure.net/products/remote-access-overview/). - -## Log - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2021-10-19T09:10:35.000+02:00", - "agent": { - "ephemeral_id": "48b94170-8de9-42a4-8608-50484a347a6a", - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0-beta1" - }, - "client": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156" - }, - "data_stream": { - "dataset": "pulse_connect_secure.log", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "584f3aea-648c-4e58-aba4-32b8f88d4396", - "snapshot": false, - "version": "8.0.0-beta1" - }, - "event": { - "agent_id_status": "verified", - "category": "network", - "created": "2021-10-19T09:10:35.000+02:00", - "dataset": "pulse_connect_secure.log", - "ingested": "2022-02-03T09:39:02Z", - "kind": "event", - "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.\n", - "outcome": "success", - "timezone": "+02:00" - }, - "host": { - "hostname": "pcs-node1" - }, - "input": { - "type": "udp" - }, - "log": { - "source": { - "address": "172.19.0.7:51695" - } - }, - "message": "Agent login succeeded for 
user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", - "observer": { - "ip": "10.5.2.3", - "name": "pcs-node1", - "product": "Pulse Secure Connect", - "type": "vpn", - "vendor": "Pulse Secure" - }, - "pulse_secure": { - "realm": "REALM", - "role": "REALM_ROLES", - "session": { - "id": "sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75" - } - }, - "source": { - "address": "89.160.20.156", - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "pulse_connect_secure-log" - ], - "user": { - "name": "user.name" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Other", - "original": "Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723", - "os": { - "full": "Windows 10", - "name": "Windows", - "version": "10" - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | -| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| client.as.organization.name | Organization name. | keyword | -| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. | keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. 
| object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| pulse_secure.realm | test | keyword | -| pulse_secure.role | test | keyword | -| pulse_secure.session.id | test | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. 
| keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | - diff --git a/packages/pulse_connect_secure/1.0.0/img/pulse_connect_secure.svg b/packages/pulse_connect_secure/1.0.0/img/pulse_connect_secure.svg deleted file mode 100755 index be2244431b..0000000000 --- a/packages/pulse_connect_secure/1.0.0/img/pulse_connect_secure.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/pulse_connect_secure/1.0.0/manifest.yml b/packages/pulse_connect_secure/1.0.0/manifest.yml deleted file mode 100755 index 221ee6509d..0000000000 --- a/packages/pulse_connect_secure/1.0.0/manifest.yml +++ /dev/null 
@@ -1,29 +0,0 @@
-name: pulse_connect_secure
-title: Pulse Connect Secure
-version: 1.0.0
-release: ga
-description: Collect logs from Pulse Connect Secure with Elastic Agent.
-type: integration
-icons:
- - src: /img/pulse_connect_secure.svg
- title: pulse_connect_secure
- size: 300x70
- type: image/svg+xml
-format_version: 1.0.0
-license: basic
-categories: [network, security]
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-policy_templates:
- - name: pulse_connect_secure
- title: Pulse Connect Secure logs
- description: Collect logs from Pulse Connect Secure instances
- inputs:
- - type: udp
- title: "Collect Pulse Connect Secure logs (input: udp)"
- description: "Collecting logs from Pulse Connect Secure instances (input: udp)"
- - type: tcp
- title: "Collect Pulse Connect Secure logs (input: tcp)"
- description: "Collecting logs from Pulse Connect Secure instances (input: tcp)"
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/sentinel_one/0.1.0/changelog.yml b/packages/sentinel_one/0.1.0/changelog.yml
deleted file mode 100755
index d293eb7aeb..0000000000
--- a/packages/sentinel_one/0.1.0/changelog.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-# newer versions go on top
-- version: "0.1.0"
- changes:
- - description: Initial Release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3232
diff --git a/packages/sentinel_one/0.1.0/data_stream/activity/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/0.1.0/data_stream/activity/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index ce51b9aa5e..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/activity/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,51 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: GET
-request.url: {{url}}/web/api/v2.1/activities
-request.transforms:
- - set:
- target: header.Authorization
- value: 'ApiToken {{api_token}}'
- - set:
- target: url.params.limit
- value: '100'
- - set:
- target: url.params.sortBy
- value: 'createdAt'
- - set:
- target: url.params.sortOrder
- value: 'asc'
- - set:
- target: url.params.createdAt__gte
- value: '[[formatDate (parseDate .cursor.last_create_at)]]'
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
-response.pagination:
- - set:
- target: url.params.cursor
- value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]'
- fail_on_template_error: true
-cursor:
- last_create_at:
- value: '[[.last_event.createdAt]]'
-response.split:
- target: body.data
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/sentinel_one/0.1.0/data_stream/activity/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/0.1.0/data_stream/activity/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 9718321412..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/activity/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,408 +0,0 @@ ---- -description: Pipeline for processing activity logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: [malware] - - set: - field: event.type - value: [info] - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - fingerprint: - fields: - - json.createdAt - - json.updatedAt - - json.id - target_field: _id - ignore_missing: true - - date: - field: json.updatedAt - target_field: sentinel_one.activity.updated_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.description - target_field: message - ignore_missing: true - - rename: - field: json.hash - target_field: process.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.hash.sha1}}}' - if: ctx.process?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.osFamily - target_field: os.family - ignore_missing: true - - rename: - field: json.agentUpdatedVersion - target_field: observer.version - ignore_missing: true - - rename: - field: json.groupId - target_field: user.group.id - ignore_missing: true - - rename: - field: json.groupName - target_field: user.group.name - ignore_missing: true - - rename: - field: json.accountId - target_field: sentinel_one.activity.account.id - ignore_missing: true - - rename: - field: json.userId - target_field: user.id - ignore_missing: true - - rename: - field: json.accountName - target_field: sentinel_one.activity.account.name - ignore_missing: true - - rename: - field: json.agentId - target_field: sentinel_one.activity.agent.id - ignore_missing: true - - rename: - field: json.comments - target_field: sentinel_one.activity.comments - ignore_missing: true - - date: - field: json.createdAt - target_field: '@timestamp' - formats: - - ISO8601 - ignore_failure: true - 
- rename: - field: json.primaryDescription - target_field: sentinel_one.activity.description.primary - ignore_missing: true - - rename: - field: json.secondaryDescription - target_field: sentinel_one.activity.description.secondary - ignore_missing: true - - rename: - field: json.id - target_field: sentinel_one.activity.id - ignore_missing: true - - rename: - field: json.siteId - target_field: sentinel_one.activity.site.id - ignore_missing: true - - rename: - field: json.siteName - target_field: sentinel_one.activity.site.name - ignore_missing: true - - rename: - field: json.threatId - target_field: sentinel_one.activity.threat.id - ignore_missing: true - - convert: - field: json.activityType - target_field: sentinel_one.activity.type - type: long - ignore_failure: true - - convert: - field: json.data.accountId - target_field: sentinel_one.activity.data.account.id - type: string - ignore_failure: true - - rename: - field: json.data.accountName - target_field: sentinel_one.activity.data.account.name - ignore_missing: true - - rename: - field: json.data.fullScopeDetails - target_field: sentinel_one.activity.data.fullscope.details - ignore_missing: true - - rename: - field: json.data.fullScopeDetailsPath - target_field: sentinel_one.activity.data.fullscope.details_path - ignore_missing: true - - rename: - field: json.data.groupName - target_field: sentinel_one.activity.data.group_name - ignore_missing: true - - rename: - field: json.data.scopeLevel - target_field: sentinel_one.activity.data.scope.level - ignore_missing: true - - rename: - field: json.data.scopeName - target_field: sentinel_one.activity.data.scope.name - ignore_missing: true - - rename: - field: json.data.siteName - target_field: sentinel_one.activity.data.site.name - ignore_missing: true - - rename: - field: json.data.username - target_field: user.full_name - ignore_missing: true - - append: - field: related.user - value: '{{{user.full_name}}}' - if: ctx.user?.full_name != null - allow_duplicates: 
false - ignore_failure: true - - rename: - field: json.data.byUser - target_field: sentinel_one.activity.data.user.name - ignore_missing: true - - append: - field: related.user - value: '{{{sentinel_one.activity.data.user.name}}}' - if: ctx.sentinel_one?.activity?.data?.user?.name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.data.role - target_field: sentinel_one.activity.data.role - ignore_missing: true - - rename: - field: json.data.roleName - target_field: sentinel_one.activity.data.role_name - ignore_missing: true - - rename: - field: json.data.scopeLevelName - target_field: sentinel_one.activity.data.scope_level.name - ignore_missing: true - - rename: - field: json.data.userScope - target_field: sentinel_one.activity.data.user.scope - ignore_missing: true - - convert: - field: json.data.newValue - target_field: sentinel_one.activity.data.new.value - type: boolean - ignore_failure: true - - convert: - field: json.data.externalIp - type: ip - ignore_failure: true - - geoip: - field: json.data.externalIp - target_field: host.geo - ignore_missing: true - - convert: - field: json.data.ipAddress - type: ip - ignore_failure: true - - geoip: - field: json.data.ipAddress - target_field: host.geo - ignore_missing: true - if: ctx.host?.geo == null - - append: - field: host.ip - value: '{{{json.data.ipAddress}}}' - allow_duplicates: false - ignore_failure: true - - append: - field: host.ip - value: '{{{json.data.externalIp}}}' - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{json.data.ipAddress}}}' - if: ctx.json?.data?.ipAddress != null - allow_duplicates: false - ignore_failure: true - - append: - field: related.ip - value: '{{{json.data.externalIp}}}' - if: ctx.json?.data?.externalIp != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.data.reason - target_field: sentinel_one.activity.data.reason - ignore_missing: true - - rename: - field: json.data.source - 
target_field: sentinel_one.activity.data.source - ignore_missing: true - - rename: - field: json.data.recoveryEmail - target_field: user.email - ignore_missing: true - - rename: - field: json.data.computerName - target_field: host.name - ignore_missing: true - - append: - field: related.hosts - value: '{{{host.name}}}' - if: ctx.host?.name != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.data.system - target_field: sentinel_one.activity.data.system - type: boolean - ignore_failure: true - - rename: - field: json.data.uuid - target_field: sentinel_one.activity.data.uuid - ignore_missing: true - - rename: - field: json.data.group - target_field: sentinel_one.activity.data.group - ignore_missing: true - - rename: - field: json.data.optionalGroups - target_field: sentinel_one.activity.data.optionals_groups - ignore_missing: true - - date: - field: json.data.createdAt - target_field: sentinel_one.activity.data.created_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.data.status - target_field: sentinel_one.activity.data.status - ignore_missing: true - - rename: - field: json.data.fileContentHash - target_field: file.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{file.hash.sha1}}}' - if: ctx.file?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.data.osFamily - target_field: host.os.family - ignore_missing: true - - rename: - field: json.data.confidenceLevel - target_field: sentinel_one.activity.data.confidence.level - ignore_missing: true - - rename: - field: json.data.escapedMaliciousProcessArguments - target_field: sentinel_one.activity.data.malicious.process.arguments - ignore_missing: true - - rename: - field: json.data.fileDisplayName - target_field: file.name - ignore_missing: true - - rename: - field: json.data.filePath - target_field: file.path - ignore_missing: true - - rename: - field: json.data.threatClassification - 
target_field: sentinel_one.activity.data.threat.classification.name - ignore_missing: true - - rename: - field: json.data.threatClassificationSource - target_field: sentinel_one.activity.data.threat.classification.source - ignore_missing: true - - rename: - field: json.data.globalStatus - target_field: sentinel_one.activity.data.global.status - ignore_missing: true - - rename: - field: json.data.newStatus - target_field: sentinel_one.activity.data.new.status - ignore_missing: true - - rename: - field: json.data.originalStatus - target_field: sentinel_one.activity.data.original.status - ignore_missing: true - - rename: - field: json.data.downloadUrl - target_field: sentinel_one.activity.data.downloaded.url - ignore_missing: true - - rename: - field: json.data.description - target_field: sentinel_one.activity.data.description - ignore_missing: true - - rename: - field: json.data.policy - target_field: sentinel_one.activity.data.policy - ignore_missing: true - - convert: - field: json.data.policyName - target_field: sentinel_one.activity.data.policy_name - type: string - ignore_failure: true - - rename: - field: json.data.changedKeys - target_field: sentinel_one.activity.data.changed_keys - ignore_missing: true - - rename: - field: json.data.newConfidenceLevel - target_field: sentinel_one.activity.data.new.confidence_level - ignore_missing: true - - rename: - field: json.data.oldConfidenceLevel - target_field: sentinel_one.activity.data.old.confidence_level - ignore_missing: true - - rename: - field: json.data.attr - target_field: sentinel_one.activity.data.attr - ignore_missing: true - - remove: - field: - - json.data.accountId - - json.data.newValue - - json.data.ipAddress - - json.data.externalIp - - json.data.system - - json.data.policyName - ignore_missing: true - - rename: - field: json.data - target_field: sentinel_one.activity.data.flattened - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: 
ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- set: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/sentinel_one/0.1.0/data_stream/activity/fields/agent.yml b/packages/sentinel_one/0.1.0/data_stream/activity/fields/agent.yml deleted file mode 100755 index 6e1bac042b..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/activity/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/sentinel_one/0.1.0/data_stream/activity/fields/base-fields.yml b/packages/sentinel_one/0.1.0/data_stream/activity/fields/base-fields.yml
deleted file mode 100755
index 281aed0955..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/activity/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: sentinel_one.activity
-- name: event.module
- type: constant_keyword
- description: Event module
- value: sentinel_one
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/sentinel_one/0.1.0/data_stream/activity/fields/ecs.yml b/packages/sentinel_one/0.1.0/data_stream/activity/fields/ecs.yml
deleted file mode 100755
index 7fc58ed847..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/activity/fields/ecs.yml
+++ /dev/null
@@ -1,118 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: Name of the file including the extension, without the directory. - name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: City name. - name: host.geo.city_name - type: keyword -- description: Name of the continent. - name: host.geo.continent_name - type: keyword -- description: Country ISO code. - name: host.geo.country_iso_code - type: keyword -- description: Country name. - name: host.geo.country_name - type: keyword -- description: Longitude and latitude. - name: host.geo.location - type: geo_point -- description: Region ISO code. 
- name: host.geo.region_iso_code - type: keyword -- description: Region name. - name: host.geo.region_name - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Observer version. - name: observer.version - type: keyword -- description: OS family (such as redhat, debian, freebsd, windows). - name: os.family - type: keyword -- description: SHA1 hash. - name: process.hash.sha1 - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier for the group on the system/platform. - name: user.group.id - type: keyword -- description: Name of the group. - name: user.group.name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword 
diff --git a/packages/sentinel_one/0.1.0/data_stream/activity/fields/fields.yml b/packages/sentinel_one/0.1.0/data_stream/activity/fields/fields.yml
deleted file mode 100755
index d1a883dc12..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/activity/fields/fields.yml
+++ /dev/null
@@ -1,222 +0,0 @@
-- name: sentinel_one.activity
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: id
- type: keyword
- description: Related account ID (if applicable).
- - name: name
- type: keyword
- description: Related account name (if applicable).
- - name: agent
- type: group
- fields:
- - name: id
- type: keyword
- description: Related agent (if applicable).
- - name: comments
- type: keyword
- description: Comments.
- - name: data
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: id
- type: keyword
- description: Related account ID (if applicable).
- - name: name
- type: keyword
- description: Related account name (if applicable).
- - name: attr
- type: keyword
- description: Attribute.
- - name: changed_keys
- type: keyword
- description: Changed keys.
- - name: confidence
- type: group
- fields:
- - name: level
- type: keyword
- description: Confidence level.
- - name: created_at
- type: date
- description: Created time.
- - name: description
- type: keyword
- description: Description.
- - name: downloaded
- type: group
- fields:
- - name: url
- type: keyword
- description: Downloaded URL.
- - name: flattened
- type: flattened
- description: Extra activity specific data.
- - name: fullscope
- type: group
- fields:
- - name: details
- type: keyword
- description: fullscope details.
- - name: details_path
- type: keyword
- description: fullscope details path.
- - name: global
- type: group
- fields:
- - name: status
- type: keyword
- description: Global status.
- - name: group
- type: keyword
- description: Related group (if applicable).
- - name: group_name
- type: keyword
- description: Related group name (if applicable).
- - name: malicious
- type: group
- fields:
- - name: process
- type: group
- fields:
- - name: arguments
- type: keyword
- description: Malicious process arguments.
- - name: new
- type: group
- fields:
- - name: confidence_level
- type: keyword
- description: New confidence level.
- - name: status
- type: keyword
- description: Status.
- - name: value
- type: boolean
- description: Value.
- - name: old
- type: group
- fields:
- - name: confidence_level
- type: keyword
- description: Old confidence level.
- - name: optionals_groups
- type: keyword
- description: Optionals groups.
- - name: original
- type: group
- fields:
- - name: status
- type: keyword
- description: Original status.
- - name: policy
- type: flattened
- description: Policy.
- - name: policy_name
- type: keyword
- description: Policy name.
- - name: reason
- type: keyword
- description: Reason.
- - name: role
- type: keyword
- description: Role.
- - name: role_name
- type: keyword
- description: Role name.
- - name: scope
- type: group
- fields:
- - name: level
- type: keyword
- description: Scope Level.
- - name: name
- type: keyword
- description: Scope name.
- - name: scope_level
- type: group
- fields:
- - name: name
- type: keyword
- description: Scope level name.
- - name: site
- type: group
- fields:
- - name: name
- type: keyword
- description: Related site name (if applicable).
- - name: source
- type: keyword
- description: Source.
- - name: status
- type: keyword
- description: Status.
- - name: system
- type: boolean
- description: System.
- - name: threat
- type: group
- fields:
- - name: classification
- type: group
- fields:
- - name: name
- type: keyword
- description: Threat classification name.
- - name: source
- type: keyword
- description: Threat classification source.
- - name: user
- type: group
- fields:
- - name: name
- type: keyword
- description: User name.
- - name: scope
- type: keyword
- description: User scope.
- - name: uuid
- type: keyword
- description: UUID.
- - name: description
- type: group
- fields:
- - name: primary
- type: keyword
- description: Primary description.
- - name: secondary
- type: keyword
- description: Secondary description.
- - name: id
- type: keyword
- description: Activity ID.
- - name: site
- type: group
- fields:
- - name: id
- type: keyword
- description: Related site ID (if applicable).
- - name: name
- type: keyword
- description: Related site name (if applicable).
- - name: threat
- type: group
- fields:
- - name: id
- type: keyword
- description: Related threat ID (if applicable).
- - name: type
- type: long
- description: Activity type.
- - name: updated_at
- type: date
- description: Activity last updated time (UTC).
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/sentinel_one/0.1.0/data_stream/activity/manifest.yml b/packages/sentinel_one/0.1.0/data_stream/activity/manifest.yml
deleted file mode 100755
index c3ede624da..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/activity/manifest.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: Collect Activity logs from SentinelOne
-type: logs
-streams:
- - input: httpjson
- title: Activity logs
- description: Collect activity logs from SentinelOne.
- template_path: httpjson.yml.hbs
- vars:
- - name: initial_interval
- type: text
- title: Initial Interval
- description: How far back to pull the activities from SentinelOne.
- multi: false
- required: true
- show_user: true
- default: 24h
- - name: interval
- type: text
- title: Interval
- description: Duration between requests to the SentinelOne API.
- default: 1m
- multi: false
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - sentinel_one-activity
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/sentinel_one/0.1.0/data_stream/activity/sample_event.json b/packages/sentinel_one/0.1.0/data_stream/activity/sample_event.json
deleted file mode 100755
index 5ce2457ed7..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/activity/sample_event.json
+++ /dev/null
@@ -1,82 +0,0 @@ -{ - "@timestamp": "2022-04-05T16:01:56.995Z", - "agent": { - "ephemeral_id": "f2ec0399-ee92-4b20-8a43-508d761cfc8b", - "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.3" - }, - "data_stream": { - "dataset": "sentinel_one.activity", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d", - "snapshot": false, - "version": "8.1.3" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "malware" - ], - "created": "2022-05-09T12:53:01.467Z", - "dataset": "sentinel_one.activity", - "ingested": "2022-05-09T12:53:02Z", - "kind": "event", - "original": "{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-05T16:01:56.995120Z\",\"data\":{\"accountId\":1234567890123456800,\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/path\",\"groupName\":null,\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"username\":\"test user\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"created Default account.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-05T16:01:56.992136Z\",\"userId\":\"1234567890123456789\"}", - "type": [ - "info" - ] - }, - "input": { - "type": "httpjson" - }, - "related": { - "user": [ - "test user" - ] - }, - "sentinel_one": { - "activity": { - "account": { - "id": "1234567890123456789", - "name": "Default" - }, - "data": { - "account": { - "id": "1234567890123456800", - "name": "Default" - }, - "fullscope": { - "details": "Account Default", - "details_path": "test/path" - }, - "scope": { - "level": "Account", - "name": 
"Default"
- }
- },
- "description": {
- "primary": "created Default account."
- },
- "id": "1234567890123456789",
- "type": 1234,
- "updated_at": "2022-04-05T16:01:56.992Z"
- }
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "sentinel_one-activity"
- ],
- "user": {
- "full_name": "test user",
- "id": "1234567890123456789"
- }
-}
\ No newline at end of file
diff --git a/packages/sentinel_one/0.1.0/data_stream/agent/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/0.1.0/data_stream/agent/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 6d48f7a428..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/agent/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,51 +0,0 @@
-config_version: 2
-interval: {{interval}}
-{{#if proxy_url }}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-request.method: GET
-request.url: {{url}}/web/api/v2.1/agents
-request.transforms:
- - set:
- target: header.Authorization
- value: 'ApiToken {{api_token}}'
- - set:
- target: url.params.limit
- value: '100'
- - set:
- target: url.params.sortBy
- value: 'updatedAt'
- - set:
- target: url.params.sortOrder
- value: 'asc'
- - set:
- target: url.params.updatedAt__gte
- value: '[[formatDate (parseDate .cursor.last_update_at)]]'
- default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
-response.pagination:
- - set:
- target: url.params.cursor
- value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]'
- fail_on_template_error: true
-cursor:
- last_update_at:
- value: '[[.last_event.updatedAt]]'
-response.split:
- target: body.data
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/sentinel_one/0.1.0/data_stream/agent/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/0.1.0/data_stream/agent/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 911dcb4776..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/agent/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,610 +0,0 @@
----
-description: Pipeline for processing agent logs.
-processors:
- - set:
- field: ecs.version
- value: '8.2.0'
- - set:
- field: event.kind
- value: event
- - set:
- field: event.category
- value: [host]
- - set:
- field: event.type
- value: [info]
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- ignore_failure: true
- - rename:
- field: json.accountId
- target_field: sentinel_one.agent.account.id
- ignore_missing: true
- - rename:
- field: json.accountName
- target_field: sentinel_one.agent.account.name
- ignore_missing: true
- - rename:
- field: json.activeDirectory.computerDistinguishedName
- target_field: sentinel_one.agent.active_directory.computer.name
- ignore_missing: true
- - rename:
- field: json.activeDirectory.computerMemberOf
- target_field: sentinel_one.agent.active_directory.computer.member_of
- ignore_missing: true
- - rename:
- field: json.activeDirectory.lastUserDistinguishedName
- target_field: sentinel_one.agent.active_directory.last_user.distinguished_name
- ignore_missing: true
- - rename:
- field: json.activeDirectory.lastUserMemberOf
- target_field: sentinel_one.agent.active_directory.last_user.member_of
- ignore_missing: true
- - rename:
- field: json.activeDirectory.userPrincipalName
- target_field: sentinel_one.agent.active_directory.user.principal_name
- ignore_missing: true
- - rename:
- field: json.activeDirectory.mail
- target_field: sentinel_one.agent.active_directory.mail
- ignore_missing: true
- - convert:
- field: json.activeThreats
- target_field: sentinel_one.agent.active_threats_count
- type: long
- ignore_failure: true
- - rename:
- field: json.agentVersion
- target_field: observer.version
- ignore_missing: true
- - convert:
- field: json.allowRemoteShell
- target_field: sentinel_one.agent.allow_remote_shell
- type: boolean
- ignore_failure: true
- - rename:
- field: json.appsVulnerabilityStatus
- target_field: 
sentinel_one.agent.apps_vulnerability_status
- ignore_missing: true
- - rename:
- field: json.cloudProviders
- target_field: sentinel_one.agent.cloud_provider
- ignore_missing: true
- - rename:
- field: json.computerName
- target_field: host.name
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{{host.name}}}'
- if: ctx.host?.name != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.consoleMigrationStatus
- target_field: sentinel_one.agent.console_migration_status
- ignore_missing: true
- - convert:
- field: json.coreCount
- target_field: sentinel_one.agent.core.count
- type: long
- ignore_failure: true
- - convert:
- field: json.cpuCount
- target_field: sentinel_one.agent.cpu.count
- type: long
- ignore_failure: true
- - rename:
- field: json.cpuId
- target_field: sentinel_one.agent.cpu.id
- ignore_missing: true
- - date:
- field: json.createdAt
- target_field: sentinel_one.agent.created_at
- formats:
- - ISO8601
- ignore_failure: true
- - rename:
- field: json.detectionState
- target_field: sentinel_one.agent.detection_state
- ignore_missing: true
- - rename:
- field: json.domain
- target_field: host.domain
- ignore_missing: true
- - append:
- field: related.hosts
- value: '{{{host.domain}}}'
- if: ctx.host?.domain != null
- allow_duplicates: false
- ignore_failure: true
- - convert:
- field: json.encryptedApplications
- target_field: sentinel_one.agent.encrypted_application
- type: boolean
- ignore_failure: true
- - rename:
- field: json.externalId
- target_field: sentinel_one.agent.external.id
- ignore_missing: true
- - geoip:
- field: json.externalIp
- target_field: host.geo
- ignore_missing: true
- if: ctx.json?.externalIp != null && ctx.json?.externalIp != ''
- - convert:
- field: json.externalIp
- target_field: host.ip
- type: ip
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{host.ip}}}'
- if: ctx.host?.ip != null
- allow_duplicates: false
- ignore_failure: true
- - convert:
- field: 
json.firewallEnabled
- target_field: sentinel_one.agent.firewall_enabled
- type: boolean
- ignore_failure: true
- - date:
- field: json.firstFullModeTime
- target_field: sentinel_one.agent.first_full_mode_time
- formats:
- - ISO8601
- ignore_failure: true
- - rename:
- field: json.groupId
- target_field: group.id
- ignore_missing: true
- - rename:
- field: json.groupIp
- target_field: sentinel_one.agent.group.ip
- ignore_missing: true
- - rename:
- field: json.groupName
- target_field: group.name
- ignore_missing: true
- - date:
- field: json.groupUpdatedAt
- target_field: sentinel_one.agent.group.updated_at
- formats:
- - ISO8601
- ignore_failure: true
- - rename:
- field: json.id
- target_field: host.id
- ignore_missing: true
- - convert:
- field: json.infected
- target_field: sentinel_one.agent.infected
- type: boolean
- ignore_failure: true
- - convert:
- field: json.inRemoteShellSession
- target_field: sentinel_one.agent.in_remote_shell_session
- type: boolean
- ignore_failure: true
- - rename:
- field: json.installerType
- target_field: sentinel_one.agent.installer_type
- ignore_missing: true
- - convert:
- field: json.isActive
- target_field: sentinel_one.agent.is_active
- type: boolean
- ignore_failure: true
- - convert:
- field: json.isDecommissioned
- target_field: sentinel_one.agent.is_decommissioned
- type: boolean
- ignore_failure: true
- - convert:
- field: json.isPendingUninstall
- target_field: sentinel_one.agent.is_pending_uninstall
- type: boolean
- ignore_failure: true
- - convert:
- field: json.isUninstalled
- target_field: sentinel_one.agent.is_uninstalled
- type: boolean
- ignore_failure: true
- - convert:
- field: json.isUpToDate
- target_field: sentinel_one.agent.is_up_to_date
- type: boolean
- ignore_failure: true
- - date:
- field: json.lastActiveDate
- target_field: sentinel_one.agent.last_active_date
- formats:
- - ISO8601
- ignore_failure: true
- - convert:
- field: json.lastIpToMgmt
- target_field: sentinel_one.agent.last_ip_to_mgmt
- 
type: ip
- ignore_failure: true
- - append:
- field: related.ip
- value: '{{{sentinel_one.agent.last_ip_to_mgmt}}}'
- if: ctx.sentinel_one?.agent?.last_ip_to_mgmt != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.lastLoggedInUserName
- target_field: sentinel_one.agent.last_logged_in_user_name
- ignore_missing: true
- - append:
- field: related.user
- value: '{{{sentinel_one.agent.last_logged_in_user_name}}}'
- if: ctx.sentinel_one?.agent?.last_logged_in_user_name != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.licenseKey
- target_field: sentinel_one.agent.license.key
- ignore_missing: true
- - convert:
- field: json.locationEnabled
- target_field: sentinel_one.agent.location.enabled
- type: boolean
- ignore_failure: true
- - rename:
- field: json.locations
- target_field: sentinel_one.agent.locations
- ignore_missing: true
- - rename:
- field: json.locationType
- target_field: sentinel_one.agent.location.type
- ignore_missing: true
- - rename:
- field: json.machineType
- target_field: sentinel_one.agent.machine.type
- ignore_missing: true
- - rename:
- field: json.mitigationMode
- target_field: sentinel_one.agent.mitigation_mode
- ignore_missing: true
- - rename:
- field: json.mitigationModeSuspicious
- target_field: sentinel_one.agent.mitigation_mode_suspicious
- ignore_missing: true
- - rename:
- field: json.modelName
- target_field: sentinel_one.agent.model_name
- ignore_missing: true
- - foreach:
- field: json.networkInterfaces
- processor:
- convert:
- field: _ingest._value.gatewayIp
- target_field: _ingest._value.gateway.ip
- type: ip
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List
- - foreach:
- field: json.networkInterfaces
- processor:
- append:
- field: related.ip
- value: "{{{_ingest._value.gatewayIp}}}"
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- if: 
ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List
- - foreach:
- field: json.networkInterfaces
- processor:
- gsub:
- field: _ingest._value.gatewayMacAddress
- pattern: '[-:.]'
- replacement: '-'
- ignore_missing: true
- ignore_failure: true
- if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List
- - foreach:
- field: json.networkInterfaces
- processor:
- uppercase:
- field: _ingest._value.gatewayMacAddress
- target_field: _ingest._value.gateway.mac
- ignore_missing: true
- ignore_failure: true
- if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List
- - foreach:
- field: json.networkInterfaces
- processor:
- convert:
- field: _ingest._value.inet
- type: ip
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List
- - foreach:
- field: json.networkInterfaces
- processor:
- foreach:
- field: _ingest._value.inet
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List
- - foreach:
- field: json.networkInterfaces
- processor:
- convert:
- field: _ingest._value.inet6
- type: ip
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List
- - foreach:
- field: json.networkInterfaces
- processor:
- foreach:
- field: _ingest._value.inet6
- processor:
- append:
- field: related.ip
- value: '{{{_ingest._value}}}'
- allow_duplicates: false
- ignore_failure: true
- ignore_failure: true
- ignore_failure: true
- if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List
- - foreach:
- field: json.networkInterfaces
- processor:
- append:
- field: host.mac
- value: "{{{_ingest._value.physical}}}"
- 
ignore_failure: true
- ignore_failure: true
- if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List
- - foreach:
- field: json.networkInterfaces
- processor:
- remove:
- field:
- - _ingest._value.physical
- - _ingest._value.gatewayMacAddress
- - _ingest._value.gatewayIp
- ignore_missing: true
- ignore_failure: true
- if: ctx.json?.networkInterfaces != null && ctx.json?.networkInterfaces instanceof List
- - gsub:
- field: host.mac
- pattern: '[-:.]'
- replacement: '-'
- ignore_missing: true
- - uppercase:
- field: host.mac
- ignore_missing: true
- - rename:
- field: json.networkInterfaces
- target_field: sentinel_one.agent.network_interfaces
- ignore_missing: true
- - convert:
- field: json.networkQuarantineEnabled
- target_field: sentinel_one.agent.network_quarantine_enabled
- type: boolean
- ignore_failure: true
- - rename:
- field: json.networkStatus
- target_field: sentinel_one.agent.network_status
- ignore_missing: true
- - rename:
- field: json.operationalState
- target_field: sentinel_one.agent.operational_state
- ignore_missing: true
- - rename:
- field: json.operationalStateExpiration
- target_field: sentinel_one.agent.operational_state_expiration
- ignore_missing: true
- - rename:
- field: json.osArch
- target_field: sentinel_one.agent.os.arch
- ignore_missing: true
- - rename:
- field: json.osName
- target_field: host.os.name
- ignore_missing: true
- - rename:
- field: json.osRevision
- target_field: host.os.version
- ignore_missing: true
- - date:
- field: json.osStartTime
- target_field: sentinel_one.agent.os.start_time
- formats:
- - ISO8601
- ignore_failure: true
- - lowercase:
- field: json.osType
- target_field: host.os.type
- ignore_failure: true
- - rename:
- field: json.osUsername
- target_field: user.name
- ignore_missing: true
- - append:
- field: related.user
- value: '{{{user.name}}}'
- if: ctx.user?.name != null
- allow_duplicates: false
- ignore_failure: true
- - date:
- field: json.policyUpdatedAt
- 
target_field: sentinel_one.agent.policy.updated_at
- formats:
- - ISO8601
- ignore_failure: true
- - rename:
- field: json.rangerStatus
- target_field: sentinel_one.agent.ranger.status
- ignore_missing: true
- - rename:
- field: json.rangerVersion
- target_field: sentinel_one.agent.ranger.version
- ignore_missing: true
- - date:
- field: json.registeredAt
- target_field: sentinel_one.agent.registered_at
- formats:
- - ISO8601
- ignore_failure: true
- - rename:
- field: json.remoteProfilingState
- target_field: sentinel_one.agent.remote_profiling_state
- ignore_missing: true
- - rename:
- field: json.remoteProfilingStateExpiration
- target_field: sentinel_one.agent.remote_profiling_state_expiration
- ignore_missing: true
- - date:
- field: json.scanAbortedAt
- target_field: sentinel_one.agent.scan.aborted_at
- formats:
- - ISO8601
- ignore_failure: true
- - date:
- field: json.scanFinishedAt
- target_field: sentinel_one.agent.scan.finished_at
- formats:
- - ISO8601
- ignore_failure: true
- - date:
- field: json.scanStartedAt
- target_field: sentinel_one.agent.scan.started_at
- formats:
- - ISO8601
- ignore_failure: true
- - rename:
- field: json.scanStatus
- target_field: sentinel_one.agent.scan.status
- ignore_missing: true
- - rename:
- field: json.siteId
- target_field: sentinel_one.agent.site.id
- ignore_missing: true
- - rename:
- field: json.siteName
- target_field: sentinel_one.agent.site.name
- ignore_missing: true
- - rename:
- field: json.storageName
- target_field: sentinel_one.agent.storage.name
- ignore_missing: true
- - rename:
- field: json.storageType
- target_field: sentinel_one.agent.storage.type
- ignore_missing: true
- - convert:
- field: json.threatRebootRequired
- target_field: sentinel_one.agent.threat_reboot_required
- type: boolean
- ignore_failure: true
- - convert:
- field: json.totalMemory
- target_field: sentinel_one.agent.total_memory
- type: long
- ignore_failure: true
- - date:
- field: json.updatedAt
- target_field: '@timestamp'
- 
formats:
- - ISO8601
- ignore_failure: true
- - rename:
- field: json.userActionsNeeded
- target_field: sentinel_one.agent.user_action_needed
- ignore_missing: true
- - rename:
- field: json.uuid
- target_field: sentinel_one.agent.uuid
- ignore_missing: true
- - rename:
- field: json.tags.sentinelone
- target_field: sentinel_one.agent.tags
- ignore_missing: true
- - foreach:
- field: sentinel_one.agent.tags
- processor:
- date:
- field: _ingest._value.assignedAt
- target_field: _ingest._value.assigned_at
- formats:
- - ISO8601
- ignore_failure: true
- ignore_failure: true
- if: ctx.sentinel_one?.agent?.tags != null && ctx.sentinel_one?.agent?.tags instanceof List
- - foreach:
- field: sentinel_one.agent.tags
- processor:
- rename:
- field: _ingest._value.assignedBy
- target_field: _ingest._value.assigned_by
- ignore_missing: true
- ignore_failure: true
- if: ctx.sentinel_one?.agent?.tags != null && ctx.sentinel_one?.agent?.tags instanceof List
- - foreach:
- field: sentinel_one.agent.tags
- processor:
- rename:
- field: _ingest._value.assignedById
- target_field: _ingest._value.assigned_by_id
- ignore_missing: true
- ignore_failure: true
- if: ctx.sentinel_one?.agent?.tags != null && ctx.sentinel_one?.agent?.tags instanceof List
- - foreach:
- field: sentinel_one.agent.tags
- processor:
- remove:
- field:
- - _ingest._value.assignedAt
- ignore_missing: true
- ignore_failure: true
- if: ctx.sentinel_one?.agent?.tags != null && ctx.sentinel_one?.agent?.tags instanceof List
- - remove:
- field: event.original
- if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
- ignore_failure: true
- ignore_missing: true
- - remove:
- field:
- - json
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively.
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
-on_failure:
- - set:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/sentinel_one/0.1.0/data_stream/agent/fields/agent.yml b/packages/sentinel_one/0.1.0/data_stream/agent/fields/agent.yml
deleted file mode 100755
index 6e1bac042b..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/agent/fields/agent.yml
+++ /dev/null
@@ -1,186 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/sentinel_one/0.1.0/data_stream/agent/fields/base-fields.yml b/packages/sentinel_one/0.1.0/data_stream/agent/fields/base-fields.yml
deleted file mode 100755
index 2efd12d530..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/agent/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: sentinel_one
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: sentinel_one.agent
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/sentinel_one/0.1.0/data_stream/agent/fields/ecs.yml b/packages/sentinel_one/0.1.0/data_stream/agent/fields/ecs.yml
deleted file mode 100755
index 948296bc66..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/agent/fields/ecs.yml
+++ /dev/null
@@ -1,91 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: City name. - name: host.geo.city_name - type: keyword -- description: Name of the continent. - name: host.geo.continent_name - type: keyword -- description: Country ISO code. - name: host.geo.country_iso_code - type: keyword -- description: Country name. - name: host.geo.country_name - type: keyword -- description: Longitude and latitude. - name: host.geo.location - type: geo_point -- description: Region ISO code. - name: host.geo.region_iso_code - type: keyword -- description: Region name. 
- name: host.geo.region_name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. - If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/sentinel_one/0.1.0/data_stream/agent/fields/fields.yml b/packages/sentinel_one/0.1.0/data_stream/agent/fields/fields.yml deleted file mode 100755 index 27de0f644d..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/agent/fields/fields.yml +++ /dev/null 
@@ -1,314 +0,0 @@ -- name: sentinel_one.agent - type: group - fields: - - name: account - type: group - fields: - - name: id - type: keyword - description: A reference to the containing account. - - name: name - type: keyword - description: Name of the containing account. - - name: active_directory - type: group - fields: - - name: computer - type: group - fields: - - name: member_of - type: keyword - description: Computer member of. - - name: name - type: keyword - description: Computer distinguished name. - - name: last_user - type: group - fields: - - name: distinguished_name - type: keyword - description: Last user distinguished name. - - name: member_of - type: keyword - description: Last user member of. - - name: mail - type: keyword - description: Mail. - - name: user - type: group - fields: - - name: principal_name - type: keyword - description: User principal name. - - name: active_threats_count - type: long - description: Current number of active threats. - - name: allow_remote_shell - type: boolean - description: Agent is capable and policy enabled for remote shell. - - name: apps_vulnerability_status - type: keyword - description: Apps vulnerability status. - - name: cloud_provider - type: flattened - description: Cloud providers for this agent. - - name: console_migration_status - type: keyword - description: What step the agent is at in the process of migrating to another console, if any. - - name: core - type: group - fields: - - name: count - type: long - description: CPU cores. - - name: cpu - type: group - fields: - - name: count - type: long - description: Number of CPUs. - - name: id - type: keyword - description: CPU model. - - name: created_at - type: date - description: Created at. - - name: detection_state - type: keyword - description: Detection State. - - name: encrypted_application - type: boolean - description: Disk encryption status. 
- - name: external - type: group - fields: - - name: id - type: keyword - description: External ID set by customer. - - name: firewall_enabled - type: boolean - description: Firewall enabled. - - name: first_full_mode_time - type: date - description: Date of the first time the Agent moved to full or slim detection modes. - - name: group - type: group - fields: - - name: ip - type: keyword - description: Group subnet address. - - name: updated_at - type: date - description: Group updated at. - - name: in_remote_shell_session - type: boolean - description: Is the Agent in a remote shell session. - - name: infected - type: boolean - description: Indicates if the Agent has active threats. - - name: installer_type - type: keyword - description: Installer package type (file extension). - - name: is_active - type: boolean - description: Indicates if the agent was recently active. - - name: is_decommissioned - type: boolean - description: Is Agent decommissioned. - - name: is_pending_uninstall - type: boolean - description: Agent with a pending uninstall request. - - name: is_uninstalled - type: boolean - description: Indicates if Agent was removed from the device. - - name: is_up_to_date - type: boolean - description: Indicates if the agent version is up to date. - - name: last_active_date - type: date - description: Last active date. - - name: last_ip_to_mgmt - type: ip - description: The last IP used to connect to the Management console. - - name: last_logged_in_user_name - type: keyword - description: Last logged in user name. - - name: license - type: group - fields: - - name: key - type: keyword - description: License key. - - name: location - type: group - fields: - - name: type - type: keyword - description: Reported location type. - - name: enabled - type: boolean - description: Location enabled. - - name: locations - type: group - description: A list of locations reported by the Agent. - fields: - - name: id - type: keyword - description: Location ID. 
- - name: name - type: keyword - description: Location name. - - name: scope - type: keyword - description: Location scope. - - name: machine - type: group - fields: - - name: type - type: keyword - description: Machine type. - - name: mitigation_mode - type: keyword - description: Agent mitigation mode policy. - - name: mitigation_mode_suspicious - type: keyword - description: Mitigation mode policy for suspicious activity. - - name: model_name - type: keyword - description: Device model. - - name: network_interfaces - type: group - description: Device's network interfaces. - fields: - - name: gateway - type: group - fields: - - name: ip - type: ip - description: The default gateway ip. - - name: mac - type: keyword - description: The default gateway mac address. - - name: id - type: keyword - description: Id. - - name: inet - type: ip - description: IPv4 addresses. - - name: inet6 - type: ip - description: IPv6 addresses. - - name: name - type: keyword - description: Name. - - name: network_quarantine_enabled - type: boolean - description: Network quarantine enabled. - - name: network_status - type: keyword - description: Agent's network connectivity status. - - name: operational_state - type: keyword - description: Agent operational state. - - name: operational_state_expiration - type: keyword - description: Agent operational state expiration. - - name: os - type: group - fields: - - name: arch - type: keyword - description: OS architecture. - - name: start_time - type: date - description: Last boot time. - - name: policy - type: group - fields: - - name: updated_at - type: date - description: Policy updated at. - - name: ranger - type: group - fields: - - name: status - type: keyword - description: Is Agent disabled as a Ranger. - - name: version - type: keyword - description: The version of Ranger. - - name: registered_at - type: date - description: Time of first registration to management console (similar to createdAt). 
- - name: remote_profiling_state - type: keyword - description: Agent remote profiling state. - - name: remote_profiling_state_expiration - type: keyword - description: Agent remote profiling state expiration in seconds. - - name: scan - type: group - fields: - - name: aborted_at - type: date - description: Abort time of last scan (if applicable). - - name: finished_at - type: date - description: Finish time of last scan (if applicable). - - name: started_at - type: date - description: Start time of last scan. - - name: status - type: keyword - description: Last scan status. - - name: site - type: group - fields: - - name: id - type: keyword - description: A reference to the containing site. - - name: name - type: keyword - description: Name of the containing site. - - name: storage - type: group - fields: - - name: name - type: keyword - description: Storage name. - - name: type - type: keyword - description: Storage type. - - name: tags - type: group - fields: - - name: assigned_at - type: date - description: When tag assigned to the agent. - - name: assigned_by - type: keyword - description: full user name who assigned the tag to the agent. - - name: assigned_by_id - type: keyword - description: User ID who assigned the tag to the agent. - - name: id - type: keyword - description: Tag ID. - - name: key - type: keyword - description: Tag key. - - name: value - type: keyword - description: Tag value. - - name: threat_reboot_required - type: boolean - description: Flag representing if the Agent has at least one threat with at least one mitigation action that is pending reboot to succeed. - - name: total_memory - type: long - description: Memory size (MB). - - name: user_action_needed - type: keyword - description: A list of pending user actions. - - name: uuid - type: keyword - description: Agent's universally unique identifier. 
diff --git a/packages/sentinel_one/0.1.0/data_stream/agent/manifest.yml b/packages/sentinel_one/0.1.0/data_stream/agent/manifest.yml deleted file mode 100755 index 9a9d0fa9e4..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/agent/manifest.yml +++ /dev/null @@ -1,50 +0,0 @@ -title: Collect Agent logs from SentinelOne -type: logs -streams: - - input: httpjson - title: Agent logs - description: Collect agent logs from SentinelOne. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the agents from SentinelOne. - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the SentinelOne API. - default: 5m - multi: false - required: true - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - sentinel_one-agent - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/sentinel_one/0.1.0/data_stream/agent/sample_event.json b/packages/sentinel_one/0.1.0/data_stream/agent/sample_event.json deleted file mode 100755 index 4ec2ea0220..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/agent/sample_event.json +++ /dev/null 
@@ -1,189 +0,0 @@ -{ - "@timestamp": "2022-04-07T08:31:47.481Z", - "agent": { - "ephemeral_id": "4ae89055-8911-4591-a3f2-0213bdb1a131", - "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.3" - }, - "data_stream": { - "dataset": "sentinel_one.agent", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d", - "snapshot": false, - "version": "8.1.3" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "host" - ], - "created": "2022-05-09T12:53:53.924Z", - "dataset": "sentinel_one.agent", - "ingested": "2022-05-09T12:53:57Z", - "kind": "event", - "original": "{\"accountId\":\"12345123451234512345\",\"accountName\":\"Account Name\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.x\",\"groupName\":\"Default 
Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"assignedBy\":\"test-user\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"key\":\"key123\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}", - "type": [ - 
"info" - ] - }, - "group": { - "id": "1234567890123456789", - "name": "Default Group" - }, - "host": { - "domain": "WORKGROUP", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "id": "13491234512345", - "ip": "81.2.69.143", - "mac": [ - "00-00-5E-00-53-00" - ], - "name": "user-test", - "os": { - "name": "Linux Server", - "type": "linux", - "version": "1234" - } - }, - "input": { - "type": "httpjson" - }, - "observer": { - "version": "12.x.x.x" - }, - "related": { - "hosts": [ - "user-test", - "WORKGROUP" - ], - "ip": [ - "81.2.69.143", - "81.2.69.145", - "81.2.69.144", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ] - }, - "sentinel_one": { - "agent": { - "account": { - "id": "12345123451234512345", - "name": "Account Name" - }, - "active_threats_count": 7, - "allow_remote_shell": true, - "apps_vulnerability_status": "not_applicable", - "console_migration_status": "N/A", - "core": { - "count": 2 - }, - "cpu": { - "count": 2, - "id": "CPU Name" - }, - "created_at": "2022-03-18T09:12:00.519Z", - "encrypted_application": false, - "firewall_enabled": true, - "group": { - "ip": "81.2.69.x" - }, - "in_remote_shell_session": false, - "infected": true, - "installer_type": ".msi", - "is_active": true, - "is_decommissioned": false, - "is_pending_uninstall": false, - "is_uninstalled": false, - "is_up_to_date": true, - "last_active_date": "2022-03-17T09:51:28.506Z", - "last_ip_to_mgmt": "81.2.69.145", - "location": { - "enabled": true, - "type": "not_applicable" - }, - "machine": { - "type": "server" - }, - "mitigation_mode": "detect", - "mitigation_mode_suspicious": "detect", - "model_name": "Compute Engine", - "network_interfaces": [ - { - "gateway": { - "ip": "81.2.69.145", - "mac": "00-00-5E-00-53-00" - }, - "id": "1234567890123456789", - "inet": [ - "81.2.69.144" - ], - 
"inet6": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "name": "Ethernet" - } - ], - "network_quarantine_enabled": false, - "network_status": "connected", - "operational_state": "na", - "os": { - "arch": "64 bit", - "start_time": "2022-04-06T08:27:14.000Z" - }, - "ranger": { - "status": "Enabled", - "version": "21.x.x.x" - }, - "registered_at": "2022-04-06T08:26:45.515Z", - "remote_profiling_state": "disabled", - "scan": { - "finished_at": "2022-04-06T09:18:21.090Z", - "started_at": "2022-04-06T08:26:52.838Z", - "status": "finished" - }, - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, - "tags": [ - { - "assigned_at": "2018-02-27T04:49:26.257Z", - "assigned_by": "test-user", - "assigned_by_id": "123456789012345678", - "id": "123456789012345678", - "key": "key123", - "value": "value123" - } - ], - "threat_reboot_required": false, - "total_memory": 1234, - "user_action_needed": [ - "reboot_needed" - ], - "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30" - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-agent" - ] -} \ No newline at end of file diff --git a/packages/sentinel_one/0.1.0/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/0.1.0/data_stream/alert/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 7b99acb278..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/alert/agent/stream/httpjson.yml.hbs +++ /dev/null 
@@ -1,51 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: GET -request.url: {{url}}/web/api/v2.1/cloud-detection/alerts -request.transforms: - - set: - target: header.Authorization - value: 'ApiToken {{api_token}}' - - set: - target: url.params.limit - value: '100' - - set: - target: url.params.sortBy - value: 'alertInfoCreatedAt' - - set: - target: url.params.sortOrder - value: 'asc' - - set: - target: url.params.createdAt__gte - value: '[[formatDate (parseDate .cursor.last_create_at)]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' -response.pagination: - - set: - target: url.params.cursor - value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_create_at: - value: '[[.last_event.alertInfo.createdAt]]' -response.split: - target: body.data -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/sentinel_one/0.1.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/0.1.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 830b1753c4..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,621 +0,0 @@ ---- -description: Pipeline for processing alert logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: [malware] - - set: - field: event.type - value: [info] - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - fingerprint: - fields: - - json.alertInfo.createdAt - - json.alertInfo.updatedAt - - json.alertInfo.alertId - target_field: _id - ignore_missing: true - - rename: - field: json.agentDetectionInfo.machineType - target_field: host.type - ignore_missing: true - - rename: - field: json.agentDetectionInfo.name - target_field: host.name - ignore_missing: true - - append: - field: related.hosts - value: '{{{host.name}}}' - if: ctx.host?.name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.agentDetectionInfo.osFamily - target_field: host.os.family - ignore_missing: true - - rename: - field: json.agentDetectionInfo.osRevision - target_field: host.os.version - ignore_missing: true - - rename: - field: json.agentDetectionInfo.siteId - target_field: sentinel_one.alert.agent.site_id - ignore_missing: true - - rename: - field: json.agentDetectionInfo.uuid - target_field: observer.serial_number - ignore_missing: true - - rename: - field: json.agentDetectionInfo.osName - target_field: host.os.name - ignore_missing: true - - rename: - field: json.agentDetectionInfo.version - target_field: observer.version - ignore_missing: true - - date: - field: json.alertInfo.createdAt - target_field: '@timestamp' - if: ctx.json?.alertInfo?.createdAt != null - ignore_failure: true - formats: - - ISO8601 - - convert: - field: json.alertInfo.srcIp - target_field: source.ip - type: ip - ignore_failure: true - - append: - field: related.ip - value: '{{{source.ip}}}' - if: ctx.source?.ip != null - allow_duplicates: false - 
ignore_failure: true - - rename: - field: json.alertInfo.incidentStatus - target_field: sentinel_one.alert.info.status - ignore_missing: true - - rename: - field: json.alertInfo.registryOldValue - target_field: sentinel_one.alert.info.registry.old_value - ignore_missing: true - - rename: - field: json.alertInfo.alertId - target_field: event.id - ignore_missing: true - - convert: - field: json.alertInfo.dstPort - target_field: destination.port - type: long - ignore_failure: true - - rename: - field: json.alertInfo.indicatorName - target_field: sentinel_one.alert.info.indicator.name - ignore_missing: true - - rename: - field: json.alertInfo.registryPath - target_field: registry.path - ignore_missing: true - - rename: - field: json.alertInfo.loginType - target_field: sentinel_one.alert.info.login.type - ignore_missing: true - - convert: - field: json.alertInfo.dstIp - target_field: destination.ip - type: ip - ignore_failure: true - - append: - field: related.ip - value: '{{{destination.ip}}}' - if: ctx.destination?.ip != null - allow_duplicates: false - ignore_failure: true - - date: - field: json.alertInfo.updatedAt - target_field: sentinel_one.alert.info.updated_at - if: ctx.json?.alertInfo?.updatedAt != null - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.alertInfo.indicatorDescription - target_field: sentinel_one.alert.info.indicator.description - ignore_missing: true - - rename: - field: json.alertInfo.loginsUserName - target_field: user.name - ignore_missing: true - - append: - field: related.user - value: '{{{user.name}}}' - allow_duplicates: false - ignore_failure: true - - rename: - field: json.alertInfo.loginIsSuccessful - target_field: sentinel_one.alert.info.login.is_successful - ignore_missing: true - - rename: - field: json.alertInfo.indicatorCategory - target_field: sentinel_one.alert.info.indicator.category - ignore_missing: true - - rename: - field: json.alertInfo.modulePath - target_field: dll.path - ignore_missing: true - - 
rename: - field: json.alertInfo.loginAccountSid - target_field: sentinel_one.alert.info.login.account.sid - ignore_missing: true - - rename: - field: json.alertInfo.dnsResponse - target_field: sentinel_one.alert.info.dns.response - ignore_missing: true - - rename: - field: json.alertInfo.netEventDirection - target_field: network.direction - ignore_missing: true - - rename: - field: json.alertInfo.registryValue - target_field: registry.value - ignore_missing: true - - convert: - field: json.alertInfo.srcMachineIp - target_field: host.ip - type: ip - ignore_failure: true - - append: - field: related.ip - value: '{{{host.ip}}}' - if: ctx.host?.ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.alertInfo.registryOldValueType - target_field: sentinel_one.alert.info.registry.old_value_type - ignore_missing: true - - rename: - field: json.alertInfo.eventType - target_field: sentinel_one.alert.info.event_type - ignore_missing: true - - rename: - field: json.alertInfo.analystVerdict - target_field: sentinel_one.alert.analyst_verdict - ignore_missing: true - - rename: - field: json.alertInfo.dvEventId - target_field: sentinel_one.alert.dv_event.id - ignore_missing: true - - rename: - field: json.alertInfo.dnsRequest - target_field: dns.question.name - ignore_missing: true - - rename: - field: json.alertInfo.loginIsAdministratorEquivalent - target_field: sentinel_one.alert.info.login.is_administrator - ignore_missing: true - - rename: - field: json.alertInfo.loginAccountDomain - target_field: user.domain - ignore_missing: true - - rename: - field: json.alertInfo.tiIndicatorType - target_field: sentinel_one.alert.info.ti_indicator.type - ignore_missing: true - - rename: - field: json.alertInfo.moduleSha1 - target_field: dll.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{dll.hash.sha1}}}' - if: ctx.dll?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: 
json.alertInfo.source - target_field: sentinel_one.alert.info.source - ignore_missing: true - - convert: - field: json.alertInfo.srcPort - target_field: source.port - type: long - ignore_failure: true - - rename: - field: json.alertInfo.tiIndicatorValue - target_field: sentinel_one.alert.info.ti_indicator.value - ignore_missing: true - - rename: - field: json.alertInfo.tiIndicatorSource - target_field: sentinel_one.alert.info.ti_indicator.source - ignore_missing: true - - date: - field: json.alertInfo.reportedAt - target_field: sentinel_one.alert.info.reported_at - if: ctx.json?.alertInfo?.reportedAt != null - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.alertInfo.registryKeyPath - target_field: registry.key - ignore_missing: true - - rename: - field: json.alertInfo.tiIndicatorComparisonMethod - target_field: sentinel_one.alert.info.ti_indicator.comparison_method - ignore_missing: true - - rename: - field: json.alertInfo.hitType - target_field: sentinel_one.alert.info.hit.type - ignore_missing: true - - rename: - field: json.containerInfo.id - target_field: container.id - ignore_missing: true - - rename: - field: json.containerInfo.image - target_field: container.image.name - ignore_missing: true - - rename: - field: json.containerInfo.labels - target_field: sentinel_one.alert.container.info.labels - ignore_missing: true - - rename: - field: json.containerInfo.name - target_field: container.name - ignore_missing: true - - rename: - field: json.kubernetesInfo.cluster - target_field: orchestrator.cluster.name - ignore_missing: true - - rename: - field: json.kubernetesInfo.controllerKind - target_field: sentinel_one.alert.kubernetes.controller.kind - ignore_missing: true - - rename: - field: json.kubernetesInfo.controllerLabels - target_field: sentinel_one.alert.kubernetes.controller.labels - ignore_missing: true - - rename: - field: json.kubernetesInfo.controllerName - target_field: sentinel_one.alert.kubernetes.controller.name - 
ignore_missing: true - - rename: - field: json.kubernetesInfo.namespace - target_field: orchestrator.namespace - ignore_missing: true - - rename: - field: json.kubernetesInfo.namespaceLabels - target_field: sentinel_one.alert.kubernetes.namespace.labels - ignore_missing: true - - rename: - field: json.kubernetesInfo.node - target_field: sentinel_one.alert.kubernetes.node - ignore_missing: true - - rename: - field: json.kubernetesInfo.pod - target_field: sentinel_one.alert.kubernetes.pod.name - ignore_missing: true - - rename: - field: json.kubernetesInfo.podLabels - target_field: sentinel_one.alert.kubernetes.pod.labels - ignore_missing: true - - rename: - field: json.osName - target_field: os.name - ignore_missing: true - - rename: - field: json.ruleInfo.type - target_field: rule.category - ignore_missing: true - - rename: - field: json.ruleInfo.description - target_field: rule.description - ignore_missing: true - - rename: - field: json.ruleInfo.id - target_field: rule.id - ignore_missing: true - - rename: - field: json.ruleInfo.name - target_field: rule.name - ignore_missing: true - - rename: - field: json.ruleInfo.scopeLevel - target_field: sentinel_one.alert.rule.scope_level - ignore_missing: true - - rename: - field: json.ruleInfo.severity - target_field: sentinel_one.alert.rule.severity - ignore_missing: true - - rename: - field: json.ruleInfo.treatAsThreat - target_field: sentinel_one.alert.rule.treat_as_threat - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.commandline - target_field: process.parent.command_line - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.fileHashMd5 - target_field: process.parent.hash.md5 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.parent.hash.md5}}}' - if: ctx.process?.parent?.hash?.md5 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.sourceParentProcessInfo.fileHashSha1 - target_field: process.parent.hash.sha1 - 
ignore_missing: true - - append: - field: related.hash - value: '{{{process.parent.hash.sha1}}}' - if: ctx.process?.parent?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.sourceParentProcessInfo.fileHashSha256 - target_field: process.parent.hash.sha256 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.parent.hash.sha256}}}' - if: ctx.process?.parent?.hash?.sha256 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.sourceParentProcessInfo.filePath - target_field: process.parent.executable - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.fileSignerIdentity - target_field: process.parent.code_signature.signing_id - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.integrityLevel - target_field: sentinel_one.alert.process.parent.integrity_level - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.name - target_field: process.parent.name - ignore_missing: true - - convert: - field: json.sourceParentProcessInfo.pid - target_field: process.parent.pid - type: long - ignore_failure: true - - date: - field: json.sourceParentProcessInfo.pidStarttime - target_field: process.parent.start - if: ctx.json?.sourceParentProcessInfo?.pidStarttime != null - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.sourceParentProcessInfo.storyline - target_field: sentinel_one.alert.process.parent.storyline - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.subsystem - target_field: sentinel_one.alert.process.parent.subsystem - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.uniqueId - target_field: process.parent.entity_id - ignore_missing: true - - rename: - field: json.sourceParentProcessInfo.user - target_field: process.parent.user.name - ignore_missing: true - - rename: - field: json.sourceProcessInfo.commandline - target_field: process.command_line - 
ignore_missing: true - - rename: - field: json.sourceProcessInfo.fileHashMd5 - target_field: process.hash.md5 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.hash.md5}}}' - if: ctx.process?.hash?.md5 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.sourceProcessInfo.fileHashSha1 - target_field: process.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.hash.sha1}}}' - if: ctx.process?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.sourceProcessInfo.fileHashSha256 - target_field: process.hash.sha256 - ignore_missing: true - - append: - field: related.hash - value: '{{{process.hash.sha256}}}' - if: ctx.process?.hash?.sha256 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.sourceProcessInfo.filePath - target_field: process.executable - ignore_missing: true - - rename: - field: json.sourceProcessInfo.fileSignerIdentity - target_field: process.code_signature.signing_id - ignore_missing: true - - rename: - field: json.sourceProcessInfo.integrityLevel - target_field: sentinel_one.alert.process.integrity_level - ignore_missing: true - - rename: - field: json.sourceProcessInfo.name - target_field: process.name - ignore_missing: true - - convert: - field: json.sourceProcessInfo.pid - target_field: process.pid - type: long - ignore_failure: true - - date: - field: json.sourceProcessInfo.pidStarttime - target_field: process.start - if: ctx.json?.sourceProcessInfo?.pidStarttime != null - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.sourceProcessInfo.storyline - target_field: sentinel_one.alert.process.storyline - ignore_missing: true - - rename: - field: json.sourceProcessInfo.subsystem - target_field: sentinel_one.alert.process.subsystem - ignore_missing: true - - rename: - field: json.sourceProcessInfo.uniqueId - target_field: process.entity_id - ignore_missing: true - - 
rename: - field: json.sourceProcessInfo.user - target_field: process.user.name - ignore_missing: true - - date: - field: json.targetProcessInfo.tgtFileCreatedAt - target_field: file.created - if: ctx.json?.targetProcessInfo?.tgtFileCreatedAt != null - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.targetProcessInfo.tgtFileIsSigned - target_field: sentinel_one.alert.target.process.file.is_signed - ignore_missing: true - - rename: - field: json.targetProcessInfo.tgtFileOldPath - target_field: sentinel_one.alert.target.process.file.old_path - ignore_missing: true - - rename: - field: json.targetProcessInfo.tgtProcImagePath - target_field: sentinel_one.alert.target.process.proc.image_path - ignore_missing: true - - rename: - field: json.targetProcessInfo.tgtProcSignedStatus - target_field: sentinel_one.alert.target.process.proc.signed_status - ignore_missing: true - - rename: - field: json.targetProcessInfo.tgtFileHashSha256 - target_field: sentinel_one.alert.target.process.file.hash.sha256 - ignore_missing: true - - append: - field: related.hash - value: '{{{sentinel_one.alert.target.process.file.hash.sha256}}}' - if: ctx.sentinel_one?.alert?.target?.process?.file?.hash?.sha256 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.targetProcessInfo.tgtProcStorylineId - target_field: sentinel_one.alert.target.process.proc.storyline_id - ignore_missing: true - - convert: - field: json.targetProcessInfo.tgtProcPid - target_field: sentinel_one.alert.target.process.proc.pid - type: long - ignore_failure: true - - rename: - field: json.targetProcessInfo.tgtProcCmdLine - target_field: sentinel_one.alert.target.process.proc.cmdline - ignore_missing: true - - rename: - field: json.targetProcessInfo.tgtProcName - target_field: sentinel_one.alert.target.process.proc.name - ignore_missing: true - - date: - field: json.targetProcessInfo.tgtFileModifiedAt - target_field: file.mtime - if: 
ctx.json?.targetProcessInfo?.tgtFileModifiedAt != null - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.targetProcessInfo.tgtFileId - target_field: sentinel_one.alert.target.process.file.id - ignore_missing: true - - rename: - field: json.targetProcessInfo.tgtProcIntegrityLevel - target_field: sentinel_one.alert.target.process.proc.integrity_level - ignore_missing: true - - rename: - field: json.targetProcessInfo.tgtFileHashSha1 - target_field: sentinel_one.alert.target.process.file.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{sentinel_one.alert.target.process.file.hash.sha1}}}' - if: ctx.sentinel_one?.alert?.target?.process?.file?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.targetProcessInfo.tgtProcUid - target_field: sentinel_one.alert.target.process.proc.uid - ignore_missing: true - - date: - field: json.targetProcessInfo.tgtProcessStartTime - target_field: sentinel_one.alert.target.process.start_time - if: ctx.json?.targetProcessInfo?.tgtProcessStartTime != null - ignore_failure: true - formats: - - ISO8601 - - rename: - field: json.targetProcessInfo.tgtFilePath - target_field: sentinel_one.alert.target.process.file.path - ignore_missing: true - - remove: - field: json - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. 
- lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- set: - field: error.message - value: '{{ _ingest.on_failure_message }}' diff --git a/packages/sentinel_one/0.1.0/data_stream/alert/fields/agent.yml b/packages/sentinel_one/0.1.0/data_stream/alert/fields/agent.yml deleted file mode 100755 index 6e1bac042b..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/alert/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/sentinel_one/0.1.0/data_stream/alert/fields/base-fields.yml b/packages/sentinel_one/0.1.0/data_stream/alert/fields/base-fields.yml deleted file mode 100755 index 33fc797d19..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/alert/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: sentinel_one -- name: event.dataset - type: constant_keyword - description: Event dataset - value: sentinel_one.alert -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/sentinel_one/0.1.0/data_stream/alert/fields/ecs.yml b/packages/sentinel_one/0.1.0/data_stream/alert/fields/ecs.yml deleted file mode 100755 index 14eee62b8f..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/alert/fields/ecs.yml +++ /dev/null 
@@ -1,260 +0,0 @@ -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: SHA1 hash. - name: dll.hash.sha1 - type: keyword -- description: Full file path of the library. - name: dll.path - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - File creation time. - Note that not all filesystems store the creation time. - name: file.created - type: date -- description: Last time the file content was modified. - name: file.mtime - type: date -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: Name of the cluster. - name: orchestrator.cluster.name - type: keyword -- description: Namespace in which the action is taking place. - name: orchestrator.namespace - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: os.name - type: keyword -- description: |- - The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. 
- name: process.code_signature.signing_id - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.command_line - type: wildcard -- description: |- - Unique identifier for the process. - The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. - name: process.hash.md5 - type: keyword -- description: SHA1 hash. - name: process.hash.sha1 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: |- - The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. - name: process.parent.code_signature.signing_id - type: keyword -- description: |- - Full command line that started the process, including the absolute path to the executable, and all arguments. - Some arguments may be filtered to protect sensitive information. - multi_fields: - - name: text - type: match_only_text - name: process.parent.command_line - type: wildcard -- description: |- - Unique identifier for the process. 
- The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. - Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - name: process.parent.entity_id - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.parent.executable - type: keyword -- description: MD5 hash. - name: process.parent.hash.md5 - type: keyword -- description: SHA1 hash. - name: process.parent.hash.sha1 - type: keyword -- description: SHA256 hash. - name: process.parent.hash.sha256 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.parent.name - type: keyword -- description: Process id. - name: process.parent.pid - type: long -- description: The time the process started. - name: process.parent.start - type: date -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: process.parent.user.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: The time the process started. - name: process.start - type: date -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: process.user.name - type: keyword -- description: Hive-relative path of keys. - name: registry.key - type: keyword -- description: Full path, including hive, key and value - name: registry.path - type: keyword -- description: Name of the value written. - name: registry.value - type: keyword -- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: A categorization value keyword used by the entity using the rule for detection of this event. - name: rule.category - type: keyword -- description: The description of the rule generating the event. - name: rule.description - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/sentinel_one/0.1.0/data_stream/alert/fields/fields.yml b/packages/sentinel_one/0.1.0/data_stream/alert/fields/fields.yml deleted file mode 100755 index 1a86a7a3a8..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/alert/fields/fields.yml +++ /dev/null 
@@ -1,243 +0,0 @@ -- name: sentinel_one.alert - type: group - fields: - - name: agent - type: group - fields: - - name: site_id - type: keyword - description: Site id. - - name: analyst_verdict - type: keyword - description: Analyst verdict. - - name: container - type: group - fields: - - name: info - type: group - fields: - - name: labels - type: keyword - description: Container info labels. - - name: dv_event - type: group - fields: - - name: id - type: keyword - description: DV event id. - - name: info - type: group - fields: - - name: dns - type: group - fields: - - name: response - type: keyword - description: IP address, DNS, type, etc. in response. - - name: event_type - type: keyword - description: Event type. - - name: hit - type: group - fields: - - name: type - type: keyword - description: Type of hit reported from agent. - - name: indicator - type: group - fields: - - name: category - type: keyword - description: Indicator categories for this process. - - name: description - type: keyword - description: Indicator_description. - - name: name - type: keyword - description: Indicator names for this process. - - name: login - type: group - fields: - - name: account - type: group - fields: - - name: sid - type: keyword - description: SID of the account that attempted to login. - - name: is_administrator - type: keyword - description: Is the login attempt administrator equivalent. - - name: is_successful - type: keyword - description: Was the login attempt successful. - - name: type - type: keyword - description: Type of login which was performed. - - name: registry - type: group - fields: - - name: old_value - type: keyword - description: Registry previous value (in case of modification). - - name: old_value_type - type: keyword - description: Registry previous value type (in case of modification). - - name: reported_at - type: date - description: Timestamp of alert creation in STAR. - - name: source - type: keyword - description: Source reported from agent. 
- - name: status - type: keyword - description: Incident status. - - name: ti_indicator - type: group - fields: - - name: comparison_method - type: keyword - description: The comparison method used by SentinelOne to trigger the event. - - name: source - type: keyword - description: The value of the identified Threat Intelligence indicator. - - name: type - type: keyword - description: The type of the identified Threat Intelligence indicator. - - name: value - type: keyword - description: The value of the identified Threat Intelligence indicator. - - name: updated_at - type: date - description: Date of alert updated in Star MMS. - - name: kubernetes - type: group - fields: - - name: controller - type: group - fields: - - name: kind - type: keyword - description: Controller kind. - - name: labels - type: keyword - description: Controller labels. - - name: name - type: keyword - description: Controller name. - - name: namespace - type: group - fields: - - name: labels - type: keyword - description: Namespace labels. - - name: node - type: keyword - description: Node. - - name: pod - type: group - fields: - - name: labels - type: keyword - description: Pod Labels. - - name: name - type: keyword - description: Pod name. - - name: process - type: group - fields: - - name: integrity_level - type: keyword - description: Integrity level. - - name: parent - type: group - fields: - - name: integrity_level - type: keyword - description: Integrity level. - - name: storyline - type: keyword - description: StoryLine. - - name: subsystem - type: keyword - description: Subsystem. - - name: storyline - type: keyword - description: StoryLine. - - name: subsystem - type: keyword - description: Subsystem. - - name: rule - type: group - fields: - - name: scope_level - type: keyword - description: Scope level. - - name: severity - type: keyword - description: Rule severity. - - name: treat_as_threat - type: keyword - description: Rule treat as threat type. 
- - name: target - type: group - fields: - - name: process - type: group - fields: - - name: file - type: group - fields: - - name: hash - type: group - fields: - - name: sha1 - type: keyword - description: SHA1 Signature of File. - - name: sha256 - type: keyword - description: SHA256 Signature of File. - - name: id - type: keyword - description: Unique ID of file. - - name: is_signed - type: keyword - description: Is fle signed. - - name: old_path - type: keyword - description: Old path before 'Rename'. - - name: path - type: keyword - description: Path and filename. - - name: proc - type: group - fields: - - name: cmdline - type: keyword - description: Target Process Command Line. - - name: image_path - type: keyword - description: Target Process Image path - - name: integrity_level - type: keyword - description: Integrity level of target process. - - name: name - type: keyword - description: Target Process Name. - - name: pid - type: long - description: Target Process ID (PID). - - name: signed_status - type: keyword - description: Target Process Signed Status. - - name: storyline_id - type: keyword - description: Target Process StoryLine ID. - - name: uid - type: keyword - description: Target Process Unique ID. - - name: start_time - type: date - description: Target Process Start Time. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/sentinel_one/0.1.0/data_stream/alert/manifest.yml b/packages/sentinel_one/0.1.0/data_stream/alert/manifest.yml deleted file mode 100755 index 3aeb57a47b..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/alert/manifest.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -title: Collect Alert logs from SentinelOne -type: logs -streams: - - input: httpjson - title: Alert logs - description: Collect alert logs from SentinelOne. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the alerts from SentinelOne. - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the SentinelOne API. - default: 5m - multi: false - required: true - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - sentinel_one-alert - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/sentinel_one/0.1.0/data_stream/alert/sample_event.json b/packages/sentinel_one/0.1.0/data_stream/alert/sample_event.json deleted file mode 100755 index d6432f36dc..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/alert/sample_event.json +++ /dev/null 
@@ -1,273 +0,0 @@ -{ - "@timestamp": "2018-02-27T04:49:26.257Z", - "agent": { - "ephemeral_id": "85d4ef1b-9fd3-4695-8ba0-0bb951030615", - "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.3" - }, - "container": { - "id": "string", - "image": { - "name": "string" - }, - "name": "string" - }, - "data_stream": { - "dataset": "sentinel_one.alert", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "ip": "0.0.0.0", - "port": 1234 - }, - "dll": { - "hash": { - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" - }, - "path": "string" - }, - "dns": { - "question": { - "name": "string" - } - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d", - "snapshot": false, - "version": "8.1.3" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "malware" - ], - "created": "2022-05-09T12:54:49.331Z", - "dataset": "sentinel_one.alert", - "id": "123456789123456789", - "ingested": "2022-05-09T12:54:52Z", - "kind": "event", - "original": 
"{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"123456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"0.0.0.0\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"string\",\"hitType\":\"Events\",\"incidentStatus\":\"string\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"string\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"0.0.0.0\",\"srcMachineIp\":\"0.0.0.0\",\"srcPort\":\"string\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{\"com
mandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCmdLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}", - "type": [ - "info" - ] - }, - "file": { - "created": "2018-02-27T04:49:26.257Z", - "mtime": "2018-02-27T04:49:26.257Z" - }, - "host": { - "ip": "0.0.0.0", - "name": "string", - "os": { - "family": "string", - "name": "string", - "version": "string" - }, - "type": 
"string" - }, - "input": { - "type": "httpjson" - }, - "network": { - "direction": "string" - }, - "observer": { - "serial_number": "string", - "version": "3.x.x.x" - }, - "orchestrator": { - "cluster": { - "name": "string" - }, - "namespace": "string" - }, - "process": { - "code_signature": { - "signing_id": "string" - }, - "command_line": "string", - "entity_id": "string", - "executable": "string", - "hash": { - "md5": "5d41402abc4b2a76b9719d911017c592", - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" - }, - "name": "string", - "parent": { - "code_signature": { - "signing_id": "string" - }, - "command_line": "string", - "entity_id": "string", - "executable": "string", - "hash": { - "md5": "5d41402abc4b2a76b9719d911017c592", - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" - }, - "name": "string", - "pid": 12345, - "start": "2018-02-27T04:49:26.257Z", - "user": { - "name": "string" - } - }, - "pid": 12345, - "start": "2018-02-27T04:49:26.257Z", - "user": { - "name": "string" - } - }, - "registry": { - "key": "string", - "path": "string", - "value": "string" - }, - "related": { - "hash": [ - "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "5d41402abc4b2a76b9719d911017c592", - "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" - ], - "hosts": [ - "string" - ], - "ip": [ - "0.0.0.0" - ], - "user": [ - "string" - ] - }, - "rule": { - "description": "string", - "id": "string", - "name": "string" - }, - "sentinel_one": { - "alert": { - "agent": { - "site_id": "123456789123456789" - }, - "analyst_verdict": "string", - "container": { - "info": { - "labels": "string" - } - }, - "dv_event": { - "id": "string" - }, - "info": { - "dns": { - "response": "string" - }, - "event_type": "string", - "hit": { - "type": "Events" - }, - "indicator": { - "category": "string", - "description": "string", - 
"name": "string" - }, - "login": { - "account": { - "sid": "string" - }, - "is_administrator": "string", - "is_successful": "string", - "type": "string" - }, - "registry": { - "old_value": "string", - "old_value_type": "string" - }, - "reported_at": "2018-02-27T04:49:26.257Z", - "source": "string", - "status": "string", - "ti_indicator": { - "comparison_method": "string", - "source": "string", - "type": "string", - "value": "string" - }, - "updated_at": "2018-02-27T04:49:26.257Z" - }, - "kubernetes": { - "controller": { - "kind": "string", - "labels": "string", - "name": "string" - }, - "namespace": { - "labels": "string" - }, - "node": "string", - "pod": { - "labels": "string", - "name": "string" - } - }, - "process": { - "integrity_level": "unknown", - "parent": { - "integrity_level": "unknown", - "storyline": "string", - "subsystem": "unknown" - }, - "storyline": "string", - "subsystem": "unknown" - }, - "rule": { - "scope_level": "string", - "severity": "Low", - "treat_as_threat": "UNDEFINED" - }, - "target": { - "process": { - "file": { - "hash": { - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d", - "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" - }, - "id": "string", - "is_signed": "string", - "old_path": "string", - "path": "string" - }, - "proc": { - "cmdline": "string", - "image_path": "string", - "integrity_level": "unknown", - "name": "string", - "pid": 12345, - "signed_status": "string", - "storyline_id": "string", - "uid": "string" - }, - "start_time": "2018-02-27T04:49:26.257Z" - } - } - } - }, - "source": { - "ip": "0.0.0.0" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-alert" - ], - "user": { - "domain": "string", - "name": "string" - } -} \ No newline at end of file diff --git a/packages/sentinel_one/0.1.0/data_stream/group/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/0.1.0/data_stream/group/agent/stream/httpjson.yml.hbs deleted file mode 100755 index ab9e91fdfe..0000000000 
--- a/packages/sentinel_one/0.1.0/data_stream/group/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,51 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: GET -request.url: {{url}}/web/api/v2.1/groups -request.transforms: - - set: - target: header.Authorization - value: 'ApiToken {{api_token}}' - - set: - target: url.params.limit - value: '100' - - set: - target: url.params.sortBy - value: 'updatedAt' - - set: - target: url.params.sortOrder - value: 'asc' - - set: - target: url.params.updatedAt__gte - value: '[[formatDate (parseDate .cursor.last_update_at)]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' -response.pagination: - - set: - target: url.params.cursor - value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_update_at: - value: '[[.last_event.updatedAt]]' -response.split: - target: body.data -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/sentinel_one/0.1.0/data_stream/group/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/0.1.0/data_stream/group/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 6afca281ff..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/group/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -description: Pipeline for processing group logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: [iam] - - set: - field: event.type - value: [info] - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - fingerprint: - fields: - - json.createdAt - - json.updatedAt - - json.id - target_field: _id - ignore_missing: true - - date: - field: json.updatedAt - target_field: '@timestamp' - formats: - - ISO8601 - ignore_failure: true - - date: - field: json.createdAt - target_field: sentinel_one.group.created_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.creator - target_field: user.full_name - ignore_missing: true - - append: - field: related.user - value: '{{{user.full_name}}}' - if: ctx.user?.full_name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.creatorId - target_field: sentinel_one.group.creator.id - ignore_missing: true - - rename: - field: json.filterId - target_field: sentinel_one.group.filter.id - ignore_missing: true - - rename: - field: json.filterName - target_field: sentinel_one.group.filter.name - ignore_missing: true - - rename: - field: json.id - target_field: group.id - ignore_missing: true - - convert: - field: json.inherits - target_field: sentinel_one.group.inherits - type: boolean - ignore_failure: true - - convert: - field: json.isDefault - target_field: sentinel_one.group.is_default - type: boolean - ignore_failure: true - - rename: - field: json.name - target_field: group.name - ignore_missing: true - - convert: - field: json.rank - target_field: sentinel_one.group.rank - type: long - ignore_failure: true - - rename: - field: json.registrationToken - target_field: sentinel_one.group.registration_token - ignore_missing: true - - rename: - field: json.siteId 
- target_field: sentinel_one.group.site.id - ignore_missing: true - - convert: - field: json.totalAgents - target_field: sentinel_one.group.agent.count - type: long - ignore_failure: true - - rename: - field: json.type - target_field: sentinel_one.group.type - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- set: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/sentinel_one/0.1.0/data_stream/group/fields/agent.yml b/packages/sentinel_one/0.1.0/data_stream/group/fields/agent.yml deleted file mode 100755 index 6e1bac042b..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/group/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset 
diff --git a/packages/sentinel_one/0.1.0/data_stream/group/fields/base-fields.yml b/packages/sentinel_one/0.1.0/data_stream/group/fields/base-fields.yml deleted file mode 100755 index 4b00f737cf..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/group/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: event.dataset - type: constant_keyword - description: Event dataset - value: sentinel_one.group -- name: event.module - type: constant_keyword - description: Event module - value: sentinel_one -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/sentinel_one/0.1.0/data_stream/group/fields/ecs.yml b/packages/sentinel_one/0.1.0/data_stream/group/fields/ecs.yml deleted file mode 100755 index bbbdb79f4b..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/group/fields/ecs.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: User's full name, if available. - multi_fields: - - name: text - type: match_only_text - name: user.full_name - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword diff --git a/packages/sentinel_one/0.1.0/data_stream/group/fields/fields.yml b/packages/sentinel_one/0.1.0/data_stream/group/fields/fields.yml deleted file mode 100755 index 89cd8a3787..0000000000 
--- a/packages/sentinel_one/0.1.0/data_stream/group/fields/fields.yml +++ /dev/null @@ -1,40 +0,0 @@ -- name: sentinel_one.group - type: group - fields: - - name: agent - type: group - fields: - - name: count - type: long - - name: created_at - type: date - - name: creator - type: group - fields: - - name: id - type: keyword - - name: filter - type: group - fields: - - name: id - type: keyword - - name: name - type: keyword - - name: inherits - type: boolean - - name: is_default - type: boolean - - name: rank - type: long - - name: registration_token - type: keyword - - name: site - type: group - fields: - - name: id - type: keyword - - name: type - type: keyword -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/sentinel_one/0.1.0/data_stream/group/manifest.yml b/packages/sentinel_one/0.1.0/data_stream/group/manifest.yml deleted file mode 100755 index 4cbbd473d3..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/group/manifest.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -title: Collect Group logs from SentinelOne -type: logs -streams: - - input: httpjson - title: Group logs - description: Collect group logs from SentinelOne. - template_path: httpjson.yml.hbs - vars: - - name: initial_interval - type: text - title: Initial Interval - description: How far back to pull the groups from SentinelOne. - multi: false - required: true - show_user: true - default: 24h - - name: interval - type: text - title: Interval - description: Duration between requests to the SentinelOne API. - default: 5m - multi: false - required: true - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - sentinel_one-group - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - diff --git a/packages/sentinel_one/0.1.0/data_stream/group/sample_event.json b/packages/sentinel_one/0.1.0/data_stream/group/sample_event.json deleted file mode 100755 index 53add1ec91..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/group/sample_event.json +++ /dev/null 
@@ -1,75 +0,0 @@ -{ - "@timestamp": "2022-04-05T16:01:57.564Z", - "agent": { - "ephemeral_id": "c386c123-e979-4c16-b5e4-0bbc8f94062e", - "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.3" - }, - "data_stream": { - "dataset": "sentinel_one.group", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d", - "snapshot": false, - "version": "8.1.3" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "iam" - ], - "created": "2022-05-09T12:55:41.235Z", - "dataset": "sentinel_one.group", - "ingested": "2022-05-09T12:55:44Z", - "kind": "event", - "original": "{\"createdAt\":\"2022-04-05T16:01:56.928383Z\",\"creator\":\"Test User\",\"creatorId\":\"1234567890123456789\",\"filterId\":null,\"filterName\":null,\"id\":\"1234567890123456789\",\"inherits\":true,\"isDefault\":true,\"name\":\"Default Group\",\"rank\":null,\"registrationToken\":\"eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=\",\"siteId\":\"1234567890123456789\",\"totalAgents\":1,\"type\":\"static\",\"updatedAt\":\"2022-04-05T16:01:57.564266Z\"}", - "type": [ - "info" - ] - }, - "group": { - "id": "1234567890123456789", - "name": "Default Group" - }, - "input": { - "type": "httpjson" - }, - "related": { - "user": [ - "Test User" - ] - }, - "sentinel_one": { - "group": { - "agent": { - "count": 1 - }, - "created_at": "2022-04-05T16:01:56.928Z", - "creator": { - "id": "1234567890123456789" - }, - "inherits": true, - "is_default": true, - "registration_token": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", - "site": { - "id": "1234567890123456789" - }, - "type": "static" - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-group" - ], - "user": { - "full_name": "Test User" - } -} \ No newline at end of file 
diff --git a/packages/sentinel_one/0.1.0/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/sentinel_one/0.1.0/data_stream/threat/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 7d5345a4af..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/threat/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,51 +0,0 @@ -config_version: 2 -interval: {{interval}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -{{#if ssl}} -request.ssl: {{ssl}} -{{/if}} -request.method: GET -request.url: {{url}}/web/api/v2.1/threats -request.transforms: - - set: - target: header.Authorization - value: 'ApiToken {{api_token}}' - - set: - target: url.params.limit - value: '100' - - set: - target: url.params.sortBy - value: 'updatedAt' - - set: - target: url.params.sortOrder - value: 'asc' - - set: - target: url.params.updatedAt__gte - value: '[[formatDate (parseDate .cursor.last_update_at)]]' - default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]' -response.pagination: - - set: - target: url.params.cursor - value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]' - fail_on_template_error: true -cursor: - last_update_at: - value: '[[.last_event.threatInfo.updatedAt]]' -response.split: - target: body.data -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/sentinel_one/0.1.0/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one/0.1.0/data_stream/threat/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index c9f7239839..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/threat/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,927 +0,0 @@ ---- -description: Pipeline for processing threat logs. -processors: - - set: - field: ecs.version - value: '8.2.0' - - set: - field: event.kind - value: event - - set: - field: event.category - value: [malware] - - set: - field: event.type - value: [info] - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - fingerprint: - fields: - - json.threatInfo.createdAt - - json.threatInfo.updatedAt - - json.id - target_field: _id - ignore_missing: true - - date: - field: json.threatInfo.updatedAt - target_field: '@timestamp' - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.agentDetectionInfo.accountId - target_field: sentinel_one.threat.detection.account.id - ignore_missing: true - - rename: - field: json.agentDetectionInfo.accountName - target_field: sentinel_one.threat.detection.account.name - ignore_missing: true - - rename: - field: json.agentDetectionInfo.agentDetectionState - target_field: sentinel_one.threat.detection.state - ignore_missing: true - - rename: - field: json.agentDetectionInfo.agentDomain - target_field: sentinel_one.threat.detection.agent.domain - ignore_missing: true - - convert: - field: json.agentDetectionInfo.agentIpV4 - target_field: sentinel_one.threat.detection.agent.ipv4 - type: ip - ignore_failure: true - - append: - field: related.ip - value: '{{{sentinel_one.threat.detection.agent.ipv4}}}' - if: ctx.sentinel_one?.threat?.detection?.agent?.ipv4 != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.agentDetectionInfo.agentIpV6 - target_field: sentinel_one.threat.detection.agent.ipv6 - type: ip - ignore_failure: true - - append: - field: related.ip - value: '{{{sentinel_one.threat.detection.agent.ipv6}}}' - if: ctx.sentinel_one?.threat?.detection?.agent?.ipv6 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: 
json.agentDetectionInfo.agentLastLoggedInUpn - target_field: sentinel_one.threat.detection.agent.last_logged_in.upn - ignore_missing: true - - rename: - field: json.agentDetectionInfo.agentLastLoggedInUserMail - target_field: user.email - ignore_missing: true - - rename: - field: json.agentDetectionInfo.agentLastLoggedInUserName - target_field: user.name - ignore_missing: true - - append: - field: related.user - value: '{{{user.name}}}' - if: ctx.user?.name != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.agentDetectionInfo.agentMitigationMode - target_field: sentinel_one.threat.detection.agent.mitigation_mode - ignore_missing: true - - rename: - field: json.agentDetectionInfo.agentOsName - target_field: sentinel_one.threat.detection.agent.os.name - ignore_missing: true - - rename: - field: json.agentDetectionInfo.agentOsRevision - target_field: sentinel_one.threat.detection.agent.os.version - ignore_missing: true - - date: - field: json.agentDetectionInfo.agentRegisteredAt - target_field: sentinel_one.threat.detection.agent.registered_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.agentDetectionInfo.agentUuid - target_field: sentinel_one.threat.detection.agent.uuid - ignore_missing: true - - rename: - field: json.agentDetectionInfo.agentVersion - target_field: sentinel_one.threat.detection.agent.version - ignore_missing: true - - rename: - field: json.agentDetectionInfo.cloudProviders - target_field: sentinel_one.threat.detection.cloud_providers - ignore_missing: true - - convert: - field: json.agentDetectionInfo.externalIp - target_field: host.ip - type: ip - ignore_failure: true - - geoip: - field: host.ip - target_field: host.geo - ignore_missing: true - if: ctx.host?.ip != null && ctx.host?.ip != '' - - append: - field: related.ip - value: '{{{host.ip}}}' - if: ctx.host?.ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.agentDetectionInfo.groupId - target_field: 
sentinel_one.threat.detection.agent.group.id - ignore_missing: true - - rename: - field: json.agentDetectionInfo.groupName - target_field: sentinel_one.threat.detection.agent.group.name - ignore_missing: true - - rename: - field: json.agentDetectionInfo.siteId - target_field: sentinel_one.threat.detection.agent.site.id - ignore_missing: true - - rename: - field: json.agentDetectionInfo.siteName - target_field: sentinel_one.threat.detection.agent.site.name - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.accountId - target_field: sentinel_one.threat.agent.account.id - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.accountName - target_field: sentinel_one.threat.agent.account.name - ignore_missing: true - - convert: - field: json.agentRealtimeInfo.activeThreats - target_field: sentinel_one.threat.agent.active_threats - type: long - ignore_failure: true - - rename: - field: json.agentRealtimeInfo.agentComputerName - target_field: host.name - ignore_missing: true - - append: - field: related.hosts - value: '{{{host.name}}}' - if: ctx.host?.name != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.agentRealtimeInfo.agentDecommissionedAt - target_field: sentinel_one.threat.agent.decommissioned_at - type: boolean - ignore_failure: true - - rename: - field: json.agentRealtimeInfo.agentDomain - target_field: host.domain - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.agentId - target_field: host.id - ignore_missing: true - - convert: - field: json.agentRealtimeInfo.agentInfected - target_field: sentinel_one.threat.agent.infected - type: boolean - ignore_failure: true - - convert: - field: json.agentRealtimeInfo.agentIsActive - target_field: sentinel_one.threat.agent.is_active - type: boolean - ignore_failure: true - - convert: - field: json.agentRealtimeInfo.agentIsDecommissioned - target_field: sentinel_one.threat.agent.is_decommissioned - type: boolean - ignore_failure: true - - rename: 
- field: json.agentRealtimeInfo.agentMachineType - target_field: sentinel_one.threat.agent.machine_type - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.agentMitigationMode - target_field: sentinel_one.threat.agent.mitigation_mode - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.agentNetworkStatus - target_field: sentinel_one.threat.agent.network_status - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.agentOsName - target_field: host.os.name - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.agentOsRevision - target_field: sentinel_one.threat.agent.os.version - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.agentOsType - target_field: host.os.type - ignore_missing: true - - lowercase: - field: host.os.type - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.agentUuid - target_field: sentinel_one.threat.agent.uuid - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.agentVersion - target_field: observer.version - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.groupId - target_field: sentinel_one.threat.agent.group.id - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.groupName - target_field: sentinel_one.threat.agent.group.name - ignore_missing: true - - foreach: - field: json.agentRealtimeInfo.networkInterfaces - processor: - convert: - field: _ingest._value.inet - type: ip - ignore_failure: true - ignore_failure: true - if: ctx.json?.agentRealtimeInfo?.networkInterfaces != null && ctx.json?.agentRealtimeInfo?.networkInterfaces instanceof List - - foreach: - field: json.agentRealtimeInfo.networkInterfaces - processor: - foreach: - field: _ingest._value.inet - processor: - append: - field: related.ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_failure: true - ignore_failure: true - if: ctx.json?.agentRealtimeInfo?.networkInterfaces != null && 
ctx.json?.agentRealtimeInfo?.networkInterfaces instanceof List - - foreach: - field: json.agentRealtimeInfo.networkInterfaces - processor: - convert: - field: _ingest._value.inet6 - type: ip - ignore_failure: true - ignore_failure: true - if: ctx.json?.agentRealtimeInfo?.networkInterfaces != null && ctx.json?.agentRealtimeInfo?.networkInterfaces instanceof List - - foreach: - field: json.agentRealtimeInfo.networkInterfaces - processor: - foreach: - field: _ingest._value.inet6 - processor: - append: - field: related.ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_failure: true - ignore_failure: true - if: ctx.json?.agentRealtimeInfo?.networkInterfaces != null && ctx.json?.agentRealtimeInfo?.networkInterfaces instanceof List - - foreach: - field: json.agentRealtimeInfo.networkInterfaces - processor: - append: - field: host.mac - value: "{{{_ingest._value.physical}}}" - allow_duplicates: false - ignore_failure: true - ignore_failure: true - if: ctx.json?.agentRealtimeInfo?.networkInterfaces != null && ctx.json?.agentRealtimeInfo?.networkInterfaces instanceof List - - foreach: - field: json.agentRealtimeInfo.networkInterfaces - processor: - remove: - field: - - _ingest._value.physical - ignore_missing: true - ignore_failure: true - if: ctx.json?.agentRealtimeInfo?.networkInterfaces != null && ctx.json?.agentRealtimeInfo?.networkInterfaces instanceof List - - rename: - field: json.agentRealtimeInfo.networkInterfaces - target_field: sentinel_one.threat.agent.network_interface - ignore_missing: true - - gsub: - field: host.mac - pattern: '[-:.]' - replacement: '-' - ignore_missing: true - - uppercase: - field: host.mac - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.operationalState - target_field: sentinel_one.threat.agent.operational_state - ignore_missing: true - - convert: - field: json.agentRealtimeInfo.rebootRequired - target_field: sentinel_one.threat.agent.reboot_required - type: boolean - 
ignore_failure: true - - date: - field: json.agentRealtimeInfo.scanAbortedAt - target_field: sentinel_one.threat.agent.scan.aborted_at - formats: - - ISO8601 - ignore_failure: true - - date: - field: json.agentRealtimeInfo.scanFinishedAt - target_field: sentinel_one.threat.agent.scan.finished_at - formats: - - ISO8601 - ignore_failure: true - - date: - field: json.agentRealtimeInfo.scanStartedAt - target_field: sentinel_one.threat.agent.scan.started_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.agentRealtimeInfo.scanStatus - target_field: sentinel_one.threat.agent.scan.status - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.siteId - target_field: sentinel_one.threat.agent.site.id - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.siteName - target_field: sentinel_one.threat.agent.site.name - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.storageName - target_field: sentinel_one.threat.agent.storage.name - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.storageType - target_field: sentinel_one.threat.agent.storage.type - ignore_missing: true - - rename: - field: json.agentRealtimeInfo.userActionsNeeded - target_field: sentinel_one.threat.agent.user_action_needed - ignore_missing: true - - rename: - field: json.containerInfo.id - target_field: container.id - ignore_missing: true - - rename: - field: json.containerInfo.image - target_field: container.image.name - ignore_missing: true - - rename: - field: json.containerInfo.labels - target_field: sentinel_one.threat.container.labels - ignore_missing: true - - rename: - field: json.containerInfo.name - target_field: container.name - ignore_missing: true - - rename: - field: json.description - target_field: message - ignore_missing: true - - rename: - field: json.id - target_field: sentinel_one.threat.id - ignore_missing: true - - foreach: - field: json.indicators - processor: - rename: - field: _ingest._value.category - 
target_field: _ingest._value.category.name - ignore_missing: true - ignore_failure: true - - foreach: - field: json.indicators - processor: - rename: - field: _ingest._value.categoryId - target_field: _ingest._value.category.id - ignore_missing: true - ignore_failure: true - - foreach: - field: json.indicators - processor: - foreach: - field: _ingest._value.ids - processor: - append: - field: threat.tactic.id - value: '{{{_ingest._value}}}' - allow_duplicates: false - ignore_failure: true - ignore_failure: true - ignore_failure: true - - foreach: - field: json.indicators - processor: - foreach: - field: _ingest._value.tactics - processor: - append: - field: threat.tactic.name - value: '{{{_ingest._value.name}}}' - allow_duplicates: false - ignore_failure: true - ignore_failure: true - ignore_failure: true - - foreach: - field: json.indicators - processor: - foreach: - field: _ingest._value.tactics - processor: - append: - field: threat.framework - value: '{{{_ingest._value.source}}}' - allow_duplicates: false - ignore_failure: true - ignore_failure: true - ignore_failure: true - - foreach: - field: json.indicators - processor: - foreach: - field: _ingest._value.tactics - processor: - foreach: - field: _ingest._value.techniques - processor: - append: - field: threat.technique.reference - value: '{{{_ingest._value.link}}}' - allow_duplicates: false - ignore_failure: true - ignore_failure: true - ignore_failure: true - ignore_failure: true - - foreach: - field: json.indicators - processor: - foreach: - field: _ingest._value.tactics - processor: - foreach: - field: _ingest._value.techniques - processor: - append: - field: threat.technique.id - value: '{{{_ingest._value.name}}}' - allow_duplicates: false - ignore_failure: true - ignore_failure: true - ignore_failure: true - ignore_failure: true - - foreach: - field: json.indicators - processor: - remove: - field: - - _ingest._value.ids - - _ingest._value.tactics - ignore_missing: true - ignore_failure: true - - rename: 
- field: json.indicators - target_field: sentinel_one.threat.indicators - ignore_missing: true - - rename: - field: json.kubernetesInfo.cluster - target_field: sentinel_one.threat.kubernetes.cluster - ignore_missing: true - - rename: - field: json.kubernetesInfo.controllerKind - target_field: sentinel_one.threat.kubernetes.controller.kind - ignore_missing: true - - rename: - field: json.kubernetesInfo.controllerLabels - target_field: sentinel_one.threat.kubernetes.controller.labels - ignore_missing: true - - rename: - field: json.kubernetesInfo.controllerName - target_field: sentinel_one.threat.kubernetes.controller.name - ignore_missing: true - - rename: - field: json.kubernetesInfo.namespace - target_field: sentinel_one.threat.kubernetes.namespace.name - ignore_missing: true - - rename: - field: json.kubernetesInfo.namespaceLabels - target_field: sentinel_one.threat.kubernetes.namespace.labels - ignore_missing: true - - rename: - field: json.kubernetesInfo.node - target_field: sentinel_one.threat.kubernetes.node - ignore_missing: true - - rename: - field: json.kubernetesInfo.pod - target_field: sentinel_one.threat.kubernetes.pod.name - ignore_missing: true - - rename: - field: json.kubernetesInfo.podLabels - target_field: sentinel_one.threat.kubernetes.pod.labels - ignore_missing: true - - foreach: - field: json.mitigationStatus - processor: - convert: - field: _ingest._value.actionsCounters.failed - target_field: _ingest._value.action_counters.failed - type: long - ignore_failure: true - ignore_failure: true - if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List - - foreach: - field: json.mitigationStatus - processor: - convert: - field: _ingest._value.actionsCounters.notFound - target_field: _ingest._value.action_counters.not_found - type: long - ignore_failure: true - ignore_failure: true - if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List - - foreach: - field: json.mitigationStatus - 
processor: - convert: - field: _ingest._value.actionsCounters.pendingReboot - target_field: _ingest._value.action_counters.pending_reboot - type: long - ignore_failure: true - ignore_failure: true - if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List - - foreach: - field: json.mitigationStatus - processor: - convert: - field: _ingest._value.actionsCounters.success - target_field: _ingest._value.action_counters.success - type: long - ignore_failure: true - ignore_failure: true - if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List - - foreach: - field: json.mitigationStatus - processor: - convert: - field: _ingest._value.actionsCounters.total - target_field: _ingest._value.action_counters.total - type: long - ignore_failure: true - ignore_failure: true - if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List - - foreach: - field: json.mitigationStatus - processor: - convert: - field: _ingest._value.agentSupportsReport - target_field: _ingest._value.agent_supports_report - type: boolean - ignore_failure: true - ignore_failure: true - if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List - - foreach: - field: json.mitigationStatus - processor: - convert: - field: _ingest._value.groupNotFound - target_field: _ingest._value.group_not_found - type: boolean - ignore_failure: true - ignore_failure: true - if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List - - foreach: - field: json.mitigationStatus - processor: - date: - field: _ingest._value.lastUpdate - target_field: _ingest._value.last_update - formats: - - ISO8601 - ignore_failure: true - ignore_failure: true - if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List - - foreach: - field: json.mitigationStatus - processor: - rename: - field: _ingest._value.latestReport - target_field: _ingest._value.latest_report - ignore_missing: 
true - ignore_failure: true - if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List - - foreach: - field: json.mitigationStatus - processor: - date: - field: _ingest._value.mitigationEndedAt - target_field: _ingest._value.mitigation_ended_at - formats: - - ISO8601 - ignore_failure: true - ignore_failure: true - if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List - - foreach: - field: json.mitigationStatus - processor: - date: - field: _ingest._value.mitigationStartedAt - target_field: _ingest._value.mitigation_started_at - formats: - - ISO8601 - ignore_failure: true - ignore_failure: true - if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List - - foreach: - field: json.mitigationStatus - processor: - remove: - field: - - _ingest._value.actionsCounters - - _ingest._value.agentSupportsReport - - _ingest._value.groupNotFound - - _ingest._value.lastUpdate - - _ingest._value.mitigationEndedAt - - _ingest._value.mitigationStartedAt - ignore_missing: true - ignore_failure: true - if: ctx.json?.mitigationStatus != null && ctx.json?.mitigationStatus instanceof List - - rename: - field: json.mitigationStatus - target_field: sentinel_one.threat.mitigation_status - ignore_missing: true - - rename: - field: json.threatInfo.analystVerdict - target_field: sentinel_one.threat.analysis.verdict - ignore_missing: true - - rename: - field: json.threatInfo.analystVerdictDescription - target_field: sentinel_one.threat.analysis.description - ignore_missing: true - - convert: - field: json.threatInfo.automaticallyResolved - target_field: sentinel_one.threat.automatically_resolved - type: boolean - ignore_failure: true - - rename: - field: json.threatInfo.browserType - target_field: sentinel_one.threat.browser_type - ignore_missing: true - - rename: - field: json.threatInfo.certificateId - target_field: sentinel_one.threat.certificate.id - ignore_missing: true - - rename: - field: 
json.threatInfo.classification - target_field: sentinel_one.threat.classification - ignore_missing: true - - rename: - field: json.threatInfo.classificationSource - target_field: sentinel_one.threat.classification_source - ignore_missing: true - - rename: - field: json.threatInfo.cloudFilesHashVerdict - target_field: sentinel_one.threat.cloudfiles_hash_verdict - ignore_missing: true - - rename: - field: json.threatInfo.collectionId - target_field: sentinel_one.threat.collection.id - ignore_missing: true - - rename: - field: json.threatInfo.confidenceLevel - target_field: sentinel_one.threat.confidence_level - ignore_missing: true - - date: - field: json.threatInfo.createdAt - target_field: sentinel_one.threat.created_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.threatInfo.detectionEngines - target_field: sentinel_one.threat.detection.engines - ignore_missing: true - - rename: - field: json.threatInfo.detectionType - target_field: sentinel_one.threat.detection.type - ignore_missing: true - - rename: - field: json.threatInfo.engines - target_field: sentinel_one.threat.engines - ignore_missing: true - - convert: - field: json.threatInfo.externalTicketExists - target_field: sentinel_one.threat.external_ticket.exist - type: boolean - ignore_failure: true - - rename: - field: json.threatInfo.externalTicketId - target_field: sentinel_one.threat.external_ticket.id - ignore_missing: true - - convert: - field: json.threatInfo.failedActions - target_field: sentinel_one.threat.failed_actions - type: boolean - ignore_failure: true - - rename: - field: json.threatInfo.fileExtension - target_field: threat.indicator.file.extension - ignore_missing: true - - rename: - field: json.threatInfo.fileExtensionType - target_field: sentinel_one.threat.file.extension.type - ignore_missing: true - - rename: - field: json.threatInfo.filePath - target_field: threat.indicator.file.path - ignore_missing: true - - convert: - field: json.threatInfo.fileSize - 
target_field: threat.indicator.file.size - type: long - ignore_failure: true - - rename: - field: json.threatInfo.fileVerificationType - target_field: sentinel_one.threat.file.verification_type - ignore_missing: true - - date: - field: json.threatInfo.identifiedAt - target_field: sentinel_one.threat.file.identified_at - formats: - - ISO8601 - ignore_failure: true - - rename: - field: json.threatInfo.incidentStatus - target_field: sentinel_one.threat.incident.status - ignore_missing: true - - rename: - field: json.threatInfo.incidentStatusDescription - target_field: sentinel_one.threat.incident.status_description - ignore_missing: true - - rename: - field: json.threatInfo.initiatedBy - target_field: sentinel_one.threat.initiated.name - ignore_missing: true - - rename: - field: json.threatInfo.initiatedByDescription - target_field: sentinel_one.threat.initiated.description - ignore_missing: true - - rename: - field: json.threatInfo.initiatingUserId - target_field: sentinel_one.threat.initiating_user.id - ignore_missing: true - - rename: - field: json.threatInfo.initiatingUsername - target_field: sentinel_one.threat.initiating_user.name - ignore_missing: true - - append: - field: related.user - value: '{{{sentinel_one.threat.initiating_user.name}}}' - if: ctx.sentinel_one?.threat?.initiating_user?.name != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.threatInfo.isFileless - target_field: sentinel_one.threat.is_fileless - type: boolean - ignore_failure: true - - convert: - field: json.threatInfo.isValidCertificate - target_field: sentinel_one.threat.is_valid_certificate - type: boolean - ignore_failure: true - - rename: - field: json.threatInfo.maliciousProcessArguments - target_field: sentinel_one.threat.malicious_process_arguments - ignore_missing: true - - rename: - field: json.threatInfo.md5 - target_field: threat.indicator.file.hash.md5 - ignore_missing: true - - convert: - field: json.threatInfo.mitigatedPreemptively - 
target_field: sentinel_one.threat.mitigated_preemptively - type: boolean - ignore_failure: true - - rename: - field: json.threatInfo.mitigationStatus - target_field: sentinel_one.threat.mitigation.status - ignore_missing: true - - rename: - field: json.threatInfo.mitigationStatusDescription - target_field: sentinel_one.threat.mitigation.description - ignore_missing: true - - rename: - field: json.threatInfo.originatorProcess - target_field: sentinel_one.threat.originator_process - ignore_missing: true - - convert: - field: json.threatInfo.pendingActions - target_field: sentinel_one.threat.pending_actions - type: boolean - ignore_failure: true - - rename: - field: json.threatInfo.processUser - target_field: sentinel_one.threat.process_user - ignore_missing: true - - append: - field: related.user - value: '{{{sentinel_one.threat.process_user}}}' - if: ctx.sentinel_one?.threat?.process_user != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.threatInfo.publisherName - target_field: sentinel_one.threat.publisher.name - ignore_missing: true - - convert: - field: json.threatInfo.reachedEventsLimit - target_field: sentinel_one.threat.reached_events_limit - type: boolean - ignore_failure: true - - convert: - field: json.threatInfo.rebootRequired - target_field: sentinel_one.threat.reboot_required - type: boolean - ignore_failure: true - - rename: - field: json.threatInfo.sha1 - target_field: threat.indicator.file.hash.sha1 - ignore_missing: true - - append: - field: related.hash - value: '{{{threat.indicator.file.hash.sha1}}}' - if: ctx.threat?.indicator?.file?.hash?.sha1 != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.threatInfo.sha256 - target_field: threat.indicator.file.hash.sha256 - ignore_missing: true - - append: - field: related.hash - value: '{{{threat.indicator.file.hash.sha256}}}' - if: ctx.threat?.indicator?.file?.hash?.sha256 != null - allow_duplicates: false - ignore_failure: true - - rename: - 
field: json.threatInfo.storyline - target_field: sentinel_one.threat.storyline - ignore_missing: true - - rename: - field: json.threatInfo.threatId - target_field: sentinel_one.threat.threat_id - ignore_missing: true - - rename: - field: json.threatInfo.threatName - target_field: sentinel_one.threat.name - ignore_missing: true - - rename: - field: json.whiteningOptions - target_field: sentinel_one.threat.whitening_option - ignore_missing: true - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) - ignore_failure: true - ignore_missing: true - - script: - description: Drops null/empty values recursively. - lang: painless - source: - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); -on_failure: -- set: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/sentinel_one/0.1.0/data_stream/threat/fields/agent.yml b/packages/sentinel_one/0.1.0/data_stream/threat/fields/agent.yml deleted file mode 100755 index 6e1bac042b..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/threat/fields/agent.yml +++ /dev/null 
@@ -1,186 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/sentinel_one/0.1.0/data_stream/threat/fields/base-fields.yml b/packages/sentinel_one/0.1.0/data_stream/threat/fields/base-fields.yml
deleted file mode 100755
index 43a1d989b7..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/threat/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: sentinel_one.threat
-- name: event.module
- type: constant_keyword
- description: Event module
- value: sentinel_one
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/sentinel_one/0.1.0/data_stream/threat/fields/ecs.yml b/packages/sentinel_one/0.1.0/data_stream/threat/fields/ecs.yml
deleted file mode 100755
index 2d2f962a39..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/threat/fields/ecs.yml
+++ /dev/null
@@ -1,137 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: City name. - name: host.geo.city_name - type: keyword -- description: Name of the continent. - name: host.geo.continent_name - type: keyword -- description: Country ISO code. - name: host.geo.country_iso_code - type: keyword -- description: Country name. - name: host.geo.country_name - type: keyword -- description: Longitude and latitude. - name: host.geo.location - type: geo_point -- description: Region ISO code. - name: host.geo.region_iso_code - type: keyword -- description: Region name. - name: host.geo.region_name - type: keyword -- description: |- - Use the `os.type` field to categorize the operating system into one of the broad commercial families. - One of these following values should be used (lowercase): linux, macos, unix, windows. 
- If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. - name: host.os.type - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: Observer version. - name: observer.version - type: keyword -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. - name: threat.framework - type: keyword -- description: |- - File extension, excluding the leading dot. - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: threat.indicator.file.extension - type: keyword -- description: MD5 hash. 
- name: threat.indicator.file.hash.md5 - type: keyword -- description: SHA1 hash. - name: threat.indicator.file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.file.path - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: threat.indicator.file.size - type: long -- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) - name: threat.tactic.id - type: keyword -- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) - name: threat.tactic.name - type: keyword -- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - name: threat.technique.id - type: keyword -- description: The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) - name: threat.technique.reference - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/sentinel_one/0.1.0/data_stream/threat/fields/fields.yml b/packages/sentinel_one/0.1.0/data_stream/threat/fields/fields.yml deleted file mode 100755 index 8466924293..0000000000 --- a/packages/sentinel_one/0.1.0/data_stream/threat/fields/fields.yml +++ /dev/null 
@@ -1,462 +0,0 @@
-- name: sentinel_one.threat
- type: group
- fields:
- - name: agent
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: id
- type: keyword
- description: Account id.
- - name: name
- type: keyword
- description: Account name.
- - name: active_threats
- type: long
- description: Active threats.
- - name: decommissioned_at
- type: boolean
- description: Decommissioned at.
- - name: group
- type: group
- fields:
- - name: id
- type: keyword
- description: Group id.
- - name: name
- type: keyword
- description: Group name.
- - name: infected
- type: boolean
- description: Agent infected.
- - name: is_active
- type: boolean
- description: Is active.
- - name: is_decommissioned
- type: boolean
- description: Is decommissioned.
- - name: machine_type
- type: keyword
- description: Machine type.
- - name: mitigation_mode
- type: keyword
- description: Agent mitigation mode policy.
- - name: network_interface
- type: group
- fields:
- - name: id
- type: keyword
- description: Device's network interfaces id.
- - name: inet
- type: keyword
- description: Device's network interfaces IPv4 addresses.
- - name: inet6
- type: keyword
- description: Device's network interfaces IPv6 addresses.
- - name: name
- type: keyword
- description: Device's network interfaces IPv4 Name.
- - name: network_status
- type: keyword
- description: Network status.
- - name: operational_state
- type: keyword
- description: Agent operational state.
- - name: os
- type: group
- fields:
- - name: version
- type: keyword
- description: OS revision.
- - name: reboot_required
- type: boolean
- description: A reboot is required on the endpoint for at least one acton on the threat.
- - name: scan
- type: group
- fields:
- - name: aborted_at
- type: keyword
- description: Abort time of last scan (if applicable).
- - name: finished_at
- type: keyword
- description: Finish time of last scan (if applicable).
- - name: started_at
- type: keyword
- description: Start time of last scan.
- - name: status
- type: keyword
- description: Scan status.
- - name: site
- type: group
- fields:
- - name: id
- type: keyword
- description: Site id.
- - name: name
- type: keyword
- description: Site name.
- - name: storage
- type: group
- fields:
- - name: name
- type: keyword
- description: Storage Name.
- - name: type
- type: keyword
- description: Storage Type.
- - name: user_action_needed
- type: keyword
- description: 'A list of pending user actions. List items possible values: "none, reboot_needed, user_acton_needed, upgrade_needed, incompatible_os, unprotected, user_acton_needed_fda, user_acton_needed_rs_fda,user_acton_needed_network, rebootless_without_dynamic_detection, extended_exclusions_partially_accepted, user_action_needed_bluetooth_per".'
- - name: uuid
- type: keyword
- description: UUID.
- - name: analysis
- type: group
- fields:
- - name: description
- type: keyword
- description: Analyst verdict description.
- - name: verdict
- type: keyword
- description: Analyst verdict.
- - name: automatically_resolved
- type: boolean
- description: Automatically resolved.
- - name: browser_type
- type: keyword
- description: Browser type.
- - name: certificate
- type: group
- fields:
- - name: id
- type: keyword
- description: File Certificate ID.
- - name: classification
- type: keyword
- description: Classification of the threat.
- - name: classification_source
- type: keyword
- description: Source of the threat Classification.
- - name: cloudfiles_hash_verdict
- type: keyword
- description: Cloud files hash verdict.
- - name: collection
- type: group
- fields:
- - name: id
- type: keyword
- description: Collection id.
- - name: confidence_level
- type: keyword
- description: SentinelOne threat confidence level.
- - name: container
- type: group
- fields:
- - name: labels
- type: keyword
- description: Container labels.
- - name: created_at
- type: date
- description: Timestamp of date creation in the Management Console.
- - name: detection
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: id
- type: keyword
- description: Orig account id.
- - name: name
- type: keyword
- description: Orig account name.
- - name: agent
- type: group
- fields:
- - name: domain
- type: keyword
- description: Network domain.
- - name: group
- type: group
- fields:
- - name: id
- type: keyword
- description: Orig group id.
- - name: name
- type: keyword
- description: Orig group name.
- - name: ipv4
- type: ip
- description: Orig agent ipv4.
- - name: ipv6
- type: ip
- description: Orig agent ipv6.
- - name: last_logged_in
- type: group
- fields:
- - name: upn
- type: keyword
- description: UPN of last logged in user.
- - name: mitigation_mode
- type: keyword
- description: Agent mitigation mode policy.
- - name: os
- type: group
- fields:
- - name: name
- type: keyword
- description: Orig agent OS name.
- - name: version
- type: keyword
- description: Orig agent OS revision.
- - name: registered_at
- type: date
- description: Time of first registration to management console.
- - name: site
- type: group
- fields:
- - name: id
- type: keyword
- description: Orig site id.
- - name: name
- type: keyword
- description: Orig site name.
- - name: uuid
- type: keyword
- description: UUID of the agent.
- - name: version
- type: keyword
- description: Orig agent version.
- - name: cloud_providers
- type: flattened
- description: Cloud providers for this agent.
- - name: engines
- type: group
- fields:
- - name: key
- type: keyword
- description: List of engines that detected the threat key.
- - name: title
- type: keyword
- description: List of engines that detected the threat title.
- - name: state
- type: keyword
- description: The Agent's detection state at time of detection.
- - name: type
- type: keyword
- description: Detection type.
- - name: engines
- type: keyword
- description: List of engines that detected the threat.
- - name: external_ticket
- type: group
- fields:
- - name: exist
- type: boolean
- description: External ticket exists.
- - name: id
- type: keyword
- description: External ticket id.
- - name: failed_actions
- type: boolean
- description: At least one action failed on the threat.
- - name: file
- type: group
- fields:
- - name: extension
- type: group
- fields:
- - name: type
- type: keyword
- description: File extension type.
- - name: identified_at
- type: keyword
- description: Identified at.
- - name: verification_type
- type: keyword
- description: File verification type.
- - name: id
- type: keyword
- description: Threat id.
- - name: incident
- type: group
- fields:
- - name: status
- type: keyword
- description: Incident status.
- - name: status_description
- type: keyword
- description: Incident status description.
- - name: indicators
- type: group
- fields:
- - name: category
- type: group
- fields:
- - name: id
- type: long
- description: Indicators Category Id.
- - name: name
- type: keyword
- description: Indicators Category Name.
- - name: description
- type: keyword
- description: Indicators Description.
- - name: initiated
- type: group
- fields:
- - name: description
- type: keyword
- description: Initiated by description.
- - name: name
- type: keyword
- description: Source of threat.
- - name: initiating_user
- type: group
- fields:
- - name: id
- type: keyword
- description: Initiating user id.
- - name: name
- type: keyword
- description: Initiating user username.
- - name: is_fileless
- type: boolean
- description: Is fileless.
- - name: is_valid_certificate
- type: boolean
- description: True if the certificate is valid.
- - name: kubernetes
- type: group
- fields:
- - name: cluster
- type: keyword
- description: Cluster.
- - name: controller
- type: group
- fields:
- - name: kind
- type: keyword
- description: Controller kind.
- - name: labels
- type: keyword
- description: Controller labels.
- - name: name
- type: keyword
- description: Controller name.
- - name: namespace
- type: group
- fields:
- - name: labels
- type: keyword
- description: Namespace labels.
- - name: name
- type: keyword
- description: Namespace name.
- - name: node
- type: keyword
- description: Node.
- - name: pod
- type: group
- fields:
- - name: labels
- type: keyword
- description: Pod labels.
- - name: name
- type: keyword
- description: Pod name.
- - name: malicious_process_arguments
- type: keyword
- description: Malicious process arguments.
- - name: mitigated_preemptively
- type: boolean
- description: True is the threat was blocked before execution.
- - name: mitigation
- type: group
- fields:
- - name: description
- type: keyword
- description: Mitigation status description.
- - name: status
- type: keyword
- description: Mitigation status.
- - name: mitigation_status
- type: group
- fields:
- - name: action
- type: keyword
- description: Action.
- - name: action_counters
- type: group
- fields:
- - name: failed
- type: long
- description: Actions counters Failed.
- - name: not_found
- type: long
- description: Actions counters Not found.
- - name: pending_reboot
- type: long
- description: Actions counters Pending reboot.
- - name: success
- type: long
- description: Actions counters Success.
- - name: total
- type: long
- description: Actions counters Total.
- - name: agent_supports_report
- type: keyword
- description: The Agent generates a full mitigation report.
- - name: group_not_found
- type: keyword
- description: Agent could not find the threat.
- - name: last_update
- type: keyword
- description: Timestamp of last mitigation status update.
- - name: latest_report
- type: keyword
- description: Report download URL. If None, there is no report.
- - name: mitigation_ended_at
- type: keyword
- description: The time the Agent finished the mitigation.
- - name: mitigation_started_at
- type: keyword
- description: The time the Agent started the mitigation.
- - name: status
- type: keyword
- description: Status.
- - name: name
- type: keyword
- description: Threat name.
- - name: originator_process
- type: keyword
- description: Originator process.
- - name: pending_actions
- type: boolean
- description: At least one action is pending on the threat.
- - name: process_user
- type: keyword
- description: Process user.
- - name: publisher
- type: group
- fields:
- - name: name
- type: keyword
- description: Certificate publisher.
- - name: reached_events_limit
- type: boolean
- description: Has number of OS events for this threat reached the limit, resulting in a partial attack storyline.
- - name: reboot_required
- type: boolean
- description: A reboot is required on the endpoint for at least one threat.
- - name: storyline
- type: keyword
- description: Storyline identifier from agent.
- - name: threat_id
- type: keyword
- description: Threat id.
- - name: whitening_option
- type: keyword
- description: Whitening options.
diff --git a/packages/sentinel_one/0.1.0/data_stream/threat/manifest.yml b/packages/sentinel_one/0.1.0/data_stream/threat/manifest.yml
deleted file mode 100755
index 5dcd6795cd..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/threat/manifest.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: Collect Threat logs from SentinelOne
-type: logs
-streams:
- - input: httpjson
- title: Threat logs
- description: Collect threat logs from SentinelOne.
- template_path: httpjson.yml.hbs
- vars:
- - name: initial_interval
- type: text
- title: Initial Interval
- description: How far back to pull the threats from SentinelOne.
- multi: false
- required: true
- show_user: true
- default: 24h
- - name: interval
- type: text
- title: Interval
- description: Duration between requests to the SentinelOne API.
- default: 5m
- multi: false
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - sentinel_one-threat
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/sentinel_one/0.1.0/data_stream/threat/sample_event.json b/packages/sentinel_one/0.1.0/data_stream/threat/sample_event.json
deleted file mode 100755
index 1679d543d9..0000000000
--- a/packages/sentinel_one/0.1.0/data_stream/threat/sample_event.json
+++ /dev/null
@@ -1,264 +0,0 @@ -{ - "@timestamp": "2022-04-06T08:54:17.194Z", - "agent": { - "ephemeral_id": "eb3774ca-88e6-42f1-a7de-e4f5d910a8f4", - "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.3" - }, - "data_stream": { - "dataset": "sentinel_one.threat", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d", - "snapshot": false, - "version": "8.1.3" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "malware" - ], - "created": "2022-05-09T12:56:37.374Z", - "dataset": "sentinel_one.threat", - "ingested": "2022-05-09T12:56:40Z", - "kind": "event", - "original": "{\"agentDetectionInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.0.1\",\"agentIpV6\":\"XX80::7X59:X6X9:9X72:XXXX\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-06T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\"},\"agentRealtimeInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activeThreats\":7,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"X2:0X:0X:X6:00:XX\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectionEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne 
Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}", - "type": [ - "info" - ] - }, - "host": { - "domain": "WORKGROUP", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "id": "1234567890123456789", - "ip": "81.2.69.143", - "mac": [ - "X2-0X-0X-X6-00-XX" - ], - "name": "test-LINUX", - "os": { - "name": "linux", - "type": "linux" - } - }, - "input": { - "type": "httpjson" - }, - "observer": { - "version": "21.x.x.1234" - }, - "related": { - "hash": [ - "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" - ], - "hosts": [ - "test-LINUX" - ], - "ip": [ - "10.0.0.1", - "81.2.69.143", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "user": [ - "test user" - ] - }, - "sentinel_one": { - "threat": { - "agent": { - 
"account": { - "id": "1234567890123456789", - "name": "Default" - }, - "active_threats": 7, - "group": { - "id": "1234567890123456789", - "name": "Default Group" - }, - "infected": true, - "is_active": true, - "is_decommissioned": false, - "machine_type": "server", - "mitigation_mode": "detect", - "network_interface": [ - { - "id": "1234567890123456789", - "inet": [ - "10.0.0.1" - ], - "inet6": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "name": "Ethernet" - } - ], - "network_status": "connected", - "operational_state": "na", - "os": { - "version": "1234" - }, - "reboot_required": false, - "scan": { - "finished_at": "2022-04-06T09:18:21.090Z", - "started_at": "2022-04-06T08:26:52.838Z", - "status": "finished" - }, - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, - "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx" - }, - "analysis": { - "description": "Undefined", - "verdict": "undefined" - }, - "automatically_resolved": false, - "classification": "Trojan", - "classification_source": "Cloud", - "cloudfiles_hash_verdict": "black", - "collection": { - "id": "1234567890123456789" - }, - "confidence_level": "malicious", - "created_at": "2022-04-06T08:45:54.519Z", - "detection": { - "account": { - "id": "1234567890123456789", - "name": "Default" - }, - "agent": { - "domain": "WORKGROUP", - "group": { - "id": "1234567890123456789", - "name": "Default Group" - }, - "ipv4": "10.0.0.1", - "mitigation_mode": "protect", - "os": { - "name": "linux", - "version": "1234" - }, - "registered_at": "2022-04-06T08:26:45.515Z", - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, - "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", - "version": "21.x.x" - }, - "engines": [ - { - "key": "sentinelone_cloud", - "title": "SentinelOne Cloud" - } - ], - "type": "static" - }, - "engines": [ - "SentinelOne Cloud" - ], - "external_ticket": { - "exist": false - }, - "failed_actions": false, - "file": { - "extension": { - "type": "Executable" - }, - 
"identified_at": "2022-04-06T08:45:53.968Z", - "verification_type": "NotSigned" - }, - "id": "1234567890123456789", - "incident": { - "status": "unresolved", - "status_description": "Unresolved" - }, - "initiated": { - "description": "Agent Policy", - "name": "agent_policy" - }, - "is_fileless": false, - "is_valid_certificate": false, - "mitigated_preemptively": false, - "mitigation": { - "description": "Not mitigated", - "status": "not_mitigated" - }, - "mitigation_status": [ - { - "action": "unquarantine", - "action_counters": { - "failed": 0, - "not_found": 0, - "pending_reboot": 0, - "success": 1, - "total": 1 - }, - "agent_supports_report": true, - "group_not_found": false, - "last_update": "2022-04-06T08:54:17.198Z", - "latest_report": "/threats/mitigation-report", - "mitigation_ended_at": "2022-04-06T08:54:17.101Z", - "mitigation_started_at": "2022-04-06T08:54:17.101Z", - "status": "success" - }, - { - "action": "kill", - "agent_supports_report": true, - "group_not_found": false, - "last_update": "2022-04-06T08:45:55.303Z", - "mitigation_ended_at": "2022-04-06T08:45:55.297Z", - "mitigation_started_at": "2022-04-06T08:45:55.297Z", - "status": "success" - } - ], - "name": "default.exe", - "originator_process": "default.exe", - "pending_actions": false, - "process_user": "test user", - "reached_events_limit": false, - "reboot_required": false, - "storyline": "D0XXXXXXXXXXAF4D", - "threat_id": "1234567890123456789", - "whitening_option": [ - "hash" - ] - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-threat" - ], - "threat": { - "indicator": { - "file": { - "extension": "EXE", - "hash": { - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" - }, - "path": "default.exe", - "size": 1234 - } - } - } -} \ No newline at end of file diff --git a/packages/sentinel_one/0.1.0/docs/README.md b/packages/sentinel_one/0.1.0/docs/README.md deleted file mode 100755 index 1e4ff524d5..0000000000 
--- a/packages/sentinel_one/0.1.0/docs/README.md +++ /dev/null 
@@ -1,1658 +0,0 @@
-# SentinelOne
-
-The [SentinelOne](https://www.sentinelone.com/) integration collects and parses data from SentinelOne REST APIs.
-
-## Compatibility
-
-This module has been tested against `SentinelOne Management Console API version 2.1`.
-
-## To collect data from SentinelOne APIs, user must have API Token. To create API token follow below steps:
-
- 1. Log in to the **SentinelOne Management Console** as an **Admin**.
- ![SentinelOne dashboards](../img/sentinel-one-dashboard.png)
- 2. Navigate to **Logged User Account** from top right panel in navigation bar.
- 3. Click **My User**.
- 4. In the API token section, click **Generate**.
- ![SentinelOne generate API token ](../img/sentinel-one-api-token-generate.png)
-
-## Note
-
-The API token generated by user is time-limited. To rotate a new token login with the dedicated admin account.
-
-## Logs
-
-### activity
-
-This is the `activity` dataset.
-
-An example event for `activity` looks as following:
-
-```json
-{
- "@timestamp": "2022-04-05T16:01:56.995Z",
- "agent": {
- "ephemeral_id": "f2ec0399-ee92-4b20-8a43-508d761cfc8b",
- "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.1.3"
- },
- "data_stream": {
- "dataset": "sentinel_one.activity",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d",
- "snapshot": false,
- "version": "8.1.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "malware"
- ],
- "created": "2022-05-09T12:53:01.467Z",
- "dataset": "sentinel_one.activity",
- "ingested": "2022-05-09T12:53:02Z",
- "kind": "event",
- "original":
"{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activityType\":1234,\"agentId\":null,\"agentUpdatedVersion\":null,\"comments\":null,\"createdAt\":\"2022-04-05T16:01:56.995120Z\",\"data\":{\"accountId\":1234567890123456800,\"accountName\":\"Default\",\"fullScopeDetails\":\"Account Default\",\"fullScopeDetailsPath\":\"test/path\",\"groupName\":null,\"scopeLevel\":\"Account\",\"scopeName\":\"Default\",\"siteName\":null,\"username\":\"test user\"},\"description\":null,\"groupId\":null,\"groupName\":null,\"hash\":null,\"id\":\"1234567890123456789\",\"osFamily\":null,\"primaryDescription\":\"created Default account.\",\"secondaryDescription\":null,\"siteId\":null,\"siteName\":null,\"threatId\":null,\"updatedAt\":\"2022-04-05T16:01:56.992136Z\",\"userId\":\"1234567890123456789\"}", - "type": [ - "info" - ] - }, - "input": { - "type": "httpjson" - }, - "related": { - "user": [ - "test user" - ] - }, - "sentinel_one": { - "activity": { - "account": { - "id": "1234567890123456789", - "name": "Default" - }, - "data": { - "account": { - "id": "1234567890123456800", - "name": "Default" - }, - "fullscope": { - "details": "Account Default", - "details_path": "test/path" - }, - "scope": { - "level": "Account", - "name": "Default" - } - }, - "description": { - "primary": "created Default account." - }, - "id": "1234567890123456789", - "type": 1234, - "updated_at": "2022-04-05T16:01:56.992Z" - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-activity" - ], - "user": { - "full_name": "test user", - "id": "1234567890123456789" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.location | Longitude and latitude. | geo_point | -| host.geo.region_iso_code | Region ISO code. | keyword | -| host.geo.region_name | Region name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| observer.version | Observer version. | keyword | -| os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| process.hash.sha1 | SHA1 hash. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| sentinel_one.activity.account.id | Related account ID (if applicable). 
| keyword | -| sentinel_one.activity.account.name | Related account name (if applicable). | keyword | -| sentinel_one.activity.agent.id | Related agent (if applicable). | keyword | -| sentinel_one.activity.comments | Comments. | keyword | -| sentinel_one.activity.data.account.id | Related account ID (if applicable). | keyword | -| sentinel_one.activity.data.account.name | Related account name (if applicable). | keyword | -| sentinel_one.activity.data.attr | Attribute. | keyword | -| sentinel_one.activity.data.changed_keys | Changed keys. | keyword | -| sentinel_one.activity.data.confidence.level | Confidence level. | keyword | -| sentinel_one.activity.data.created_at | Created time. | date | -| sentinel_one.activity.data.description | Description. | keyword | -| sentinel_one.activity.data.downloaded.url | Downloaded URL. | keyword | -| sentinel_one.activity.data.flattened | Extra activity specific data. | flattened | -| sentinel_one.activity.data.fullscope.details | fullscope details. | keyword | -| sentinel_one.activity.data.fullscope.details_path | fullscope details path. | keyword | -| sentinel_one.activity.data.global.status | Global status. | keyword | -| sentinel_one.activity.data.group | Related group (if applicable). | keyword | -| sentinel_one.activity.data.group_name | Related group name (if applicable). | keyword | -| sentinel_one.activity.data.malicious.process.arguments | Malicious process arguments. | keyword | -| sentinel_one.activity.data.new.confidence_level | New confidence level. | keyword | -| sentinel_one.activity.data.new.status | Status. | keyword | -| sentinel_one.activity.data.new.value | Value. | boolean | -| sentinel_one.activity.data.old.confidence_level | Old confidence level. | keyword | -| sentinel_one.activity.data.optionals_groups | Optionals groups. | keyword | -| sentinel_one.activity.data.original.status | Original status. | keyword | -| sentinel_one.activity.data.policy | Policy. 
| flattened | -| sentinel_one.activity.data.policy_name | Policy name. | keyword | -| sentinel_one.activity.data.reason | Reason. | keyword | -| sentinel_one.activity.data.role | Role. | keyword | -| sentinel_one.activity.data.role_name | Role name. | keyword | -| sentinel_one.activity.data.scope.level | Scope Level. | keyword | -| sentinel_one.activity.data.scope.name | Scope name. | keyword | -| sentinel_one.activity.data.scope_level.name | Scope level name. | keyword | -| sentinel_one.activity.data.site.name | Related site name (if applicable). | keyword | -| sentinel_one.activity.data.source | Source. | keyword | -| sentinel_one.activity.data.status | Status. | keyword | -| sentinel_one.activity.data.system | System. | boolean | -| sentinel_one.activity.data.threat.classification.name | Threat classification name. | keyword | -| sentinel_one.activity.data.threat.classification.source | Threat classification source. | keyword | -| sentinel_one.activity.data.user.name | User name. | keyword | -| sentinel_one.activity.data.user.scope | User scope. | keyword | -| sentinel_one.activity.data.uuid | UUID. | keyword | -| sentinel_one.activity.description.primary | Primary description. | keyword | -| sentinel_one.activity.description.secondary | Secondary description. | keyword | -| sentinel_one.activity.id | Activity ID. | keyword | -| sentinel_one.activity.site.id | Related site ID (if applicable). | keyword | -| sentinel_one.activity.site.name | Related site name (if applicable). | keyword | -| sentinel_one.activity.threat.id | Related threat ID (if applicable). | keyword | -| sentinel_one.activity.type | Activity type. | long | -| sentinel_one.activity.updated_at | Activity last updated time (UTC). | date | -| tags | List of keywords used to tag each event. | keyword | -| user.email | User email address. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. 
| match_only_text | -| user.group.id | Unique identifier for the group on the system/platform. | keyword | -| user.group.name | Name of the group. | keyword | -| user.id | Unique identifier of the user. | keyword | - - -### agent - -This is the `agent` dataset. - -An example event for `agent` looks as following: - -```json -{ - "@timestamp": "2022-04-07T08:31:47.481Z", - "agent": { - "ephemeral_id": "4ae89055-8911-4591-a3f2-0213bdb1a131", - "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.3" - }, - "data_stream": { - "dataset": "sentinel_one.agent", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d", - "snapshot": false, - "version": "8.1.3" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "host" - ], - "created": "2022-05-09T12:53:53.924Z", - "dataset": "sentinel_one.agent", - "ingested": "2022-05-09T12:53:57Z", - "kind": "event", - "original": "{\"accountId\":\"12345123451234512345\",\"accountName\":\"Account Name\",\"activeDirectory\":{\"computerDistinguishedName\":null,\"computerMemberOf\":[],\"lastUserDistinguishedName\":null,\"lastUserMemberOf\":[]},\"activeThreats\":7,\"agentVersion\":\"12.x.x.x\",\"allowRemoteShell\":true,\"appsVulnerabilityStatus\":\"not_applicable\",\"cloudProviders\":{},\"computerName\":\"user-test\",\"consoleMigrationStatus\":\"N/A\",\"coreCount\":2,\"cpuCount\":2,\"cpuId\":\"CPU Name\",\"createdAt\":\"2022-03-18T09:12:00.519500Z\",\"detectionState\":null,\"domain\":\"WORKGROUP\",\"encryptedApplications\":false,\"externalId\":\"\",\"externalIp\":\"81.2.69.143\",\"firewallEnabled\":true,\"firstFullModeTime\":null,\"groupId\":\"1234567890123456789\",\"groupIp\":\"81.2.69.x\",\"groupName\":\"Default 
Group\",\"id\":\"13491234512345\",\"inRemoteShellSession\":false,\"infected\":true,\"installerType\":\".msi\",\"isActive\":true,\"isDecommissioned\":false,\"isPendingUninstall\":false,\"isUninstalled\":false,\"isUpToDate\":true,\"lastActiveDate\":\"2022-03-17T09:51:28.506000Z\",\"lastIpToMgmt\":\"81.2.69.145\",\"lastLoggedInUserName\":\"\",\"licenseKey\":\"\",\"locationEnabled\":true,\"locationType\":\"not_applicable\",\"locations\":null,\"machineType\":\"server\",\"mitigationMode\":\"detect\",\"mitigationModeSuspicious\":\"detect\",\"modelName\":\"Compute Engine\",\"networkInterfaces\":[{\"gatewayIp\":\"81.2.69.145\",\"gatewayMacAddress\":\"00-00-5E-00-53-00\",\"id\":\"1234567890123456789\",\"inet\":[\"81.2.69.144\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"00-00-5E-00-53-00\"}],\"networkQuarantineEnabled\":false,\"networkStatus\":\"connected\",\"operationalState\":\"na\",\"operationalStateExpiration\":null,\"osArch\":\"64 bit\",\"osName\":\"Linux Server\",\"osRevision\":\"1234\",\"osStartTime\":\"2022-04-06T08:27:14Z\",\"osType\":\"linux\",\"osUsername\":null,\"rangerStatus\":\"Enabled\",\"rangerVersion\":\"21.x.x.x\",\"registeredAt\":\"2022-04-06T08:26:45.515278Z\",\"remoteProfilingState\":\"disabled\",\"remoteProfilingStateExpiration\":null,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default site\",\"storageName\":null,\"storageType\":null,\"tags\":{\"sentinelone\":[{\"assignedAt\":\"2018-02-27T04:49:26.257525Z\",\"assignedBy\":\"test-user\",\"assignedById\":\"123456789012345678\",\"id\":\"123456789012345678\",\"key\":\"key123\",\"value\":\"value123\"}]},\"threatRebootRequired\":false,\"totalMemory\":1234,\"updatedAt\":\"2022-04-07T08:31:47.481227Z\",\"userActionsNeeded\":[\"reboot_needed\"],\"uuid\":\"XXX35XXX8Xfb4aX0X1X8X12X343X8X30\"}", - "type": [ - 
"info" - ] - }, - "group": { - "id": "1234567890123456789", - "name": "Default Group" - }, - "host": { - "domain": "WORKGROUP", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "id": "13491234512345", - "ip": "81.2.69.143", - "mac": [ - "00-00-5E-00-53-00" - ], - "name": "user-test", - "os": { - "name": "Linux Server", - "type": "linux", - "version": "1234" - } - }, - "input": { - "type": "httpjson" - }, - "observer": { - "version": "12.x.x.x" - }, - "related": { - "hosts": [ - "user-test", - "WORKGROUP" - ], - "ip": [ - "81.2.69.143", - "81.2.69.145", - "81.2.69.144", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ] - }, - "sentinel_one": { - "agent": { - "account": { - "id": "12345123451234512345", - "name": "Account Name" - }, - "active_threats_count": 7, - "allow_remote_shell": true, - "apps_vulnerability_status": "not_applicable", - "console_migration_status": "N/A", - "core": { - "count": 2 - }, - "cpu": { - "count": 2, - "id": "CPU Name" - }, - "created_at": "2022-03-18T09:12:00.519Z", - "encrypted_application": false, - "firewall_enabled": true, - "group": { - "ip": "81.2.69.x" - }, - "in_remote_shell_session": false, - "infected": true, - "installer_type": ".msi", - "is_active": true, - "is_decommissioned": false, - "is_pending_uninstall": false, - "is_uninstalled": false, - "is_up_to_date": true, - "last_active_date": "2022-03-17T09:51:28.506Z", - "last_ip_to_mgmt": "81.2.69.145", - "location": { - "enabled": true, - "type": "not_applicable" - }, - "machine": { - "type": "server" - }, - "mitigation_mode": "detect", - "mitigation_mode_suspicious": "detect", - "model_name": "Compute Engine", - "network_interfaces": [ - { - "gateway": { - "ip": "81.2.69.145", - "mac": "00-00-5E-00-53-00" - }, - "id": "1234567890123456789", - "inet": [ - "81.2.69.144" - ], - 
"inet6": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "name": "Ethernet" - } - ], - "network_quarantine_enabled": false, - "network_status": "connected", - "operational_state": "na", - "os": { - "arch": "64 bit", - "start_time": "2022-04-06T08:27:14.000Z" - }, - "ranger": { - "status": "Enabled", - "version": "21.x.x.x" - }, - "registered_at": "2022-04-06T08:26:45.515Z", - "remote_profiling_state": "disabled", - "scan": { - "finished_at": "2022-04-06T09:18:21.090Z", - "started_at": "2022-04-06T08:26:52.838Z", - "status": "finished" - }, - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, - "tags": [ - { - "assigned_at": "2018-02-27T04:49:26.257Z", - "assigned_by": "test-user", - "assigned_by_id": "123456789012345678", - "id": "123456789012345678", - "key": "key123", - "value": "value123" - } - ], - "threat_reboot_required": false, - "total_memory": 1234, - "user_action_needed": [ - "reboot_needed" - ], - "uuid": "XXX35XXX8Xfb4aX0X1X8X12X343X8X30" - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-agent" - ] -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | -| event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.location | Longitude and latitude. | geo_point | -| host.geo.region_iso_code | Region ISO code. | keyword | -| host.geo.region_name | Region name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. 
Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| observer.version | Observer version. | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| sentinel_one.agent.account.id | A reference to the containing account. | keyword | -| sentinel_one.agent.account.name | Name of the containing account. | keyword | -| sentinel_one.agent.active_directory.computer.member_of | Computer member of. | keyword | -| sentinel_one.agent.active_directory.computer.name | Computer distinguished name. | keyword | -| sentinel_one.agent.active_directory.last_user.distinguished_name | Last user distinguished name. | keyword | -| sentinel_one.agent.active_directory.last_user.member_of | Last user member of. | keyword | -| sentinel_one.agent.active_directory.mail | Mail. | keyword | -| sentinel_one.agent.active_directory.user.principal_name | User principal name. | keyword | -| sentinel_one.agent.active_threats_count | Current number of active threats. | long | -| sentinel_one.agent.allow_remote_shell | Agent is capable and policy enabled for remote shell. | boolean | -| sentinel_one.agent.apps_vulnerability_status | Apps vulnerability status. | keyword | -| sentinel_one.agent.cloud_provider | Cloud providers for this agent. 
| flattened | -| sentinel_one.agent.console_migration_status | What step the agent is at in the process of migrating to another console, if any. | keyword | -| sentinel_one.agent.core.count | CPU cores. | long | -| sentinel_one.agent.cpu.count | Number of CPUs. | long | -| sentinel_one.agent.cpu.id | CPU model. | keyword | -| sentinel_one.agent.created_at | Created at. | date | -| sentinel_one.agent.detection_state | Detection State. | keyword | -| sentinel_one.agent.encrypted_application | Disk encryption status. | boolean | -| sentinel_one.agent.external.id | External ID set by customer. | keyword | -| sentinel_one.agent.firewall_enabled | Firewall enabled. | boolean | -| sentinel_one.agent.first_full_mode_time | Date of the first time the Agent moved to full or slim detection modes. | date | -| sentinel_one.agent.group.ip | Group subnet address. | keyword | -| sentinel_one.agent.group.updated_at | Group updated at. | date | -| sentinel_one.agent.in_remote_shell_session | Is the Agent in a remote shell session. | boolean | -| sentinel_one.agent.infected | Indicates if the Agent has active threats. | boolean | -| sentinel_one.agent.installer_type | Installer package type (file extension). | keyword | -| sentinel_one.agent.is_active | Indicates if the agent was recently active. | boolean | -| sentinel_one.agent.is_decommissioned | Is Agent decommissioned. | boolean | -| sentinel_one.agent.is_pending_uninstall | Agent with a pending uninstall request. | boolean | -| sentinel_one.agent.is_uninstalled | Indicates if Agent was removed from the device. | boolean | -| sentinel_one.agent.is_up_to_date | Indicates if the agent version is up to date. | boolean | -| sentinel_one.agent.last_active_date | Last active date. | date | -| sentinel_one.agent.last_ip_to_mgmt | The last IP used to connect to the Management console. | ip | -| sentinel_one.agent.last_logged_in_user_name | Last logged in user name. | keyword | -| sentinel_one.agent.license.key | License key. 
| keyword |
-| sentinel_one.agent.location.enabled | Location enabled. | boolean |
-| sentinel_one.agent.location.type | Reported location type. | keyword |
-| sentinel_one.agent.locations.id | Location ID. | keyword |
-| sentinel_one.agent.locations.name | Location name. | keyword |
-| sentinel_one.agent.locations.scope | Location scope. | keyword |
-| sentinel_one.agent.machine.type | Machine type. | keyword |
-| sentinel_one.agent.mitigation_mode | Agent mitigation mode policy. | keyword |
-| sentinel_one.agent.mitigation_mode_suspicious | Mitigation mode policy for suspicious activity. | keyword |
-| sentinel_one.agent.model_name | Device model. | keyword |
-| sentinel_one.agent.network_interfaces.gateway.ip | The default gateway ip. | ip |
-| sentinel_one.agent.network_interfaces.gateway.mac | The default gateway mac address. | keyword |
-| sentinel_one.agent.network_interfaces.id | Id. | keyword |
-| sentinel_one.agent.network_interfaces.inet | IPv4 addresses. | ip |
-| sentinel_one.agent.network_interfaces.inet6 | IPv6 addresses. | ip |
-| sentinel_one.agent.network_interfaces.name | Name. | keyword |
-| sentinel_one.agent.network_quarantine_enabled | Network quarantine enabled. | boolean |
-| sentinel_one.agent.network_status | Agent's network connectivity status. | keyword |
-| sentinel_one.agent.operational_state | Agent operational state. | keyword |
-| sentinel_one.agent.operational_state_expiration | Agent operational state expiration. | keyword |
-| sentinel_one.agent.os.arch | OS architecture. | keyword |
-| sentinel_one.agent.os.start_time | Last boot time. | date |
-| sentinel_one.agent.policy.updated_at | Policy updated at. | date |
-| sentinel_one.agent.ranger.status | Is Agent disabled as a Ranger. | keyword |
-| sentinel_one.agent.ranger.version | The version of Ranger. | keyword |
-| sentinel_one.agent.registered_at | Time of first registration to management console (similar to createdAt).
| date |
-| sentinel_one.agent.remote_profiling_state | Agent remote profiling state. | keyword |
-| sentinel_one.agent.remote_profiling_state_expiration | Agent remote profiling state expiration in seconds. | keyword |
-| sentinel_one.agent.scan.aborted_at | Abort time of last scan (if applicable). | date |
-| sentinel_one.agent.scan.finished_at | Finish time of last scan (if applicable). | date |
-| sentinel_one.agent.scan.started_at | Start time of last scan. | date |
-| sentinel_one.agent.scan.status | Last scan status. | keyword |
-| sentinel_one.agent.site.id | A reference to the containing site. | keyword |
-| sentinel_one.agent.site.name | Name of the containing site. | keyword |
-| sentinel_one.agent.storage.name | Storage name. | keyword |
-| sentinel_one.agent.storage.type | Storage type. | keyword |
-| sentinel_one.agent.tags.assigned_at | When tag assigned to the agent. | date |
-| sentinel_one.agent.tags.assigned_by | full user name who assigned the tag to the agent. | keyword |
-| sentinel_one.agent.tags.assigned_by_id | User ID who assigned the tag to the agent. | keyword |
-| sentinel_one.agent.tags.id | Tag ID. | keyword |
-| sentinel_one.agent.tags.key | Tag key. | keyword |
-| sentinel_one.agent.tags.value | Tag value. | keyword |
-| sentinel_one.agent.threat_reboot_required | Flag representing if the Agent has at least one threat with at least one mitigation action that is pending reboot to succeed. | boolean |
-| sentinel_one.agent.total_memory | Memory size (MB). | long |
-| sentinel_one.agent.user_action_needed | A list of pending user actions. | keyword |
-| sentinel_one.agent.uuid | Agent's universally unique identifier. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-
-
-### alert
-
-This is the `alert` dataset.
-
-An example event for `alert` looks as following:
-
-```json
-{
- "@timestamp": "2018-02-27T04:49:26.257Z",
- "agent": {
- "ephemeral_id": "85d4ef1b-9fd3-4695-8ba0-0bb951030615",
- "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.1.3"
- },
- "container": {
- "id": "string",
- "image": {
- "name": "string"
- },
- "name": "string"
- },
- "data_stream": {
- "dataset": "sentinel_one.alert",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "0.0.0.0",
- "port": 1234
- },
- "dll": {
- "hash": {
- "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"
- },
- "path": "string"
- },
- "dns": {
- "question": {
- "name": "string"
- }
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d",
- "snapshot": false,
- "version": "8.1.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "malware"
- ],
- "created": "2022-05-09T12:54:49.331Z",
- "dataset": "sentinel_one.alert",
- "id": "123456789123456789",
- "ingested": "2022-05-09T12:54:52Z",
- "kind": "event",
- "original": 
"{\"agentDetectionInfo\":{\"machineType\":\"string\",\"name\":\"string\",\"osFamily\":\"string\",\"osName\":\"string\",\"osRevision\":\"string\",\"siteId\":\"123456789123456789\",\"uuid\":\"string\",\"version\":\"3.x.x.x\"},\"alertInfo\":{\"alertId\":\"123456789123456789\",\"analystVerdict\":\"string\",\"createdAt\":\"2018-02-27T04:49:26.257525Z\",\"dnsRequest\":\"string\",\"dnsResponse\":\"string\",\"dstIp\":\"0.0.0.0\",\"dstPort\":\"1234\",\"dvEventId\":\"string\",\"eventType\":\"string\",\"hitType\":\"Events\",\"incidentStatus\":\"string\",\"indicatorCategory\":\"string\",\"indicatorDescription\":\"string\",\"indicatorName\":\"string\",\"loginAccountDomain\":\"string\",\"loginAccountSid\":\"string\",\"loginIsAdministratorEquivalent\":\"string\",\"loginIsSuccessful\":\"string\",\"loginType\":\"string\",\"loginsUserName\":\"string\",\"modulePath\":\"string\",\"moduleSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"netEventDirection\":\"string\",\"registryKeyPath\":\"string\",\"registryOldValue\":\"string\",\"registryOldValueType\":\"string\",\"registryPath\":\"string\",\"registryValue\":\"string\",\"reportedAt\":\"2018-02-27T04:49:26.257525Z\",\"source\":\"string\",\"srcIp\":\"0.0.0.0\",\"srcMachineIp\":\"0.0.0.0\",\"srcPort\":\"string\",\"tiIndicatorComparisonMethod\":\"string\",\"tiIndicatorSource\":\"string\",\"tiIndicatorType\":\"string\",\"tiIndicatorValue\":\"string\",\"updatedAt\":\"2018-02-27T04:49:26.257525Z\"},\"containerInfo\":{\"id\":\"string\",\"image\":\"string\",\"labels\":\"string\",\"name\":\"string\"},\"kubernetesInfo\":{\"cluster\":\"string\",\"controllerKind\":\"string\",\"controllerLabels\":\"string\",\"controllerName\":\"string\",\"namespace\":\"string\",\"namespaceLabels\":\"string\",\"node\":\"string\",\"pod\":\"string\",\"podLabels\":\"string\"},\"ruleInfo\":{\"description\":\"string\",\"id\":\"string\",\"name\":\"string\",\"scopeLevel\":\"string\",\"severity\":\"Low\",\"treatAsThreat\":\"UNDEFINED\"},\"sourceParentProcessInfo\":{\"com
mandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"sourceProcessInfo\":{\"commandline\":\"string\",\"fileHashMd5\":\"5d41402abc4b2a76b9719d911017c592\",\"fileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"fileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"filePath\":\"string\",\"fileSignerIdentity\":\"string\",\"integrityLevel\":\"unknown\",\"name\":\"string\",\"pid\":\"12345\",\"pidStarttime\":\"2018-02-27T04:49:26.257525Z\",\"storyline\":\"string\",\"subsystem\":\"unknown\",\"uniqueId\":\"string\",\"user\":\"string\"},\"targetProcessInfo\":{\"tgtFileCreatedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileHashSha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"tgtFileHashSha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\",\"tgtFileId\":\"string\",\"tgtFileIsSigned\":\"string\",\"tgtFileModifiedAt\":\"2018-02-27T04:49:26.257525Z\",\"tgtFileOldPath\":\"string\",\"tgtFilePath\":\"string\",\"tgtProcCmdLine\":\"string\",\"tgtProcImagePath\":\"string\",\"tgtProcIntegrityLevel\":\"unknown\",\"tgtProcName\":\"string\",\"tgtProcPid\":\"12345\",\"tgtProcSignedStatus\":\"string\",\"tgtProcStorylineId\":\"string\",\"tgtProcUid\":\"string\",\"tgtProcessStartTime\":\"2018-02-27T04:49:26.257525Z\"}}",
- "type": [
- "info"
- ]
- },
- "file": {
- "created": "2018-02-27T04:49:26.257Z",
- "mtime": "2018-02-27T04:49:26.257Z"
- },
- "host": {
- "ip": "0.0.0.0",
- "name": "string",
- "os": {
- "family": "string",
- "name": "string",
- "version": "string"
- },
- "type": 
"string"
- },
- "input": {
- "type": "httpjson"
- },
- "network": {
- "direction": "string"
- },
- "observer": {
- "serial_number": "string",
- "version": "3.x.x.x"
- },
- "orchestrator": {
- "cluster": {
- "name": "string"
- },
- "namespace": "string"
- },
- "process": {
- "code_signature": {
- "signing_id": "string"
- },
- "command_line": "string",
- "entity_id": "string",
- "executable": "string",
- "hash": {
- "md5": "5d41402abc4b2a76b9719d911017c592",
- "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
- "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
- },
- "name": "string",
- "parent": {
- "code_signature": {
- "signing_id": "string"
- },
- "command_line": "string",
- "entity_id": "string",
- "executable": "string",
- "hash": {
- "md5": "5d41402abc4b2a76b9719d911017c592",
- "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
- "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
- },
- "name": "string",
- "pid": 12345,
- "start": "2018-02-27T04:49:26.257Z",
- "user": {
- "name": "string"
- }
- },
- "pid": 12345,
- "start": "2018-02-27T04:49:26.257Z",
- "user": {
- "name": "string"
- }
- },
- "registry": {
- "key": "string",
- "path": "string",
- "value": "string"
- },
- "related": {
- "hash": [
- "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
- "5d41402abc4b2a76b9719d911017c592",
- "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
- ],
- "hosts": [
- "string"
- ],
- "ip": [
- "0.0.0.0"
- ],
- "user": [
- "string"
- ]
- },
- "rule": {
- "description": "string",
- "id": "string",
- "name": "string"
- },
- "sentinel_one": {
- "alert": {
- "agent": {
- "site_id": "123456789123456789"
- },
- "analyst_verdict": "string",
- "container": {
- "info": {
- "labels": "string"
- }
- },
- "dv_event": {
- "id": "string"
- },
- "info": {
- "dns": {
- "response": "string"
- },
- "event_type": "string",
- "hit": {
- "type": "Events"
- },
- "indicator": {
- "category": "string",
- "description": "string",
- 
"name": "string"
- },
- "login": {
- "account": {
- "sid": "string"
- },
- "is_administrator": "string",
- "is_successful": "string",
- "type": "string"
- },
- "registry": {
- "old_value": "string",
- "old_value_type": "string"
- },
- "reported_at": "2018-02-27T04:49:26.257Z",
- "source": "string",
- "status": "string",
- "ti_indicator": {
- "comparison_method": "string",
- "source": "string",
- "type": "string",
- "value": "string"
- },
- "updated_at": "2018-02-27T04:49:26.257Z"
- },
- "kubernetes": {
- "controller": {
- "kind": "string",
- "labels": "string",
- "name": "string"
- },
- "namespace": {
- "labels": "string"
- },
- "node": "string",
- "pod": {
- "labels": "string",
- "name": "string"
- }
- },
- "process": {
- "integrity_level": "unknown",
- "parent": {
- "integrity_level": "unknown",
- "storyline": "string",
- "subsystem": "unknown"
- },
- "storyline": "string",
- "subsystem": "unknown"
- },
- "rule": {
- "scope_level": "string",
- "severity": "Low",
- "treat_as_threat": "UNDEFINED"
- },
- "target": {
- "process": {
- "file": {
- "hash": {
- "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
- "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
- },
- "id": "string",
- "is_signed": "string",
- "old_path": "string",
- "path": "string"
- },
- "proc": {
- "cmdline": "string",
- "image_path": "string",
- "integrity_level": "unknown",
- "name": "string",
- "pid": 12345,
- "signed_status": "string",
- "storyline_id": "string",
- "uid": "string"
- },
- "start_time": "2018-02-27T04:49:26.257Z"
- }
- }
- }
- },
- "source": {
- "ip": "0.0.0.0"
- },
- "tags": [
- "preserve_original_event",
- "forwarded",
- "sentinel_one-alert"
- ],
- "user": {
- "domain": "string",
- "name": "string"
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment.
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| dll.hash.sha1 | SHA1 hash. | keyword |
-| dll.path | Full file path of the library. | keyword |
-| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
| keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event.
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
-| file.created | File creation time. Note that not all filesystems store the creation time. | date |
-| file.mtime | Last time the file content was modified. | date |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
-| observer.serial_number | Observer serial number. | keyword |
-| observer.version | Observer version. | keyword |
-| orchestrator.cluster.name | Name of the cluster.
| keyword |
-| orchestrator.namespace | Namespace in which the action is taking place. | keyword |
-| os.name | Operating system name, without the version. | keyword |
-| os.name.text | Multi-field of `os.name`. | match_only_text |
-| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
-| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
-| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.executable | Absolute path to the process executable. | keyword |
-| process.executable.text | Multi-field of `process.executable`. | match_only_text |
-| process.hash.md5 | MD5 hash. | keyword |
-| process.hash.sha1 | SHA1 hash. | keyword |
-| process.hash.sha256 | SHA256 hash. | keyword |
-| process.name | Process name. Sometimes called program name or similar. | keyword |
-| process.name.text | Multi-field of `process.name`. | match_only_text |
-| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only.
| keyword |
-| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
-| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
-| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
-| process.parent.executable | Absolute path to the process executable. | keyword |
-| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
-| process.parent.hash.md5 | MD5 hash. | keyword |
-| process.parent.hash.sha1 | SHA1 hash. | keyword |
-| process.parent.hash.sha256 | SHA256 hash. | keyword |
-| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
-| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
-| process.parent.pid | Process id. | long |
-| process.parent.start | The time the process started. | date |
-| process.parent.user.name | Short name or login of the user. | keyword |
-| process.parent.user.name.text | Multi-field of `process.parent.user.name`. | match_only_text |
-| process.pid | Process id. | long |
-| process.start | The time the process started. | date |
-| process.user.name | Short name or login of the user. | keyword |
-| process.user.name.text | Multi-field of `process.user.name`. | match_only_text |
-| registry.key | Hive-relative path of keys.
| keyword |
-| registry.path | Full path, including hive, key and value | keyword |
-| registry.value | Name of the value written. | keyword |
-| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
-| rule.description | The description of the rule generating the event. | keyword |
-| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| sentinel_one.alert.agent.site_id | Site id. | keyword |
-| sentinel_one.alert.analyst_verdict | Analyst verdict. | keyword |
-| sentinel_one.alert.container.info.labels | Container info labels. | keyword |
-| sentinel_one.alert.dv_event.id | DV event id. | keyword |
-| sentinel_one.alert.info.dns.response | IP address, DNS, type, etc. in response. | keyword |
-| sentinel_one.alert.info.event_type | Event type. | keyword |
-| sentinel_one.alert.info.hit.type | Type of hit reported from agent. | keyword |
-| sentinel_one.alert.info.indicator.category | Indicator categories for this process. | keyword |
-| sentinel_one.alert.info.indicator.description | Indicator_description. | keyword |
-| sentinel_one.alert.info.indicator.name | Indicator names for this process.
| keyword |
-| sentinel_one.alert.info.login.account.sid | SID of the account that attempted to login. | keyword |
-| sentinel_one.alert.info.login.is_administrator | Is the login attempt administrator equivalent. | keyword |
-| sentinel_one.alert.info.login.is_successful | Was the login attempt successful. | keyword |
-| sentinel_one.alert.info.login.type | Type of login which was performed. | keyword |
-| sentinel_one.alert.info.registry.old_value | Registry previous value (in case of modification). | keyword |
-| sentinel_one.alert.info.registry.old_value_type | Registry previous value type (in case of modification). | keyword |
-| sentinel_one.alert.info.reported_at | Timestamp of alert creation in STAR. | date |
-| sentinel_one.alert.info.source | Source reported from agent. | keyword |
-| sentinel_one.alert.info.status | Incident status. | keyword |
-| sentinel_one.alert.info.ti_indicator.comparison_method | The comparison method used by SentinelOne to trigger the event. | keyword |
-| sentinel_one.alert.info.ti_indicator.source | The value of the identified Threat Intelligence indicator. | keyword |
-| sentinel_one.alert.info.ti_indicator.type | The type of the identified Threat Intelligence indicator. | keyword |
-| sentinel_one.alert.info.ti_indicator.value | The value of the identified Threat Intelligence indicator. | keyword |
-| sentinel_one.alert.info.updated_at | Date of alert updated in Star MMS. | date |
-| sentinel_one.alert.kubernetes.controller.kind | Controller kind. | keyword |
-| sentinel_one.alert.kubernetes.controller.labels | Controller labels. | keyword |
-| sentinel_one.alert.kubernetes.controller.name | Controller name. | keyword |
-| sentinel_one.alert.kubernetes.namespace.labels | Namespace labels. | keyword |
-| sentinel_one.alert.kubernetes.node | Node. | keyword |
-| sentinel_one.alert.kubernetes.pod.labels | Pod Labels. | keyword |
-| sentinel_one.alert.kubernetes.pod.name | Pod name.
| keyword |
-| sentinel_one.alert.process.integrity_level | Integrity level. | keyword |
-| sentinel_one.alert.process.parent.integrity_level | Integrity level. | keyword |
-| sentinel_one.alert.process.parent.storyline | StoryLine. | keyword |
-| sentinel_one.alert.process.parent.subsystem | Subsystem. | keyword |
-| sentinel_one.alert.process.storyline | StoryLine. | keyword |
-| sentinel_one.alert.process.subsystem | Subsystem. | keyword |
-| sentinel_one.alert.rule.scope_level | Scope level. | keyword |
-| sentinel_one.alert.rule.severity | Rule severity. | keyword |
-| sentinel_one.alert.rule.treat_as_threat | Rule treat as threat type. | keyword |
-| sentinel_one.alert.target.process.file.hash.sha1 | SHA1 Signature of File. | keyword |
-| sentinel_one.alert.target.process.file.hash.sha256 | SHA256 Signature of File. | keyword |
-| sentinel_one.alert.target.process.file.id | Unique ID of file. | keyword |
-| sentinel_one.alert.target.process.file.is_signed | Is fle signed. | keyword |
-| sentinel_one.alert.target.process.file.old_path | Old path before 'Rename'. | keyword |
-| sentinel_one.alert.target.process.file.path | Path and filename. | keyword |
-| sentinel_one.alert.target.process.proc.cmdline | Target Process Command Line. | keyword |
-| sentinel_one.alert.target.process.proc.image_path | Target Process Image path | keyword |
-| sentinel_one.alert.target.process.proc.integrity_level | Integrity level of target process. | keyword |
-| sentinel_one.alert.target.process.proc.name | Target Process Name. | keyword |
-| sentinel_one.alert.target.process.proc.pid | Target Process ID (PID). | long |
-| sentinel_one.alert.target.process.proc.signed_status | Target Process Signed Status. | keyword |
-| sentinel_one.alert.target.process.proc.storyline_id | Target Process StoryLine ID. | keyword |
-| sentinel_one.alert.target.process.proc.uid | Target Process Unique ID. | keyword |
-| sentinel_one.alert.target.process.start_time | Target Process Start Time.
| date |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-
-
-### group
-
-This is the `group` dataset.
-
-An example event for `group` looks as following:
-
-```json
-{
- "@timestamp": "2022-04-05T16:01:57.564Z",
- "agent": {
- "ephemeral_id": "c386c123-e979-4c16-b5e4-0bbc8f94062e",
- "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.1.3"
- },
- "data_stream": {
- "dataset": "sentinel_one.group",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d",
- "snapshot": false,
- "version": "8.1.3"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "iam"
- ],
- "created": "2022-05-09T12:55:41.235Z",
- "dataset": "sentinel_one.group",
- "ingested": "2022-05-09T12:55:44Z",
- "kind": "event",
- "original": "{\"createdAt\":\"2022-04-05T16:01:56.928383Z\",\"creator\":\"Test User\",\"creatorId\":\"1234567890123456789\",\"filterId\":null,\"filterName\":null,\"id\":\"1234567890123456789\",\"inherits\":true,\"isDefault\":true,\"name\":\"Default Group\",\"rank\":null,\"registrationToken\":\"eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=\",\"siteId\":\"1234567890123456789\",\"totalAgents\":1,\"type\":\"static\",\"updatedAt\":\"2022-04-05T16:01:57.564266Z\"}",
- "type": [
- "info"
- ]
- },
- "group": {
- "id": "1234567890123456789",
- "name": "Default Group"
- },
- "input": {
- "type": "httpjson"
- },
- "related": {
- "user": [
- "Test User"
- ]
- },
- "sentinel_one": {
- "group": {
- "agent": 
{ - "count": 1 - }, - "created_at": "2022-04-05T16:01:56.928Z", - "creator": { - "id": "1234567890123456789" - }, - "inherits": true, - "is_default": true, - "registration_token": "eyxxxxxxxxxxxxxxxxxxxxkixZxx1xxxxx8xxx2xODA0ZxxxxTIwNjhxxxxxxxxxxxxxxiMWYxx1Ixxnxxxx0=", - "site": { - "id": "1234567890123456789" - }, - "type": "static" - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-group" - ], - "user": { - "full_name": "Test User" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| sentinel_one.group.agent.count | | long | -| sentinel_one.group.created_at | | date | -| sentinel_one.group.creator.id | | keyword | -| sentinel_one.group.filter.id | | keyword | -| sentinel_one.group.filter.name | | keyword | -| sentinel_one.group.inherits | | boolean | -| sentinel_one.group.is_default | | boolean | -| sentinel_one.group.rank | | long | -| sentinel_one.group.registration_token | | keyword | -| sentinel_one.group.site.id | | keyword | -| sentinel_one.group.type | | keyword | -| tags | List of keywords used to tag each event. | keyword | -| user.full_name | User's full name, if available. | keyword | -| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | -| user.id | Unique identifier of the user. | keyword | - - -### threat - -This is the `threat` dataset. 
- -An example event for `threat` looks as following: - -```json -{ - "@timestamp": "2022-04-06T08:54:17.194Z", - "agent": { - "ephemeral_id": "eb3774ca-88e6-42f1-a7de-e4f5d910a8f4", - "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.3" - }, - "data_stream": { - "dataset": "sentinel_one.threat", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "0c9eacaa-bd97-4184-b05f-d5d51775e08d", - "snapshot": false, - "version": "8.1.3" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "malware" - ], - "created": "2022-05-09T12:56:37.374Z", - "dataset": "sentinel_one.threat", - "ingested": "2022-05-09T12:56:40Z", - "kind": "event", - "original": "{\"agentDetectionInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"agentDetectionState\":null,\"agentDomain\":\"WORKGROUP\",\"agentIpV4\":\"10.0.0.1\",\"agentIpV6\":\"XX80::7X59:X6X9:9X72:XXXX\",\"agentLastLoggedInUpn\":null,\"agentLastLoggedInUserMail\":null,\"agentLastLoggedInUserName\":\"\",\"agentMitigationMode\":\"protect\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentRegisteredAt\":\"2022-04-06T08:26:45.515278Z\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x\",\"cloudProviders\":{},\"externalIp\":\"81.2.69.143\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\"},\"agentRealtimeInfo\":{\"accountId\":\"1234567890123456789\",\"accountName\":\"Default\",\"activeThreats\":7,\"agentComputerName\":\"test-LINUX\",\"agentDecommissionedAt\":null,\"agentDomain\":\"WORKGROUP\",\"agentId\":\"1234567890123456789\",\"agentInfected\":true,\"agentIsActive\":true,\"agentIsDecommissioned\":false,\"agentMachineType\":\"server\",\"agentMitigationMode\":\"detect\",\"agentNetworkStatus\":\"connected\",\"agentOsName\":\"linux\",\"agentOsRevision\":\"1234\",\"agentOsType\":\"linux\",\"agentUuid\":\"fwfbxxxxxxxxxxqcfjfnxxxxxxxxx\",\"agentVersion\":\"21.x.x.1234\",\"groupId\":\"1234567890123456789\",\"groupName\":\"Default Group\",\"networkInterfaces\":[{\"id\":\"1234567890123456789\",\"inet\":[\"10.0.0.1\"],\"inet6\":[\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\"],\"name\":\"Ethernet\",\"physical\":\"X2:0X:0X:X6:00:XX\"}],\"operationalState\":\"na\",\"rebootRequired\":false,\"scanAbortedAt\":null,\"scanFinishedAt\":\"2022-04-06T09:18:21.090855Z\",\"scanStartedAt\":\"2022-04-06T08:26:52.838047Z\",\"scanStatus\":\"finished\",\"siteId\":\"1234567890123456789\",\"siteName\":\"Default 
site\",\"storageName\":null,\"storageType\":null,\"userActionsNeeded\":[]},\"containerInfo\":{\"id\":null,\"image\":null,\"labels\":null,\"name\":null},\"id\":\"1234567890123456789\",\"indicators\":[],\"kubernetesInfo\":{\"cluster\":null,\"controllerKind\":null,\"controllerLabels\":null,\"controllerName\":null,\"namespace\":null,\"namespaceLabels\":null,\"node\":null,\"pod\":null,\"podLabels\":null},\"mitigationStatus\":[{\"action\":\"unquarantine\",\"actionsCounters\":{\"failed\":0,\"notFound\":0,\"pendingReboot\":0,\"success\":1,\"total\":1},\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:54:17.198002Z\",\"latestReport\":\"/threats/mitigation-report\",\"mitigationEndedAt\":\"2022-04-06T08:54:17.101000Z\",\"mitigationStartedAt\":\"2022-04-06T08:54:17.101000Z\",\"status\":\"success\"},{\"action\":\"kill\",\"actionsCounters\":null,\"agentSupportsReport\":true,\"groupNotFound\":false,\"lastUpdate\":\"2022-04-06T08:45:55.303355Z\",\"latestReport\":null,\"mitigationEndedAt\":\"2022-04-06T08:45:55.297364Z\",\"mitigationStartedAt\":\"2022-04-06T08:45:55.297363Z\",\"status\":\"success\"}],\"threatInfo\":{\"analystVerdict\":\"undefined\",\"analystVerdictDescription\":\"Undefined\",\"automaticallyResolved\":false,\"browserType\":null,\"certificateId\":\"\",\"classification\":\"Trojan\",\"classificationSource\":\"Cloud\",\"cloudFilesHashVerdict\":\"black\",\"collectionId\":\"1234567890123456789\",\"confidenceLevel\":\"malicious\",\"createdAt\":\"2022-04-06T08:45:54.519988Z\",\"detectionEngines\":[{\"key\":\"sentinelone_cloud\",\"title\":\"SentinelOne Cloud\"}],\"detectionType\":\"static\",\"engines\":[\"SentinelOne 
Cloud\"],\"externalTicketExists\":false,\"externalTicketId\":null,\"failedActions\":false,\"fileExtension\":\"EXE\",\"fileExtensionType\":\"Executable\",\"filePath\":\"default.exe\",\"fileSize\":1234,\"fileVerificationType\":\"NotSigned\",\"identifiedAt\":\"2022-04-06T08:45:53.968000Z\",\"incidentStatus\":\"unresolved\",\"incidentStatusDescription\":\"Unresolved\",\"initiatedBy\":\"agent_policy\",\"initiatedByDescription\":\"Agent Policy\",\"initiatingUserId\":null,\"initiatingUsername\":null,\"isFileless\":false,\"isValidCertificate\":false,\"maliciousProcessArguments\":null,\"md5\":null,\"mitigatedPreemptively\":false,\"mitigationStatus\":\"not_mitigated\",\"mitigationStatusDescription\":\"Not mitigated\",\"originatorProcess\":\"default.exe\",\"pendingActions\":false,\"processUser\":\"test user\",\"publisherName\":\"\",\"reachedEventsLimit\":false,\"rebootRequired\":false,\"sha1\":\"aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\",\"sha256\":null,\"storyline\":\"D0XXXXXXXXXXAF4D\",\"threatId\":\"1234567890123456789\",\"threatName\":\"default.exe\",\"updatedAt\":\"2022-04-06T08:54:17.194122Z\"},\"whiteningOptions\":[\"hash\"]}", - "type": [ - "info" - ] - }, - "host": { - "domain": "WORKGROUP", - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "id": "1234567890123456789", - "ip": "81.2.69.143", - "mac": [ - "X2-0X-0X-X6-00-XX" - ], - "name": "test-LINUX", - "os": { - "name": "linux", - "type": "linux" - } - }, - "input": { - "type": "httpjson" - }, - "observer": { - "version": "21.x.x.1234" - }, - "related": { - "hash": [ - "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" - ], - "hosts": [ - "test-LINUX" - ], - "ip": [ - "10.0.0.1", - "81.2.69.143", - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "user": [ - "test user" - ] - }, - "sentinel_one": { - "threat": { - "agent": { - 
"account": { - "id": "1234567890123456789", - "name": "Default" - }, - "active_threats": 7, - "group": { - "id": "1234567890123456789", - "name": "Default Group" - }, - "infected": true, - "is_active": true, - "is_decommissioned": false, - "machine_type": "server", - "mitigation_mode": "detect", - "network_interface": [ - { - "id": "1234567890123456789", - "inet": [ - "10.0.0.1" - ], - "inet6": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ], - "name": "Ethernet" - } - ], - "network_status": "connected", - "operational_state": "na", - "os": { - "version": "1234" - }, - "reboot_required": false, - "scan": { - "finished_at": "2022-04-06T09:18:21.090Z", - "started_at": "2022-04-06T08:26:52.838Z", - "status": "finished" - }, - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, - "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx" - }, - "analysis": { - "description": "Undefined", - "verdict": "undefined" - }, - "automatically_resolved": false, - "classification": "Trojan", - "classification_source": "Cloud", - "cloudfiles_hash_verdict": "black", - "collection": { - "id": "1234567890123456789" - }, - "confidence_level": "malicious", - "created_at": "2022-04-06T08:45:54.519Z", - "detection": { - "account": { - "id": "1234567890123456789", - "name": "Default" - }, - "agent": { - "domain": "WORKGROUP", - "group": { - "id": "1234567890123456789", - "name": "Default Group" - }, - "ipv4": "10.0.0.1", - "mitigation_mode": "protect", - "os": { - "name": "linux", - "version": "1234" - }, - "registered_at": "2022-04-06T08:26:45.515Z", - "site": { - "id": "1234567890123456789", - "name": "Default site" - }, - "uuid": "fwfbxxxxxxxxxxqcfjfnxxxxxxxxx", - "version": "21.x.x" - }, - "engines": [ - { - "key": "sentinelone_cloud", - "title": "SentinelOne Cloud" - } - ], - "type": "static" - }, - "engines": [ - "SentinelOne Cloud" - ], - "external_ticket": { - "exist": false - }, - "failed_actions": false, - "file": { - "extension": { - "type": "Executable" - }, - 
"identified_at": "2022-04-06T08:45:53.968Z", - "verification_type": "NotSigned" - }, - "id": "1234567890123456789", - "incident": { - "status": "unresolved", - "status_description": "Unresolved" - }, - "initiated": { - "description": "Agent Policy", - "name": "agent_policy" - }, - "is_fileless": false, - "is_valid_certificate": false, - "mitigated_preemptively": false, - "mitigation": { - "description": "Not mitigated", - "status": "not_mitigated" - }, - "mitigation_status": [ - { - "action": "unquarantine", - "action_counters": { - "failed": 0, - "not_found": 0, - "pending_reboot": 0, - "success": 1, - "total": 1 - }, - "agent_supports_report": true, - "group_not_found": false, - "last_update": "2022-04-06T08:54:17.198Z", - "latest_report": "/threats/mitigation-report", - "mitigation_ended_at": "2022-04-06T08:54:17.101Z", - "mitigation_started_at": "2022-04-06T08:54:17.101Z", - "status": "success" - }, - { - "action": "kill", - "agent_supports_report": true, - "group_not_found": false, - "last_update": "2022-04-06T08:45:55.303Z", - "mitigation_ended_at": "2022-04-06T08:45:55.297Z", - "mitigation_started_at": "2022-04-06T08:45:55.297Z", - "status": "success" - } - ], - "name": "default.exe", - "originator_process": "default.exe", - "pending_actions": false, - "process_user": "test user", - "reached_events_limit": false, - "reboot_required": false, - "storyline": "D0XXXXXXXXXXAF4D", - "threat_id": "1234567890123456789", - "whitening_option": [ - "hash" - ] - } - }, - "tags": [ - "preserve_original_event", - "forwarded", - "sentinel_one-threat" - ], - "threat": { - "indicator": { - "file": { - "extension": "EXE", - "hash": { - "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" - }, - "path": "default.exe", - "size": 1234 - } - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. 
| date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.geo.city_name | City name. | keyword | -| host.geo.continent_name | Name of the continent. | keyword | -| host.geo.country_iso_code | Country ISO code. | keyword | -| host.geo.country_name | Country name. | keyword | -| host.geo.location | Longitude and latitude. | geo_point | -| host.geo.region_iso_code | Region ISO code. | keyword | -| host.geo.region_name | Region name. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. 
| keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| observer.version | Observer version. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| sentinel_one.threat.agent.account.id | Account id. 
| keyword | -| sentinel_one.threat.agent.account.name | Account name. | keyword | -| sentinel_one.threat.agent.active_threats | Active threats. | long | -| sentinel_one.threat.agent.decommissioned_at | Decommissioned at. | boolean | -| sentinel_one.threat.agent.group.id | Group id. | keyword | -| sentinel_one.threat.agent.group.name | Group name. | keyword | -| sentinel_one.threat.agent.infected | Agent infected. | boolean | -| sentinel_one.threat.agent.is_active | Is active. | boolean | -| sentinel_one.threat.agent.is_decommissioned | Is decommissioned. | boolean | -| sentinel_one.threat.agent.machine_type | Machine type. | keyword | -| sentinel_one.threat.agent.mitigation_mode | Agent mitigation mode policy. | keyword | -| sentinel_one.threat.agent.network_interface.id | Device's network interfaces id. | keyword | -| sentinel_one.threat.agent.network_interface.inet | Device's network interfaces IPv4 addresses. | keyword | -| sentinel_one.threat.agent.network_interface.inet6 | Device's network interfaces IPv6 addresses. | keyword | -| sentinel_one.threat.agent.network_interface.name | Device's network interfaces IPv4 Name. | keyword | -| sentinel_one.threat.agent.network_status | Network status. | keyword | -| sentinel_one.threat.agent.operational_state | Agent operational state. | keyword | -| sentinel_one.threat.agent.os.version | OS revision. | keyword | -| sentinel_one.threat.agent.reboot_required | A reboot is required on the endpoint for at least one acton on the threat. | boolean | -| sentinel_one.threat.agent.scan.aborted_at | Abort time of last scan (if applicable). | keyword | -| sentinel_one.threat.agent.scan.finished_at | Finish time of last scan (if applicable). | keyword | -| sentinel_one.threat.agent.scan.started_at | Start time of last scan. | keyword | -| sentinel_one.threat.agent.scan.status | Scan status. | keyword | -| sentinel_one.threat.agent.site.id | Site id. | keyword | -| sentinel_one.threat.agent.site.name | Site name. 
| keyword | -| sentinel_one.threat.agent.storage.name | Storage Name. | keyword | -| sentinel_one.threat.agent.storage.type | Storage Type. | keyword | -| sentinel_one.threat.agent.user_action_needed | A list of pending user actions. List items possible values: "none, reboot_needed, user_acton_needed, upgrade_needed, incompatible_os, unprotected, user_acton_needed_fda, user_acton_needed_rs_fda,user_acton_needed_network, rebootless_without_dynamic_detection, extended_exclusions_partially_accepted, user_action_needed_bluetooth_per". | keyword | -| sentinel_one.threat.agent.uuid | UUID. | keyword | -| sentinel_one.threat.analysis.description | Analyst verdict description. | keyword | -| sentinel_one.threat.analysis.verdict | Analyst verdict. | keyword | -| sentinel_one.threat.automatically_resolved | Automatically resolved. | boolean | -| sentinel_one.threat.browser_type | Browser type. | keyword | -| sentinel_one.threat.certificate.id | File Certificate ID. | keyword | -| sentinel_one.threat.classification | Classification of the threat. | keyword | -| sentinel_one.threat.classification_source | Source of the threat Classification. | keyword | -| sentinel_one.threat.cloudfiles_hash_verdict | Cloud files hash verdict. | keyword | -| sentinel_one.threat.collection.id | Collection id. | keyword | -| sentinel_one.threat.confidence_level | SentinelOne threat confidence level. | keyword | -| sentinel_one.threat.container.labels | Container labels. | keyword | -| sentinel_one.threat.created_at | Timestamp of date creation in the Management Console. | date | -| sentinel_one.threat.detection.account.id | Orig account id. | keyword | -| sentinel_one.threat.detection.account.name | Orig account name. | keyword | -| sentinel_one.threat.detection.agent.domain | Network domain. | keyword | -| sentinel_one.threat.detection.agent.group.id | Orig group id. | keyword | -| sentinel_one.threat.detection.agent.group.name | Orig group name. 
| keyword |
-| sentinel_one.threat.detection.agent.ipv4 | Orig agent ipv4. | ip |
-| sentinel_one.threat.detection.agent.ipv6 | Orig agent ipv6. | ip |
-| sentinel_one.threat.detection.agent.last_logged_in.upn | UPN of last logged in user. | keyword |
-| sentinel_one.threat.detection.agent.mitigation_mode | Agent mitigation mode policy. | keyword |
-| sentinel_one.threat.detection.agent.os.name | Orig agent OS name. | keyword |
-| sentinel_one.threat.detection.agent.os.version | Orig agent OS revision. | keyword |
-| sentinel_one.threat.detection.agent.registered_at | Time of first registration to management console. | date |
-| sentinel_one.threat.detection.agent.site.id | Orig site id. | keyword |
-| sentinel_one.threat.detection.agent.site.name | Orig site name. | keyword |
-| sentinel_one.threat.detection.agent.uuid | UUID of the agent. | keyword |
-| sentinel_one.threat.detection.agent.version | Orig agent version. | keyword |
-| sentinel_one.threat.detection.cloud_providers | Cloud providers for this agent. | flattened |
-| sentinel_one.threat.detection.engines.key | List of engines that detected the threat key. | keyword |
-| sentinel_one.threat.detection.engines.title | List of engines that detected the threat title. | keyword |
-| sentinel_one.threat.detection.state | The Agent's detection state at time of detection. | keyword |
-| sentinel_one.threat.detection.type | Detection type. | keyword |
-| sentinel_one.threat.engines | List of engines that detected the threat. | keyword |
-| sentinel_one.threat.external_ticket.exist | External ticket exists. | boolean |
-| sentinel_one.threat.external_ticket.id | External ticket id. | keyword |
-| sentinel_one.threat.failed_actions | At least one action failed on the threat. | boolean |
-| sentinel_one.threat.file.extension.type | File extension type. | keyword |
-| sentinel_one.threat.file.identified_at | Identified at. | keyword |
-| sentinel_one.threat.file.verification_type | File verification type. | keyword |
-| sentinel_one.threat.id | Threat id. | keyword |
-| sentinel_one.threat.incident.status | Incident status. | keyword |
-| sentinel_one.threat.incident.status_description | Incident status description. | keyword |
-| sentinel_one.threat.indicators.category.id | Indicators Category Id. | long |
-| sentinel_one.threat.indicators.category.name | Indicators Category Name. | keyword |
-| sentinel_one.threat.indicators.description | Indicators Description. | keyword |
-| sentinel_one.threat.initiated.description | Initiated by description. | keyword |
-| sentinel_one.threat.initiated.name | Source of threat. | keyword |
-| sentinel_one.threat.initiating_user.id | Initiating user id. | keyword |
-| sentinel_one.threat.initiating_user.name | Initiating user username. | keyword |
-| sentinel_one.threat.is_fileless | Is fileless. | boolean |
-| sentinel_one.threat.is_valid_certificate | True if the certificate is valid. | boolean |
-| sentinel_one.threat.kubernetes.cluster | Cluster. | keyword |
-| sentinel_one.threat.kubernetes.controller.kind | Controller kind. | keyword |
-| sentinel_one.threat.kubernetes.controller.labels | Controller labels. | keyword |
-| sentinel_one.threat.kubernetes.controller.name | Controller name. | keyword |
-| sentinel_one.threat.kubernetes.namespace.labels | Namespace labels. | keyword |
-| sentinel_one.threat.kubernetes.namespace.name | Namespace name. | keyword |
-| sentinel_one.threat.kubernetes.node | Node. | keyword |
-| sentinel_one.threat.kubernetes.pod.labels | Pod labels. | keyword |
-| sentinel_one.threat.kubernetes.pod.name | Pod name. | keyword |
-| sentinel_one.threat.malicious_process_arguments | Malicious process arguments. | keyword |
-| sentinel_one.threat.mitigated_preemptively | True is the threat was blocked before execution. | boolean |
-| sentinel_one.threat.mitigation.description | Mitigation status description. | keyword |
-| sentinel_one.threat.mitigation.status | Mitigation status. | keyword |
-| sentinel_one.threat.mitigation_status.action | Action. | keyword |
-| sentinel_one.threat.mitigation_status.action_counters.failed | Actions counters Failed. | long |
-| sentinel_one.threat.mitigation_status.action_counters.not_found | Actions counters Not found. | long |
-| sentinel_one.threat.mitigation_status.action_counters.pending_reboot | Actions counters Pending reboot. | long |
-| sentinel_one.threat.mitigation_status.action_counters.success | Actions counters Success. | long |
-| sentinel_one.threat.mitigation_status.action_counters.total | Actions counters Total. | long |
-| sentinel_one.threat.mitigation_status.agent_supports_report | The Agent generates a full mitigation report. | keyword |
-| sentinel_one.threat.mitigation_status.group_not_found | Agent could not find the threat. | keyword |
-| sentinel_one.threat.mitigation_status.last_update | Timestamp of last mitigation status update. | keyword |
-| sentinel_one.threat.mitigation_status.latest_report | Report download URL. If None, there is no report. | keyword |
-| sentinel_one.threat.mitigation_status.mitigation_ended_at | The time the Agent finished the mitigation. | keyword |
-| sentinel_one.threat.mitigation_status.mitigation_started_at | The time the Agent started the mitigation. | keyword |
-| sentinel_one.threat.mitigation_status.status | Status. | keyword |
-| sentinel_one.threat.name | Threat name. | keyword |
-| sentinel_one.threat.originator_process | Originator process. | keyword |
-| sentinel_one.threat.pending_actions | At least one action is pending on the threat. | boolean |
-| sentinel_one.threat.process_user | Process user. | keyword |
-| sentinel_one.threat.publisher.name | Certificate publisher. | keyword |
-| sentinel_one.threat.reached_events_limit | Has number of OS events for this threat reached the limit, resulting in a partial attack storyline. | boolean |
-| sentinel_one.threat.reboot_required | A reboot is required on the endpoint for at least one threat. | boolean |
-| sentinel_one.threat.storyline | Storyline identifier from agent. | keyword |
-| sentinel_one.threat.threat_id | Threat id. | keyword |
-| sentinel_one.threat.whitening_option | Whitening options. | keyword |
-| tags | List of keywords used to tag each event. | keyword |
-| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword |
-| threat.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
-| threat.indicator.file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
-| threat.indicator.file.path.text | Multi-field of `threat.indicator.file.path`. | match_only_text |
-| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
-| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
-| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
-| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
-| user.email | User email address. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/sentinel_one/0.1.0/img/sentinel-one-api-token-generate.png b/packages/sentinel_one/0.1.0/img/sentinel-one-api-token-generate.png
deleted file mode 100755
index 6f7dbebc0e..0000000000
Binary files a/packages/sentinel_one/0.1.0/img/sentinel-one-api-token-generate.png and /dev/null differ
diff --git a/packages/sentinel_one/0.1.0/img/sentinel-one-dashboard.png b/packages/sentinel_one/0.1.0/img/sentinel-one-dashboard.png
deleted file mode 100755
index 633d30ea35..0000000000
Binary files a/packages/sentinel_one/0.1.0/img/sentinel-one-dashboard.png and /dev/null differ
diff --git a/packages/sentinel_one/0.1.0/img/sentinel-one-logo.svg b/packages/sentinel_one/0.1.0/img/sentinel-one-logo.svg
deleted file mode 100755
index a482b77616..0000000000
--- a/packages/sentinel_one/0.1.0/img/sentinel-one-logo.svg
+++ /dev/null
@@ -1,2 +0,0 @@
-
-SentinelOne logo
diff --git a/packages/sentinel_one/0.1.0/img/sentinel-one-screenshot.png b/packages/sentinel_one/0.1.0/img/sentinel-one-screenshot.png
deleted file mode 100755
index 397e49f8a8..0000000000
Binary files a/packages/sentinel_one/0.1.0/img/sentinel-one-screenshot.png and /dev/null differ
diff --git a/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json
deleted file mode 100755
index f48ef23ccb..0000000000
--- a/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538.json
+++ /dev/null
@@ -1,282 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-58329672-9ca4-4454-9d78-c619ef956a6a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"58329672-9ca4-4454-9d78-c619ef956a6a\":{\"columnOrder\":[\"d8990d07-439a-4335-9646-8fbcab6e268d\"],\"columns\":{\"d8990d07-439a-4335-9646-8fbcab6e268d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"accessor\":\"d8990d07-439a-4335-9646-8fbcab6e268d\",\"layerId\":\"58329672-9ca4-4454-9d78-c619ef956a6a\",\"layerType\":\"data\"}},\"title\":\"Total Number of Threats [Logs 
SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"ac59079e-c791-449b-aeeb-d47504921dff\",\"w\":12,\"x\":0,\"y\":0},\"panelIndex\":\"ac59079e-c791-449b-aeeb-d47504921dff\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-01d7bdc3-638b-4d23-9ae6-d24678743470\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"01d7bdc3-638b-4d23-9ae6-d24678743470\":{\"columnOrder\":[\"831e34ee-b0d6-44b1-81b7-2bfee2a628ab\"],\"columns\":{\"831e34ee-b0d6-44b1-81b7-2bfee2a628ab\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.incident.status\",\"negate\":false,\"params\":{\"query\":\"resolved\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.incident.status\":\"resolved\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"accessor\":\"831e34ee-b0d6-44b1-81b7-2bfee2a628ab\",\"layerId\":\"01d7bdc3-638b-4d23-9ae6-d24678743470\",\"layerType\":\"data\"}},\"title\":\"Total Resolved Threats [Logs 
SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":6,\"i\":\"1684da14-7484-42a6-91d6-b9659883e20d\",\"w\":12,\"x\":12,\"y\":0},\"panelIndex\":\"1684da14-7484-42a6-91d6-b9659883e20d\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8a4ab761-ffa9-4e3d-bd66-9cf0b7ee9849\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8a4ab761-ffa9-4e3d-bd66-9cf0b7ee9849\":{\"columnOrder\":[\"f3d83b7a-fc35-4c85-83f8-b41e12baddf6\"],\"columns\":{\"f3d83b7a-fc35-4c85-83f8-b41e12baddf6\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.incident.status\",\"negate\":false,\"params\":{\"query\":\"unresolved\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.incident.status\":\"unresolved\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"accessor\":\"f3d83b7a-fc35-4c85-83f8-b41e12baddf6\",\"layerId\":\"8a4ab761-ffa9-4e3d-bd66-9cf0b7ee9849\",\"layerType\":\"data\"}},\"title\":\"Unresolved Threats [Logs SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":6,\"i\":\"030f8164-5e7d-4fb6-a779-d0537748a819\",\"w\":12,\"x\":24,\"y\":0},\"panelIndex\":\"030f8164-5e7d-4fb6-a779-d0537748a819\",\"title\":\"Total 
Unresolved Threats [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6f8f021f-aef7-458f-a0bb-445bd78741db\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6f8f021f-aef7-458f-a0bb-445bd78741db\":{\"columnOrder\":[\"1ede434b-a316-4e79-85b6-ffbfc41f379a\"],\"columns\":{\"1ede434b-a316-4e79-85b6-ffbfc41f379a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.incident.status\",\"negate\":false,\"params\":{\"query\":\"resolved\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.incident.status\":\"resolved\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sentinel_one.threat.mitigation.status\",\"negate\":false,\"params\":{\"query\":\"active\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.mitigation.status\":\"active\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"accessor\":\"1ede434b-a316-4e79-85b6-ffbfc41f379a\",\"layerId\":\"6f8f021f-aef7-458f-a0bb-445bd78741db\",\"layerType\":\"data\"}},\"title\":\"Active Threats [Logs 
SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":6,\"i\":\"075409b1-9d74-4399-8348-3101a2d22392\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"075409b1-9d74-4399-8348-3101a2d22392\",\"title\":\"Active Threats [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-31be526e-c389-4f6d-93e8-27f1b7dcd0d0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"31be526e-c389-4f6d-93e8-27f1b7dcd0d0\":{\"columnOrder\":[\"8ae53844-358d-4472-9d64-d7c2708fc29c\"],\"columns\":{\"8ae53844-358d-4472-9d64-d7c2708fc29c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.incident.status\",\"negate\":true,\"params\":{\"query\":\"resolved\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.incident.status\":\"resolved\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sentinel_one.threat.mitigation.status\",\"negate\":false,\"params\":{\"query\":\"blocked\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.mitigation.status\":\"blocked\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.threat\\\"\"},\"visualization\":{\"accessor\":\"8ae53844-358d-4472-9d64-d7c2708fc29c\",\"layerId\":\"31be526e-c389-4f6d-93e8-27f1b7dcd0d0\",\"layerType\":\"data\"}},\"title\":\"Blocked Threats [Logs SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"3ff8c08e-3a29-488c-b481-9b51accaae95\",\"w\":16,\"x\":0,\"y\":6},\"panelIndex\":\"3ff8c08e-3a29-488c-b481-9b51accaae95\",\"title\":\"Total Blocked Threats [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1c27890e-f153-4984-8c2f-6004a3779f71\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1c27890e-f153-4984-8c2f-6004a3779f71\":{\"columnOrder\":[\"eb8375d7-8836-43bb-840a-88c8c2f11b43\"],\"columns\":{\"eb8375d7-8836-43bb-840a-88c8c2f11b43\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.mitigation.status\",\"negate\":false,\"params\":{\"query\":\"mitigated\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.mitigation.status\":\"mitigated\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-1\",\"key\":\"sentinel_one.threat.incident.status\",\"ne
gate\":true,\"params\":{\"query\":\"resolved\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.incident.status\":\"resolved\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"accessor\":\"eb8375d7-8836-43bb-840a-88c8c2f11b43\",\"layerId\":\"1c27890e-f153-4984-8c2f-6004a3779f71\",\"layerType\":\"data\"}},\"title\":\"Mitigated Threats [Logs SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"d2411b38-52ad-47c2-b364-f1f42b7cd26a\",\"w\":16,\"x\":16,\"y\":6},\"panelIndex\":\"d2411b38-52ad-47c2-b364-f1f42b7cd26a\",\"title\":\"Total Mitigated Threats [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98a05273-ef46-4b59-8caa-86b7de9c9724\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98a05273-ef46-4b59-8caa-86b7de9c9724\":{\"columnOrder\":[\"9295a43b-ccd0-4d23-abf8-73586af8dac7\"],\"columns\":{\"9295a43b-ccd0-4d23-abf8-73586af8dac7\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.incident.status\",\"negate\":true,\"params\":{\"query\":\"resolved\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.incident.status\":\"resolved\"}}}],\"query\":{\"language\":\"kuery\",\"qu
ery\":\"sentinel_one.threat.mitigation.status : \\\"suspicious\\\" and data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"accessor\":\"9295a43b-ccd0-4d23-abf8-73586af8dac7\",\"layerId\":\"98a05273-ef46-4b59-8caa-86b7de9c9724\",\"layerType\":\"data\"}},\"title\":\"Detected - Suspicious Threats [Logs SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"14069c35-b940-4540-82f8-1ef2bb73dfe1\",\"w\":16,\"x\":32,\"y\":6},\"panelIndex\":\"14069c35-b940-4540-82f8-1ef2bb73dfe1\",\"title\":\"Total Detected - Suspicious Threats [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9d8d04b8-42e9-488a-9c18-39f38153e46a\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9d8d04b8-42e9-488a-9c18-39f38153e46a\":{\"columnOrder\":[\"3629412b-4ee6-4169-92d4-d5d8ebb7ab62\",\"324989fb-f85e-4bbc-b7f9-b85472d54928\"],\"columns\":{\"324989fb-f85e-4bbc-b7f9-b85472d54928\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"},\"3629412b-4ee6-4169-92d4-d5d8ebb7ab62\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Prevalent 
Threats\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"324989fb-f85e-4bbc-b7f9-b85472d54928\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.incident.status\",\"negate\":true,\"params\":{\"query\":\"resolved\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"sentinel_one.threat.incident.status\":\"resolved\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"324989fb-f85e-4bbc-b7f9-b85472d54928\"],\"layerId\":\"9d8d04b8-42e9-488a-9c18-39f38153e46a\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"3629412b-4ee6-4169-92d4-d5d8ebb7ab62\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Most Prevalent Threats [Logs 
SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"213a2279-8bb5-491b-b0f0-d5a7a2473670\",\"w\":24,\"x\":24,\"y\":14},\"panelIndex\":\"213a2279-8bb5-491b-b0f0-d5a7a2473670\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ec6bf891-aedf-4b92-af42-54c04e749174\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ec6bf891-aedf-4b92-af42-54c04e749174\":{\"columnOrder\":[\"7dc311c6-df3f-40ca-88e5-3925010191be\",\"9934d429-8319-435c-8c72-57a56541dfcb\"],\"columns\":{\"7dc311c6-df3f-40ca-88e5-3925010191be\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Engine Detections\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"9934d429-8319-435c-8c72-57a56541dfcb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.detection.engines.title\"},\"9934d429-8319-435c-8c72-57a56541dfcb\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"7dc311c6-df3f-40ca-88e5-3925010191be\"],\"layerId\":\"ec6bf891-aedf-4b92-af42-54c04e749174\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"9934d429-8319-435c-8c72-57a56541dfcb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Detections by 
Engine [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"14523f88-ccbb-45bc-9758-7263315630cb\",\"w\":24,\"x\":0,\"y\":14},\"panelIndex\":\"14523f88-ccbb-45bc-9758-7263315630cb\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f83c655e-003c-4cc5-a2e3-789acb23b691\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f83c655e-003c-4cc5-a2e3-789acb23b691\":{\"columnOrder\":[\"d427f2bd-912c-476e-85a7-3110216b3b8d\",\"7fead18f-d40b-4539-ace7-5328e84140d2\"],\"columns\":{\"7fead18f-d40b-4539-ace7-5328e84140d2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"},\"d427f2bd-912c-476e-85a7-3110216b3b8d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.threat.agent.is_active : true \"},\"label\":\"Active Agents\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.threat.agent.is_active : false \"},\"label\":\"Inactive Agents\"}]},\"scale\":\"ordinal\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.agent.is_active\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.threat.agent.is_active\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"d427f2bd-912c-476e-85a7-3110216b3b8d\"],\"layerId\":\"f83c655e-003c-4cc5-a2e3-789acb23b691\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"7fead18f-d40b-4539-ace7-5328e84140d2\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Threats by Agent Status [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"dc9ba6b7-0c35-4333-99ad-653d57c20fd7\",\"w\":24,\"x\":0,\"y\":29},\"panelIndex\":\"dc9ba6b7-0c35-4333-99ad-653d57c20fd7\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6f4336e8-7451-476e-89a5-fe65d93be571\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6f4336e8-7451-476e-89a5-fe65d93be571\":{\"columnOrder\":[\"59424e47-b686-440e-b754-51a079ad1417\",\"7c71fee2-7e8b-48d2-8344-767b3e76f207\"],\"columns\":{\"59424e47-b686-440e-b754-51a079ad1417\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7c71fee2-7e8b-48d2-8344-767b3e76f207\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.mitigation_status.action\"},\"7c71fee2-7e8b-48d2-8344-767b3e76f207\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query
\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"59424e47-b686-440e-b754-51a079ad1417\"],\"layerId\":\"6f4336e8-7451-476e-89a5-fe65d93be571\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"7c71fee2-7e8b-48d2-8344-767b3e76f207\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Threats by Mitigation Status Action [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0ae44b6f-3e90-4fce-96a0-a0bdf069ab0e\",\"w\":24,\"x\":24,\"y\":29},\"panelIndex\":\"0ae44b6f-3e90-4fce-96a0-a0bdf069ab0e\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd\":{\"columnOrder\":[\"039a2941-5111-4bf1-a02a-af4a8fe09609\",\"86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43\"],\"columns\":{\"039a2941-5111-4bf1-a02a-af4a8fe09609\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Mitigation 
Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.mitigation_status.status\"},\"86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"039a2941-5111-4bf1-a02a-af4a8fe09609\"],\"layerId\":\"c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"86f6d3c9-4b8b-4d98-afae-df8ba9fd0e43\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Threats by Mitigation Status [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"accf3797-c215-44a4-829d-c9ff30758f7b\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"accf3797-c215-44a4-829d-c9ff30758f7b\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a64559b1-90c9-4859-9d5f-2585172bcda4\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a64559b1-90c9-4859-9d5f-2585172bcda4\":{\"columnOrder\":[\"e8b50532-e3ed-47d7-a0d4-7aaced47afa3\",\"ad08fd36-cbe4-4baa-ac1d-9454a3fd297b\"],\"columns\":{\"ad08fd36-cbe4-4baa-ac1d-9454a3fd297b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"},\"e8b50532-e3ed-47d7-a0d4-7aaced47afa3\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Mitigation Mode\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ad08fd36-cbe4-4baa-ac1d-9454a3fd297b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.agent.mitigation_mode\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"ad08fd36-cbe4-4baa-ac1d-9454a3fd297b\"],\"layerId\":\"a64559b1-90c9-4859-9d5f-2585172bcda4\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"e8b50532-e3ed-47d7-a0d4-7aaced47afa3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Threats by Agent Mitigation Mode [Logs SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"301b13f1-59c8-40e0-80f8-ecc1892b938d\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"301b13f1-59c8-40e0-80f8-ecc1892b938d\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-da28cab9-5d08-4b0b-bbd6-2cf9952051b2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"da28cab9-5d08-4b0b-bbd6-2cf9952051b2\":{\"columnOrder\":[\"eb417ca9-4ef4-4280-8fd0-a8f7ca8261eb\",\"ae868bf2-36dc-418c-a6fc-43718e58cd78\"],\"columns\":{\"ae868bf2-36dc-418c-a6fc-43718e58cd78\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"},\"eb417ca9-4ef4-4280-8fd0-a8f7ca8261eb\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Confidence 
Level\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ae868bf2-36dc-418c-a6fc-43718e58cd78\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.confidence_level\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"ae868bf2-36dc-418c-a6fc-43718e58cd78\"],\"layerId\":\"da28cab9-5d08-4b0b-bbd6-2cf9952051b2\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"eb417ca9-4ef4-4280-8fd0-a8f7ca8261eb\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Threats by Confidence Level [Logs SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b8f90700-ca73-40c7-9257-8612aa86cc9f\",\"w\":24,\"x\":0,\"y\":59},\"panelIndex\":\"b8f90700-ca73-40c7-9257-8612aa86cc9f\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-87c51fc8-6c57-4d1c-a3f5-8b420f1d392c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"87c51fc8-6c57-4d1c-a3f5-8b420f1d392c\":{\"columnOrder\":[\"4aa33c2e-9de0-4eb8-96d2-2e2c4da4c70f\",\"7c555542-d2ad-4e9f-9779-305d5be0422a\"],\"columns\":{\"4aa33c2e-9de0-4eb8-96d2-2e2c4da4c70f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File 
Extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7c555542-d2ad-4e9f-9779-305d5be0422a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.file.extension.type\"},\"7c555542-d2ad-4e9f-9779-305d5be0422a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"7c555542-d2ad-4e9f-9779-305d5be0422a\"],\"layerId\":\"87c51fc8-6c57-4d1c-a3f5-8b420f1d392c\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"4aa33c2e-9de0-4eb8-96d2-2e2c4da4c70f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Threats by File Extension Type [Logs 
SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9bdf752f-f767-44a4-bf05-51e0a27b7bbf\",\"w\":24,\"x\":24,\"y\":59},\"panelIndex\":\"9bdf752f-f767-44a4-bf05-51e0a27b7bbf\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3f121a5b-0179-4329-a945-a3d23d83172f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3f121a5b-0179-4329-a945-a3d23d83172f\":{\"columnOrder\":[\"d0e857c2-8d8d-4177-9667-36bacc56c5a1\",\"cf378f6b-a6f6-4df2-933c-95224587ebf8\"],\"columns\":{\"cf378f6b-a6f6-4df2-933c-95224587ebf8\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"},\"d0e857c2-8d8d-4177-9667-36bacc56c5a1\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"cf378f6b-a6f6-4df2-933c-95224587ebf8\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"d0e857c2-8d8d-4177-9667-36bacc56c5a1\",\"isTransposed\":false},{\"columnId\":\"cf378f6b-a6f6-4df2-933c-95224587ebf8\",\"isTransposed\":false}],\"layerId\":\"3f121a5b-0179-4329-a945-a3d23d83172f\",\"layerType\":\"data\"}},\"title\":\"Top 10 File Extension [Logs 
SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ed9a7061-e640-41f3-a838-3772f86e4be4\",\"w\":24,\"x\":0,\"y\":74},\"panelIndex\":\"ed9a7061-e640-41f3-a838-3772f86e4be4\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8662c82e-ca55-4ddc-81b6-2c4f9a3afbf8\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8662c82e-ca55-4ddc-81b6-2c4f9a3afbf8\":{\"columnOrder\":[\"33d893f0-097c-42d5-bf31-4460415368d4\",\"d71d067f-c96c-4701-8f64-700b42388d59\"],\"columns\":{\"33d893f0-097c-42d5-bf31-4460415368d4\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Incident Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d71d067f-c96c-4701-8f64-700b42388d59\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.incident.status\"},\"d71d067f-c96c-4701-8f64-700b42388d59\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"d71d067f-c96c-4701-8f64-700b42388d59\"],\"layerId\":\"8662c82e-ca55-4ddc-81b6-2c4f9a3afbf8\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"33d893f0-097c-42d5-bf31-4460415368d4\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Threats by Incident Status [Logs SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e17f8b5f-d5de-4921-bb3a-9d3e7ef58ae4\",\"w\":24,\"x\":24,\"y\":74},\"panelIndex\":\"e17f8b5f-d5de-4921-bb3a-9d3e7ef58ae4\",\"title\":\"Distribution of Threats by Incident Status [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\",\"field\":\"sentinel_one.threat.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Technique Name\",\"field\":\"threat.technique.id\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Top 10 Threat Techniques [Logs 
SentinelOne]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d788430-6b2b-4e7c-9468-36b0aebf8468\",\"w\":24,\"x\":0,\"y\":89},\"panelIndex\":\"6d788430-6b2b-4e7c-9468-36b0aebf8468\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-71ff1569-960a-408c-8e00-df6b68186912\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"71ff1569-960a-408c-8e00-df6b68186912\":{\"columnOrder\":[\"9a221d90-b37c-4947-899a-a8806d7d25f1\",\"d24c6b72-358d-4f01-ade3-cf9c228946e0\"],\"columns\":{\"9a221d90-b37c-4947-899a-a8806d7d25f1\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.threat.agent.infected : true \"},\"label\":\"Infected Agents\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.threat.agent.infected : false \"},\"label\":\"Non-Infected Agents\"}]},\"scale\":\"ordinal\"},\"d24c6b72-358d-4f01-ade3-cf9c228946e0\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.threat.agent.infected\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.threat.agent.infected\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.threat\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9a221d90-b37c-4947-899a-a8806d7d25f1\"],\"layerId\":\"71ff1569-960a-408c-8e00-df6b68186912\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d24c6b72-358d-4f01-ade3-cf9c228946e0\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Threats by Infected Agents [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"1888de07-0e2f-4fc4-80e9-f3102e8b97b3\",\"w\":24,\"x\":24,\"y\":89},\"panelIndex\":\"1888de07-0e2f-4fc4-80e9-f3102e8b97b3\",\"title\":\"Distribution of Threats by Infected Agents [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fe7a9cc-3417-4166-bdfc-5cdb85599981\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fe7a9cc-3417-4166-bdfc-5cdb85599981\":{\"columnOrder\":[\"d0c8d1eb-750e-4d24-b6c3-245ca5bf9daa\",\"99d2033b-2144-4e21-ad23-a170fcac9408\"],\"columns\":{\"99d2033b-2144-4e21-ad23-a170fcac9408\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.threat.id\"},\"d0c8d1eb-750e-4d24-b6c3-245ca5bf9daa\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Detection 
Engine\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"99d2033b-2144-4e21-ad23-a170fcac9408\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.threat.detection.engines.title\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"d0c8d1eb-750e-4d24-b6c3-245ca5bf9daa\",\"isTransposed\":false},{\"columnId\":\"99d2033b-2144-4e21-ad23-a170fcac9408\",\"isTransposed\":false}],\"layerId\":\"9fe7a9cc-3417-4166-bdfc-5cdb85599981\",\"layerType\":\"data\"}},\"title\":\"Distribution of Threats by Detection Engine [Logs SentinelOne] \",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6080a8f0-54d7-4fae-884f-f34dbed69ea8\",\"w\":24,\"x\":0,\"y\":104},\"panelIndex\":\"6080a8f0-54d7-4fae-884f-f34dbed69ea8\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\",\"field\":\"sentinel_one.threat.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Classification\",\"field\":\"sentinel_one.threat.classification\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.threat\\\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Top 
Threats by Classification [Logs SentinelOne]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"55d0b7da-986b-4e98-b476-f3768233dc8f\",\"w\":24,\"x\":24,\"y\":104},\"panelIndex\":\"55d0b7da-986b-4e98-b476-f3768233dc8f\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs SentinelOne] Threats", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "sentinel_one-0dd17490-bbb8-11ec-82b7-8fcb232e9538", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "ac59079e-c791-449b-aeeb-d47504921dff:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ac59079e-c791-449b-aeeb-d47504921dff:indexpattern-datasource-layer-58329672-9ca4-4454-9d78-c619ef956a6a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1684da14-7484-42a6-91d6-b9659883e20d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1684da14-7484-42a6-91d6-b9659883e20d:indexpattern-datasource-layer-01d7bdc3-638b-4d23-9ae6-d24678743470", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1684da14-7484-42a6-91d6-b9659883e20d:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "030f8164-5e7d-4fb6-a779-d0537748a819:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "030f8164-5e7d-4fb6-a779-d0537748a819:indexpattern-datasource-layer-8a4ab761-ffa9-4e3d-bd66-9cf0b7ee9849", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "030f8164-5e7d-4fb6-a779-d0537748a819:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "075409b1-9d74-4399-8348-3101a2d22392:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"075409b1-9d74-4399-8348-3101a2d22392:indexpattern-datasource-layer-6f8f021f-aef7-458f-a0bb-445bd78741db", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "075409b1-9d74-4399-8348-3101a2d22392:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "075409b1-9d74-4399-8348-3101a2d22392:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3ff8c08e-3a29-488c-b481-9b51accaae95:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3ff8c08e-3a29-488c-b481-9b51accaae95:indexpattern-datasource-layer-31be526e-c389-4f6d-93e8-27f1b7dcd0d0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3ff8c08e-3a29-488c-b481-9b51accaae95:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3ff8c08e-3a29-488c-b481-9b51accaae95:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2411b38-52ad-47c2-b364-f1f42b7cd26a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2411b38-52ad-47c2-b364-f1f42b7cd26a:indexpattern-datasource-layer-1c27890e-f153-4984-8c2f-6004a3779f71", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2411b38-52ad-47c2-b364-f1f42b7cd26a:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d2411b38-52ad-47c2-b364-f1f42b7cd26a:filter-index-pattern-1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14069c35-b940-4540-82f8-1ef2bb73dfe1:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14069c35-b940-4540-82f8-1ef2bb73dfe1:indexpattern-datasource-layer-98a05273-ef46-4b59-8caa-86b7de9c9724", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14069c35-b940-4540-82f8-1ef2bb73dfe1:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:indexpattern-datasource-layer-9d8d04b8-42e9-488a-9c18-39f38153e46a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "213a2279-8bb5-491b-b0f0-d5a7a2473670:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14523f88-ccbb-45bc-9758-7263315630cb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "14523f88-ccbb-45bc-9758-7263315630cb:indexpattern-datasource-layer-ec6bf891-aedf-4b92-af42-54c04e749174", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7:indexpattern-datasource-layer-f83c655e-003c-4cc5-a2e3-789acb23b691", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "dc9ba6b7-0c35-4333-99ad-653d57c20fd7:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0ae44b6f-3e90-4fce-96a0-a0bdf069ab0e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0ae44b6f-3e90-4fce-96a0-a0bdf069ab0e:indexpattern-datasource-layer-6f4336e8-7451-476e-89a5-fe65d93be571", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "accf3797-c215-44a4-829d-c9ff30758f7b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "accf3797-c215-44a4-829d-c9ff30758f7b:indexpattern-datasource-layer-c5e5c6f0-5d4d-48f4-9ad4-727d5f1c0ebd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "301b13f1-59c8-40e0-80f8-ecc1892b938d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"301b13f1-59c8-40e0-80f8-ecc1892b938d:indexpattern-datasource-layer-a64559b1-90c9-4859-9d5f-2585172bcda4", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8f90700-ca73-40c7-9257-8612aa86cc9f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8f90700-ca73-40c7-9257-8612aa86cc9f:indexpattern-datasource-layer-da28cab9-5d08-4b0b-bbd6-2cf9952051b2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9bdf752f-f767-44a4-bf05-51e0a27b7bbf:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9bdf752f-f767-44a4-bf05-51e0a27b7bbf:indexpattern-datasource-layer-87c51fc8-6c57-4d1c-a3f5-8b420f1d392c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ed9a7061-e640-41f3-a838-3772f86e4be4:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ed9a7061-e640-41f3-a838-3772f86e4be4:indexpattern-datasource-layer-3f121a5b-0179-4329-a945-a3d23d83172f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e17f8b5f-d5de-4921-bb3a-9d3e7ef58ae4:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e17f8b5f-d5de-4921-bb3a-9d3e7ef58ae4:indexpattern-datasource-layer-8662c82e-ca55-4ddc-81b6-2c4f9a3afbf8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d788430-6b2b-4e7c-9468-36b0aebf8468:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1888de07-0e2f-4fc4-80e9-f3102e8b97b3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1888de07-0e2f-4fc4-80e9-f3102e8b97b3:indexpattern-datasource-layer-71ff1569-960a-408c-8e00-df6b68186912", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1888de07-0e2f-4fc4-80e9-f3102e8b97b3:filter-index-pattern-0", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "6080a8f0-54d7-4fae-884f-f34dbed69ea8:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6080a8f0-54d7-4fae-884f-f34dbed69ea8:indexpattern-datasource-layer-9fe7a9cc-3417-4166-bdfc-5cdb85599981", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "55d0b7da-986b-4e98-b476-f3768233dc8f:kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538.json deleted file mode 100755 index 2bf2cdc78c..0000000000 --- a/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.group\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-551abd38-5fb7-4b65-8582-5aefeb823354\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"551abd38-5fb7-4b65-8582-5aefeb823354\":{\"columnOrder\":[\"e7acea9a-d9f8-4717-bcc7-5f20c894af20\"],\"columns\":{\"e7acea9a-d9f8-4717-bcc7-5f20c894af20\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"group.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.group\\\"\"},\"visualization\":{\"accessor\":\"e7acea9a-d9f8-4717-bcc7-5f20c894af20\",\"layerId\":\"551abd38-5fb7-4b65-8582-5aefeb823354\",\"layerType\":\"data\"}},\"title\":\"Total Number of Groups [Logs 
SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"2e9c0218-0e41-4cc7-80fa-a135cd08357a\",\"w\":15,\"x\":0,\"y\":0},\"panelIndex\":\"2e9c0218-0e41-4cc7-80fa-a135cd08357a\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9003983d-2897-44e8-8d69-98131f4862c0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9003983d-2897-44e8-8d69-98131f4862c0\":{\"columnOrder\":[\"e90d8830-87e6-44bd-b01d-05cf41281d45\",\"eea9932f-21ee-4f28-b1a7-feb8b211c125\"],\"columns\":{\"e90d8830-87e6-44bd-b01d-05cf41281d45\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Group Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"eea9932f-21ee-4f28-b1a7-feb8b211c125\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.group.type\"},\"eea9932f-21ee-4f28-b1a7-feb8b211c125\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"group.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.group\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"e90d8830-87e6-44bd-b01d-05cf41281d45\"],\"layerId\":\"9003983d-2897-44e8-8d69-98131f4862c0\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"eea9932f-21ee-4f28-b1a7-feb8b211c125\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Groups by Type [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"44491cae-8e0b-45dc-abdd-ea5d57f1f419\",\"w\":16,\"x\":15,\"y\":0},\"panelIndex\":\"44491cae-8e0b-45dc-abdd-ea5d57f1f419\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-75ff32d0-b457-43b3-aaed-fa3bf295c083\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"75ff32d0-b457-43b3-aaed-fa3bf295c083\":{\"columnOrder\":[\"1e289288-8b66-476a-8143-1c1f7be49110\",\"902abe3f-a4f0-46d8-bc58-955a9b578b7e\"],\"columns\":{\"1e289288-8b66-476a-8143-1c1f7be49110\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Group Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"902abe3f-a4f0-46d8-bc58-955a9b578b7e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"group.name\"},\"902abe3f-a4f0-46d8-bc58-955a9b578b7e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Agent Count\",\"operationType\":\"max\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.group.agent.count\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.group\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"902abe3f-a4f0-46d8-bc58-955a9b578b7e\"],\"layerId\":\"75ff32d0-b457-43b3-aaed-fa3bf295c083\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"1e289288-8b66-476a-8143-1c1f7be49110\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Groups by Agent Count [Logs SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":13,\"i\":\"26084a13-4083-4c3e-9f81-677b4ca38ca7\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"26084a13-4083-4c3e-9f81-677b4ca38ca7\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1b0e558e-537e-40a9-bc0a-f8b42329c6b5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1b0e558e-537e-40a9-bc0a-f8b42329c6b5\":{\"columnOrder\":[\"b88243e5-5e92-47d3-b775-f0a9d71fadf6\",\"a6e675d7-f28f-4e37-9b0e-a0849fbaa6b8\"],\"columns\":{\"a6e675d7-f28f-4e37-9b0e-a0849fbaa6b8\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"group.id\"},\"b88243e5-5e92-47d3-b775-f0a9d71fadf6\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Rank\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a6e675d7-f28f-4e37-9b0e-a0849fbaa6b8\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.group.rank\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.group\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b88243e5-5e92-47d3-b775-f0a9d71fadf6\"],\"layerId\":\"1b0e558e-537e-40a9-bc0a-f8b42329c6b5\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a6e675d7-f28f-4e37-9b0e-a0849fbaa6b8\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Groups by Rank [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c4c1c721-dabf-4a99-bd53-934afe7bb4d7\",\"w\":23,\"x\":0,\"y\":13},\"panelIndex\":\"c4c1c721-dabf-4a99-bd53-934afe7bb4d7\",\"title\":\"Distribution of Groups by Rank [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-cc8dc395-79e3-40c5-9857-d0385fcdc791\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"cc8dc395-79e3-40c5-9857-d0385fcdc791\":{\"columnOrder\":[\"ddec8617-23ff-4060-8029-5973b691cacd\",\"84fdcb1d-a681-41b1-b015-201cc40554f9\"],\"columns\":{\"84fdcb1d-a681-41b1-b015-201cc40554f9\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"group.id\"},\"ddec8617-23ff-4060-8029-5973b691cacd\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Creator 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"84fdcb1d-a681-41b1-b015-201cc40554f9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"user.full_name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.group\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"ddec8617-23ff-4060-8029-5973b691cacd\",\"isTransposed\":false},{\"columnId\":\"84fdcb1d-a681-41b1-b015-201cc40554f9\",\"isTransposed\":false}],\"layerId\":\"cc8dc395-79e3-40c5-9857-d0385fcdc791\",\"layerType\":\"data\"}},\"title\":\"Top 10 Creator Name [Logs SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4694770f-8a83-4877-992c-1a078c45e3c6\",\"w\":25,\"x\":23,\"y\":13},\"panelIndex\":\"4694770f-8a83-4877-992c-1a078c45e3c6\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs SentinelOne] Groups", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "sentinel_one-5881f5f0-bb2c-11ec-82b7-8fcb232e9538", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "2e9c0218-0e41-4cc7-80fa-a135cd08357a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2e9c0218-0e41-4cc7-80fa-a135cd08357a:indexpattern-datasource-layer-551abd38-5fb7-4b65-8582-5aefeb823354", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "44491cae-8e0b-45dc-abdd-ea5d57f1f419:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "44491cae-8e0b-45dc-abdd-ea5d57f1f419:indexpattern-datasource-layer-9003983d-2897-44e8-8d69-98131f4862c0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"26084a13-4083-4c3e-9f81-677b4ca38ca7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "26084a13-4083-4c3e-9f81-677b4ca38ca7:indexpattern-datasource-layer-75ff32d0-b457-43b3-aaed-fa3bf295c083", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c4c1c721-dabf-4a99-bd53-934afe7bb4d7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c4c1c721-dabf-4a99-bd53-934afe7bb4d7:indexpattern-datasource-layer-1b0e558e-537e-40a9-bc0a-f8b42329c6b5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4694770f-8a83-4877-992c-1a078c45e3c6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4694770f-8a83-4877-992c-1a078c45e3c6:indexpattern-datasource-layer-cc8dc395-79e3-40c5-9857-d0385fcdc791", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json deleted file mode 100755 index 991792e563..0000000000 --- a/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538.json +++ /dev/null 
@@ -1,212 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-56dc7645-caa9-462c-abbd-496b8e73ba9c\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"56dc7645-caa9-462c-abbd-496b8e73ba9c\":{\"columnOrder\":[\"b504e88b-35dc-4481-b38b-617210c7054d\",\"123404f0-3fb4-40b8-88d0-2debd9a5ebfc\"],\"columns\":{\"123404f0-3fb4-40b8-88d0-2debd9a5ebfc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"b504e88b-35dc-4481-b38b-617210c7054d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_active : true \"},\"label\":\"Active Agents\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_active : false \"},\"label\":\"Inactive Agents\"}]},\"scale\":\"ordinal\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.agent.is_active\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.agent.is_active\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b504e88b-35dc-4481-b38b-617210c7054d\"],\"layerId\":\"56dc7645-caa9-462c-abbd-496b8e73ba9c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"123404f0-3fb4-40b8-88d0-2debd9a5ebfc\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Active Agents Status [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"88da7d9d-b377-4455-a528-719f58c796f7\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"88da7d9d-b377-4455-a528-719f58c796f7\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ddc8b7d7-81b9-4d85-a686-7e723fc02c52\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ddc8b7d7-81b9-4d85-a686-7e723fc02c52\":{\"columnOrder\":[\"76f65f2c-80e0-41fe-a2cf-d470ec579540\",\"42960489-8884-48d3-89d4-f7e6ac04e3c8\"],\"columns\":{\"42960489-8884-48d3-89d4-f7e6ac04e3c8\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"76f65f2c-80e0-41fe-a2cf-d470ec579540\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.firewall_enabled : true \"},\"label\":\"Enabled\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.firewall_enabled: false 
\"},\"label\":\"Disabled\"}]},\"scale\":\"ordinal\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.agent.firewall_enabled\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.agent.firewall_enabled\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"76f65f2c-80e0-41fe-a2cf-d470ec579540\"],\"layerId\":\"ddc8b7d7-81b9-4d85-a686-7e723fc02c52\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"42960489-8884-48d3-89d4-f7e6ac04e3c8\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Firewall Status [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3158c9a2-f48a-42e2-ae82-e01c07a0a77b\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"3158c9a2-f48a-42e2-ae82-e01c07a0a77b\",\"title\":\"Distribution of Agents with Firewall Status [Logs 
SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e4082dc4-e9cc-4589-aed3-bf66cdac7d34\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e4082dc4-e9cc-4589-aed3-bf66cdac7d34\":{\"columnOrder\":[\"262773c9-227c-4f57-8bfc-530148301609\",\"14960b41-614b-4650-90d9-5feec22c00ce\"],\"columns\":{\"14960b41-614b-4650-90d9-5feec22c00ce\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"262773c9-227c-4f57-8bfc-530148301609\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Scan Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"14960b41-614b-4650-90d9-5feec22c00ce\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.scan.status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"262773c9-227c-4f57-8bfc-530148301609\"],\"layerId\":\"e4082dc4-e9cc-4589-aed3-bf66cdac7d34\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"14960b41-614b-4650-90d9-5feec22c00ce\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Scan Status [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a1308966-3dec-431c-82e3-29890ad87785\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"a1308966-3dec-431c-82e3-29890ad87785\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6a90d9b3-18c1-4b5d-9ba1-0a4bbf0022e3\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6a90d9b3-18c1-4b5d-9ba1-0a4bbf0022e3\":{\"columnOrder\":[\"e8c07bab-a3f7-4cc9-96aa-4affa24dbbb2\",\"c986097b-d867-4c7f-a519-04be42d34916\"],\"columns\":{\"c986097b-d867-4c7f-a519-04be42d34916\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count \",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"e8c07bab-a3f7-4cc9-96aa-4affa24dbbb2\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Mitigation Mode\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"c986097b-d867-4c7f-a519-04be42d34916\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.mitigation_mode\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"c986097b-d867-4c7f-a519-04be42d34916\"],\"layerId\":\"6a90d9b3-18c1-4b5d-9ba1-0a4bbf0022e3\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"e8c07bab-a3f7-4cc9-96aa-4affa24dbbb2\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Agents by Mitigation Mode [Logs SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b4b87cb0-eccc-4b59-a6bc-5aca60f1cdb8\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"b4b87cb0-eccc-4b59-a6bc-5aca60f1cdb8\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-46e7eb74-692b-4c09-b8cd-f7817757c592\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"46e7eb74-692b-4c09-b8cd-f7817757c592\":{\"columnOrder\":[\"4394b62d-0267-4f42-9c8a-1e0f661181ca\",\"669fda39-2f89-42f4-8f3d-24ebed033e42\"],\"columns\":{\"4394b62d-0267-4f42-9c8a-1e0f661181ca\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Group IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"669fda39-2f89-42f4-8f3d-24ebed033e42\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.group.ip\"},\"669fda39-2f89-42f4-8f3d-24ebed033e42\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count \",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"4394b62d-0267-4f42-9c8a-1e0f661181ca\"],\"layerId\":\"46e7eb74-692b-4c09-b8cd-f7817757c592\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"669fda39-2f89-42f4-8f3d-24ebed033e42\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Group IP [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b220d94-4542-4e91-82a5-6fddc2d1f450\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"5b220d94-4542-4e91-82a5-6fddc2d1f450\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-76063bf9-bddc-448f-805e-e53308972d0a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"76063bf9-bddc-448f-805e-e53308972d0a\":{\"columnOrder\":[\"96dd816b-0e55-4e31-9e5b-11f64820a453\",\"2fb054c3-aaea-48a1-99c6-4de1dcd81881\"],\"columns\":{\"2fb054c3-aaea-48a1-99c6-4de1dcd81881\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"96dd816b-0e55-4e31-9e5b-11f64820a453\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"OS Architecture\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2fb054c3-aaea-48a1-99c6-4de1dcd81881\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.os.arch\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"96dd816b-0e55-4e31-9e5b-11f64820a453\"],\"layerId\":\"76063bf9-bddc-448f-805e-e53308972d0a\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"2fb054c3-aaea-48a1-99c6-4de1dcd81881\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by OS Architecture [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4250d06c-8c4c-49ee-8199-3e153a355987\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"4250d06c-8c4c-49ee-8199-3e153a355987\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-67c6e93f-d08b-4c37-b01f-0d2b29874291\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"67c6e93f-d08b-4c37-b01f-0d2b29874291\":{\"columnOrder\":[\"6e3b93ec-b364-4d1a-8cd9-eb4250561a57\",\"44eec685-7c49-4119-baf7-2547c57d857a\"],\"columns\":{\"44eec685-7c49-4119-baf7-2547c57d857a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"6e3b93ec-b364-4d1a-8cd9-eb4250561a57\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Installer Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"44eec685-7c49-4119-baf7-2547c57d857a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.installer_type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"44eec685-7c49-4119-baf7-2547c57d857a\"],\"layerId\":\"67c6e93f-d08b-4c37-b01f-0d2b29874291\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"6e3b93ec-b364-4d1a-8cd9-eb4250561a57\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Agents by Installer Type [Logs SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f2bbdd58-6b06-4b74-9b65-21858c9059c0\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"f2bbdd58-6b06-4b74-9b65-21858c9059c0\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dae671b1-cfe6-4d04-b4b6-8037b31a5fe4\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dae671b1-cfe6-4d04-b4b6-8037b31a5fe4\":{\"columnOrder\":[\"a8c8f9a7-9950-4eb1-aef9-2e3c223c64de\",\"f951b023-b4c9-4f40-8e27-e3122b6db069\"],\"columns\":{\"a8c8f9a7-9950-4eb1-aef9-2e3c223c64de\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Machine 
Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f951b023-b4c9-4f40-8e27-e3122b6db069\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.machine.type\"},\"f951b023-b4c9-4f40-8e27-e3122b6db069\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"a8c8f9a7-9950-4eb1-aef9-2e3c223c64de\"],\"layerId\":\"dae671b1-cfe6-4d04-b4b6-8037b31a5fe4\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f951b023-b4c9-4f40-8e27-e3122b6db069\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Machine Type [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"595ba171-1de6-4b07-9f75-99d7b87fb828\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"595ba171-1de6-4b07-9f75-99d7b87fb828\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06b2ffc3-7740-4e73-807a-ea80e0747b80\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06b2ffc3-7740-4e73-807a-ea80e0747b80\":{\"columnOrder\":[\"0c348764-2e97-4ac5-829c-cd320b30e4d4\",\"ae18bca1-5ee5-44cd-a845-4b6d5e2f9fbe\",\"28cd1c1b-ab0a-40fb-a603-a1ddc4f0157f\"],\"columns\":{\"0c348764-2e97-4ac5-829c-cd320b30e4d4\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"OS Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"28cd1c1b-ab0a-40fb-a603-a1ddc4f0157f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"host.os.type\"},\"28cd1c1b-ab0a-40fb-a603-a1ddc4f0157f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"ae18bca1-5ee5-44cd-a845-4b6d5e2f9fbe\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"OS Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"28cd1c1b-ab0a-40fb-a603-a1ddc4f0157f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"host.os.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ae18bca1-5ee5-44cd-a845-4b6d5e2f9fbe\",\"0c348764-2e97-4ac5-829c-cd320b30e4d4\",\"ae18bca1-5ee5-44cd-a845-4b6d5e2f9fbe\"],\"layerId\":\"06b2ffc3-7740-4e73-807a-ea80e0747b80\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"28cd1c1b-ab0a-40fb-a603-a1ddc4f0157f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by OS Name, OS Type [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e1812890-1e55-4323-8016-fc7340d95b2f\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"e1812890-1e55-4323-8016-fc7340d95b2f\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-456e2023-abf7-40b7-bbc4-35020ef2edd5\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"456e2023-abf7-40b7-bbc4-35020ef2edd5\":{\"columnOrder\":[\"13bfcde7-20c3-40f4-a865-9c8db705dde6\",\"f8a1e135-5ef5-4e17-8660-369ab0230dd1\"],\"columns\":{\"13bfcde7-20c3-40f4-a865-9c8db705dde6\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.infected : true \"},\"label\":\"Infected Agents\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.infected : false \"},\"label\":\"Non-Infected 
Agents\"}]},\"scale\":\"ordinal\"},\"f8a1e135-5ef5-4e17-8660-369ab0230dd1\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.agent.infected\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.agent.infected\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"13bfcde7-20c3-40f4-a865-9c8db705dde6\"],\"layerId\":\"456e2023-abf7-40b7-bbc4-35020ef2edd5\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f8a1e135-5ef5-4e17-8660-369ab0230dd1\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Infected Agents Status [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"445f92f7-7a5f-4236-a8ac-df3087a536fe\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"445f92f7-7a5f-4236-a8ac-df3087a536fe\",\"title\":\"Distribution of Agents by Infected Agents [Logs 
SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-94b7fb49-4faf-4114-baa6-2c621257fd25\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"94b7fb49-4faf-4114-baa6-2c621257fd25\":{\"columnOrder\":[\"14e97f3a-9df8-494f-9190-6ff104f0e040\",\"ab4aa055-75f5-45bc-8d34-883bc47f771a\"],\"columns\":{\"14e97f3a-9df8-494f-9190-6ff104f0e040\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Site Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ab4aa055-75f5-45bc-8d34-883bc47f771a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.site.name\"},\"ab4aa055-75f5-45bc-8d34-883bc47f771a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"14e97f3a-9df8-494f-9190-6ff104f0e040\",\"isTransposed\":false},{\"columnId\":\"ab4aa055-75f5-45bc-8d34-883bc47f771a\",\"isTransposed\":false}],\"layerId\":\"94b7fb49-4faf-4114-baa6-2c621257fd25\",\"layerType\":\"data\"}},\"title\":\"Top 10 Site Name [Logs 
SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fce4e5f5-f30f-473f-8bbf-9523a84a3f96\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"fce4e5f5-f30f-473f-8bbf-9523a84a3f96\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9767cd3d-c1a5-443e-9e79-64f2be92d73e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9767cd3d-c1a5-443e-9e79-64f2be92d73e\":{\"columnOrder\":[\"91f47b2b-9e63-4958-9aeb-5d46537caaaa\",\"f35cbfab-8158-4a67-b1ea-b4142fe750b4\"],\"columns\":{\"91f47b2b-9e63-4958-9aeb-5d46537caaaa\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_up_to_date : true \"},\"label\":\"Up To Date Agents\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_up_to_date : false \"},\"label\":\"Out Dated Agents\"}]},\"scale\":\"ordinal\"},\"f35cbfab-8158-4a67-b1ea-b4142fe750b4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.agent.is_up_to_date\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.agent.is_up_to_date\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"91f47b2b-9e63-4958-9aeb-5d46537caaaa\"],\"layerId\":\"9767cd3d-c1a5-443e-9e79-64f2be92d73e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f35cbfab-8158-4a67-b1ea-b4142fe750b4\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Up To Date Agents Status [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8fa0d643-4d93-45a8-a9ea-57f6e1cff5a5\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"8fa0d643-4d93-45a8-a9ea-57f6e1cff5a5\",\"title\":\"Distribution of Agents by Up To Date Agents [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-469a2da2-7e40-4e47-b882-b553ebc14bf2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"469a2da2-7e40-4e47-b882-b553ebc14bf2\":{\"columnOrder\":[\"f9e8f30e-66a3-46c2-bf37-5a8a0be26ce3\",\"699767aa-b223-466d-b751-833a7921e49a\"],\"columns\":{\"699767aa-b223-466d-b751-833a7921e49a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Active Threats\",\"operationType\":\"median\",\"scale\":\"ratio\",\"sourceField\":\"sentinel_one.agent.active_threats_count\"},\"f9e8f30e-66a3-46c2-bf37-5a8a0be26ce3\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Computer 
Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"699767aa-b223-466d-b751-833a7921e49a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"699767aa-b223-466d-b751-833a7921e49a\"],\"layerId\":\"469a2da2-7e40-4e47-b882-b553ebc14bf2\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"f9e8f30e-66a3-46c2-bf37-5a8a0be26ce3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Computer Name by Active Threats [Logs 
SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a6230b4c-2b1a-4db7-96f5-a8b767794e6a\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"a6230b4c-2b1a-4db7-96f5-a8b767794e6a\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-65fd11fd-a0e7-4507-ad95-82593ace9d23\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"65fd11fd-a0e7-4507-ad95-82593ace9d23\":{\"columnOrder\":[\"dbe1fa00-5bae-49e9-9f6a-82a367d0f73d\",\"337ab9f4-ba31-4b10-97c2-37a90555ebbf\"],\"columns\":{\"337ab9f4-ba31-4b10-97c2-37a90555ebbf\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"dbe1fa00-5bae-49e9-9f6a-82a367d0f73d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_pending_uninstall : true \"},\"label\":\"Pending Uninstall\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_pending_uninstall: false \"},\"label\":\"Not Pending Uninstall\"}]},\"scale\":\"ordinal\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.agent.is_pending_uninstall\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.agent.is_pending_uninstall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"dbe1fa00-5bae-49e9-9f6a-82a367d0f73d\"],\"layerId\":\"65fd11fd-a0e7-4507-ad95-82593ace9d23\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"337ab9f4-ba31-4b10-97c2-37a90555ebbf\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Pending Uninstall Status [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"28169c5e-d7e5-4b2d-a75c-78c6b477261f\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"28169c5e-d7e5-4b2d-a75c-78c6b477261f\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-15c36245-dfc6-41bc-aca4-abe1dd16e8e5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"15c36245-dfc6-41bc-aca4-abe1dd16e8e5\":{\"columnOrder\":[\"34e6ebff-5e97-4117-ae55-0ac219a091ae\",\"b479de26-3fab-44c4-9f5c-ff493b2a7279\"],\"columns\":{\"34e6ebff-5e97-4117-ae55-0ac219a091ae\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Application Vulnerability 
Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b479de26-3fab-44c4-9f5c-ff493b2a7279\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.agent.apps_vulnerability_status\"},\"b479de26-3fab-44c4-9f5c-ff493b2a7279\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"34e6ebff-5e97-4117-ae55-0ac219a091ae\"],\"layerId\":\"15c36245-dfc6-41bc-aca4-abe1dd16e8e5\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b479de26-3fab-44c4-9f5c-ff493b2a7279\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Agents by Application Vulnerability Status [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"87c066da-976f-4df5-8ecf-a8b50b984eed\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"87c066da-976f-4df5-8ecf-a8b50b984eed\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1bc53fbf-f363-4273-9153-0e88fe027780\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1bc53fbf-f363-4273-9153-0e88fe027780\":{\"columnOrder\":[\"acf8b38d-83f6-4585-87d3-789ccc365528\",\"7ddca434-c6b4-4f23-983f-fa65333fd84a\"],\"columns\":{\"7ddca434-c6b4-4f23-983f-fa65333fd84a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.id\"},\"acf8b38d-83f6-4585-87d3-789ccc365528\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Filters\",\"operationType\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_uninstalled : true \"},\"label\":\"Uninstalled Agents\"},{\"input\":{\"language\":\"kuery\",\"query\":\"sentinel_one.agent.is_uninstalled: false \"},\"label\":\"Installed Agents\"}]},\"scale\":\"ordinal\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"sentinel_one.agent.is_uninstalled\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"sentinel_one.agent.is_uninstalled\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.agent\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"acf8b38d-83f6-4585-87d3-789ccc365528\"],\"layerId\":\"1bc53fbf-f363-4273-9153-0e88fe027780\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"7ddca434-c6b4-4f23-983f-fa65333fd84a\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Percentage of Uninstalled Agents [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e62614cf-e513-40e5-aea7-6abbacf4e73b\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"e62614cf-e513-40e5-aea7-6abbacf4e73b\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs SentinelOne] Agents", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "sentinel_one-67844880-bbb5-11ec-82b7-8fcb232e9538", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "88da7d9d-b377-4455-a528-719f58c796f7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "88da7d9d-b377-4455-a528-719f58c796f7:indexpattern-datasource-layer-56dc7645-caa9-462c-abbd-496b8e73ba9c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "88da7d9d-b377-4455-a528-719f58c796f7:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3158c9a2-f48a-42e2-ae82-e01c07a0a77b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3158c9a2-f48a-42e2-ae82-e01c07a0a77b:indexpattern-datasource-layer-ddc8b7d7-81b9-4d85-a686-7e723fc02c52", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3158c9a2-f48a-42e2-ae82-e01c07a0a77b:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a1308966-3dec-431c-82e3-29890ad87785:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "a1308966-3dec-431c-82e3-29890ad87785:indexpattern-datasource-layer-e4082dc4-e9cc-4589-aed3-bf66cdac7d34", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b4b87cb0-eccc-4b59-a6bc-5aca60f1cdb8:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b4b87cb0-eccc-4b59-a6bc-5aca60f1cdb8:indexpattern-datasource-layer-6a90d9b3-18c1-4b5d-9ba1-0a4bbf0022e3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5b220d94-4542-4e91-82a5-6fddc2d1f450:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5b220d94-4542-4e91-82a5-6fddc2d1f450:indexpattern-datasource-layer-46e7eb74-692b-4c09-b8cd-f7817757c592", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4250d06c-8c4c-49ee-8199-3e153a355987:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4250d06c-8c4c-49ee-8199-3e153a355987:indexpattern-datasource-layer-76063bf9-bddc-448f-805e-e53308972d0a", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f2bbdd58-6b06-4b74-9b65-21858c9059c0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f2bbdd58-6b06-4b74-9b65-21858c9059c0:indexpattern-datasource-layer-67c6e93f-d08b-4c37-b01f-0d2b29874291", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "595ba171-1de6-4b07-9f75-99d7b87fb828:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "595ba171-1de6-4b07-9f75-99d7b87fb828:indexpattern-datasource-layer-dae671b1-cfe6-4d04-b4b6-8037b31a5fe4", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e1812890-1e55-4323-8016-fc7340d95b2f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"e1812890-1e55-4323-8016-fc7340d95b2f:indexpattern-datasource-layer-06b2ffc3-7740-4e73-807a-ea80e0747b80", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "445f92f7-7a5f-4236-a8ac-df3087a536fe:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "445f92f7-7a5f-4236-a8ac-df3087a536fe:indexpattern-datasource-layer-456e2023-abf7-40b7-bbc4-35020ef2edd5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "445f92f7-7a5f-4236-a8ac-df3087a536fe:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fce4e5f5-f30f-473f-8bbf-9523a84a3f96:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fce4e5f5-f30f-473f-8bbf-9523a84a3f96:indexpattern-datasource-layer-94b7fb49-4faf-4114-baa6-2c621257fd25", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fa0d643-4d93-45a8-a9ea-57f6e1cff5a5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fa0d643-4d93-45a8-a9ea-57f6e1cff5a5:indexpattern-datasource-layer-9767cd3d-c1a5-443e-9e79-64f2be92d73e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fa0d643-4d93-45a8-a9ea-57f6e1cff5a5:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a6230b4c-2b1a-4db7-96f5-a8b767794e6a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a6230b4c-2b1a-4db7-96f5-a8b767794e6a:indexpattern-datasource-layer-469a2da2-7e40-4e47-b882-b553ebc14bf2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "28169c5e-d7e5-4b2d-a75c-78c6b477261f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "28169c5e-d7e5-4b2d-a75c-78c6b477261f:indexpattern-datasource-layer-65fd11fd-a0e7-4507-ad95-82593ace9d23", - "type": "index-pattern" - }, - { - "id": 
"logs-*", - "name": "28169c5e-d7e5-4b2d-a75c-78c6b477261f:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "87c066da-976f-4df5-8ecf-a8b50b984eed:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "87c066da-976f-4df5-8ecf-a8b50b984eed:indexpattern-datasource-layer-15c36245-dfc6-41bc-aca4-abe1dd16e8e5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e62614cf-e513-40e5-aea7-6abbacf4e73b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e62614cf-e513-40e5-aea7-6abbacf4e73b:indexpattern-datasource-layer-1bc53fbf-f363-4273-9153-0e88fe027780", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e62614cf-e513-40e5-aea7-6abbacf4e73b:filter-index-pattern-0", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json deleted file mode 100755 index a1b85204b6..0000000000 --- a/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3aa4f16e-85bd-466a-b665-445b6d5de2cd\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3aa4f16e-85bd-466a-b665-445b6d5de2cd\":{\"columnOrder\":[\"b9e2330d-e198-4126-a3b0-77e64079e984\"],\"columns\":{\"b9e2330d-e198-4126-a3b0-77e64079e984\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"},\"visualization\":{\"accessor\":\"b9e2330d-e198-4126-a3b0-77e64079e984\",\"layerId\":\"3aa4f16e-85bd-466a-b665-445b6d5de2cd\",\"layerType\":\"data\"}},\"title\":\"Total Number of Activities [Logs 
SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"6b1d0060-0c72-441e-9901-855d5ee70a67\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"6b1d0060-0c72-441e-9901-855d5ee70a67\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1284ad1-7648-410f-b78f-78a997f797cd\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1284ad1-7648-410f-b78f-78a997f797cd\":{\"columnOrder\":[\"328306c1-4f54-43a4-b22b-1a0d5d692b56\",\"33e68f71-0393-4fc3-8560-b1ed069c6aff\"],\"columns\":{\"328306c1-4f54-43a4-b22b-1a0d5d692b56\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"User ID\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"33e68f71-0393-4fc3-8560-b1ed069c6aff\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"user.id\"},\"33e68f71-0393-4fc3-8560-b1ed069c6aff\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"328306c1-4f54-43a4-b22b-1a0d5d692b56\",\"isTransposed\":false},{\"columnId\":\"33e68f71-0393-4fc3-8560-b1ed069c6aff\",\"isTransposed\":false}],\"layerId\":\"c1284ad1-7648-410f-b78f-78a997f797cd\",\"layerType\":\"data\"}},\"title\":\"Top 10 User ID [Logs 
SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"fe58dc4e-28bd-4efc-9995-4431b0128e73\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"fe58dc4e-28bd-4efc-9995-4431b0128e73\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c68f6ca1-bcfd-462e-8462-6c41882faa91\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c68f6ca1-bcfd-462e-8462-6c41882faa91\":{\"columnOrder\":[\"20baeaa0-d2a6-4fd1-94b2-e1b9face320d\",\"ad264914-7ee8-4563-9165-5c2f2d0cbdde\"],\"columns\":{\"20baeaa0-d2a6-4fd1-94b2-e1b9face320d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Agent ID\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ad264914-7ee8-4563-9165-5c2f2d0cbdde\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.activity.agent.id\"},\"ad264914-7ee8-4563-9165-5c2f2d0cbdde\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"20baeaa0-d2a6-4fd1-94b2-e1b9face320d\"],\"layerId\":\"c68f6ca1-bcfd-462e-8462-6c41882faa91\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ad264914-7ee8-4563-9165-5c2f2d0cbdde\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Activities by Agent ID [Logs 
SentinelOne]]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"e9f9f5be-1784-4930-b656-b41e8baf100b\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"e9f9f5be-1784-4930-b656-b41e8baf100b\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-286fe5cf-c73d-4edf-9e11-04e266706ac0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"286fe5cf-c73d-4edf-9e11-04e266706ac0\":{\"columnOrder\":[\"0c47280a-f6fa-4360-ab66-d64449fb9926\",\"06382207-6085-4738-8cd7-5bc411702e69\"],\"columns\":{\"06382207-6085-4738-8cd7-5bc411702e69\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"0c47280a-f6fa-4360-ab66-d64449fb9926\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Account Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"06382207-6085-4738-8cd7-5bc411702e69\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.activity.account.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"0c47280a-f6fa-4360-ab66-d64449fb9926\",\"isTransposed\":false},{\"columnId\":\"06382207-6085-4738-8cd7-5bc411702e69\",\"isTransposed\":false}],\"layerId\":\"286fe5cf-c73d-4edf-9e11-04e266706ac0\",\"layerType\":\"data\"}},\"title\":\"Top 10 Account Name [Logs 
SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"822b1071-df2f-43bd-84a8-da1bcdd97528\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"822b1071-df2f-43bd-84a8-da1bcdd97528\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3398cd0c-0707-4e86-8138-7823fd3fe3ad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3398cd0c-0707-4e86-8138-7823fd3fe3ad\":{\"columnOrder\":[\"b87b3729-1100-4fe2-82a0-fcc4b5b65999\",\"b06e82de-dde9-4eae-a13d-4c4702f60694\"],\"columns\":{\"b06e82de-dde9-4eae-a13d-4c4702f60694\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b87b3729-1100-4fe2-82a0-fcc4b5b65999\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"OS Family\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b06e82de-dde9-4eae-a13d-4c4702f60694\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"os.family\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b87b3729-1100-4fe2-82a0-fcc4b5b65999\"],\"layerId\":\"3398cd0c-0707-4e86-8138-7823fd3fe3ad\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b06e82de-dde9-4eae-a13d-4c4702f60694\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Activities by OS Family [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"96472e81-2362-46b7-9a78-ced057e7f22b\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"96472e81-2362-46b7-9a78-ced057e7f22b\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-27449a92-7952-4cb5-aec7-c18c8110f077\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"27449a92-7952-4cb5-aec7-c18c8110f077\":{\"columnOrder\":[\"cd851cfb-18ee-4ba6-bf2b-61041da779c1\",\"c7d31b39-34dd-4c74-a4a9-bb34d381ff43\",\"152f8820-ce3e-4d27-a8a6-a96858d54954\"],\"columns\":{\"152f8820-ce3e-4d27-a8a6-a96858d54954\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c7d31b39-34dd-4c74-a4a9-bb34d381ff43\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Computer Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"152f8820-ce3e-4d27-a8a6-a96858d54954\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.name\"},\"cd851cfb-18ee-4ba6-bf2b-61041da779c1\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Primary 
Description\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"152f8820-ce3e-4d27-a8a6-a96858d54954\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.activity.description.primary\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"filter-index-pattern-0\",\"key\":\"host.name\",\"negate\":false,\"type\":\"exists\"},\"query\":{\"exists\":{\"field\":\"host.name\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"cd851cfb-18ee-4ba6-bf2b-61041da779c1\",\"isTransposed\":false},{\"columnId\":\"152f8820-ce3e-4d27-a8a6-a96858d54954\",\"isTransposed\":false},{\"columnId\":\"c7d31b39-34dd-4c74-a4a9-bb34d381ff43\",\"isTransposed\":false}],\"layerId\":\"27449a92-7952-4cb5-aec7-c18c8110f077\",\"layerType\":\"data\"}},\"title\":\"Top 10 Primary Description by Computer Name [Logs SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6776b675-6e78-4293-9419-abb2052779a9\",\"w\":24,\"x\":24,\"y\":27},\"panelIndex\":\"6776b675-6e78-4293-9419-abb2052779a9\",\"title\":\"Top 10 Primary Description by Computer Name [Logs 
SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-5abe3706-203c-48d8-afb0-96e3b47b163e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"5abe3706-203c-48d8-afb0-96e3b47b163e\":{\"columnOrder\":[\"bfb48360-d985-485c-8a3f-92e348223b55\",\"b56fdd4c-8aa5-4bee-822c-f46c1a7ff5af\"],\"columns\":{\"b56fdd4c-8aa5-4bee-822c-f46c1a7ff5af\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bfb48360-d985-485c-8a3f-92e348223b55\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Computer Name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b56fdd4c-8aa5-4bee-822c-f46c1a7ff5af\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"host.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.activity\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"bfb48360-d985-485c-8a3f-92e348223b55\",\"isTransposed\":false},{\"columnId\":\"b56fdd4c-8aa5-4bee-822c-f46c1a7ff5af\",\"isTransposed\":false}],\"layerId\":\"5abe3706-203c-48d8-afb0-96e3b47b163e\",\"layerType\":\"data\"}},\"title\":\"Top 10 Activities Count by Computer Name [Logs SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"60e34164-f433-4c23-bfa1-a84269e385dc\",\"w\":24,\"x\":0,\"y\":27},\"panelIndex\":\"60e34164-f433-4c23-bfa1-a84269e385dc\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs SentinelOne] 
Activities", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "sentinel_one-899f2630-bb27-11ec-82b7-8fcb232e9538", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "logs-*", - "name": "6b1d0060-0c72-441e-9901-855d5ee70a67:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6b1d0060-0c72-441e-9901-855d5ee70a67:indexpattern-datasource-layer-3aa4f16e-85bd-466a-b665-445b6d5de2cd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe58dc4e-28bd-4efc-9995-4431b0128e73:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fe58dc4e-28bd-4efc-9995-4431b0128e73:indexpattern-datasource-layer-c1284ad1-7648-410f-b78f-78a997f797cd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9f9f5be-1784-4930-b656-b41e8baf100b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9f9f5be-1784-4930-b656-b41e8baf100b:indexpattern-datasource-layer-c68f6ca1-bcfd-462e-8462-6c41882faa91", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "822b1071-df2f-43bd-84a8-da1bcdd97528:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "822b1071-df2f-43bd-84a8-da1bcdd97528:indexpattern-datasource-layer-286fe5cf-c73d-4edf-9e11-04e266706ac0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "96472e81-2362-46b7-9a78-ced057e7f22b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "96472e81-2362-46b7-9a78-ced057e7f22b:indexpattern-datasource-layer-3398cd0c-0707-4e86-8138-7823fd3fe3ad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6776b675-6e78-4293-9419-abb2052779a9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"6776b675-6e78-4293-9419-abb2052779a9:indexpattern-datasource-layer-27449a92-7952-4cb5-aec7-c18c8110f077", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6776b675-6e78-4293-9419-abb2052779a9:filter-index-pattern-0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "60e34164-f433-4c23-bfa1-a84269e385dc:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "60e34164-f433-4c23-bfa1-a84269e385dc:indexpattern-datasource-layer-5abe3706-203c-48d8-afb0-96e3b47b163e", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538.json b/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538.json deleted file mode 100755 index cb7b394cf3..0000000000 --- a/packages/sentinel_one/0.1.0/kibana/dashboard/sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538.json +++ /dev/null 
@@ -1,117 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.alert\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"1a5f3a94-99e7-4ad0-adec-e58382e9b5de\",\"w\":48,\"x\":0,\"y\":57},\"panelIndex\":\"1a5f3a94-99e7-4ad0-adec-e58382e9b5de\",\"panelRefName\":\"panel_1a5f3a94-99e7-4ad0-adec-e58382e9b5de\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a70c9f24-f23c-453b-8c96-f1e710d919fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a70c9f24-f23c-453b-8c96-f1e710d919fc\":{\"columnOrder\":[\"3da4d948-d5f9-414d-af6e-ea897044f260\"],\"columns\":{\"3da4d948-d5f9-414d-af6e-ea897044f260\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.alert\\\"\"},\"visualization\":{\"accessor\":\"3da4d948-d5f9-414d-af6e-ea897044f260\",\"layerId\":\"a70c9f24-f23c-453b-8c96-f1e710d919fc\",\"layerType\":\"data\"}},\"title\":\"Total Number of Alerts [Logs 
SentinelOne]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"b1454cbc-86ff-4612-9129-bc0b2b710079\",\"w\":11,\"x\":0,\"y\":0},\"panelIndex\":\"b1454cbc-86ff-4612-9129-bc0b2b710079\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b50e4935-fe9a-460a-ab6d-43dcb1da50cb\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b50e4935-fe9a-460a-ab6d-43dcb1da50cb\":{\"columnOrder\":[\"270e4c10-e504-46fa-be0a-05759a516322\",\"de45442f-1e4f-4b15-acc9-abc576928301\"],\"columns\":{\"270e4c10-e504-46fa-be0a-05759a516322\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"OS Family\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de45442f-1e4f-4b15-acc9-abc576928301\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"host.os.family\"},\"de45442f-1e4f-4b15-acc9-abc576928301\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"270e4c10-e504-46fa-be0a-05759a516322\"],\"layerId\":\"b50e4935-fe9a-460a-ab6d-43dcb1da50cb\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de45442f-1e4f-4b15-acc9-abc576928301\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Alerts by OS Family [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"02d8b05a-a909-43e8-bab4-41c424e0e889\",\"w\":19,\"x\":11,\"y\":0},\"panelIndex\":\"02d8b05a-a909-43e8-bab4-41c424e0e889\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-da42b88e-21d2-434f-9bbc-a8386239736f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"da42b88e-21d2-434f-9bbc-a8386239736f\":{\"columnOrder\":[\"20818763-4451-42db-bcfd-f17df146a699\",\"dafcda2b-19bc-4796-beca-bfe8a90aa089\"],\"columns\":{\"20818763-4451-42db-bcfd-f17df146a699\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Agent Version\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"dafcda2b-19bc-4796-beca-bfe8a90aa089\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"observer.version\"},\"dafcda2b-19bc-4796-beca-bfe8a90aa089\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"20818763-4451-42db-bcfd-f17df146a699\"],\"layerId\":\"da42b88e-21d2-434f-9bbc-a8386239736f\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"dafcda2b-19bc-4796-beca-bfe8a90aa089\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Alerts by Agent Version [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":12,\"i\":\"869821d9-6b7b-4b0a-be75-476ec72548c9\",\"w\":18,\"x\":30,\"y\":0},\"panelIndex\":\"869821d9-6b7b-4b0a-be75-476ec72548c9\",\"title\":\"Distribution of Alerts by Agent Version [Logs SentinelOne]\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bf67982d-968e-4dfc-9e1e-378fe14caa5a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bf67982d-968e-4dfc-9e1e-378fe14caa5a\":{\"columnOrder\":[\"6bcb2e67-6f42-48ee-ae55-06508280e8b9\",\"82538ec1-3110-4936-84f3-4894a3fbd634\"],\"columns\":{\"6bcb2e67-6f42-48ee-ae55-06508280e8b9\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Treat As Threat\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"82538ec1-3110-4936-84f3-4894a3fbd634\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.alert.rule.treat_as_threat\"},\"82538ec1-3110-4936-84f3-4894a3fbd634\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"6bcb2e67-6f42-48ee-ae55-06508280e8b9\"],\"layerId\":\"bf67982d-968e-4dfc-9e1e-378fe14caa5a\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"82538ec1-3110-4936-84f3-4894a3fbd634\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Alerts by Treat As Threat [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"781400e7-5d84-4316-a890-0f92323bbfa4\",\"w\":24,\"x\":0,\"y\":12},\"panelIndex\":\"781400e7-5d84-4316-a890-0f92323bbfa4\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-12bb8402-74e9-4f83-96db-18e874c28661\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"12bb8402-74e9-4f83-96db-18e874c28661\":{\"columnOrder\":[\"99d34625-e9dc-41a0-9bec-3076d907137c\",\"580be51c-ada9-456e-b4c6-af616ade4a31\"],\"columns\":{\"580be51c-ada9-456e-b4c6-af616ade4a31\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"99d34625-e9dc-41a0-9bec-3076d907137c\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Scope Level\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"580be51c-ada9-456e-b4c6-af616ade4a31\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.alert.rule.scope_level\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"99d34625-e9dc-41a0-9bec-3076d907137c\"],\"layerId\":\"12bb8402-74e9-4f83-96db-18e874c28661\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"580be51c-ada9-456e-b4c6-af616ade4a31\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Alerts by Scope Level [Logs SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c328a3b4-108a-4a1f-a545-5e6a3acc40b0\",\"w\":24,\"x\":24,\"y\":12},\"panelIndex\":\"c328a3b4-108a-4a1f-a545-5e6a3acc40b0\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6b6b61df-1417-49a3-81a1-7dda411c4e71\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6b6b61df-1417-49a3-81a1-7dda411c4e71\":{\"columnOrder\":[\"27530883-162f-4958-bee8-ef06abc84059\",\"ecb1b9f1-2129-4d39-887d-3c2869f94908\"],\"columns\":{\"27530883-162f-4958-bee8-ef06abc84059\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Rule Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ecb1b9f1-2129-4d39-887d-3c2869f94908\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"ecb1b9f1-2129-4d39-887d-3c2869f94908\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.alert\\\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"27530883-162f-4958-bee8-ef06abc84059\",\"isTransposed\":false},{\"columnId\":\"ecb1b9f1-2129-4d39-887d-3c2869f94908\",\"isTransposed\":false}],\"layerId\":\"6b6b61df-1417-49a3-81a1-7dda411c4e71\",\"layerType\":\"data\"}},\"title\":\"Top 10 Rule Names [Logs SentinelOne]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"24c1e7fd-242a-49b1-bff0-521218255ed7\",\"w\":24,\"x\":0,\"y\":27},\"panelIndex\":\"24c1e7fd-242a-49b1-bff0-521218255ed7\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-6575381f-da1f-4e3e-aa6e-ee5d513b66e2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"6575381f-da1f-4e3e-aa6e-ee5d513b66e2\":{\"columnOrder\":[\"0331dc07-e879-47b7-9279-687b413d436f\",\"66f1847e-6cfe-4b2a-95a7-795f68736736\"],\"columns\":{\"0331dc07-e879-47b7-9279-687b413d436f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Rule Severity\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"66f1847e-6cfe-4b2a-95a7-795f68736736\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.alert.rule.severity\"},\"66f1847e-6cfe-4b2a-95a7-795f68736736\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"sentinel_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"66f1847e-6cfe-4b2a-95a7-795f68736736\"],\"layerId\":\"6575381f-da1f-4e3e-aa6e-ee5d513b66e2\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"xAccessor\":\"0331dc07-e879-47b7-9279-687b413d436f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"Distribution of Alerts by Rule Severity [Logs SentinelOne]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"986ac399-7ca0-420e-a224-f55f9dc48f5c\",\"w\":24,\"x\":24,\"y\":27},\"panelIndex\":\"986ac399-7ca0-420e-a224-f55f9dc48f5c\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-92ea1b1a-7e5f-4d77-9af5-5c75151c6382\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"92ea1b1a-7e5f-4d77-9af5-5c75151c6382\":{\"columnOrder\":[\"ddcf4498-b8ec-4e73-8a42-6b9e04e549c0\",\"f2f2bd2b-27e3-4868-bae1-ff003f94d936\"],\"columns\":{\"ddcf4498-b8ec-4e73-8a42-6b9e04e549c0\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Event 
Type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f2f2bd2b-27e3-4868-bae1-ff003f94d936\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.type\"},\"f2f2bd2b-27e3-4868-bae1-ff003f94d936\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ddcf4498-b8ec-4e73-8a42-6b9e04e549c0\"],\"layerId\":\"92ea1b1a-7e5f-4d77-9af5-5c75151c6382\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"f2f2bd2b-27e3-4868-bae1-ff003f94d936\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Alerts by Event Type [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"946d6cac-4418-40cf-b301-614d64130caa\",\"w\":24,\"x\":0,\"y\":42},\"panelIndex\":\"946d6cac-4418-40cf-b301-614d64130caa\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-76215aa5-943c-4f3f-a5b5-dfa7095216e5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"76215aa5-943c-4f3f-a5b5-dfa7095216e5\":{\"columnOrder\":[\"58c3a718-0540-4a34-bdb7-d3ac85d94986\",\"27c9c040-2ef7-4384-88fa-156d43d3ffe9\"],\"columns\":{\"27c9c040-2ef7-4384-88fa-156d43d3ffe9\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"58c3a718-0540-4a34-bdb7-d3ac85d94986\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Incident Status\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"27c9c040-2ef7-4384-88fa-156d43d3ffe9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"sentinel_one.alert.info.status\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.alert\\\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"58c3a718-0540-4a34-bdb7-d3ac85d94986\"],\"layerId\":\"76215aa5-943c-4f3f-a5b5-dfa7095216e5\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"27c9c040-2ef7-4384-88fa-156d43d3ffe9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Distribution of Alerts by Incident Status [Logs 
SentinelOne]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d9f10ef5-e421-4193-8a29-de995a862192\",\"w\":24,\"x\":24,\"y\":42},\"panelIndex\":\"d9f10ef5-e421-4193-8a29-de995a862192\",\"type\":\"lens\",\"version\":\"7.17.0\"}]", - "timeRestore": false, - "title": "[Logs SentinelOne] Alerts", - "version": 1 - }, - "coreMigrationVersion": "7.17.0", - "id": "sentinel_one-bcf1f680-bba3-11ec-82b7-8fcb232e9538", - "migrationVersion": { - "dashboard": "7.17.0" - }, - "references": [ - { - "id": "sentinel_one-89773b00-c1fa-11ec-a23a-27e16fe32bb9", - "name": "1a5f3a94-99e7-4ad0-adec-e58382e9b5de:panel_1a5f3a94-99e7-4ad0-adec-e58382e9b5de", - "type": "search" - }, - { - "id": "logs-*", - "name": "b1454cbc-86ff-4612-9129-bc0b2b710079:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b1454cbc-86ff-4612-9129-bc0b2b710079:indexpattern-datasource-layer-a70c9f24-f23c-453b-8c96-f1e710d919fc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02d8b05a-a909-43e8-bab4-41c424e0e889:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02d8b05a-a909-43e8-bab4-41c424e0e889:indexpattern-datasource-layer-b50e4935-fe9a-460a-ab6d-43dcb1da50cb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "869821d9-6b7b-4b0a-be75-476ec72548c9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "869821d9-6b7b-4b0a-be75-476ec72548c9:indexpattern-datasource-layer-da42b88e-21d2-434f-9bbc-a8386239736f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "781400e7-5d84-4316-a890-0f92323bbfa4:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "781400e7-5d84-4316-a890-0f92323bbfa4:indexpattern-datasource-layer-bf67982d-968e-4dfc-9e1e-378fe14caa5a", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "c328a3b4-108a-4a1f-a545-5e6a3acc40b0:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c328a3b4-108a-4a1f-a545-5e6a3acc40b0:indexpattern-datasource-layer-12bb8402-74e9-4f83-96db-18e874c28661",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "24c1e7fd-242a-49b1-bff0-521218255ed7:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "24c1e7fd-242a-49b1-bff0-521218255ed7:indexpattern-datasource-layer-6b6b61df-1417-49a3-81a1-7dda411c4e71",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "986ac399-7ca0-420e-a224-f55f9dc48f5c:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "986ac399-7ca0-420e-a224-f55f9dc48f5c:indexpattern-datasource-layer-6575381f-da1f-4e3e-aa6e-ee5d513b66e2",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "946d6cac-4418-40cf-b301-614d64130caa:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "946d6cac-4418-40cf-b301-614d64130caa:indexpattern-datasource-layer-92ea1b1a-7e5f-4d77-9af5-5c75151c6382",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d9f10ef5-e421-4193-8a29-de995a862192:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "d9f10ef5-e421-4193-8a29-de995a862192:indexpattern-datasource-layer-76215aa5-943c-4f3f-a5b5-dfa7095216e5",
- "type": "index-pattern"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/sentinel_one/0.1.0/kibana/search/sentinel_one-89773b00-c1fa-11ec-a23a-27e16fe32bb9.json b/packages/sentinel_one/0.1.0/kibana/search/sentinel_one-89773b00-c1fa-11ec-a23a-27e16fe32bb9.json
deleted file mode 100755
index 534700dab7..0000000000
--- a/packages/sentinel_one/0.1.0/kibana/search/sentinel_one-89773b00-c1fa-11ec-a23a-27e16fe32bb9.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "attributes": {
- "columns": [
- "user.name",
- "rule.id",
- "rule.name",
- "rule.description",
- "host.name",
- "observer.version",
- "host.type",
- "observer.serial_number"
- ],
- "description": "",
- "grid": {},
- "hideChart": true,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"sentinel_one.alert\\\"\"}}"
- },
- "sort": [
- [
- "@timestamp",
- "desc"
- ]
- ],
- "title": "Recent Alerts [Logs SentinelOne]"
- },
- "coreMigrationVersion": "7.17.0",
- "id": "sentinel_one-89773b00-c1fa-11ec-a23a-27e16fe32bb9",
- "migrationVersion": {
- "search": "7.9.3"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search"
-}
\ No newline at end of file
diff --git a/packages/sentinel_one/0.1.0/manifest.yml b/packages/sentinel_one/0.1.0/manifest.yml
deleted file mode 100755
index b09ef4e707..0000000000
--- a/packages/sentinel_one/0.1.0/manifest.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-format_version: 1.0.0
-name: sentinel_one
-title: SentinelOne
-version: 0.1.0
-license: basic
-description: Collect logs from SentinelOne with Elastic Agent.
-type: integration
-categories:
- - security
-conditions:
- kibana.version: ^7.17.0 || ^8.0.0
-screenshots:
- - src: /img/sentinel-one-screenshot.png
- title: SentinelOne Threat Dashboard Screenshot
- size: 600x600
- type: image/png
-icons:
- - src: /img/sentinel-one-logo.svg
- title: SentinelOne Logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: sentinel_one
- title: SentinelOne
- description: Collect logs from SentinelOne.
- inputs:
- - type: httpjson
- title: Collect SentinelOne logs via API
- description: Collecting SentinelOne logs via API.
- vars:
- - name: url
- type: text
- title: URL
- description: SentinelOne console URL.
- required: true
- - name: api_token
- type: password
- title: API Token
- description: API Token with API Access Level type.
- required: true
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
- name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate_authorities:
- # - |
- # -----BEGIN CERTIFICATE-----
- # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
- # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
- # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
- # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
- # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
- # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
- # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
- # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
- # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
- # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
- # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
- # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
- # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
- # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
- # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
- # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
- # sxSmbIUfc2SGJGCJD4I=
- # -----END CERTIFICATE-----
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/sonicwall_firewall/0.1.0/changelog.yml b/packages/sonicwall_firewall/0.1.0/changelog.yml
deleted file mode 100755
index 81d6381daf..0000000000
--- a/packages/sonicwall_firewall/0.1.0/changelog.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-# newer versions go on top
-- version: "0.1.0"
- changes:
- - description: Initial beta version of the package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3365
diff --git a/packages/sonicwall_firewall/0.1.0/data_stream/log/agent/stream/logfile.yml.hbs b/packages/sonicwall_firewall/0.1.0/data_stream/log/agent/stream/logfile.yml.hbs
deleted file mode 100755
index d40e62f2b9..0000000000
--- a/packages/sonicwall_firewall/0.1.0/data_stream/log/agent/stream/logfile.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-fields_under_root: true
-fields:
- _conf:
- tz_offset: {{tz_offset}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/sonicwall_firewall/0.1.0/data_stream/log/agent/stream/udp.yml.hbs b/packages/sonicwall_firewall/0.1.0/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 93707136be..0000000000
--- a/packages/sonicwall_firewall/0.1.0/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,20 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-fields_under_root: true
-fields:
- _conf:
- tz_offset: {{tz_offset}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/sonicwall_firewall/0.1.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/sonicwall_firewall/0.1.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 6b6b9fd49d..0000000000
--- a/packages/sonicwall_firewall/0.1.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,1307 +0,0 @@
----
-description: Pipeline for processing SonicWall firewall logs
-processors:
- - set:
- field: ecs.version
- value: "8.2.0"
-
- - set:
- field: observer.vendor
- value: SonicWall
-
- - set:
- field: observer.product
- value: SonicOS
-
- - set:
- field: observer.type
- value: firewall
-
- - set:
- field: event.timezone
- value: "{{{_conf.tz_offset}}}"
- if: ctx?._conf?.tz_offset != null && ctx?._conf?.tz_offset != 'local'
-
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
-
- - grok:
- field: event.original
- description: Extracts key-value pairs from original message
- patterns:
- - '%{KEY_VALUES:_temp_.serialized_kv}'
- pattern_definitions:
- KEY_VALUES: 'id=.*'
- on_failure:
- - fail:
- message: 'unable to extract key-values from log message: {{{ _ingest.on_failure_message }}}'
-
- - kv:
- field: _temp_.serialized_kv
- description: Splits key-value pairs extracted from original message
- field_split: ' +(?=[a-zA-Z0-9_-]+=)'
- value_split: '='
- prefix: 'sonicwall.firewall.'
- ignore_failure: false
- trim_value: "\"'"
- on_failure:
- - fail:
- message: 'unable to process key-values from log message: {{{ _ingest.on_failure_message }}}'
-
- - script:
- lang: painless
- description: Maps SonicWall fields to ECS
- if: 'ctx.sonicwall?.firewall != null'
- params:
- arg:
- - to: url.path
- dpi:
- - to: sonicwall.firewall.dpi
- map:
- '0': 'false'
- '1': 'true'
- dstMac:
- - to: destination.mac
- dstname:
- - to: url.domain
- dstZone:
- - to: observer.egress.zone
- fw:
- - to: observer.hostname
- fw_action:
- - to: event.action
- map:
- forward: packet-forwarded
- drop: packet-dropped
- mgmt: packet-management
- gcat:
- - to: sonicwall.firewall.gcat
- - to: sonicwall.firewall.event_group_category
- map:
- '1': Value
- '2': System
- '3': Log
- '4': Security Services
- '5': Users
- '6': Firewall Settings
- '7': Network
- '8': VPN
- '9': High Availability
- '10': 3G/4G, Modem, and Module Firewall
- '11': Wireless
- '12': VoIP
- '13': SSL VPN
- '14': Anti-Spam
- '15': WAN Acceleration
- '16': SD-WAN
- '17': Multi-Tenancy
- id:
- - to: observer.name
- m:
- - to: event.code
- msg:
- - to: message
- n:
- - to: event.sequence
- natDst:
- - to: _temp_.destination_nat_ip
- natDstV6:
- - to: _temp_.destination_nat_ip
- natSrc:
- - to: _temp_.source_nat_ip
- natSrcV6:
- - to: _temp_.source_nat_ip
- op:
- - to: http.request.method
- map:
- '1': 'GET'
- '2': 'POST'
- '3': 'HEAD'
- pri:
- - to: event.severity
- - to: log.level
- map:
- '0': emergency
- '1': alert
- '2': critical
- '3': error
- '4': warning
- '5': notice
- '6': info
- '7': debug
- proto:
- - to: network.transport
- rcvd:
- - to: destination.bytes
- rpkt:
- - to: destination.packets
- rule:
- - to: rule.id
- sent:
- - to: source.bytes
- spkt:
- - to: source.packets
- srcMac:
- - to: source.mac
- srcZone:
- - to: observer.ingress.zone
- sn:
- - to: observer.serial_number
- time:
- - to: '@timestamp'
- user:
- - to: user.name
- usr:
- - to: user.name
- source: |
- List sets =
ctx._temp_.computeIfAbsent("sets", k -> new ArrayList());
- List removes = ctx._temp_.computeIfAbsent("removes", k -> new ArrayList());
- for (def src_field : ctx.sonicwall.firewall.entrySet()) {
- def key = src_field.getKey();
- if (params[key] != null) {
- boolean mapped = false;
- for (def action : params[key]) {
- def value = action.map == null? src_field.getValue() : action.map[src_field.getValue()];
- if (value != null) {
- sets.add([
- "target": action.to,
- "value": value
- ]);
- }
- }
- removes.add(key);
- }
- }
-
-#
-# Source and destination information
-#
-# The src and dst fields have the following format:
-# [:[:[:]]]
-#
-# For IPv6 addresses the srcV6/dstV6 fields are used.
-# These contain the ip address, and optionally the src/dst
-# fields are used to include extra information, leaving
-# the part empty (value starts with `:`).
-
- - script:
- lang: painless
- description: Extracts additional information from src and dst
- params:
- src:
- - source.address
- - source.port
- - observer.ingress.interface.name
- - source.domain
- dst:
- - destination.address
- - destination.port
- - observer.egress.interface.name
- - destination.domain
- source: |
- List sets = ctx._temp_.computeIfAbsent("sets", k -> new ArrayList());
- List removes = ctx._temp_.computeIfAbsent("removes", k -> new ArrayList());
- for (def field : params.entrySet()) {
- String value = ctx.sonicwall.firewall[field.getKey()];
- if (value == null) continue;
- String[] parts = value.splitOnToken(":");
- List mapping = field.getValue();
- for ( int i = (int)Math.min(parts.length, mapping.size()) - 1
- ; i>=0
- ; i--) {
- sets.add([
- "target": mapping[i],
- "value": parts[i]
- ]);
- }
- removes.add(field.getKey());
- }
-
-#
-# Duration fields dur / cdur
-#
- - script:
- lang: painless
- description: Calculates event.duration
- params:
- destination: event.duration
- sources:
- - field: dur
- append: '000000000'
- - field: cdur
- append: '000000'
- source: |
- List sets =
ctx._temp_.computeIfAbsent("sets", k -> new ArrayList());
- List removes = ctx._temp_.computeIfAbsent("removes", k -> new ArrayList());
- Map base = ctx.sonicwall?.firewall;
- if (base == null) return;
- for (def entry : params.sources) {
- if (base.containsKey(entry.field)) {
- sets.add([
- "target": params.destination,
- "value": base[entry.field] + entry.append
- ]);
- }
- removes.add(entry.field);
- }
-
- - foreach:
- field: _temp_.removes
- processor:
- remove:
- field: 'sonicwall.firewall.{{{ _ingest._value }}}'
- ignore_missing: true
-
- - foreach:
- field: _temp_.sets
- processor:
- set:
- field: '{{{ _ingest._value.target }}}'
- value: '{{{ _ingest._value.value }}}'
-
- - set:
- field: source.address
- copy_from: sonicwall.firewall.srcV6
- override: true
- ignore_failure: true
-
- - set:
- field: destination.address
- copy_from: sonicwall.firewall.dstV6
- override: true
- ignore_failure: true
-
- - date:
- field: '@timestamp'
- formats:
- - 'yyyy-MM-dd HH:mm:ss VV'
- - 'yyyy-MM-dd HH:mm:ss'
- - ISO8601
- timezone: '{{{_conf.tz_offset}}}'
- if: 'ctx._conf?.tz_offset != null && ctx._conf.tz_offset != "local"'
- on_failure:
- - append:
- field: error.message
- value: 'failed to parse time field ({{{ @timestamp }}}): {{{ _ingest.on_failure_message }}}'
- - date:
- field: '@timestamp'
- formats:
- - 'yyyy-MM-dd HH:mm:ss VV'
- - 'yyyy-MM-dd HH:mm:ss'
- - ISO8601
- if: 'ctx._conf?.tz_offset == null || ctx._conf.tz_offset == "local"'
- on_failure:
- - append:
- field: error.message
- value: 'failed to parse time field ({{{ @timestamp }}}): {{{ _ingest.on_failure_message }}}'
-
-#
-# Validate IP addresses
-#
- - convert:
- field: observer.hostname
- target_field: observer.ip
- type: ip
- ignore_missing: true
- ignore_failure: true
-
- - remove:
- field: observer.hostname
- if: 'ctx.observer?.ip != null'
-
- - convert:
- field: source.address
- target_field: source.ip
- type: ip
- ignore_missing: true
- ignore_failure: true
-
- - remove:
- field: source.address
-
if: 'ctx.source?.ip != null'
-
- - convert:
- field: destination.address
- target_field: destination.ip
- type: ip
- ignore_missing: true
- ignore_failure: true
-
- - remove:
- field: destination.address
- if: 'ctx.destination?.ip != null'
-
-#
-# Geoip enrichment
-#
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
-
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
-#
-# Convert MAC addresses
-#
- - uppercase:
- field: source.mac
- ignore_missing: true
-
- - gsub:
- field: source.mac
- pattern: ':'
- replacement: '-'
- ignore_missing: true
-
- - uppercase:
- field: destination.mac
- ignore_missing: true
-
- - gsub:
- field: destination.mac
- pattern: ':'
- replacement: '-'
- ignore_missing: true
-
-#
-# Process proto field
-#
- - grok:
- field: network.transport
- description: Extracts transport and protocol information from proto field
- patterns:
- # transport/portnum (discard port)
- - '^%{NOSLASH_WORD:network.transport}/%{NUMBER}$'
- # transport/proto
- - '^%{NOSLASH_WORD:network.transport}/%{NOSLASH_WORD:network.protocol}$'
- # fallback (no pattern match): Keep everything in .transport
- pattern_definitions:
- NOSLASH_WORD: '[^/]*'
- ignore_failure: true
-
-#
-# Extract optional (undocumented) port in nat fields.
-#
- - grok:
- field: _temp_.source_nat_ip
- description: Extracts optional port number from src nat field
- ignore_missing: true
- patterns:
- - '^%{IPV4:source.nat.ip}:%{POSINT:source.nat.port}$'
- - '^\[%{IPV6:source.nat.ip}\]:%{POSINT:source.nat.port}$'
- on_failure:
- - convert:
- field: _temp_.source_nat_ip
- type: ip
-
- - grok:
- field: _temp_.destination_nat_ip
- description: Extracts optional port number from dst nat field
- ignore_missing: true
- patterns:
- - '^%{IPV4:destination.nat.ip}:%{POSINT:destination.nat.port}$'
- - '^\[%{IPV6:destination.nat.ip}\]:%{POSINT:destination.nat.port}$'
- on_failure:
- - convert:
- field: _temp_.destination_nat_ip
- type: ip
-
-#
-# Validate integer fields
-#
- - convert:
- field: source.bytes
- type: long
- ignore_missing: true
- on_failure:
- - remove:
- field: source.bytes
-
- - convert:
- field: source.port
- type: integer
- ignore_missing: true
- on_failure:
- - remove:
- field: source.port
-
- - convert:
- field: source.nat.port
- type: integer
- ignore_missing: true
- on_failure:
- - remove:
- field: source.nat.port
-
- - convert:
- field: source.packets
- type: long
- ignore_missing: true
- on_failure:
- - remove:
- field: source.packets
-
- - convert:
- field: destination.bytes
- type: long
- ignore_missing: true
- on_failure:
- - remove:
- field: destination.bytes
-
- - convert:
- field: destination.port
- type: integer
- ignore_missing: true
- on_failure:
- - remove:
- field: destination.port
-
- - convert:
- field: destination.nat.port
- type: integer
- ignore_missing: true
- on_failure:
- - remove:
- field: destination.nat.port
-
- - convert:
- field: destination.packets
- type: long
- ignore_missing: true
- on_failure:
- - remove:
- field: destination.packets
-
- - convert:
- field: event.duration
- type: long
- ignore_missing: true
- on_failure:
- - remove:
- field: event.duration
-
- - script:
- lang: painless
- description: Aggregates bytes/packets counters
- params:
- keys:
- - bytes
- - packets
-
from:
- - source
- - destination
- to: network
- source: |
- for (def src : params.from) {
- for (def key : params.keys) {
- def v = null;
- if (ctx[src] != null && (v = ctx[src][key]) != null && v instanceof Long) {
- if (ctx[params.to] == null || !(ctx[params.to] instanceof Map)) {
- ctx[params.to] = new HashMap();
- }
- if (ctx[params.to][key] == null || !(ctx[params.to][key] instanceof Long)) {
- ctx[params.to][key] = v;
- } else {
- ctx[params.to][key] += v;
- }
- }
- }
- }
-
-#
-# Extends message field with note
-#
- - set:
- field: message
- description: Extends message field with note
- value: '{{{ message }}} ({{{ sonicwall.firewall.note }}})'
- override: true
- if: 'ctx.message != null && ctx.sonicwall?.firewall?.note != null'
- - set:
- field: message
- value: '{{{ sonicwall.firewall.note }}}'
- ignore_empty_value: true
- override: false
-
-#
-# ECS event categorization by message type
-#
- - script:
- lang: painless
- description: Fills ECS categorization fields depending on message Event ID
- params:
- event_types:
- internal-log-success:
- kind: event
- category:
- - host
- type:
- - info
- outcome: success
- internal-log-failure:
- kind: event
- category:
- - host
- type:
- - info
- outcome: failure
- login-success:
- kind: event
- category:
- - authentication
- type:
- - start
- - info
- outcome: success
- login-failure:
- kind: event
- category:
- - authentication
- type:
- - start
- - info
- outcome: failure
- logout:
- kind: event
- category:
- - authentication
- type:
- - end
- - info
- outcome: success
- user-account-locked:
- kind: event
- category:
- - iam
- type:
- - info
- - user
- outcome: success
- user-account-unlocked:
- kind: event
- category:
- - iam
- type:
- - info
- - user
- outcome: success
- user-account-enabled:
- kind: event
- category:
- - iam
- type:
- - info
- - user
- outcome: success
- user-account-disabled:
- kind: event
- category:
- - iam
- type:
- - info
- - user
- outcome: success
- user-account-created:
- kind: event
- category: - - iam - type: - - info - - user - - deletion - outcome: success - user-account-changed: - kind: event - category: - - iam - type: - - info - - user - - change - outcome: success - user-account-change-failure: - kind: event - category: - - iam - type: - - info - - user - - change - outcome: failure - admin-account-changed: - kind: event - category: - - iam - type: - - info - - user - - change - - admin - outcome: success - user-account-deleted: - kind: event - category: - - iam - type: - - info - - user - - deletion - outcome: success - session-start: - kind: event - category: - - session - type: - - start - outcome: success - session-end: - kind: event - category: - - session - type: - - end - outcome: success - attack-detected: - kind: alert - category: - - intrusion_detection - type: - - info - outcome: success - attack-blocked: - kind: alert - category: - - intrusion_detection - type: - - denied - outcome: success - connection-start: - kind: event - category: [ network ] - type: - - connection - - start - outcome: success - connection-end: - kind: event - category: [ network ] - type: - - connection - - end - outcome: success - connection-denied: - kind: event - category: [ network ] - type: - - connection - - denied - outcome: success - packet-dropped: - kind: event - category: [ network ] - type: - - denied - outcome: success - connection-info: - kind: event - category: [ network ] - type: - - connection - - info - outcome: success - malware-info: - kind: alert - category: - - malware - type: - - info - outcome: success - config-change: - kind: event - category: - - configuration - type: - - change - outcome: success - config-change-failure: - kind: event - category: - - configuration - type: - - change - outcome: failure - config-info: - kind: event - category: - - configuration - type: - - info - outcome: success - config-delete: - kind: event - category: - - configuration - type: - - deletion - outcome: success - config-add: - kind: event - 
category: - - configuration - type: - - creation - outcome: success - - message_codes: - # CSV table of SonicOS messages obtained by scraping the pdf docs - # https://gist.github.com/adriansr/d7ad20e15fca1ef2df6a4cdeb53b2989 - - # Firewall - "646": packet-dropped # 646,Firewall,Access Rules,System Error,WARNING,5238,Source IP Connection Limit,Packet dropped; connection limit for this source IP address has been reached - "647": packet-dropped # 647,Firewall,Access Rules,System Error,WARNING,5239,Destination IP Connection Limit,Packet dropped; connection limit for this destination IP address has been reached - "734": connection-info # 734,Firewall,Access Rules,---,WARNING,---,Source Connection Status,Source IP address connection status: %s - "735": packet-dropped # 735,Firewall,Access Rules,---,WARNING,---,Destination Connection Status,Destination IP address connection status: %s - "45": connection-info # 45,Network,ARP,Debug,DEBUG,7002,ARP Failure,ARP Timeout - "815": connection-info # 815,Network,ARP,---,WARNING,7022,Too Many Gratuitous ARPs Detected,Too many gratuitous ARPs detected - "428": packet-dropped # 428,Firewall Settings,Advanced,Debug,WARNING,6424,Drop Source Route Packet,Source routed IP packet dropped - "1473": packet-dropped # 1473,Firewall Settings,Advanced,Debug,INFO,---,Drop Source IP Subnet Broadcast,Source IP is a subnet broadcast address - "1573": packet-dropped # 1573,Firewall Settings,Advanced,Debug,INFO,---,Drop All IPv6 Traffic,IPv6 packet dropped due to IPv6 traffic processing is disabled on this firewall - "1576": packet-dropped # 1576,Firewall Settings,Advanced,Debug,INFO,---,Drop Record Route Packet,Record routed IP packet dropped - - # Network Access - "41": packet-dropped # 41,Network,Network Access,Debug,NOTICE,7214,Unknown Protocol Dropped,Unknown protocol dropped - "46": packet-dropped # 46,Network,Network Access,Debug,DEBUG,7217,Broadcast Packets Dropped,Broadcast packet dropped - "98": connection-start # 98,Network,Network 
Access,Connection,INFO,7402,Connection Opened,Connection Opened - "347": packet-dropped # 347,Network,Network Access,TCP | UDP | ICMP,WARNING,7225,Drop Clear Packet,Port configured to receive IPsec protocol ONLY; drop packet received in the clear - "537": connection-end # 537,Network,Network Access,Connection Traffic,INFO,7403,Connection Closed,Connection Closed - "590": packet-dropped # 590,Network,Network Access,LAN UDP | LAN TCP,NOTICE,7232,LAN IP Deny,IP type %s packet dropped - "714": packet-dropped # 714,Network,Network Access,Debug,NOTICE,7236,EIGRP Packet Drop,EIGRP packet dropped - "1304": packet-dropped # 1304,Network,Network Access,Debug,ALERT,---,Packet Dropped Due to NDPP Rules,Packet is dropped due to NDPP rules. - - # Checksum Enforcement - "883": packet-dropped # 883,Firewall Settings,Checksum Enforcement,TCP|UDP,NOTICE,7243,IP Checksum Error,IP Header checksum error; packet dropped - "884": packet-dropped # 884,Firewall Settings,Checksum Enforcement,TCP,NOTICE,7244,TCP Checksum Error,TCP checksum error; packet dropped - "885": packet-dropped # 885,Firewall Settings,Checksum Enforcement,UDP,NOTICE,7245,UDP Checksum Error,UDP checksum error; packet dropped - "886": packet-dropped # 886,Firewall Settings,Checksum Enforcement,UDP,NOTICE,7246,ICMP Checksum Error,ICMP checksum error; packet dropped - "1448": packet-dropped # 1448,Firewall Settings,Checksum Enforcement,UDP,NOTICE,---,UDPv6 Checksum Error,UDPv6 checksum error; packet dropped - "1449": packet-dropped # 1449,Firewall Settings,Checksum Enforcement,UDP,NOTICE,---,ICMPv6 Checksum Error,ICMPv6 checksum error; packet dropped - - # Geo-IP Filter - "1198": connection-denied # 1198,Security Services,Geo-IP Filter,---,ALERT,---,Geo IP Initiator Blocked,Initiator from country blocked: %s - "1199": connection-denied # 1199,Security Services,Geo-IP Filter,---,ALERT,---,Geo IP Responder Blocked,Responder from country blocked: %s - "1474": connection-denied # 1474,Security Services,Geo-IP 
Filter,---,ALERT,---,Custom Geo IP Initiator Blocked,"Initiator from country blocked: %s, Source: Custom List" - "1475": connection-denied # 1475,Security Services,Geo-IP Filter,---,ALERT,---,Custom Geo IP Responder Blocked,"Responder from country blocked: %s, Source: Custom List" - - # ICMP - "38": packet-dropped # 38,Network,ICMP,ICMP,NOTICE,7211,ICMP Packets Dropped,ICMP packet dropped due to Policy - "63": packet-dropped # 63,Network,ICMP,Debug,DEBUG,7003,ICMP Too Big,Received fragmented packet or fragmentation needed - "175": packet-dropped # 175,Network,ICMP,LAN ICMP | LAN TCP,NOTICE,7224,LAN ICMP Deny,ICMP packet from LAN dropped - "182": connection-info # 182,Network,ICMP,User Activity,INFO,7006,Path MTU Receive,Received a path MTU ICMP message from router/gateway - "188": connection-info # 188,Network,ICMP,User Activity,INFO,7007,Path MTU ICMP,Received a path MTU ICMP message from router/gateway - "523": packet-dropped # 523,Network,ICMP,ICMP,NOTICE,7227,No Match ICMP Drop,ICMP packet dropped no match - "597": connection-info # 597,Network,ICMP,Debug,INFO,7233,ICMP Allow,ICMP packet allowed - "598": connection-info # 598,Network,ICMP,Debug,INFO,7234,LAN ICMP Allow,ICMP packet from LAN allowed - "1254": packet-dropped # 1254,Network,ICMP,---,INFO,---,LAN ICMPv6 Deny,ICMPv6 packet from LAN dropped - "1255": connection-info # 1255,Network,ICMP,---,INFO,---,LAN ICMPv6 Allow,ICMPv6 packet from LAN allowed - "1256": connection-info # 1256,Network,ICMP,---,INFO,---,ICMPv6 Allow,ICMPv6 packet allowed - "1257": packet-dropped # 1257,Network,ICMP,---,INFO,---,ICMPv6 Packets Dropped,ICMPv6 packet dropped due to policy - "1431": connection-info # 1431,Network,ICMP,---,INFO,---,ICMPv6 Packets Received,ICMPv6 packet received - "1433": packet-dropped # 1433,Network,ICMP,---,NOTICE,---,NDP Packets Dropped,%s - "1458": connection-info # 1458,Network,ICMP,---,NOTICE,---,NDP Packets Received,%s - - # IP - "28": packet-dropped # 28,Network,IP,TCP | UDP | 
ICMP,NOTICE,7001,Fragmented Packet,Fragmented packet dropped - "522": packet-dropped # 522,Network,IP,Debug,INFO,554,Malformed IP Packet,Malformed or unhandled IP packet dropped - "910": packet-dropped # 910,Network,IP,Debug,NOTICE,7037,IP TTL Expire,Packet Dropped - IP TTL expired - "1301": packet-dropped # 1301,Network,IP,Debug,ALERT,---,IPv6 Packet Dropped With Reserved IP,Source or Destination IPv6 address is reserved by RFC 4291. Packet is dropped - "1302": packet-dropped # 1302,Network,IP,Debug,ALERT,---,IPv6 Packet Dropped With Unspecified Destination IP,Destination IPv6 address is unspecified. Packet is dropped - "1303": packet-dropped # 1303,Network,IP,Debug,ALERT,---,IPv6 Packet Dropped With Unspecified Source IP,Source IPv6 address is unspecified but this packet is not Neighbor Solicitation message for DAD. Packet is dropped - "1429": packet-dropped # 1429,Network,IP,Debug,ALERT,---,IPv6 Packet Dropped With Site Local IP,Source or Destination IPv6 address is site-local unicast address. 
Packet is dropped - "1430": packet-dropped # 1430,Network,IP,Debug,INFO,---,IPv6 Packet with Ext Header,IPv6 Packet with extension header received - - # IPcomp - "651": packet-dropped # 651,Network,IPcomp,Debug,DEBUG,12401,IPcomp Interrupt Error,IPcomp connection interrupt - "652": packet-dropped # 652,Network,IPcomp,TCP | UDP | ICMP,NOTICE,12402,IPcomp Packet Drop,IPcomp packet dropped - "653": packet-dropped # 653,Network,IPcomp,Debug,DEBUG,12403,"IPcomp Packet Drop, Waiting",IPcomp packet dropped; waiting for pending IPcomp connection - - # IPv6 Tunneling - "1253": packet-dropped # 1253,Network,IPv6 Tunneling,---,NOTICE,---,IPv6 Tunnel Dropped,IPv6 Tunnel packet dropped - - # Multicast - "683": packet-dropped # 683,Firewall Settings,Multicast,---,NOTICE,10608,Wrong IGMP Checksum,"IGMP packet dropped, wrong checksum received on interface %s" - "690": packet-dropped # 690,Firewall Settings,Multicast,---,NOTICE,10615,UDP Packet Drop,"Multicast UDP packet dropped, no state entry" - "694": packet-dropped # 694,Firewall Settings,Multicast,---,WARNING,10619,RTP Stateful Failed,"Multicast UDP packet dropped, RTP stateful failed" - "1233": packet-dropped # 1233,Firewall Settings,Multicast,Debug,NOTICE,---,Link-Local/Mult icast IPv6 Packet,Unhandled link-local or multicast IPv6 packet dropped - - # NAT - "339": packet-dropped # 339,Network,NAT,Debug,DEBUG,7008,NAT Overwrite,"NAT translated packet exceeds size limit, packet dropped" - "1197": connection-info # 1197,Network,NAT,---,NOTICE,---,Connection NAT Mapping,NAT Mapping - "1436": packet-dropped # 1436,Network,NAT,Debug,DEBUG,---,NAT Policy Dropped Packets,"Packet dropped by NAT Policy, reason: %s" - - # NAT Policy - "1313": config-add # 1313,Network,NAT Policy,---,INFO,---,NAT Policy Add,NAT policy added - "1314": config-change # 1314,Network,NAT Policy,---,INFO,---,NAT Policy Modify,NAT policy modified - "1315": config-delete # 1315,Network,NAT Policy,---,INFO,---,NAT Policy Delete,NAT policy deleted - - # TCP - 
"36": connection-end # 36,Network,TCP,TCP,NOTICE,7209,TCP Packets Dropped,TCP connection dropped - "48": packet-dropped # 48,Network,TCP,Debug,DEBUG,7218,Out of Order Packets Dropped,Out-of-order command packet dropped - "173": connection-denied # 173,Network,TCP,LAN TCP,NOTICE,7222,LAN TCP Deny,TCP connection from LAN denied - "181": packet-dropped # 181,Network,TCP,Debug,DEBUG,7005,TCP FIN Drop,TCP FIN packet dropped - "524": connection-denied # 524,Network,Network Access,TCP,NOTICE,7228,Web Request Drop,Web access Request dropped - "580": packet-dropped # 580,Network,TCP,Attack,ALERT,558,TCP SYN/FIN Packet Drop,TCP SYN/FIN packet dropped - "708": packet-dropped # 708,Network,TCP,Debug,DEBUG,7010,TCP Invalid SEQ Number,TCP packet received with invalid SEQ number; TCP packet dropped - "709": packet-dropped # 709,Network,TCP,Debug,DEBUG,7011,TCP Invalid ACK Number,TCP packet received with invalid ACK number; TCP packet dropped - "712": connection-denied # 712,Network,TCP,Debug,DEBUG,7014,TCP Connection Reject,TCP connection reject received; TCP connection dropped - "713": connection-denied # 713,Network,TCP,Debug,DEBUG,7015,TCP Connection Abort,TCP connection abort received; TCP connection dropped - "760": connection-denied # 760,Network,TCP,---,NOTICE,7240,TCP Handshake Violation Detected,TCP handshake violation detected; TCP connection dropped - "887": packet-dropped # 887,Network,TCP,Debug,DEBUG,7026,Invalid TCP Header Length,TCP packet received with invalid header length; TCP packet dropped - "888": packet-dropped # 888,Network,TCP,Debug,DEBUG,7027,TCP Connection Does Not Exist,TCP packet received on non-existent/closed connection; TCP packet dropped - "889": packet-dropped # 889,Network,TCP,Debug,DEBUG,7028,TCP Without Mandatory SYN Flag,TCP packet received without mandatory SYN flag; TCP packet dropped - "890": packet-dropped # 890,Network,TCP,Debug,DEBUG,7029,TCP Without Mandatory ACK Flag,TCP packet received without mandatory ACK flag; TCP packet dropped - 
"891": packet-dropped # 891,Network,TCP,Debug,DEBUG,7030,TCP Packet on Closing Connection,TCP packet received on a closing connection; TCP packet dropped - "892": packet-dropped # 892,Network,TCP,Debug,INFO,7031,SYN Flag on Existing Connection,TCP packet received with SYN flag on an existing connection; TCP packet dropped - "893": packet-dropped # 893,Network,TCP,Debug,DEBUG,7032,Invalid TCP SACK Option Length,TCP packet received with invalid SACK option length; TCP packet dropped - "894": packet-dropped # 894,Network,TCP,Debug,DEBUG,7033,Invalid TCP MSS Option Length,TCP packet received with invalid MSS option length; TCP packet dropped - "895": packet-dropped # 895,Network,TCP,Debug,DEBUG,7034,Invalid TCP Option Length,TCP packet received with invalid option length; TCP packet dropped - "896": packet-dropped # 896,Network,TCP,Debug,DEBUG,7035,Invalid TCP Source Port,TCP packet received with invalid source port; TCP packet dropped - "1029": packet-dropped # 1029,Network,TCP,Debug,DEBUG,7038,Non-Permitted Option TCP Packet,TCP packet received with non-permitted option; TCP packet dropped - "1030": packet-dropped # 1030,Network,TCP,Debug,DEBUG,7039,Invalid TCP Window Scale Option Length,TCP packet received with invalid Window Scale option length; TCP packet dropped - "1031": packet-dropped # 1031,Network,TCP,Debug,DEBUG,7040,Invalid TCP Window Scale Option Value,TCP packet received with invalid Window Scale option value; TCP packet dropped - "1384": packet-dropped # 1384,Network,TCP,Debug,DEBUG,---,Invalid TCP Timestamps Option Length,TCP packet received with invalid Timestamps option length; TCP packet dropped - "1385": packet-dropped # 1385,Network,TCP,Debug,DEBUG,---,TCP Sequence Number Wrapped,TCP packet received with wrapped sequence number; TCP packet dropped - "1628": packet-dropped # 1628,Network,TCP,Debug,DEBUG,---,TCP SYN Packet With Data,TCP SYN packet received with data; TCP packet dropped - "1629": packet-dropped # 1629,Network,TCP,Debug,DEBUG,---,TCP 
Urgent Flag or Pointer,TCP packet received with Urgent flag or pointer; TCP packet dropped - - # Content Filter - "14": connection-denied # 14,Security Services,Content Filter,Blocked Sites,ERROR,701,Website Blocked,Web site access denied - "16": connection-info # 16,Security Services,Content Filter,Blocked Sites,NOTICE,703,Website Accessed,Web site access allowed - "1599": config-add # 1599,Security Services,Content Filter,User Activity,INFO,---,CFS Policy Added,CFS policy added - "1600": config-change # 1600,Security Services,Content Filter,User Activity,INFO,---,CFS Policy Modified,CFS policy modified - "1601": config-change # 1601,Security Services,Content Filter,User Activity,INFO,---,CFS Policy Deleted,CFS policy deleted - - # RBL Filter - "797": connection-denied # 797,Security Services,RBL Filter,---,NOTICE,12001,Outbound Connection Drop,Outbound connection to RBL-listed SMTP server dropped - "798": connection-denied # 798,Security Services,RBL Filter,---,NOTICE,12002,Inbound Connection Drop,Inbound connection from RBL-listed SMTP server dropped - - # Attacks - "22": attack-blocked # 22,Security Services,Attacks,Attack,ALERT,501,Ping of Death Blocked,Ping of death dropped - "23": attack-blocked # 23,Security Services,Attacks,Attack,ALERT,502,IP Spoof Detected,IP spoof dropped - "27": attack-blocked # 27,Security Services,Attacks,Attack,ALERT,505,Land Attack,Land attack dropped - "81": attack-blocked # 81,Security Services,Attacks,Attack,ALERT,520,Smurf Attack,Smurf Amplification attack dropped - "82": attack-detected # 82,Security Services,Attacks,Attack,ALERT,521,Port Scan Possible,Possible port scan detected - "83": attack-detected # 83,Security Services,Attacks,Attack,ALERT,522,Port Scan Probable,Probable port scan detected - "177": attack-detected # 177,Security Services,Attacks,Attack,ALERT,528,TCP FIN Scan,Probable TCP FIN scan detected - "178": attack-detected # 178,Security Services,Attacks,Attack,ALERT,529,TCP Xmas Scan,Probable TCP XMAS scan 
detected - "179": attack-detected # 179,Security Services,Attacks,Attack,ALERT,530,TCP Null Scan,Probable TCP NULL scan detected - "267": attack-blocked # 267,Security Services,Attacks,Attack,ALERT,547,TCP Xmas Tree Attack,TCP Xmas Tree dropped - "606": attack-blocked # 606,Security Services,Attacks,Attack,ALERT,568,Spank Attack,Spank attack multicast packet dropped - "1316": attack-detected # 1316,Network,ARP,---,ALERT,---,ARP Attack Detected,Possible ARP attack from MAC address %s - "1373": attack-detected # 1373,Security Services,Attacks,Attack,ALERT,---,IPv6 fragment size is less than minimum (<1280),"IPv6 fragment dropped, invalid length (<1280 Bytes)" - "1374": attack-detected # 1374,Security Services,Attacks,Attack,ALERT,---,IP Reassembly : Incomplete IGMP fragment,"IGMP packet dropped, incomplete fragments" - "1375": attack-detected # 1375,Security Services,Attacks,Attack,ALERT,---,UDP fragmented datagram is too big (>65535),"UDP fragment dropped, exceeds maximum IP datagram size (>65535)" - "1376": attack-blocked # 1376,Security Services,Attacks,Attack,ALERT,---,Nestea/Teardro p Attack,Nestea/Teardrop attack dropped - "1387": attack-blocked # 1387,Security Services,Attacks,Attack,ALERT,---,TCP Null Flag Attack,TCP Null Flag dropped - "1471": attack-detected # 1471,Security Services,Attacks,Attack,ALERT,---,External IDS,External IDS: %s - "229": attack-blocked # 229,VPN,DHCP Relay,Attack,WARNING,533,DHCPR IP Spoof,"IP spoof detected on packet to Central Gateway, packet dropped" - "1098": attack-detected # 1098,Network,DNS,---,ALERT,6465,DNS Rebind Attack Detected,Possible DNS rebind attack detected - "1099": attack-blocked # 1099,Network,DNS,---,ALERT,6466,DNS Rebind Attack Blocked,DNS rebind attack blocked - "1593": attack-detected # 1593,Network,DNS Security,Maintenance,NOTICE,---,DNS Tunnel Attack,Find DNS tunnel attack - %s - "446": attack-blocked # 446,Firewall Settings,FTP,Attack,ERROR,551,FTP Passive Attack,FTP: PASV response spoof attack dropped - 
"527": attack-blocked # 527,Firewall Settings,FTP,Attack,ALERT,555,FTP Port Bounce Attack,FTP: PORT bounce attack dropped. - "528": attack-blocked # 528,Firewall Settings,FTP,Attack,ALERT,556,FTP Passive Bounce Attack,FTP: PASV response bounce attack dropped. - "538": attack-blocked # 538,Firewall Settings,FTP,Attack,ALERT,557,FTP Data Port,FTP: Data connection from non default port dropped - - # IDP - "789": attack-detected # 789,Security Services,IDP,Attack,ALERT,6435,IDP Detection Alert,IDP Detection Alert: %s - "790": attack-blocked # 790,Security Services,IDP,Attack,ALERT,6436,IDP Prevention Alert,IDP Prevention Alert: %s - - # IPS - "608": attack-detected # 608,Security Services,IPS,Attack,ALERT,569,IPS Detection Alert,IPS Detection Alert: %s - "609": attack-blocked # 609,Security Services,IPS,Attack,ALERT,570,IPS Prevention Alert,IPS Prevention Alert: %s - - - # Flood Protection - "25": attack-detected # 25,Firewall Settings,Flood Protection,Attack,WARNING,503,Possible SYN Flood,Possible SYN flood attack detected - "856": config-change # 856,Firewall Settings,Flood Protection,Attack,WARNING,6439,SYN Flood Watch Mode,SYN Flood Mode changed by user to: Watch and report possible SYN floods - "857": config-change # 857,Firewall Settings,Flood Protection,Attack,WARNING,6440,SYN Flood Trigger Mode,SYN Flood Mode changed by user to: Watch and proxy WAN connections when under attack - "858": config-change # 858,Firewall Settings,Flood Protection,Attack,WARNING,6441,SYN Flood Proxy Mode,SYN Flood Mode changed by user to: Always proxy WAN connections - "859": attack-detected # 859,Firewall Settings,Flood Protection,Attack,ALERT,6442,SYN Flood Proxy Trigger Mode,Possible SYN flood detected on WAN IF %s - switching to connection-proxy mode - "860": attack-detected # 860,Firewall Settings,Flood Protection,Attack,ALERT,6443,SYN Flood Detected,Possible SYN Flood on IF %s - "862": config-change # 862,Firewall Settings,Flood Protection,Attack,WARNING,6445,SYN Flood Blacklist 
On,SYN Flood blacklisting enabled by user - "863": config-change # 863,Firewall Settings,Flood Protection,Attack,WARNING,6446,SYN Flood Blacklist Off,SYN Flood blacklisting disabled by user - "864": attack-blocked # 864,Firewall Settings,Flood Protection,Attack,ALERT,6447,SYN-Flooding Machine Blacklisted,SYN-Flooding machine %s blacklisted - "897": attack-detected # 897,Firewall Settings,Flood Protection,Attack,INFO,7036,Invalid TCP SYN Flood Cookie,TCP packet received with invalid SYN Flood cookie; TCP packet dropped - "898": attack-blocked # 898,Firewall Settings,Flood Protection,Attack,ALERT,6453,RST-Flooding Machine Blacklisted,RST-Flooding machine %s blacklisted - "901": attack-blocked # 901,Firewall Settings,Flood Protection,Attack,ALERT,6456,FIN-Flooding Machine Blacklisted,FIN-Flooding machine %s blacklisted - "904": attack-detected # 904,Firewall Settings,Flood Protection,Attack,ALERT,6459,Possible RST Flood,Possible RST Flood on IF %s - "905": attack-detected # 905,Firewall Settings,Flood Protection,Attack,ALERT,6460,Possible FIN Flood,Possible FIN Flood on IF %s - "1180": attack-blocked # 1180,Firewall Settings,Flood Protection,---,ALERT,---,DOS Protection on WAN Begin,DOS protection on WAN begins %s - "1213": attack-detected # 1213,Firewall Settings,Flood Protection,Attack,ALERT,---,UDP Flood Detected,Possible UDP flood attack detected - "1214": attack-detected # 1214,Firewall Settings,Flood Protection,Attack,ALERT,---,ICMP Flood Detected,Possible ICMP flood attack detected - "1366": attack-blocked # 1366,Firewall Settings,Flood Protection,Attack,ALERT,---,TCP-Flooding Machine Blacklisted,TCP-Flooding machine %s blacklisted - "1369": attack-detected # 1369,Firewall Settings,Flood Protection,Attack,ALERT,---,Possible TCP Flood,Possible TCP Flood on IF %s - "1450": attack-detected # 1450,Firewall Settings,Flood Protection,Attack,ALERT,---,UDPv6 Flood Detected,Possible UDPv6 flood attack detected - "1451": attack-detected # 1451,Firewall Settings,Flood 
Protection,Attack,ALERT,---,ICMPv6 Flood Detected,Possible ICMPv6 flood attack detected - "1452": attack-detected # 1452,Firewall Settings,Flood Protection,Attack,ALERT,---,Half Open TCP Connection Threshold Exceeded,Too many half-open TCP connections - - # RF Monitoring - "879": attack-detected # 879,Wireless,RF Monitoring,---,WARNING,---,WLAN Radio Frequency Threat Detected,WLAN radio frequency threat detected - - # WLAN - "1363": attack-detected # 1363,Wireless,WLAN,802.11b Management,ALERT,---,WLAN 802.11 Flood,Wireless Flood Attack - - # WLAN IDS - "546": attack-detected # 546,Wireless,WLAN IDS,WLAN IDS,ALERT,901,Rogue AP or MitM AP Found,Found Rogue or MitM Access Point - "548": attack-detected # 548,Wireless,WLAN IDS,WLAN IDS,ALERT,903,WLAN Association Flood,Association Flood from WLAN station - - # Authentication Access - "24": logout # 24,Users,Authentication Access,User Activity,INFO,4201,User Disconnect Detected,User logged out - user disconnect detected - "29": login-success # 29,Users,Authentication Access,User Activity,INFO,4202,Successful Admin Login,Administrator login allowed - "30": login-failure # 30,Users,Authentication Access,Attack,ALERT,560,Wrong Admin Password,Administrator login denied due to bad credentials - "31": login-success # 31,Users,Authentication Access,User Activity,INFO,4204,Successful User Login,User login from an internal zone allowed - "32": login-failure # 32,Users,Authentication Access,User Activity,INFO,4205,Wrong User Password,User login denied due to bad credentials - "33": login-failure # 33,Users,Authentication Access,User Activity,INFO,4206,Unknown User Login Attempt,User login denied due to bad credentials - "34": login-failure # 34,Users,Authentication Access,User Activity,INFO,4207,Login Timeout,Pending login timed out - "35": login-failure # 35,Users,Authentication Access,Attack,ALERT,506,Admin Login Disabled,Administrator login denied from %s; logins disabled from this interface - "199": login-success # 
199,Users,Authentication Access,User Activity,INFO,4209,Admin Login From CLI,CLI administrator login allowed - "200": login-failure # 200,Users,Authentication Access,User Activity,WARNING,4210,Admin Password Error From CLI,CLI administrator login denied due to bad credentials - "235": login-success # 235,Users,Authentication Access,User Activity,INFO,4211,Admin VPN Login,VPN zone administrator login allowed - "236": login-success # 236,Users,Authentication Access,User Activity,INFO,4212,Admin WAN Login,WAN zone administrator login allowed - "237": login-success # 237,Users,Authentication Access,User Activity,INFO,4213,User VPN Login,VPN zone remote user login allowed - "238": login-success # 238,Users,Authentication Access,User Activity,INFO,4214,User WAN Login,WAN zone remote user login allowed - "246": login-failure # 246,Users,Authentication Access,User Activity,INFO,8204,User Login From Wrong Location,User login denied - User has no privileges for login from that location - "261": logout # 261,Users,Authentication Access,User Activity,INFO,4215,Admin Logout,Administrator logged out - "262": logout # 262,Users,Authentication Access,User Activity,INFO,4216,Admin Logout - Timer Expire,Administrator logged out - inactivity timer expired - "263": logout # 263,Users,Authentication Access,User Activity,INFO,4217,User Logout,User logged out - %s - "264": logout # 264,Users,Authentication Access,User Activity,INFO,4218,User Logout - Max Session,User logged out - max session time exceeded - "265": logout # 265,Users,Authentication Access,User Activity,INFO,4219,User Logout - Timer Expire,User logged out - inactivity timer expired - "328": admin-account-changed # 328,Users,Authentication Access,Maintenance,INFO,4220,Admin Name Change,Administrator name changed - "329": login-failure # 329,Users,Authentication Access,Attack,ERROR,561,User Login Lockout,User login failure rate exceeded - logins from user IP address denied - "438": user-account-unlocked # 
438,Users,Authentication Access,User Activity,INFO,4222,User Login Lockout Expired,Locked-out user logins allowed - lockout period expired - "439": user-account-unlocked # 439,Users,Authentication Access,User Activity,INFO,4223,User Login Lockout Clear,Locked-out user logins allowed by %s - "486": login-failure # 486,Users,Authentication Access,User Activity,INFO,4224,WLAN User Login Deny,User login denied - User has no privileges for guest service - "506": config-change # 506,Users,Authentication Access,Maintenance,INFO,4225,VPN Disabled,VPN disabled by administrator - "507": config-change # 507,Users,Authentication Access,Maintenance,INFO,4226,VPN Enabled,VPN enabled by administrator - "508": config-change # 508,Users,Authentication Access,Maintenance,INFO,4227,WLAN Disabled,WLAN disabled by administrator - "509": config-change # 509,Users,Authentication Access,Maintenance,INFO,4228,WLAN Enabled,WLAN enabled by administrator - "520": logout # 520,Users,Authentication Access,User Activity,INFO,4235,Admin Logout From CLI,CLI administrator logged out - "549": login-failure # 549,Users,Authentication Access,User Activity,WARNING,4236,WLAN Guest Limit,User login failed - Guest service limit reached - "550": session-end # 550,Users,Authentication Access,User Activity,INFO,4237,WLAN Session Timeout,User Session Quota Expired - "551": session-end # 551,Users,Authentication Access,User Activity,INFO,4238,WLAN Account Timeout,Guest Account Timeout - "557": login-failure # 557,Users,Authentication Access,User Activity,INFO,4239,WLAN Guest Already Login,Guest login denied. Guest '%s' is already logged in. Please try again later. 
- "558": user-account-created # 558,Users,Authentication Access,User Activity,INFO,4240,WLAN Guest Create,Guest account '%s' created - "559": user-account-deleted # 559,Users,Authentication Access,User Activity,INFO,4241,WLAN Guest Delete,Guest account '%s' deleted - "560": user-account-disabled # 560,Users,Authentication Access,User Activity,INFO,4242,WLAN Guest Disable,Guest account '%s' disabled - "561": user-account-enabled # 561,Users,Authentication Access,User Activity,INFO,4243,WLAN Guest Re-enable,Guest account '%s' re-enabled - "562": user-account-deleted # 562,Users,Authentication Access,User Activity,INFO,4244,WLAN Guest Prune,Guest account '%s' pruned - "564": session-end # 564,Users,Authentication Access,User Activity,INFO,4246,WLAN Idle Timeout,Guest Idle Timeout - "583": login-failure # 583,Users,Authentication Access,Attack,ERROR,559,User Login Disable,User login disabled from %s - "728": config-change # 728,Users,Authentication Access,Maintenance,INFO,4248,WLAN Disable By Schedule,WLAN disabled by schedule - "729": config-change # 729,Users,Authentication Access,Maintenance,INFO,4249,WLAN Enabled By Schedule,WLAN enabled by schedule - "759": login-failure # 759,Users,Authentication Access,User Activity,INFO,---,User Already Logged-In,User login denied - user already logged in - "986": login-failure # 986,Users,Authentication Access,User Activity,INFO,4256,Not Allowed by Policy Rule,User login denied - not allowed by Policy rule - "987": login-failure # 987,Users,Authentication Access,User Activity,INFO,4257,Not Found Locally,User login denied - not found locally - "994": session-start # 994,Users,Authentication Access,User Activity,INFO,4258,Configuration Mode Administration Session Started,Configuration mode administration session started - "995": session-end # 995,Users,Authentication Access,User Activity,INFO,4259,Configuration Mode Administration Session Ended,Configuration mode administration session ended - "996": session-start # 
996,Users,Authentication Access,User Activity,INFO,4260,Read-only Mode GUI Administration Session Started,Read-only mode GUI administration session started - "997": session-start # 997,Users,Authentication Access,User Activity,INFO,4261,Non-Config Mode GUI Administration Session Started,Non-config mode GUI administration session started - "998": session-end # 998,Users,Authentication Access,User Activity,INFO,4262,GUI Administration Session End,GUI administration session ended - "1008": logout # 1008,Users,Authentication Access,User Activity,INFO,---,Logout Detected by SSO,User logged out - logout detected by SSO - "1035": login-failure # 1035,Users,Authentication Access,User Activity,INFO,---,Password Expire,User login denied - password expired - "1048": login-failure # 1048,Users,Authentication Access,---,INFO,---,Password doesn't meet constraints,User login denied - password doesn't meet constraints - "1080": login-success # 1080,Users,Authentication Access,---,INFO,---,Successful SSL VPN User Login,SSL VPN zone remote user login allowed - "1117": login-failure # 1117,Users,Authentication Access,User Activity,WARNING,---,SSO Probe Failed,User login denied - SSO probe failed - "1118": login-failure # 1118,Users,Authentication Access,User Activity,INFO,---,SMTP Server Not Configured,User login denied - Mail Address(From/to) or SMTP Server is not configured - "1119": login-failure # 1119,Users,Authentication Access,User Activity,INFO,---,RADIUS User Cannot Use One Time Password,RADIUS user cannot use One Time Password - no mail address set for equivalent local user - "1120": login-failure # 1120,Users,Authentication Access,User Activity,WARNING,---,TSA Timeout,User login denied - Terminal Services agent Timeout - "1121": login-failure # 1121,Users,Authentication Access,User Activity,WARNING,---,TSA Name Resolution Failed,User login denied - Terminal Services agent name resolution failed - "1122": login-failure # 1122,Users,Authentication Access,User 
Activity,WARNING,---,No Name Received from TSA,User login denied - No name received from Terminal Services agent - "1123": login-failure # 1123,Users,Authentication Access,User Activity,WARNING,---,TSA Communicatio n Problem,User login denied - Terminal Services agent communication problem - "1124": logout # 1124,Users,Authentication Access,User Activity,INFO,---,TSA User logout,User logged out - logout reported by Terminal Services agent - "1157": user-account-disabled # 1157,Users,Authentication Access,User Activity,INFO,---,User Account Expired,User account '%s' expired and disabled - "1158": user-account-deleted # 1158,Users,Authentication Access,User Activity,INFO,---,User Account Pruned,User account '%s' expired and pruned - "1243": login-failure # 1243,Users,Authentication Access,User Activity,INFO,---,Sending OTP Failed,User login Failed - An error has occurred while sending your one-time password - "1333": user-account-created # 1333,Users,Authentication Access,User Activity,INFO,---,Create a User,%s - "1334": user-account-changed # 1334,Users,Authentication Access,User Activity,INFO,---,Edit a User,%s - "1335": user-account-deleted # 1335,Users,Authentication Access,User Activity,INFO,---,Delete a User,%s - "1341": user-account-changed # 1341,Users,Authentication Access,User Activity,INFO,---,Edit Customize Login Pages,%s - "1342": user-account-changed # 1342,Users,Authentication Access,User Activity,INFO,---,Edit user lockout params,Update administrator/user lockout params - %s - "1517": login-failure # 1517,Users,Authentication Access,User Activity,INFO,---,User Name Invalid Symbol,User name invalid symbol: %s - "1570": user-account-locked # 1570,Users,Authentication Access,Attack,ERROR,---,User Account Lockout,%s. - "1571": user-account-unlocked # 1571,Users,Authentication Access,Attack,ERROR,---,User Account Unlocked,User %s account is unlocked. 
- "1572": login-failure # 1572,Users,Authentication Access,Attack,ERROR,---,User is currently locked out,User login failed because the user is currently locked out. - "1585": login-failure # 1585,Users,Authentication Access,User Activity,INFO,---,User Login Denied,User login denied -%s - "1627": user-account-disabled # 1627,Users,Authentication Access,User Activity,INFO,---,User Account Expired due to inactivity,User account '%s' expired and disabled due to inactivity - "1655": login-failure # 1655,Users,Authentication Access,Attack,ERROR,---,User is now locked out,"User login failed, user is now locked out." - "1672": login-failure # 1672,Users,Authentication Access,User Activity,WARNING,---,CLI Limit Admin Denied From WAN,CLI limit administrator login denied from WAN - - # Radius Authentication - "243": login-failure # 243,Users,Radius Authentication,User Activity,INFO,8201,User Login Failed,User login denied - RADIUS authentication failure - "244": login-failure # 244,Users,Radius Authentication,User Activity,WARNING,8202,User Login Timeout,User login denied - RADIUS server Timeout - "245": login-failure # 245,Users,Radius Authentication,User Activity,WARNING,8203,User Login Error,User login denied - RADIUS configuration error - "744": login-failure # 744,Users,Radius Authentication,User Activity,WARNING,8205,RADIUS Communicatio n Problem,User login denied - RADIUS communication problem - "745": login-failure # 745,Users,Radius Authentication,User Activity,INFO,8206,LDAP Authentication Failure,User login denied - LDAP authentication failure - "746": login-failure # 746,Users,Radius Authentication,User Activity,WARNING,8207,LDAP Server Timeout,User login denied - LDAP server Timeout - "747": login-failure # 747,Users,Radius Authentication,User Activity,WARNING,8208,LDAP Server Error,User login denied - LDAP server down or misconfigured - "748": login-failure # 748,Users,Radius Authentication,User Activity,WARNING,8209,LDAP Communicatio n Problem,User login denied 
- LDAP communication problem - "749": login-failure # 749,Users,Radius Authentication,User Activity,WARNING,8210,LDAP Server Invalid Credential,User login denied - invalid credentials on LDAP server - "750": login-failure # 750,Users,Radius Authentication,User Activity,WARNING,8211,LDAP Server Insufficient Access,User login denied - insufficient access on LDAP server - "751": login-failure # 751,Users,Radius Authentication,User Activity,WARNING,8212,LDAP Schema Mismatch,User login denied - LDAP schema mismatch - "753": login-failure # 753,Users,Radius Authentication,User Activity,WARNING,8214,LDAP Server Name Resolution Failed,User login denied - LDAP server name resolution failed - "754": login-failure # 754,Users,Radius Authentication,User Activity,WARNING,8215,RADIUS Server Name Resolution Failed,User login denied - RADIUS server name resolution failed - "755": login-failure # 755,Users,Radius Authentication,User Activity,WARNING,8216,LDAP Server Certificate Invalid,User login denied - LDAP server certificate not valid - "756": login-failure # 756,Users,Radius Authentication,User Activity,WARNING,8217,LDAP TLS or Local Error,User login denied - TLS or local certificate problem - "757": login-failure # 757,Users,Radius Authentication,User Activity,WARNING,8218,LDAP Directory Mismatch,User login denied - LDAP directory mismatch - "1011": user-account-change-failure # 1011,Users,Radius Authentication,System Error,WARNING,4265,Non-Administr ative Attempt to Change Password,LDAP using non-administrative account - VPN client user will not be able to change passwords - - # SSO Agent Authentication - "988": login-failure # 988,Users,SSO Agent Authentication,User Activity,WARNING,12601,Timeout,User login denied - SSO agent Timeout - "989": login-failure # 989,Users,SSO Agent Authentication,User Activity,WARNING,12602,Configuration Error,User login denied - SSO agent configuration error - "990": login-failure # 990,Users,SSO Agent Authentication,User 
Activity,WARNING,12603,Communicatio n Problem,User login denied - SSO agent communication problem - "991": login-failure # 991,Users,SSO Agent Authentication,User Activity,WARNING,12604,Name Resolution Failed,User login denied - SSO agent name resolution failed - - # Anti-Spyware - "794": malware-info # 794,Security Services,Anti-Spyware,Attack,ALERT,6437,Anti-Spyware Prevention Alert,Anti-Spyware Prevention Alert: %s - "795": malware-info # 795,Security Services,Anti-Spyware,Attack,ALERT,6438,Anti-Spyware Detection Alert,Anti-Spyware Detection Alert: %s - "796": malware-info # 796,Security Services,Anti-Spyware,Maintenance,WARNING,8631,Anti-Spyware Service Expired,Anti-Spyware Service Expired - - # Anti-Virus - "123": malware-info # 123,Security Services,Anti-Virus,Maintenance,INFO,8605,AV Access Without Agent,Access attempt from host without Anti-Virus agent installed - "124": malware-info # 124,Security Services,Anti-Virus,Maintenance,INFO,8606,AV Agent Out of Date,Anti-Virus agent out-of-date on host - "125": malware-info # 125,Security Services,Anti-Virus,Maintenance,WARNING,524,AV Alert Receive,Received AV Alert: %s - "159": malware-info # 159,Security Services,Anti-Virus,Maintenance,WARNING,526,AV Expire message,Received AV Alert: Your Network Anti-Virus subscription has expired. %s - "408": malware-info # 408,Security Services,Anti-Virus,Maintenance,INFO,8617,AV License Exceeded,Anti-Virus Licenses Exceeded - "482": malware-info # 482,Security Services,Anti-Virus,Maintenance,WARNING,552,AV Expiration Warning,Received AV Alert: Your Network Anti-Virus subscription will expire in 7 days. 
%s - - # Next-Gen Anti-Virus - "1559": malware-info # 1559,Security Services,Next-Gen Anti-Virus,Maintenance,INFO,---,Next-Gen AV Access Without Agent,Access attempt from host without Next-Gen Anti-Virus agent installed - "1560": malware-info # 1560,Security Services,Next-Gen Anti-Virus,Maintenance,INFO,---,Next-Gen AV Agent Out of Date,Next-Gen Anti-Virus agent out-of-date on host - "1561": malware-info # 1561,Security Services,Next-Gen Anti-Virus,Maintenance,WARNING,---,Next-Gen AV Expire message,Received Next-Gen AV Alert: Your Network Next-Gen Anti-Virus subscription has expired. %s - "1562": malware-info # 1562,Security Services,Next-Gen Anti-Virus,Maintenance,WARNING,---,Next-Gen AV Expiration Warning,Received Next-Gen AV Alert: Your Network Next-Gen Anti-Virus subscription will expire in 7 days. %s - - # Application Control - "1154": malware-info # 1154,Security Services,Application Control,---,ALERT,15001,Application Control Detection Alert,Application Control Detection Alert: %s - "1155": malware-info # 1155,Security Services,Application Control,---,ALERT,15002,Application Control Prevention Alert,Application Control Prevention Alert: %s - - # Application Firewall - "793": malware-info # 793,Firewall,Application Firewall,User Activity,ALERT,13201,Application Firewall Alert,Application Firewall Alert: %s - "1654": malware-info # 1654,Firewall,Application Firewall,User Activity,DEBUG,---,Custom Match Applied,Custom Match applied %s - - # Access Rules - "440": config-add # 440,Firewall,Access Rules,User Activity,INFO,5801,Rule Added,Access rule added - "441": config-change # 441,Firewall,Access Rules,User Activity,INFO,5802,Rule Modified,Access rule viewed or modified - "442": config-delete # 442,Firewall,Access Rules,User Activity,INFO,5803,Rule Deleted,Access rule deleted - - # Administration - "340": config-change # 340,System,Administration,Maintenance,INFO,5212,HTTP Port Change,HTTP management port has changed - "341": config-change # 
341,System,Administration,Maintenance,INFO,5213,HTTPS Port Change,HTTPS management port has changed - - # Advanced - "1590": config-info # 1590,Firewall Settings,Advanced,Debug,INFO,---,Internal VLAN Configuration,%s - - # Botnet Filter - "1195": attack-detected # 1195,Security Services,Botnet Filter,---,WARNING,---,Botnet Filter Subscription Expired,Received Alert: Your Firewall Botnet Filter subscription has expired. - "1200": attack-blocked # 1200,Security Services,Botnet Filter,---,ALERT,---,Botnet Initiator Blocked,Suspected Botnet initiator blocked: %s - "1201": attack-blocked # 1201,Security Services,Botnet Filter,---,ALERT,---,Botnet Responder Blocked,Suspected Botnet responder blocked: %s - "1476": attack-blocked # 1476,Security Services,Botnet Filter,---,ALERT,---,Custom Botnet Initiator Blocked,"Suspected Botnet initiator blocked: %s, Source: Custom List" - "1477": attack-blocked # 1477,Security Services,Botnet Filter,---,ALERT,---,Custom Botnet Responder Blocked,"Suspected Botnet responder blocked: %s, Source: Custom List" - "1518": attack-blocked # 1518,Security Services,Botnet Filter,---,ALERT,---,Botnet Initiator Blocked By Dynamic List,"Suspected Botnet initiator blocked: %s, Source: Dynamic List" - "1519": attack-blocked # 1519,Security Services,Botnet Filter,---,ALERT,---,Botnet Responder Blocked By Dynamic List,"Suspected Botnet responder blocked: %s, Source: Dynamic List" - - # Cloud Backup - "1511": internal-log-success # 1511,System,Cloud Backup,---,INFO,---,Automatic Cloud Backup Successful,%s - "1512": internal-log-failure # 1512,System,Cloud Backup,---,INFO,---,Automatic Cloud Backup Failed,%s - "1513": internal-log-success # 1513,System,Cloud Backup,---,INFO,---,Manual Cloud Backup Successful,%s - "1514": internal-log-failure # 1514,System,Cloud Backup,---,INFO,---,Manual Cloud Backup Failed,%s - "1515": internal-log-success # 1515,System,Cloud Backup,---,INFO,---,Delete Cloud Backup Successful,%s - "1516": internal-log-failure # 
1516,System,Cloud Backup,---,INFO,---,Delete Cloud Backup Failed,%s - - # Restart - "93": internal-log-failure # 93,System,Restart,System Error,ERROR,611,Suspend Reboot,Diagnostic Code A - "94": internal-log-failure # 94,System,Restart,System Error,ERROR,612,Deadlock Reboot,Diagnostic Code B - "95": internal-log-failure # 95,System,Restart,System Error,ERROR,613,Low Memory Reboot,Diagnostic Code C - "164": internal-log-failure # 164,System,Restart,System Error,ERROR,621,HTTP Server Reboot,Diagnostic Code F - "599": internal-log-failure # 599,System,Restart,System Error,ERROR,655,Stack Margin Reboot,Diagnostic Code G - "600": internal-log-failure # 600,System,Restart,System Error,ERROR,656,Delete Reboot,Diagnostic Code H - "601": internal-log-failure # 601,System,Restart,System Error,ERROR,657,Delete Stack Reboot,Diagnostic Code I - "1046": internal-log-success # 1046,System,Restart,---,INFO,---,Diagnostic Auto-Restart Canceled,Diagnostic Auto-restart canceled - "1047": internal-log-success # 1047,System,Restart,---,INFO,---,Diagnostic Auto-Restart,"As per Diagnostic Auto-restart configuration Request, restarting system" - "1392": internal-log-success # 1392,System,Restart,Maintenance,ALERT,5243,SonicOS up,SonicOS up:%s - "1393": internal-log-success # 1393,System,Restart,Maintenance,ALERT,5244,SonicOS down,SonicOS down:%s - - # Settings - "573": internal-log-failure # 573,System,Settings,System Error,WARNING,649,Preferences Too Big,The preferences file is too large to be saved in available flash memory - "574": internal-log-failure # 574,System,Settings,System Error,WARNING,650,Preferences Defaulted,All preference values have been set to factory default values - "1049": internal-log-success # 1049,System,Settings,---,INFO,---,System Setting Imported,System Setting Imported - "1065": internal-log-success # 1065,System,Settings,Maintenance,INFO,---,Remote Backup Succeeded,Successfully sent %s file to remote backup server - "1066": internal-log-failure # 
1066,System,Settings,Maintenance,ALERT,---,Remote Backup Failed,"Failed to send file to remote backup server, Error: %s" - "1160": internal-log-failure # 1160,System,Settings,Maintenance,DEBUG,---,Failed to Ping Remote Backup Server,Attempt to contact Remote backup server for upload approval failed - "1161": internal-log-failure # 1161,System,Settings,Maintenance,DEBUG,---,Failed to Upload Remote Backup Server,Backup remote server did not approve upload Request - "1268": internal-log-failure # 1268,System,Settings,---,NOTICE,---,Firmware Update Failed,Firmware Update Failed - "1269": config-change # 1269,System,Settings,---,NOTICE,---,Firmware Update Succeeded,Firmware Update Succeeded %s - "1336": config-change # 1336,System,Settings,---,INFO,---,Change Certification,Certification %s - "1337": user-account-changed # 1337,System,Settings,---,INFO,---,User Password Changed by Administrators,%s - "1338": user-account-changed # 1338,System,Settings,---,INFO,---,User Change Password,User %s password is changed - "1339": config-change # 1339,System,Settings,---,INFO,---,Change Password Rule,Password rule %s is changed - "1340": config-change # 1340,System,Settings,---,INFO,---,Change User Inactive time out,User Inactive timeout is changed to %s - "1432": config-change # 1432,System,Settings,---,INFO,---,Configuration Change,Configuration changed: %s - "1494": internal-log-success # 1494,System,Settings,---,INFO,---,System Setting Exported,System Setting Exported - "1520": internal-log-success # 1520,System,Settings,Maintenance,INFO,---,E-mail SFR Success,Successfully sent SFR file by E-mail - "1521": internal-log-failure # 1521,System,Settings,Maintenance,INFO,---,E-mail SFR Failed,"Failed to send SFR file by E-mail, %s" - "1565": internal-log-success # 1565,System,Settings,Maintenance,INFO,---,FTP Transfer Success,Successfully sent Flow Report file by FTP - "1566": internal-log-failure # 1566,System,Settings,Maintenance,INFO,---,FTP Transfer Failed,"Failed to send Flow 
Report file by FTP, %s" - "1567": internal-log-success # 1567,System,Settings,Maintenance,INFO,---,E-mail Transfer Success,Successfully sent Flow Report file by E-mail - "1568": internal-log-failure # 1568,System,Settings,Maintenance,INFO,---,E-mail Transfer Failed,"Failed to send Flow Report file by E-mail, %s" - "1636": internal-log-failure # 1636,System,Settings,---,INFO,---,Port Unreachable Received,Port Unreachable received from remote sender - "1637": internal-log-failure # 1637,System,Settings,---,INFO,---,Port Unreachable Ignored,Port Unreachable from remote sender ignored - - # Cluster - "1149": internal-log-failure # 1149,High Availability,Cluster,---,WARNING,---,VRRP Expiration Message,Your Active/Active Clustering subscription has expired. - "1152": internal-log-failure # 1152,High Availability,Cluster,---,ERROR,---,VRRP Cluster No license,Active/Active Clustering license is not activated on the following cluster units: %s - - # Status - "4": internal-log-success # 4,System,Status,Maintenance,ALERT,5201,Activate Firewall,Network Security Appliance activated - "53": internal-log-failure # 53,System,Status,System Error,ERROR,607,Connection Cache Full,The cache is full; %s open connections; some will be dropped - "521": internal-log-success # 521,System,Status,Maintenance,INFO,5218,Initializing,Network Security Appliance initializing - "1107": internal-log-failure # 1107,System,Status,System Error,ALERT,---,System Alert,%s - "1196": internal-log-failure # 1196,System,Status,Maintenance,ALERT,---,Firewall Limit Reached,Product maximum entries reached - %s - "1332": config-change # 1332,System,Status,Maintenance,ALERT,---,NDPP Mode Change,NDPP mode is changed to %s - "1495": internal-log-success # 1495,System,Status,Maintenance,INFO,---,Firewall was Rebooted by Setting Import,Firewall was rebooted by setting import at %s - "1496": internal-log-success # 1496,System,Status,Maintenance,INFO,---,Firewall was Rebooted by Firmware,Firewall was rebooted by %s - - 
# Configuration Auditing - "1382": config-change # 1382,Log,Configuration Auditing,User Activity,INFO,5609,Configuration Change Succeeded,Configuration succeeded: %s - "1383": config-change-failure # 1383,Log,Configuration Auditing,User Activity,INFO,5610,Configuration Change Failed,Configuration failed: %s - "1674": config-change # 1674,Log,Configuration Auditing,User Activity,INFO,---,Chassis settings change,Chassis: %s - - # Interfaces - "58": connection-denied # 58,Network,Interfaces,System Error,ERROR,608,Too Many IP on LAN,License exceeded: Connection dropped because too many IP addresses are in use on your LAN - - # SSL Control - "999": connection-info # 999,Firewall Settings,SSL Control,Blocked Sites,INFO,7247,Website Found in Blacklist,SSL Control: Website found in blacklist - "1001": connection-info # 1001,Firewall Settings,SSL Control,Blocked Sites,INFO,---,Weak SSL Version,SSL Control: Weak SSL Version being used - "1002": connection-info # 1002,Firewall Settings,SSL Control,Blocked Sites,INFO,7250,Certificate With Invalid Date,SSL Control: Certificate with invalid date - "1003": connection-info # 1003,Firewall Settings,SSL Control,Blocked Sites,INFO,7251,Self-Signed Certificate,SSL Control: Self-signed certificate - "1004": connection-info # 1004,Firewall Settings,SSL Control,Blocked Sites,INFO,7252,Weak Cipher Being Used,SSL Control: Weak cipher being used - "1005": connection-info # 1005,Firewall Settings,SSL Control,Blocked Sites,INFO,7253,Untrusted CA,SSL Control: Untrusted CA - "1006": connection-info # 1006,Firewall Settings,SSL Control,Blocked Sites,INFO,7254,Certificate Chain Incomplete,SSL Control: Certificate chain not complete - "1081": connection-info # 1081,Firewall Settings,SSL Control,Blocked Sites,INFO,---,Certificate Blocked Weak Digest,SSL Control: Certificate with Weak Digest Signature Algorithm - - on_failure: - - append: - field: error.message - value: 'internal ECS categorization error: {{{ _ingest.on_failure_message }}}' - 
source: |
- def clone(def val) {
- return val instanceof List? new ArrayList(val) : val;
- }
- def evtype = params.message_codes[ctx.event?.code];
- if (evtype == null) return;
- def actions = params.event_types[evtype];
- if (actions == null) {
- throw new Exception("message code " + ctx.event.code + " references missing event type " + evtype);
- }
- def event = ctx.computeIfAbsent('event', k -> new HashMap());
- for (def entry : actions.entrySet()) {
- event[entry.getKey()] = clone(entry.getValue());
- }
- event["action"] = evtype;
-
-#
-# Builds url fields
-# url = proto + :// + dstname + arg
-#
-# This requires `arg` field being present (url.path)
-# as dstname can have a different meaning (email attachments)
-# but arg is always used in the context of an HTTP transaction
-#
- - set:
- field: url.scheme
- value: '{{{ network.protocol }}}'
- ignore_empty_value: true
- if: 'ctx.url?.path != null'
-
- - rename:
- field: url.domain
- target_field: sonicwall.firewall.dstname
- ignore_missing: true
- if: 'ctx.url?.path == null'
-
- - set:
- field: url.full
- value: '{{{ url.scheme }}}://{{{ url.domain }}}{{{ url.path }}}'
- if: 'ctx.url?.scheme != null && ctx.url?.domain != null'
-
- - set:
- field: url.full
- value: '//{{{ url.domain }}}{{{ url.path }}}'
- if: 'ctx.url?.scheme == null && ctx.url?.domain != null'
-
-#
-# Related fields
-#
- - append:
- field: related.ip
- value: "{{{ source.ip }}}"
- allow_duplicates: false
- if: 'ctx.source?.ip != null'
- - append:
- field: related.ip
- value: "{{{ source.nat.ip }}}"
- allow_duplicates: false
- if: 'ctx.source?.nat?.ip != null'
- - append:
- field: related.ip
- value: "{{{ destination.ip }}}"
- allow_duplicates: false
- if: 'ctx.destination?.ip != null'
- - append:
- field: related.ip
- value: "{{{ destination.nat.ip }}}"
- allow_duplicates: false
- if: 'ctx.destination?.nat?.ip != null'
- - append:
- field: related.ip
- value: "{{{ observer.ip }}}"
- allow_duplicates: false
- if: 'ctx.observer?.ip != null'
- - append:
- field: related.user
- value: "{{{ user.name }}}"
- allow_duplicates: false
- if: 'ctx.user?.name != null'
-#
-# Cleanup
-#
- - remove:
- field:
- - _conf
- - _temp_
- - sonicwall.firewall.srcV6
- - sonicwall.firewall.dstV6
- - sonicwall.firewall.note
- - sonicwall.firewall.c
- ignore_failure: true
- ignore_missing: true
-
- - remove:
- field: sonicwall
- if: 'ctx.sonicwall?.firewall?.size() == 0'
-
- - remove:
- field: event.original
- if: "ctx?.tags == null || !ctx.tags.contains('preserve_original_event')"
- ignore_failure: true
- ignore_missing: true
-
-on_failure:
- - set:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
diff --git a/packages/sonicwall_firewall/0.1.0/data_stream/log/fields/base-fields.yml b/packages/sonicwall_firewall/0.1.0/data_stream/log/fields/base-fields.yml
deleted file mode 100755
index 016fb3dd86..0000000000
--- a/packages/sonicwall_firewall/0.1.0/data_stream/log/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: sonicwall_firewall
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: sonicwall_firewall.log
diff --git a/packages/sonicwall_firewall/0.1.0/data_stream/log/fields/beats.yml b/packages/sonicwall_firewall/0.1.0/data_stream/log/fields/beats.yml
deleted file mode 100755
index 9275638f93..0000000000
--- a/packages/sonicwall_firewall/0.1.0/data_stream/log/fields/beats.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/sonicwall_firewall/0.1.0/data_stream/log/fields/ecs.yml b/packages/sonicwall_firewall/0.1.0/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 7a9acc7d07..0000000000
--- a/packages/sonicwall_firewall/0.1.0/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,246 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: |- - The domain name of the destination system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: |- - Translated ip of destination based NAT sessions (e.g. internet to private DMZ) - Typically used with load balancers, firewalls, or routers. 
- name: destination.nat.ip - type: ip -- description: |- - Port the source session is translated to by NAT Device. - Typically used with load balancers, firewalls, or routers. - name: destination.nat.port - type: long -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: |- - Total bytes transferred in both directions. - If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - name: network.bytes - type: long -- description: |- - Total packets transferred in both directions. 
- If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - name: network.packets - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - name: observer.egress.zone - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - name: observer.ingress.zone - type: keyword -- description: Hostname of the observer. - name: observer.hostname - type: keyword -- description: IP addresses of the observer. - name: observer.ip - type: ip -- description: |- - Custom name of the observer. - This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. - If no custom name is needed, the field can be left empty. - name: observer.name - type: keyword -- description: The product name of the observer. - name: observer.product - type: keyword -- description: Observer serial number. - name: observer.serial_number - type: keyword -- description: |- - The type of the observer the data is coming from. 
- There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Vendor name of the observer. - name: observer.vendor - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: |- - The domain name of the source system. - This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. 
- name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: |- - Translated port of source based NAT sessions. (e.g. internal client to internet) - Typically used with load balancers, firewalls, or routers. - name: source.nat.port - type: long -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: url.full - type: wildcard -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. 
- This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/sonicwall_firewall/0.1.0/data_stream/log/fields/package-fields.yml b/packages/sonicwall_firewall/0.1.0/data_stream/log/fields/package-fields.yml deleted file mode 100755 index 9bf93ea54c..0000000000 --- a/packages/sonicwall_firewall/0.1.0/data_stream/log/fields/package-fields.yml +++ /dev/null 
@@ -1,66 +0,0 @@ -- name: sonicwall.firewall - type: group - description: Vendor fields from SonicWall firewall logs - fields: - - name: Category - type: keyword - description: Category of CFS blocked content. - - name: af_polid - type: keyword - description: Displays the Application Filter Policy ID. - - name: app - type: keyword - description: Numeric application ID. - - name: appName - type: keyword - description: Non-Signature Application Name. - - name: appcat - type: keyword - description: Application control category. - - name: appid - type: keyword - description: Application ID. - - name: auditId - type: keyword - - name: code - type: keyword - description: CFS blocking code. - - name: dpi - type: boolean - description: Indicates wether a flow underwent Deep Packet Inspection. - - name: event_group_category - type: keyword - description: Event group category. - - name: gcat - type: keyword - description: Event group category (numeric identifier). - - name: ipscat - type: keyword - description: IPS category. - - name: ipspri - type: keyword - description: IPS priority. - - name: oldValue - type: keyword - - name: sess - type: keyword - description: User session type. - - name: sid - type: keyword - description: IPS or Anti-Spyware signature ID. - - name: tranxId - type: keyword - - name: type - type: keyword - description: ICMP type. - - name: userMode - type: keyword - - name: uuid - type: keyword - description: Object UUID. - - name: vpnpolicy - type: keyword - description: source VPN policy name. - - name: vpnpolicyDst - type: keyword - description: destination VPN policy name. diff --git a/packages/sonicwall_firewall/0.1.0/data_stream/log/manifest.yml b/packages/sonicwall_firewall/0.1.0/data_stream/log/manifest.yml deleted file mode 100755 index dc29748332..0000000000 --- a/packages/sonicwall_firewall/0.1.0/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -title: "SonicWall Firewall logs" -type: logs -streams: - - input: udp - template_path: udp.yml.hbs - title: Syslog logs - description: Collect logs via syslog - vars: - - name: syslog_host - type: text - title: Listen address - description: | - Address where the agent will accept syslog messages. - Use 0.0.0.0 to receive syslog on all interfaces. - multi: false - required: true - show_user: true - default: 0.0.0.0 - - name: syslog_port - type: integer - title: Listen Port - description: UDP Port where the Agent will receive syslog messages. - multi: false - required: true - show_user: true - default: 9514 - - input: logfile - enabled: false - template_path: logfile.yml.hbs - title: Log files - description: Collect logs from file - vars: - - name: paths - type: text - title: Paths - multi: true - required: true - show_user: true - default: - - /var/log/sonicwall-firewall.log diff --git a/packages/sonicwall_firewall/0.1.0/data_stream/log/sample_event.json b/packages/sonicwall_firewall/0.1.0/data_stream/log/sample_event.json deleted file mode 100755 index eba948c3f4..0000000000 --- a/packages/sonicwall_firewall/0.1.0/data_stream/log/sample_event.json +++ /dev/null 
@@ -1,127 +0,0 @@ -{ - "@timestamp": "2022-05-16T08:18:39.000+02:00", - "agent": { - "ephemeral_id": "6cc3228b-d89c-4104-b750-d9cb44ed5513", - "id": "08a5caf6-a717-4f5f-90e2-0f4eb7c59b00", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "data_stream": { - "dataset": "sonicwall_firewall.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.193", - "mac": "00-17-C5-30-F9-D9", - "port": 64889 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "08a5caf6-a717-4f5f-90e2-0f4eb7c59b00", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "connection-denied", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "713", - "dataset": "sonicwall_firewall.log", - "ingested": "2022-05-23T13:47:58Z", - "kind": "event", - "outcome": "success", - "sequence": "692", - "severity": "7", - "timezone": "+02:00", - "type": [ - "connection", - "denied" - ] - }, - "input": { - "type": "udp" - }, - "log": { - "level": "debug", - "source": { - "address": "172.24.0.4:47831" - } - }, - "message": "� (TCP Flag(s): RST)", - "network": { - "bytes": 46, - "protocol": "https", - "transport": "tcp" - }, - "observer": { - "egress": { - "interface": { - "name": "X1" - }, - "zone": "Untrusted" - }, - "ingress": { - "interface": { - "name": "X1" - }, - "zone": "Untrusted" - }, - "ip": "10.0.0.96", - "name": "firewall", - "product": "SonicOS", - "serial_number": "0040103CE114", - "type": "firewall", - "vendor": "SonicWall" - }, - "related": { - "ip": [ - "10.0.0.96", - "81.2.69.193" - ], - "user": [ - "admin" - ] - }, - "rule": { - "id": "15 (WAN-\u003eWAN)" - }, - "sonicwall": { - "firewall": { - "app": "12", - "event_group_category": 
"Firewall Settings", - "gcat": "6", - "sess": "Web" - } - }, - "source": { - "bytes": 46, - "ip": "10.0.0.96", - "mac": "00-06-B1-DD-4F-D4", - "port": 443 - }, - "tags": [ - "sonicwall-firewall", - "forwarded" - ], - "user": { - "name": "admin" - } -} \ No newline at end of file diff --git a/packages/sonicwall_firewall/0.1.0/docs/README.md b/packages/sonicwall_firewall/0.1.0/docs/README.md deleted file mode 100755 index 9d152b95bb..0000000000 --- a/packages/sonicwall_firewall/0.1.0/docs/README.md +++ /dev/null 
@@ -1,311 +0,0 @@ -# SonicWall Firewall Integration - -This integration collects syslog messages from SonicWall firewalls. It has been tested with Enhanced -Syslog logs from SonicOS 6.5 and 7.0 as described in the [Log Events reference guide.](https://www.sonicwall.com/techdocs/pdf/sonicos-6-5-4-log-events-reference-guide.pdf) - -## Configuration - -Configure a Syslog Server in your firewall using the following options: - - **Name or IP Address:** The address where your Elastic Agent running this integration is reachable. - - **Port:** The Syslog port (UDP) configured in this integration. - - **Server Type:** Syslog Server. - - **Syslog Format:** Enhanced Syslog. - - **Syslog ID:** Change this default (`firewall`) if you need to differentiate between multiple firewalls. - This value will be stored in the `observer.name` field. - -It's recommended to enable the **Display UTC in logs (instead of local time)** setting under the -_Device > Settings > Time_ configuration menu. Otherwise you'll have to configure the **Timezone Offset** -setting of this integration to match the timezone configured in your firewall. - -Ensure proper connectivity between your firewall and Elastic Agent. 
- -## Supported messages - -This integration features generic support for enhanced syslog messages produced by SonicOS and features -more detailed ECS enrichment for the following messages: - -| Category | Subcategory | Message IDs | -|----------|-------------|-------------| -| Firewall | Access Rules | 440-442, 646, 647, 734, 735 | -| Firewall | Application Firewall | 793, 1654 | -| Firewall Settings | Advanced | 428, 1473, 1573, 1576, 1590 | -| Firewall Settings | Checksum Enforcement | 883-886, 1448, 1449 | -| Firewall Settings | FTP | 446, 527, 528, 538 | -| Firewall Settings | Flood Protection | 25, 856-860, 862-864, 897, 898, 901, 904, 905, 1180, 1213, 1214, 1366, 1369, 1450-1452 | -| Firewall Settings | Multicast | 683, 690, 694, 1233 | -| Firewall Settings | SSL Control | 999, 1001-1006, 1081 | -| High Availability | Cluster | 1149, 1152 | -| Log | Configuration Auditing | 1382, 1383, 1674 | -| Network | ARP | 45, 815, 1316 | -| Network | DNS | 1098, 1099 | -| Network | DNS Security | 1593 | -| Network | ICMP | 38, 63, 175, 182, 188, 523, 597, 598, 1254-1257, 1431, 1433, 1458 | -| Network | IP | 28, 522, 910, 1301-1303, 1429, 1430 | -| Network | IPcomp | 651-653 | -| Network | IPv6 Tunneling | 1253 | -| Network | Interfaces | 58 | -| Network | NAT | 339, 1197, 1436 | -| Network | NAT Policy | 1313-1315 | -| Network | Network Access | 41, 46, 98, 347, 524, 537, 590, 714, 1304 | -| Network | TCP | 36, 48, 173, 181, 580, 708, 709, 712, 713, 760, 887-896, 1029-1031, 1384, 1385, 1628, 1629 | -| Security Services | Anti-Spyware | 794-796 | -| Security Services | Anti-Virus | 123-125, 159, 408, 482 | -| Security Services | Application Control | 1154, 1155 | -| Security Services | Attacks | 22, 23, 27, 81-83, 177-179, 267, 606, 1373-1376, 1387, 1471 | -| Security Services | Botnet Filter | 1195, 1200, 1201, 1476, 1477, 1518, 1519 | -| Security Services | Content Filter | 14, 16, 1599-1601 | -| Security Services | Geo-IP Filter | 1198, 1199, 1474, 1475 | -| Security 
Services | IDP | 789, 790 | -| Security Services | IPS | 608, 609 | -| Security Services | Next-Gen Anti-Virus | 1559-1562 | -| Security Services | RBL Filter | 797, 798 | -| System | Administration | 340, 341 | -| System | Cloud Backup | 1511-1516 | -| System | Restart | 93-95, 164, 599-601, 1046, 1047, 1392, 1393 | -| System | Settings | 573, 574, 1049, 1065, 1066, 1160, 1161, 1268, 1269, 1336-1340, 1432, 1494, 1520, 1521, 1565-1568, 1636, 1637 | -| System | Status | 4, 53, 521, 1107, 1196, 1332, 1495, 1496 | -| Users | Authentication Access | 24, 29-35, 199, 200, 235-238, 246, 261-265, 328, 329, 438, 439, 486, 506-509, 520, 549-551, 557-562, 564, 583, 728, 729, 759, 986, 987, 994-998, 1008, 1035, 1048, 1080, 1117-1124, 1157, 1158, 1243, 1333-1335, 1341, 1342, 1517, 1570-1572, 1585, 1627, 1655, 1672 | -| Users | Radius Authentication | 243-245, 744-751, 753-757, 1011 | -| Users | SSO Agent Authentication | 988-991 | -| VPN | DHCP Relay | 229 | -| Wireless | RF Monitoring | 879 | -| Wireless | WLAN | 1363 | -| Wireless | WLAN IDS | 546, 548 | - -## Logs - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2022-05-16T08:18:39.000+02:00", - "agent": { - "ephemeral_id": "6cc3228b-d89c-4104-b750-d9cb44ed5513", - "id": "08a5caf6-a717-4f5f-90e2-0f4eb7c59b00", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "data_stream": { - "dataset": "sonicwall_firewall.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.193", - "mac": "00-17-C5-30-F9-D9", - "port": 64889 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "08a5caf6-a717-4f5f-90e2-0f4eb7c59b00", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - 
"action": "connection-denied", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "713", - "dataset": "sonicwall_firewall.log", - "ingested": "2022-05-23T13:47:58Z", - "kind": "event", - "outcome": "success", - "sequence": "692", - "severity": "7", - "timezone": "+02:00", - "type": [ - "connection", - "denied" - ] - }, - "input": { - "type": "udp" - }, - "log": { - "level": "debug", - "source": { - "address": "172.24.0.4:47831" - } - }, - "message": "� (TCP Flag(s): RST)", - "network": { - "bytes": 46, - "protocol": "https", - "transport": "tcp" - }, - "observer": { - "egress": { - "interface": { - "name": "X1" - }, - "zone": "Untrusted" - }, - "ingress": { - "interface": { - "name": "X1" - }, - "zone": "Untrusted" - }, - "ip": "10.0.0.96", - "name": "firewall", - "product": "SonicOS", - "serial_number": "0040103CE114", - "type": "firewall", - "vendor": "SonicWall" - }, - "related": { - "ip": [ - "10.0.0.96", - "81.2.69.193" - ], - "user": [ - "admin" - ] - }, - "rule": { - "id": "15 (WAN-\u003eWAN)" - }, - "sonicwall": { - "firewall": { - "app": "12", - "event_group_category": "Firewall Settings", - "gcat": "6", - "sess": "Web" - } - }, - "source": { - "bytes": 46, - "ip": "10.0.0.96", - "mac": "00-06-B1-DD-4F-D4", - "port": 443 - }, - "tags": [ - "sonicwall-firewall", - "forwarded" - ], - "user": { - "name": "admin" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| sonicwall.firewall.Category | Category of CFS blocked content. | keyword | -| sonicwall.firewall.af_polid | Displays the Application Filter Policy ID. 
| keyword | -| sonicwall.firewall.app | Numeric application ID. | keyword | -| sonicwall.firewall.appName | Non-Signature Application Name. | keyword | -| sonicwall.firewall.appcat | Application control category. | keyword | -| sonicwall.firewall.appid | Application ID. | keyword | -| sonicwall.firewall.auditId | | keyword | -| sonicwall.firewall.code | CFS blocking code. | keyword | -| sonicwall.firewall.dpi | Indicates wether a flow underwent Deep Packet Inspection. | boolean | -| sonicwall.firewall.event_group_category | Event group category. | keyword | -| sonicwall.firewall.gcat | Event group category (numeric identifier). | keyword | -| sonicwall.firewall.ipscat | IPS category. | keyword | -| sonicwall.firewall.ipspri | IPS priority. | keyword | -| sonicwall.firewall.oldValue | | keyword | -| sonicwall.firewall.sess | User session type. | keyword | -| sonicwall.firewall.sid | IPS or Anti-Spyware signature ID. | keyword | -| sonicwall.firewall.tranxId | | keyword | -| sonicwall.firewall.type | ICMP type. | keyword | -| sonicwall.firewall.userMode | | keyword | -| sonicwall.firewall.uuid | Object UUID. | keyword | -| sonicwall.firewall.vpnpolicy | source VPN policy name. | keyword | -| sonicwall.firewall.vpnpolicyDst | destination VPN policy name. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. 
| keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. 
Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | - diff --git a/packages/sonicwall_firewall/0.1.0/img/dashboard.png b/packages/sonicwall_firewall/0.1.0/img/dashboard.png deleted file mode 100755 index 7c03fed3ad..0000000000 Binary files a/packages/sonicwall_firewall/0.1.0/img/dashboard.png and /dev/null differ diff --git a/packages/sonicwall_firewall/0.1.0/img/logo.svg b/packages/sonicwall_firewall/0.1.0/img/logo.svg deleted file mode 100755 index fb1aded68a..0000000000 --- a/packages/sonicwall_firewall/0.1.0/img/logo.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/sonicwall_firewall/0.1.0/kibana/dashboard/sonicwall_firewall-782e2cf0-d78f-11ec-bc4f-47419689dcde.json b/packages/sonicwall_firewall/0.1.0/kibana/dashboard/sonicwall_firewall-782e2cf0-d78f-11ec-bc4f-47419689dcde.json deleted file mode 100755 index 0591f6b1d5..0000000000 --- a/packages/sonicwall_firewall/0.1.0/kibana/dashboard/sonicwall_firewall-782e2cf0-d78f-11ec-bc4f-47419689dcde.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Dashboard for SonicWall Firewall events", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"sonicwall_firewall.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"sonicwall_firewall.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"observer.name\",\"id\":\"1652981377419\",\"indexPatternRefName\":\"control_13a27ebe-963e-4539-9013-186e247e0b32_0_index_pattern\",\"label\":\"Firewall ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":true},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":4,\"i\":\"13a27ebe-963e-4539-9013-186e247e0b32\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"13a27ebe-963e-4539-9013-186e247e0b32\",\"title\":\"Filter by Firewall (Syslog 
ID)\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d6a337e6-588b-47b6-9414-c621dcf265c9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d6a337e6-588b-47b6-9414-c621dcf265c9\":{\"columnOrder\":[\"412981b2-ba5e-4e78-a96b-c51be9ae8870\",\"4e72963e-8fc8-475c-88ad-bafcc38a726b\",\"abcd61b9-9bfc-45e6-8c71-3167174a8bcd\"],\"columns\":{\"412981b2-ba5e-4e78-a96b-c51be9ae8870\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of event.code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"abcd61b9-9bfc-45e6-8c71-3167174a8bcd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.code\"},\"4e72963e-8fc8-475c-88ad-bafcc38a726b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"abcd61b9-9bfc-45e6-8c71-3167174a8bcd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"abcd61b9-9bfc-45e6-8c71-3167174a8bcd\"],\"layerId\":\"d6a337e6-588b-47b6-9414-c621dcf265c9\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"412981b2-ba5e-4e78-a96b-c51be9ae8870\",\"xAccessor\":\"4e72963e-8fc8-475c-88ad-bafcc38a726b\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"b0ebfbc0-3fbd-4b2e-a6f8-7aee80e043b5\",\"w\":35,\"x\":13,\"y\":0},\"panelIndex\":\"b0ebfbc0-3fbd-4b2e-a6f8-7aee80e043b5\",\"title\":\"Event code 
histogram\",\"type\":\"lens\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2c3a0f47-236c-41cb-86e8-e8a27033d165\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"2ab93ebb-d843-4bdb-99a2-c55dd1b5c096\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2c3a0f47-236c-41cb-86e8-e8a27033d165\":{\"columnOrder\":[\"ac755b72-5005-416d-8da8-7001a2ba5366\",\"b988645c-c513-4755-b369-3f3787e6045d\"],\"columns\":{\"ac755b72-5005-416d-8da8-7001a2ba5366\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of observer.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b988645c-c513-4755-b369-3f3787e6045d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"observer.name\"},\"b988645c-c513-4755-b369-3f3787e6045d\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"2ab93ebb-d843-4bdb-99a2-c55dd1b5c096\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"sonicwall_firewall.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"sonicwall_firewall.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"ac755b72-5005-416d-8da8-7001a2ba5366\"},{\"columnId\":\"b988645c-c513-4755-b369-3f3787e6045d\"}],\"layerId\":\"2c3a0f47-236c-41cb-86e8-e8a27033d165\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"17735289-cfc4-429a-a5c5-f3d19df013dc\",\"w\":13,\"x\":0,\"y\":4},\"panelIndex\":\"17735289-cfc4-429a-a5c5-f3d19df013dc\",\"title\":\"Event count by 
firewall\",\"type\":\"lens\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"93ebdd92-cae8-455c-affe-191e18edcb95\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"geoField\\\":\\\"source.geo.location\\\",\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"SUPER_FINE\\\",\\\"id\\\":\\\"7dc5cffe-5449-4411-8838-f1a1076f3592\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"id\\\":\\\"d4d78e49-4c8e-4980-9cb9-581d6dc6b826\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"HEATMAP\\\",\\\"colorRampName\\\":\\\"theclassic\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"HEATMAP\\\"}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.88,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15y\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"data_stream.dataset :\\\\\\\"sonicwall_firewall.log\\\\\\\" 
\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"customIcons\\\":[],\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":45,\"minLat\":0,\"minLon\":-90},\"mapCenter\":{\"lat\":46.36347,\"lon\":-7.06802,\"zoom\":2.88},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"a7718a64-7550-405a-8a75-4687c00dadde\",\"w\":24,\"x\":0,\"y\":14},\"panelIndex\":\"a7718a64-7550-405a-8a75-4687c00dadde\",\"title\":\"Network sources heat 
map\",\"type\":\"map\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"6e0adcd6-6a1b-4fdf-9e81-66ea18ac7577\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"SUPER_FINE\\\",\\\"id\\\":\\\"bdae40c0-6caf-4ba2-b179-7202f1e2be60\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"id\\\":\\\"75e1e0df-43ff-4e14-9df2-4962c751d3bf\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"HEATMAP\\\",\\\"colorRampName\\\":\\\"theclassic\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"HEATMAP\\\"}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.39,\\\"center\\\":{\\\"lon\\\":-32.42476,\\\"lat\\\":25.69542},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15y\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"data_stream.dataset :\\\\\\\"sonicwall_firewall.log\\\\\\\" 
\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"customIcons\\\":[],\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":40.9799,\"maxLon\":135,\"minLat\":0,\"minLon\":45},\"mapCenter\":{\"lat\":23.23703,\"lon\":86.01728,\"zoom\":3.15},\"openTOCDetails\":[\"75e1e0df-43ff-4e14-9df2-4962c751d3bf\"]},\"gridData\":{\"h\":15,\"i\":\"8e619b8c-80b2-46a8-8c9b-4581d3d14da5\",\"w\":24,\"x\":24,\"y\":14},\"panelIndex\":\"8e619b8c-80b2-46a8-8c9b-4581d3d14da5\",\"title\":\"Network destinations heat 
map\",\"type\":\"map\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-80a65bd8-af97-4b14-87dc-c8b2f7e847a8\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"3717b68f-f5ab-4598-9f39-4a723d91165c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"80a65bd8-af97-4b14-87dc-c8b2f7e847a8\":{\"columnOrder\":[\"4aff95fe-c475-4dbc-a230-22c2005daead\",\"a04c7483-85de-470a-a875-3b6336f57228\",\"ba0383c2-1472-45fb-a465-9125f7120a32\",\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\"],\"columns\":{\"4aff95fe-c475-4dbc-a230-22c2005daead\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 3 values of network.transport\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"network.transport\"},\"a04c7483-85de-470a-a875-3b6336f57228\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of network.protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.protocol\"},\"ba0383c2-1472-45fb-a465-9125f7120a32\":{\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Top 3 values of 
destination.port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"3717b68f-f5ab-4598-9f39-4a723d91165c\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"connection-start\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"connection-start\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"sonicwall_firewall.log\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ba0383c2-1472-45fb-a465-9125f7120a32\",\"4aff95fe-c475-4dbc-a230-22c2005daead\",\"a04c7483-85de-470a-a875-3b6336f57228\"],\"layerId\":\"80a65bd8-af97-4b14-87dc-c8b2f7e847a8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"palette\":{\"name\":\"positive\",\"type\":\"palette\"},\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"db14ebf1-c490-427c-bdde-d48da4496d45\",\"w\":19,\"x\":0,\"y\":29},\"panelIndex\":\"db14ebf1-c490-427c-bdde-d48da4496d45\",\"title\":\"Allowed connections by 
transport/protocol/destination.port\",\"type\":\"lens\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-951e4235-9dec-43ae-b400-bfe367e43e0b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"951e4235-9dec-43ae-b400-bfe367e43e0b\":{\"columnOrder\":[\"7200128d-9260-4e3f-a280-5cf5f9c84d33\",\"155e5ba9-caa5-4b01-a9c4-e53ac5ec7ce4\"],\"columns\":{\"155e5ba9-caa5-4b01-a9c4-e53ac5ec7ce4\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"7200128d-9260-4e3f-a280-5cf5f9c84d33\":{\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Top 5 values of source.ip\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"155e5ba9-caa5-4b01-a9c4-e53ac5ec7ce4\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7200128d-9260-4e3f-a280-5cf5f9c84d33\"},{\"columnId\":\"155e5ba9-caa5-4b01-a9c4-e53ac5ec7ce4\"}],\"layerId\":\"951e4235-9dec-43ae-b400-bfe367e43e0b\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":true},\"gridData\":{\"h\":15,\"i\":\"06b11f86-c986-4a30-b1da-1724529bf864\",\"w\":15,\"x\":19,\"y\":29},\"panelIndex\":\"06b11f86-c986-4a30-b1da-1724529bf864\",\"type\":\"lens\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpa
ttern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-287c2e25-3cb0-41d5-8bf8-ae1fb696173c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"287c2e25-3cb0-41d5-8bf8-ae1fb696173c\":{\"columnOrder\":[\"ae8e1a22-3aff-4ca8-9fcc-566bb87aa283\",\"2c8c78cf-034a-4278-9335-66f22dd19e4b\"],\"columns\":{\"2c8c78cf-034a-4278-9335-66f22dd19e4b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"ae8e1a22-3aff-4ca8-9fcc-566bb87aa283\":{\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Top 5 values of destination.ip\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2c8c78cf-034a-4278-9335-66f22dd19e4b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"sonicwall_firewall.log\\\" 
\"},\"visualization\":{\"columns\":[{\"columnId\":\"ae8e1a22-3aff-4ca8-9fcc-566bb87aa283\"},{\"columnId\":\"2c8c78cf-034a-4278-9335-66f22dd19e4b\"}],\"layerId\":\"287c2e25-3cb0-41d5-8bf8-ae1fb696173c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":true},\"gridData\":{\"h\":15,\"i\":\"f6292d23-c9c5-4798-b7bd-ab0630e0e2f0\",\"w\":14,\"x\":34,\"y\":29},\"panelIndex\":\"f6292d23-c9c5-4798-b7bd-ab0630e0e2f0\",\"type\":\"lens\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-80a65bd8-af97-4b14-87dc-c8b2f7e847a8\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"845be485-ea9d-4aac-a3bb-5d99702828cb\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"c4ae20da-36fc-4e3b-90fb-1f7ff301b979\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"80a65bd8-af97-4b14-87dc-c8b2f7e847a8\":{\"columnOrder\":[\"4aff95fe-c475-4dbc-a230-22c2005daead\",\"a04c7483-85de-470a-a875-3b6336f57228\",\"ba0383c2-1472-45fb-a465-9125f7120a32\",\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\"],\"columns\":{\"4aff95fe-c475-4dbc-a230-22c2005daead\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 3 values of network.transport\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"network.transport\"},\"a04c7483-85de-470a-a875-3b6336f57228\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of 
network.protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.protocol\"},\"ba0383c2-1472-45fb-a465-9125f7120a32\":{\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Top 3 values of destination.port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"845be485-ea9d-4aac-a3bb-5d99702828cb\",\"key\":\"event.category\",\"negate\":false,\"params\":[\"network\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.category\":\"network\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"c4ae20da-36fc-4e3b-90fb-1f7ff301b979\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"connection-denied\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"connection-denied\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"sonicwall_firewall.log\\\" 
\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ba0383c2-1472-45fb-a465-9125f7120a32\",\"4aff95fe-c475-4dbc-a230-22c2005daead\",\"a04c7483-85de-470a-a875-3b6336f57228\"],\"layerId\":\"80a65bd8-af97-4b14-87dc-c8b2f7e847a8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"palette\":{\"name\":\"negative\",\"type\":\"palette\"},\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"b60bc6be-7082-43aa-8e3b-07468984046f\",\"w\":19,\"x\":0,\"y\":44},\"panelIndex\":\"b60bc6be-7082-43aa-8e3b-07468984046f\",\"title\":\"Denied connections by transport/protocol/destination.port\",\"type\":\"lens\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c8843882-29d4-4afd-8c11-eeae1800d40c\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"a2c0360d-161b-4a36-b16d-0cf33a37314f\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"8c9a9a40-b2ef-44e0-8afd-8ef613afb85e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"d1a641a9-f4d4-459f-9723-b6a25d02680d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c8843882-29d4-4afd-8c11-eeae1800d40c\":{\"columnOrder\":[\"708e8def-b004-4b42-ad49-a88b44da0d8f\",\"f8fbcadb-7787-4e9b-9120-bf9dbd742beb\",\"046b793c-8c99-4656-a163-bac293b4c56c\"],\"columns\":{\"046b793c-8c99-4656-a163-bac293b4c56c\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"708e8def-b004-4b42-ad49-a88b44da0d8f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of user.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"046b793c-8c99-4656-a163-bac293b4c56c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"f8fbcadb-7787-4e9b-9120-bf9dbd742beb\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 2 values of event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"fallback\":false,\"type\":\"alphabetical\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":2},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"a2c0360d-161b-4a36-b16d-0cf33a37314f\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"sonicwall_firewall.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"sonicwall_firewall.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"8c9a9a40-b2ef-44e0-8afd-8ef613afb85e\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"authentication\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"authentication\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"d1a641a9-f4d4-459f-9723-b6a25d02680d\",\"key\":\"event.type\",\"negate\":false,\"params\":{\"query\":\"start\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.type\":\"start\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":
{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"046b793c-8c99-4656-a163-bac293b4c56c\"],\"layerId\":\"c8843882-29d4-4afd-8c11-eeae1800d40c\",\"layerType\":\"data\",\"palette\":{\"name\":\"status\",\"type\":\"palette\"},\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"f8fbcadb-7787-4e9b-9120-bf9dbd742beb\",\"xAccessor\":\"708e8def-b004-4b42-ad49-a88b44da0d8f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c46fce93-0b52-4617-b88d-703bc0a2d5e6\",\"w\":29,\"x\":19,\"y\":44},\"panelIndex\":\"c46fce93-0b52-4617-b88d-703bc0a2d5e6\",\"title\":\"Top authentications\",\"type\":\"lens\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"columns\":[\"@timestamp\",\"event.action\",\"source.ip\",\"message\"],\"enhancements\":{},\"hidePanelTitles\":false,\"rowHeight\":0},\"gridData\":{\"h\":18,\"i\":\"ed04883d-ba56-4502-a905-046c874e4a72\",\"w\":48,\"x\":0,\"y\":59},\"panelIndex\":\"ed04883d-ba56-4502-a905-046c874e4a72\",\"panelRefName\":\"panel_ed04883d-ba56-4502-a905-046c874e4a72\",\"title\":\"Attack events\",\"type\":\"search\",\"version\":\"8.2.0\"}]", - "timeRestore": false, - "title": "[SonicWall Firewall] Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.2.0", - "id": "sonicwall_firewall-782e2cf0-d78f-11ec-bc4f-47419689dcde", - "migrationVersion": { - "dashboard": "8.2.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "13a27ebe-963e-4539-9013-186e247e0b32:control_13a27ebe-963e-4539-9013-186e247e0b32_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b0ebfbc0-3fbd-4b2e-a6f8-7aee80e043b5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b0ebfbc0-3fbd-4b2e-a6f8-7aee80e043b5:indexpattern-datasource-layer-d6a337e6-588b-47b6-9414-c621dcf265c9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "17735289-cfc4-429a-a5c5-f3d19df013dc:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "17735289-cfc4-429a-a5c5-f3d19df013dc:indexpattern-datasource-layer-2c3a0f47-236c-41cb-86e8-e8a27033d165", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "17735289-cfc4-429a-a5c5-f3d19df013dc:2ab93ebb-d843-4bdb-99a2-c55dd1b5c096", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a7718a64-7550-405a-8a75-4687c00dadde:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8e619b8c-80b2-46a8-8c9b-4581d3d14da5:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db14ebf1-c490-427c-bdde-d48da4496d45:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db14ebf1-c490-427c-bdde-d48da4496d45:indexpattern-datasource-layer-80a65bd8-af97-4b14-87dc-c8b2f7e847a8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db14ebf1-c490-427c-bdde-d48da4496d45:3717b68f-f5ab-4598-9f39-4a723d91165c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "06b11f86-c986-4a30-b1da-1724529bf864:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "06b11f86-c986-4a30-b1da-1724529bf864:indexpattern-datasource-layer-951e4235-9dec-43ae-b400-bfe367e43e0b", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "f6292d23-c9c5-4798-b7bd-ab0630e0e2f0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f6292d23-c9c5-4798-b7bd-ab0630e0e2f0:indexpattern-datasource-layer-287c2e25-3cb0-41d5-8bf8-ae1fb696173c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b60bc6be-7082-43aa-8e3b-07468984046f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b60bc6be-7082-43aa-8e3b-07468984046f:indexpattern-datasource-layer-80a65bd8-af97-4b14-87dc-c8b2f7e847a8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b60bc6be-7082-43aa-8e3b-07468984046f:845be485-ea9d-4aac-a3bb-5d99702828cb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b60bc6be-7082-43aa-8e3b-07468984046f:c4ae20da-36fc-4e3b-90fb-1f7ff301b979", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c46fce93-0b52-4617-b88d-703bc0a2d5e6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c46fce93-0b52-4617-b88d-703bc0a2d5e6:indexpattern-datasource-layer-c8843882-29d4-4afd-8c11-eeae1800d40c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c46fce93-0b52-4617-b88d-703bc0a2d5e6:a2c0360d-161b-4a36-b16d-0cf33a37314f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c46fce93-0b52-4617-b88d-703bc0a2d5e6:8c9a9a40-b2ef-44e0-8afd-8ef613afb85e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c46fce93-0b52-4617-b88d-703bc0a2d5e6:d1a641a9-f4d4-459f-9723-b6a25d02680d", - "type": "index-pattern" - }, - { - "id": "sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde", - "name": "ed04883d-ba56-4502-a905-046c874e4a72:panel_ed04883d-ba56-4502-a905-046c874e4a72", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/sonicwall_firewall/0.1.0/kibana/search/sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde.json b/packages/sonicwall_firewall/0.1.0/kibana/search/sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde.json deleted file mode 100755 index 091cadff7d..0000000000 --- a/packages/sonicwall_firewall/0.1.0/kibana/search/sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde.json +++ /dev/null @@ -1,49 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "source.ip", - "message" - ], - "description": "Saved search for attacks detected and blocked by SonicWall Firewall", - "grid": { - "columns": { - "event.action": { - "width": 134.5 - }, - "source.ip": { - "width": 126.25 - } - } - }, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.action\",\"negate\":false,\"params\":[\"attack-blocked\",\"attack-detected\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.action\":\"attack-blocked\"}},{\"match_phrase\":{\"event.action\":\"attack-detected\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"sonicwall_firewall.log\\\" \"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "SonicWall Firewall attacks" - }, - "coreMigrationVersion": "8.2.0", - "id": "sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/sonicwall_firewall/0.1.0/manifest.yml b/packages/sonicwall_firewall/0.1.0/manifest.yml
deleted file mode 100755
index 6d8a79c060..0000000000
--- a/packages/sonicwall_firewall/0.1.0/manifest.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-format_version: 1.0.0
-name: sonicwall_firewall
-title: "SonicWall Firewall"
-version: 0.1.0
-license: basic
-release: beta
-description: "Integration for SonicWall firewall logs"
-type: integration
-categories:
- - network
- - security
-conditions:
- kibana.version: "^8.2.0"
-screenshots:
- - src: /img/dashboard.png
- title: Sample dashboard
- size: 911x1531
- type: image/png
-icons:
- - src: /img/logo.svg
- title: SonicWall logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: sample
- title: Sample logs
- description: Collect sample logs
- inputs:
- - type: udp
- title: Collect logs via syslog
- description: Collecting logs via syslog
- - type: logfile
- title: Collect logs from file
- description: Collecting logs from file
-vars:
- - name: tz_offset
- type: text
- title: Timezone Offset
- multi: false
- required: true
- show_user: true
- default: local
- description: >-
- By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UTC.
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - sonicwall-firewall
- - forwarded
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/sonicwall_firewall/0.1.1/changelog.yml b/packages/sonicwall_firewall/0.1.1/changelog.yml
deleted file mode 100755
index 36db47da9f..0000000000
--- a/packages/sonicwall_firewall/0.1.1/changelog.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# newer versions go on top
-- version: "0.1.1"
- changes:
- - description: Fix handling of NAT fields
- type: bugfix
- link: https://github.com/elastic/integrations/pull/3420
-- version: "0.1.0"
- changes:
- - description: Initial beta version of the package
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3365
diff --git a/packages/sonicwall_firewall/0.1.1/data_stream/log/agent/stream/logfile.yml.hbs b/packages/sonicwall_firewall/0.1.1/data_stream/log/agent/stream/logfile.yml.hbs
deleted file mode 100755
index d40e62f2b9..0000000000
--- a/packages/sonicwall_firewall/0.1.1/data_stream/log/agent/stream/logfile.yml.hbs
+++ /dev/null
@@ -1,24 +0,0 @@
-paths:
-{{#each paths as |path i|}}
- - {{path}}
-{{/each}}
-exclude_files: [".gz$"]
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-fields_under_root: true
-fields:
- _conf:
- tz_offset: {{tz_offset}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/sonicwall_firewall/0.1.1/data_stream/log/agent/stream/udp.yml.hbs b/packages/sonicwall_firewall/0.1.1/data_stream/log/agent/stream/udp.yml.hbs
deleted file mode 100755
index 93707136be..0000000000
--- a/packages/sonicwall_firewall/0.1.1/data_stream/log/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,20 +0,0 @@
-host: "{{syslog_host}}:{{syslog_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-fields_under_root: true
-fields:
- _conf:
- tz_offset: {{tz_offset}}
-processors:
-- add_locale: ~
-{{#if processors}}
-{{processors}}
-{{/if}}
diff --git a/packages/sonicwall_firewall/0.1.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/sonicwall_firewall/0.1.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 63d5911160..0000000000
--- a/packages/sonicwall_firewall/0.1.1/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,1303 +0,0 @@ ---- -description: Pipeline for processing SonicWall firewall logs -processors: - - set: - field: ecs.version - value: "8.2.0" - - - set: - field: observer.vendor - value: SonicWall - - - set: - field: observer.product - value: SonicOS - - - set: - field: observer.type - value: firewall - - - set: - field: event.timezone - value: "{{{_conf.tz_offset}}}" - if: ctx?._conf?.tz_offset != null && ctx?._conf?.tz_offset != 'local' - - - rename: - field: message - target_field: event.original - ignore_missing: true - - - grok: - field: event.original - description: Extracts key-value pairs from original message - patterns: - - '%{KEY_VALUES:_temp_.serialized_kv}' - pattern_definitions: - KEY_VALUES: 'id=.*' - on_failure: - - fail: - message: 'unable to extract key-values from log message: {{{ _ingest.on_failure_message }}}' - - - kv: - field: _temp_.serialized_kv - description: Splits key-value pairs extracted from original message - field_split: ' +(?=[a-zA-Z0-9_-]+=)' - value_split: '=' - prefix: 'sonicwall.firewall.' 
- ignore_failure: false - trim_value: "\"'" - on_failure: - - fail: - message: 'unable to process key-values from log message: {{{ _ingest.on_failure_message }}}' - - - script: - lang: painless - description: Maps SonicWall fields to ECS - if: 'ctx.sonicwall?.firewall != null' - params: - arg: - - to: url.path - dpi: - - to: sonicwall.firewall.dpi - map: - '0': 'false' - '1': 'true' - dstMac: - - to: destination.mac - dstname: - - to: url.domain - dstZone: - - to: observer.egress.zone - fw: - - to: observer.hostname - fw_action: - - to: event.action - map: - forward: packet-forwarded - drop: packet-dropped - mgmt: packet-management - gcat: - - to: sonicwall.firewall.gcat - - to: sonicwall.firewall.event_group_category - map: - '1': Value - '2': System - '3': Log - '4': Security Services - '5': Users - '6': Firewall Settings - '7': Network - '8': VPN - '9': High Availability - '10': 3G/4G, Modem, and Module Firewall - '11': Wireless - '12': VoIP - '13': SSL VPN - '14': Anti-Spam - '15': WAN Acceleration - '16': SD-WAN - '17': Multi-Tenancy - id: - - to: observer.name - m: - - to: event.code - msg: - - to: message - n: - - to: event.sequence - natDst: - - to: _temp_.destination_nat_ip - natDstV6: - - to: _temp_.destination_nat_ip - natSrc: - - to: _temp_.source_nat_ip - natSrcV6: - - to: _temp_.source_nat_ip - op: - - to: http.request.method - map: - '1': 'GET' - '2': 'POST' - '3': 'HEAD' - pri: - - to: event.severity - - to: log.level - map: - '0': emergency - '1': alert - '2': critical - '3': error - '4': warning - '5': notice - '6': info - '7': debug - proto: - - to: network.transport - rcvd: - - to: destination.bytes - rpkt: - - to: destination.packets - rule: - - to: rule.id - sent: - - to: source.bytes - spkt: - - to: source.packets - srcMac: - - to: source.mac - srcZone: - - to: observer.ingress.zone - sn: - - to: observer.serial_number - time: - - to: '@timestamp' - user: - - to: user.name - usr: - - to: user.name - source: | - List sets = 
ctx._temp_.computeIfAbsent("sets", k -> new ArrayList()); - List removes = ctx._temp_.computeIfAbsent("removes", k -> new ArrayList()); - for (def src_field : ctx.sonicwall.firewall.entrySet()) { - def key = src_field.getKey(); - if (params[key] != null) { - boolean mapped = false; - for (def action : params[key]) { - def value = action.map == null? src_field.getValue() : action.map[src_field.getValue()]; - if (value != null) { - sets.add([ - "target": action.to, - "value": value - ]); - } - } - removes.add(key); - } - } - -# -# Source and destination information -# -# The src and dst fields have the following format: -# [:[:[:]]] -# -# For IPv6 addresses the srcV6/dstV6 fields are used. -# These contain the ip address, and optionally the src/dst -# fields are used to include extra information, leaving -# the part empty (value starts with `:`). - - script: - lang: painless - description: Extracts additional information from src and dst - params: - src: - - source.address - - source.port - - observer.ingress.interface.name - - source.domain - dst: - - destination.address - - destination.port - - observer.egress.interface.name - - destination.domain - source: | - List sets = ctx._temp_.computeIfAbsent("sets", k -> new ArrayList()); - List removes = ctx._temp_.computeIfAbsent("removes", k -> new ArrayList()); - for (def field : params.entrySet()) { - String value = ctx.sonicwall.firewall[field.getKey()]; - if (value == null) continue; - String[] parts = value.splitOnToken(":"); - List mapping = field.getValue(); - for ( int i = (int)Math.min(parts.length, mapping.size()) - 1 - ; i>=0 - ; i--) { - sets.add([ - "target": mapping[i], - "value": parts[i] - ]); - } - removes.add(field.getKey()); - } - -# -# Duration fields dur / cdur -# - - script: - lang: painless - description: Calculates event.duration - params: - destination: event.duration - sources: - - field: dur - append: '000000000' - - field: cdur - append: '000000' - source: | - List sets = 
ctx._temp_.computeIfAbsent("sets", k -> new ArrayList()); - List removes = ctx._temp_.computeIfAbsent("removes", k -> new ArrayList()); - Map base = ctx.sonicwall?.firewall; - if (base == null) return; - for (def entry : params.sources) { - if (base.containsKey(entry.field)) { - sets.add([ - "target": params.destination, - "value": base[entry.field] + entry.append - ]); - } - removes.add(entry.field); - } - - - foreach: - field: _temp_.removes - processor: - remove: - field: 'sonicwall.firewall.{{{ _ingest._value }}}' - ignore_missing: true - - - foreach: - field: _temp_.sets - processor: - set: - field: '{{{ _ingest._value.target }}}' - value: '{{{ _ingest._value.value }}}' - - - set: - field: source.address - copy_from: sonicwall.firewall.srcV6 - override: true - ignore_failure: true - - - set: - field: destination.address - copy_from: sonicwall.firewall.dstV6 - override: true - ignore_failure: true - - - date: - field: '@timestamp' - formats: - - 'yyyy-MM-dd HH:mm:ss VV' - - 'yyyy-MM-dd HH:mm:ss' - - ISO8601 - timezone: '{{{_conf.tz_offset}}}' - if: 'ctx._conf?.tz_offset != null && ctx._conf.tz_offset != "local"' - on_failure: - - append: - field: error.message - value: 'failed to parse time field ({{{ @timestamp }}}): {{{ _ingest.on_failure_message }}}' - - date: - field: '@timestamp' - formats: - - 'yyyy-MM-dd HH:mm:ss VV' - - 'yyyy-MM-dd HH:mm:ss' - - ISO8601 - if: 'ctx._conf?.tz_offset == null || ctx._conf.tz_offset == "local"' - on_failure: - - append: - field: error.message - value: 'failed to parse time field ({{{ @timestamp }}}): {{{ _ingest.on_failure_message }}}' - -# -# Validate IP addresses -# - - convert: - field: observer.hostname - target_field: observer.ip - type: ip - ignore_missing: true - ignore_failure: true - - - remove: - field: observer.hostname - if: 'ctx.observer?.ip != null' - - - convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - ignore_failure: true - - - remove: - field: source.address - 
if: 'ctx.source?.ip != null' - - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - ignore_failure: true - - - remove: - field: destination.address - if: 'ctx.destination?.ip != null' - -# -# Geoip enrichment -# - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - -# -# Convert MAC addresses -# - - uppercase: - field: source.mac - ignore_missing: true - - - gsub: - field: source.mac - pattern: ':' - replacement: '-' - ignore_missing: true - - - uppercase: - field: destination.mac - ignore_missing: true - - - gsub: - field: destination.mac - pattern: ':' - replacement: '-' - ignore_missing: true - -# -# Process proto field -# - - grok: - field: network.transport - description: Extracts transport and protocol information from proto field - patterns: - # transport/portnum (discard port) - - '^%{NOSLASH_WORD:network.transport}/%{NUMBER}$' - # transport/proto - - '^%{NOSLASH_WORD:network.transport}/%{NOSLASH_WORD:network.protocol}$' - # fallback (no pattern match): Keep everything in .transport - pattern_definitions: - NOSLASH_WORD: '[^/]*' - ignore_failure: true - -# -# Extract optional (undocumented) port in nat fields. 
-# - - grok: - field: _temp_.source_nat_ip - description: Extracts optional port number from src nat field - ignore_missing: true - ignore_failure: true - patterns: - - '^%{IPV4:source.nat.ip}(:?:%{POSINT:source.nat.port})?$' - - '^%{IPV6:source.nat.ip}$' - - '^\[%{IPV6:source.nat.ip}\]:%{POSINT:source.nat.port}$' - - - grok: - field: _temp_.destination_nat_ip - description: Extracts optional port number from dst nat field - ignore_missing: true - ignore_failure: true - patterns: - - '^%{IPV4:destination.nat.ip}(:?:%{POSINT:destination.nat.port})?$' - - '^%{IPV6:destination.nat.ip}$' - - '^\[%{IPV6:destination.nat.ip}\]:%{POSINT:destination.nat.port}$' - -# -# Validate integer fields -# - - convert: - field: source.bytes - type: long - ignore_missing: true - on_failure: - - remove: - field: source.bytes - - - convert: - field: source.port - type: integer - ignore_missing: true - on_failure: - - remove: - field: source.port - - - convert: - field: source.nat.port - type: integer - ignore_missing: true - on_failure: - - remove: - field: source.nat.port - - - convert: - field: source.packets - type: long - ignore_missing: true - on_failure: - - remove: - field: source.packets - - - convert: - field: destination.bytes - type: long - ignore_missing: true - on_failure: - - remove: - field: destination.bytes - - - convert: - field: destination.port - type: integer - ignore_missing: true - on_failure: - - remove: - field: destination.port - - - convert: - field: destination.nat.port - type: integer - ignore_missing: true - on_failure: - - remove: - field: destination.nat.port - - - convert: - field: destination.packets - type: long - ignore_missing: true - on_failure: - - remove: - field: destination.packets - - - convert: - field: event.duration - type: long - ignore_missing: true - on_failure: - - remove: - field: event.duration - - - script: - lang: painless - description: Aggregates bytes/packets counters - params: - keys: - - bytes - - packets - from: - - source - - 
destination - to: network - source: | - for (def src : params.from) { - for (def key : params.keys) { - def v = null; - if (ctx[src] != null && (v = ctx[src][key]) != null && v instanceof Long) { - if (ctx[params.to] == null || !(ctx[params.to] instanceof Map)) { - ctx[params.to] = new HashMap(); - } - if (ctx[params.to][key] == null || !(ctx[params.to][key] instanceof Long)) { - ctx[params.to][key] = v; - } else { - ctx[params.to][key] += v; - } - } - } - } - -# -# Extends message field with note -# - - set: - field: message - description: Extends message field with note - value: '{{{ message }}} ({{{ sonicwall.firewall.note }}})' - override: true - if: 'ctx.message != null && ctx.sonicwall?.firewall?.note != null' - - set: - field: message - value: '{{{ sonicwall.firewall.note }}}' - ignore_empty_value: true - override: false - -# -# ECS event categorization by message type -# - - script: - lang: painless - description: Fills ECS categorization fields depending on message Event ID - params: - event_types: - internal-log-success: - kind: event - category: - - host - type: - - info - outcome: success - internal-log-failure: - kind: event - category: - - host - type: - - info - outcome: failure - login-success: - kind: event - category: - - authentication - type: - - start - - info - outcome: success - login-failure: - kind: event - category: - - authentication - type: - - start - - info - outcome: failure - logout: - kind: event - category: - - authentication - type: - - end - - info - outcome: success - user-account-locked: - kind: event - category: - - iam - type: - - info - - user - outcome: success - user-account-unlocked: - kind: event - category: - - iam - type: - - info - - user - outcome: success - user-account-enabled: - kind: event - category: - - iam - type: - - info - - user - outcome: success - user-account-disabled: - kind: event - category: - - iam - type: - - info - - user - outcome: success - user-account-created: - kind: event - category: - - iam 
- type: - - info - - user - - deletion - outcome: success - user-account-changed: - kind: event - category: - - iam - type: - - info - - user - - change - outcome: success - user-account-change-failure: - kind: event - category: - - iam - type: - - info - - user - - change - outcome: failure - admin-account-changed: - kind: event - category: - - iam - type: - - info - - user - - change - - admin - outcome: success - user-account-deleted: - kind: event - category: - - iam - type: - - info - - user - - deletion - outcome: success - session-start: - kind: event - category: - - session - type: - - start - outcome: success - session-end: - kind: event - category: - - session - type: - - end - outcome: success - attack-detected: - kind: alert - category: - - intrusion_detection - type: - - info - outcome: success - attack-blocked: - kind: alert - category: - - intrusion_detection - type: - - denied - outcome: success - connection-start: - kind: event - category: [ network ] - type: - - connection - - start - outcome: success - connection-end: - kind: event - category: [ network ] - type: - - connection - - end - outcome: success - connection-denied: - kind: event - category: [ network ] - type: - - connection - - denied - outcome: success - packet-dropped: - kind: event - category: [ network ] - type: - - denied - outcome: success - connection-info: - kind: event - category: [ network ] - type: - - connection - - info - outcome: success - malware-info: - kind: alert - category: - - malware - type: - - info - outcome: success - config-change: - kind: event - category: - - configuration - type: - - change - outcome: success - config-change-failure: - kind: event - category: - - configuration - type: - - change - outcome: failure - config-info: - kind: event - category: - - configuration - type: - - info - outcome: success - config-delete: - kind: event - category: - - configuration - type: - - deletion - outcome: success - config-add: - kind: event - category: - - 
configuration - type: - - creation - outcome: success - - message_codes: - # CSV table of SonicOS messages obtained by scraping the pdf docs - # https://gist.github.com/adriansr/d7ad20e15fca1ef2df6a4cdeb53b2989 - - # Firewall - "646": packet-dropped # 646,Firewall,Access Rules,System Error,WARNING,5238,Source IP Connection Limit,Packet dropped; connection limit for this source IP address has been reached - "647": packet-dropped # 647,Firewall,Access Rules,System Error,WARNING,5239,Destination IP Connection Limit,Packet dropped; connection limit for this destination IP address has been reached - "734": connection-info # 734,Firewall,Access Rules,---,WARNING,---,Source Connection Status,Source IP address connection status: %s - "735": packet-dropped # 735,Firewall,Access Rules,---,WARNING,---,Destination Connection Status,Destination IP address connection status: %s - "45": connection-info # 45,Network,ARP,Debug,DEBUG,7002,ARP Failure,ARP Timeout - "815": connection-info # 815,Network,ARP,---,WARNING,7022,Too Many Gratuitous ARPs Detected,Too many gratuitous ARPs detected - "428": packet-dropped # 428,Firewall Settings,Advanced,Debug,WARNING,6424,Drop Source Route Packet,Source routed IP packet dropped - "1473": packet-dropped # 1473,Firewall Settings,Advanced,Debug,INFO,---,Drop Source IP Subnet Broadcast,Source IP is a subnet broadcast address - "1573": packet-dropped # 1573,Firewall Settings,Advanced,Debug,INFO,---,Drop All IPv6 Traffic,IPv6 packet dropped due to IPv6 traffic processing is disabled on this firewall - "1576": packet-dropped # 1576,Firewall Settings,Advanced,Debug,INFO,---,Drop Record Route Packet,Record routed IP packet dropped - - # Network Access - "41": packet-dropped # 41,Network,Network Access,Debug,NOTICE,7214,Unknown Protocol Dropped,Unknown protocol dropped - "46": packet-dropped # 46,Network,Network Access,Debug,DEBUG,7217,Broadcast Packets Dropped,Broadcast packet dropped - "98": connection-start # 98,Network,Network 
Access,Connection,INFO,7402,Connection Opened,Connection Opened - "347": packet-dropped # 347,Network,Network Access,TCP | UDP | ICMP,WARNING,7225,Drop Clear Packet,Port configured to receive IPsec protocol ONLY; drop packet received in the clear - "537": connection-end # 537,Network,Network Access,Connection Traffic,INFO,7403,Connection Closed,Connection Closed - "590": packet-dropped # 590,Network,Network Access,LAN UDP | LAN TCP,NOTICE,7232,LAN IP Deny,IP type %s packet dropped - "714": packet-dropped # 714,Network,Network Access,Debug,NOTICE,7236,EIGRP Packet Drop,EIGRP packet dropped - "1304": packet-dropped # 1304,Network,Network Access,Debug,ALERT,---,Packet Dropped Due to NDPP Rules,Packet is dropped due to NDPP rules. - - # Checksum Enforcement - "883": packet-dropped # 883,Firewall Settings,Checksum Enforcement,TCP|UDP,NOTICE,7243,IP Checksum Error,IP Header checksum error; packet dropped - "884": packet-dropped # 884,Firewall Settings,Checksum Enforcement,TCP,NOTICE,7244,TCP Checksum Error,TCP checksum error; packet dropped - "885": packet-dropped # 885,Firewall Settings,Checksum Enforcement,UDP,NOTICE,7245,UDP Checksum Error,UDP checksum error; packet dropped - "886": packet-dropped # 886,Firewall Settings,Checksum Enforcement,UDP,NOTICE,7246,ICMP Checksum Error,ICMP checksum error; packet dropped - "1448": packet-dropped # 1448,Firewall Settings,Checksum Enforcement,UDP,NOTICE,---,UDPv6 Checksum Error,UDPv6 checksum error; packet dropped - "1449": packet-dropped # 1449,Firewall Settings,Checksum Enforcement,UDP,NOTICE,---,ICMPv6 Checksum Error,ICMPv6 checksum error; packet dropped - - # Geo-IP Filter - "1198": connection-denied # 1198,Security Services,Geo-IP Filter,---,ALERT,---,Geo IP Initiator Blocked,Initiator from country blocked: %s - "1199": connection-denied # 1199,Security Services,Geo-IP Filter,---,ALERT,---,Geo IP Responder Blocked,Responder from country blocked: %s - "1474": connection-denied # 1474,Security Services,Geo-IP 
Filter,---,ALERT,---,Custom Geo IP Initiator Blocked,"Initiator from country blocked: %s, Source: Custom List" - "1475": connection-denied # 1475,Security Services,Geo-IP Filter,---,ALERT,---,Custom Geo IP Responder Blocked,"Responder from country blocked: %s, Source: Custom List" - - # ICMP - "38": packet-dropped # 38,Network,ICMP,ICMP,NOTICE,7211,ICMP Packets Dropped,ICMP packet dropped due to Policy - "63": packet-dropped # 63,Network,ICMP,Debug,DEBUG,7003,ICMP Too Big,Received fragmented packet or fragmentation needed - "175": packet-dropped # 175,Network,ICMP,LAN ICMP | LAN TCP,NOTICE,7224,LAN ICMP Deny,ICMP packet from LAN dropped - "182": connection-info # 182,Network,ICMP,User Activity,INFO,7006,Path MTU Receive,Received a path MTU ICMP message from router/gateway - "188": connection-info # 188,Network,ICMP,User Activity,INFO,7007,Path MTU ICMP,Received a path MTU ICMP message from router/gateway - "523": packet-dropped # 523,Network,ICMP,ICMP,NOTICE,7227,No Match ICMP Drop,ICMP packet dropped no match - "597": connection-info # 597,Network,ICMP,Debug,INFO,7233,ICMP Allow,ICMP packet allowed - "598": connection-info # 598,Network,ICMP,Debug,INFO,7234,LAN ICMP Allow,ICMP packet from LAN allowed - "1254": packet-dropped # 1254,Network,ICMP,---,INFO,---,LAN ICMPv6 Deny,ICMPv6 packet from LAN dropped - "1255": connection-info # 1255,Network,ICMP,---,INFO,---,LAN ICMPv6 Allow,ICMPv6 packet from LAN allowed - "1256": connection-info # 1256,Network,ICMP,---,INFO,---,ICMPv6 Allow,ICMPv6 packet allowed - "1257": packet-dropped # 1257,Network,ICMP,---,INFO,---,ICMPv6 Packets Dropped,ICMPv6 packet dropped due to policy - "1431": connection-info # 1431,Network,ICMP,---,INFO,---,ICMPv6 Packets Received,ICMPv6 packet received - "1433": packet-dropped # 1433,Network,ICMP,---,NOTICE,---,NDP Packets Dropped,%s - "1458": connection-info # 1458,Network,ICMP,---,NOTICE,---,NDP Packets Received,%s - - # IP - "28": packet-dropped # 28,Network,IP,TCP | UDP | 
ICMP,NOTICE,7001,Fragmented Packet,Fragmented packet dropped - "522": packet-dropped # 522,Network,IP,Debug,INFO,554,Malformed IP Packet,Malformed or unhandled IP packet dropped - "910": packet-dropped # 910,Network,IP,Debug,NOTICE,7037,IP TTL Expire,Packet Dropped - IP TTL expired - "1301": packet-dropped # 1301,Network,IP,Debug,ALERT,---,IPv6 Packet Dropped With Reserved IP,Source or Destination IPv6 address is reserved by RFC 4291. Packet is dropped - "1302": packet-dropped # 1302,Network,IP,Debug,ALERT,---,IPv6 Packet Dropped With Unspecified Destination IP,Destination IPv6 address is unspecified. Packet is dropped - "1303": packet-dropped # 1303,Network,IP,Debug,ALERT,---,IPv6 Packet Dropped With Unspecified Source IP,Source IPv6 address is unspecified but this packet is not Neighbor Solicitation message for DAD. Packet is dropped - "1429": packet-dropped # 1429,Network,IP,Debug,ALERT,---,IPv6 Packet Dropped With Site Local IP,Source or Destination IPv6 address is site-local unicast address. 
Packet is dropped - "1430": packet-dropped # 1430,Network,IP,Debug,INFO,---,IPv6 Packet with Ext Header,IPv6 Packet with extension header received - - # IPcomp - "651": packet-dropped # 651,Network,IPcomp,Debug,DEBUG,12401,IPcomp Interrupt Error,IPcomp connection interrupt - "652": packet-dropped # 652,Network,IPcomp,TCP | UDP | ICMP,NOTICE,12402,IPcomp Packet Drop,IPcomp packet dropped - "653": packet-dropped # 653,Network,IPcomp,Debug,DEBUG,12403,"IPcomp Packet Drop, Waiting",IPcomp packet dropped; waiting for pending IPcomp connection - - # IPv6 Tunneling - "1253": packet-dropped # 1253,Network,IPv6 Tunneling,---,NOTICE,---,IPv6 Tunnel Dropped,IPv6 Tunnel packet dropped - - # Multicast - "683": packet-dropped # 683,Firewall Settings,Multicast,---,NOTICE,10608,Wrong IGMP Checksum,"IGMP packet dropped, wrong checksum received on interface %s" - "690": packet-dropped # 690,Firewall Settings,Multicast,---,NOTICE,10615,UDP Packet Drop,"Multicast UDP packet dropped, no state entry" - "694": packet-dropped # 694,Firewall Settings,Multicast,---,WARNING,10619,RTP Stateful Failed,"Multicast UDP packet dropped, RTP stateful failed" - "1233": packet-dropped # 1233,Firewall Settings,Multicast,Debug,NOTICE,---,Link-Local/Mult icast IPv6 Packet,Unhandled link-local or multicast IPv6 packet dropped - - # NAT - "339": packet-dropped # 339,Network,NAT,Debug,DEBUG,7008,NAT Overwrite,"NAT translated packet exceeds size limit, packet dropped" - "1197": connection-info # 1197,Network,NAT,---,NOTICE,---,Connection NAT Mapping,NAT Mapping - "1436": packet-dropped # 1436,Network,NAT,Debug,DEBUG,---,NAT Policy Dropped Packets,"Packet dropped by NAT Policy, reason: %s" - - # NAT Policy - "1313": config-add # 1313,Network,NAT Policy,---,INFO,---,NAT Policy Add,NAT policy added - "1314": config-change # 1314,Network,NAT Policy,---,INFO,---,NAT Policy Modify,NAT policy modified - "1315": config-delete # 1315,Network,NAT Policy,---,INFO,---,NAT Policy Delete,NAT policy deleted - - # TCP - 
"36": connection-end # 36,Network,TCP,TCP,NOTICE,7209,TCP Packets Dropped,TCP connection dropped - "48": packet-dropped # 48,Network,TCP,Debug,DEBUG,7218,Out of Order Packets Dropped,Out-of-order command packet dropped - "173": connection-denied # 173,Network,TCP,LAN TCP,NOTICE,7222,LAN TCP Deny,TCP connection from LAN denied - "181": packet-dropped # 181,Network,TCP,Debug,DEBUG,7005,TCP FIN Drop,TCP FIN packet dropped - "524": connection-denied # 524,Network,Network Access,TCP,NOTICE,7228,Web Request Drop,Web access Request dropped - "580": packet-dropped # 580,Network,TCP,Attack,ALERT,558,TCP SYN/FIN Packet Drop,TCP SYN/FIN packet dropped - "708": packet-dropped # 708,Network,TCP,Debug,DEBUG,7010,TCP Invalid SEQ Number,TCP packet received with invalid SEQ number; TCP packet dropped - "709": packet-dropped # 709,Network,TCP,Debug,DEBUG,7011,TCP Invalid ACK Number,TCP packet received with invalid ACK number; TCP packet dropped - "712": connection-denied # 712,Network,TCP,Debug,DEBUG,7014,TCP Connection Reject,TCP connection reject received; TCP connection dropped - "713": connection-denied # 713,Network,TCP,Debug,DEBUG,7015,TCP Connection Abort,TCP connection abort received; TCP connection dropped - "760": connection-denied # 760,Network,TCP,---,NOTICE,7240,TCP Handshake Violation Detected,TCP handshake violation detected; TCP connection dropped - "887": packet-dropped # 887,Network,TCP,Debug,DEBUG,7026,Invalid TCP Header Length,TCP packet received with invalid header length; TCP packet dropped - "888": packet-dropped # 888,Network,TCP,Debug,DEBUG,7027,TCP Connection Does Not Exist,TCP packet received on non-existent/closed connection; TCP packet dropped - "889": packet-dropped # 889,Network,TCP,Debug,DEBUG,7028,TCP Without Mandatory SYN Flag,TCP packet received without mandatory SYN flag; TCP packet dropped - "890": packet-dropped # 890,Network,TCP,Debug,DEBUG,7029,TCP Without Mandatory ACK Flag,TCP packet received without mandatory ACK flag; TCP packet dropped - 
"891": packet-dropped # 891,Network,TCP,Debug,DEBUG,7030,TCP Packet on Closing Connection,TCP packet received on a closing connection; TCP packet dropped - "892": packet-dropped # 892,Network,TCP,Debug,INFO,7031,SYN Flag on Existing Connection,TCP packet received with SYN flag on an existing connection; TCP packet dropped - "893": packet-dropped # 893,Network,TCP,Debug,DEBUG,7032,Invalid TCP SACK Option Length,TCP packet received with invalid SACK option length; TCP packet dropped - "894": packet-dropped # 894,Network,TCP,Debug,DEBUG,7033,Invalid TCP MSS Option Length,TCP packet received with invalid MSS option length; TCP packet dropped - "895": packet-dropped # 895,Network,TCP,Debug,DEBUG,7034,Invalid TCP Option Length,TCP packet received with invalid option length; TCP packet dropped - "896": packet-dropped # 896,Network,TCP,Debug,DEBUG,7035,Invalid TCP Source Port,TCP packet received with invalid source port; TCP packet dropped - "1029": packet-dropped # 1029,Network,TCP,Debug,DEBUG,7038,Non-Permitted Option TCP Packet,TCP packet received with non-permitted option; TCP packet dropped - "1030": packet-dropped # 1030,Network,TCP,Debug,DEBUG,7039,Invalid TCP Window Scale Option Length,TCP packet received with invalid Window Scale option length; TCP packet dropped - "1031": packet-dropped # 1031,Network,TCP,Debug,DEBUG,7040,Invalid TCP Window Scale Option Value,TCP packet received with invalid Window Scale option value; TCP packet dropped - "1384": packet-dropped # 1384,Network,TCP,Debug,DEBUG,---,Invalid TCP Timestamps Option Length,TCP packet received with invalid Timestamps option length; TCP packet dropped - "1385": packet-dropped # 1385,Network,TCP,Debug,DEBUG,---,TCP Sequence Number Wrapped,TCP packet received with wrapped sequence number; TCP packet dropped - "1628": packet-dropped # 1628,Network,TCP,Debug,DEBUG,---,TCP SYN Packet With Data,TCP SYN packet received with data; TCP packet dropped - "1629": packet-dropped # 1629,Network,TCP,Debug,DEBUG,---,TCP 
Urgent Flag or Pointer,TCP packet received with Urgent flag or pointer; TCP packet dropped - - # Content Filter - "14": connection-denied # 14,Security Services,Content Filter,Blocked Sites,ERROR,701,Website Blocked,Web site access denied - "16": connection-info # 16,Security Services,Content Filter,Blocked Sites,NOTICE,703,Website Accessed,Web site access allowed - "1599": config-add # 1599,Security Services,Content Filter,User Activity,INFO,---,CFS Policy Added,CFS policy added - "1600": config-change # 1600,Security Services,Content Filter,User Activity,INFO,---,CFS Policy Modified,CFS policy modified - "1601": config-change # 1601,Security Services,Content Filter,User Activity,INFO,---,CFS Policy Deleted,CFS policy deleted - - # RBL Filter - "797": connection-denied # 797,Security Services,RBL Filter,---,NOTICE,12001,Outbound Connection Drop,Outbound connection to RBL-listed SMTP server dropped - "798": connection-denied # 798,Security Services,RBL Filter,---,NOTICE,12002,Inbound Connection Drop,Inbound connection from RBL-listed SMTP server dropped - - # Attacks - "22": attack-blocked # 22,Security Services,Attacks,Attack,ALERT,501,Ping of Death Blocked,Ping of death dropped - "23": attack-blocked # 23,Security Services,Attacks,Attack,ALERT,502,IP Spoof Detected,IP spoof dropped - "27": attack-blocked # 27,Security Services,Attacks,Attack,ALERT,505,Land Attack,Land attack dropped - "81": attack-blocked # 81,Security Services,Attacks,Attack,ALERT,520,Smurf Attack,Smurf Amplification attack dropped - "82": attack-detected # 82,Security Services,Attacks,Attack,ALERT,521,Port Scan Possible,Possible port scan detected - "83": attack-detected # 83,Security Services,Attacks,Attack,ALERT,522,Port Scan Probable,Probable port scan detected - "177": attack-detected # 177,Security Services,Attacks,Attack,ALERT,528,TCP FIN Scan,Probable TCP FIN scan detected - "178": attack-detected # 178,Security Services,Attacks,Attack,ALERT,529,TCP Xmas Scan,Probable TCP XMAS scan 
detected - "179": attack-detected # 179,Security Services,Attacks,Attack,ALERT,530,TCP Null Scan,Probable TCP NULL scan detected - "267": attack-blocked # 267,Security Services,Attacks,Attack,ALERT,547,TCP Xmas Tree Attack,TCP Xmas Tree dropped - "606": attack-blocked # 606,Security Services,Attacks,Attack,ALERT,568,Spank Attack,Spank attack multicast packet dropped - "1316": attack-detected # 1316,Network,ARP,---,ALERT,---,ARP Attack Detected,Possible ARP attack from MAC address %s - "1373": attack-detected # 1373,Security Services,Attacks,Attack,ALERT,---,IPv6 fragment size is less than minimum (<1280),"IPv6 fragment dropped, invalid length (<1280 Bytes)" - "1374": attack-detected # 1374,Security Services,Attacks,Attack,ALERT,---,IP Reassembly : Incomplete IGMP fragment,"IGMP packet dropped, incomplete fragments" - "1375": attack-detected # 1375,Security Services,Attacks,Attack,ALERT,---,UDP fragmented datagram is too big (>65535),"UDP fragment dropped, exceeds maximum IP datagram size (>65535)" - "1376": attack-blocked # 1376,Security Services,Attacks,Attack,ALERT,---,Nestea/Teardro p Attack,Nestea/Teardrop attack dropped - "1387": attack-blocked # 1387,Security Services,Attacks,Attack,ALERT,---,TCP Null Flag Attack,TCP Null Flag dropped - "1471": attack-detected # 1471,Security Services,Attacks,Attack,ALERT,---,External IDS,External IDS: %s - "229": attack-blocked # 229,VPN,DHCP Relay,Attack,WARNING,533,DHCPR IP Spoof,"IP spoof detected on packet to Central Gateway, packet dropped" - "1098": attack-detected # 1098,Network,DNS,---,ALERT,6465,DNS Rebind Attack Detected,Possible DNS rebind attack detected - "1099": attack-blocked # 1099,Network,DNS,---,ALERT,6466,DNS Rebind Attack Blocked,DNS rebind attack blocked - "1593": attack-detected # 1593,Network,DNS Security,Maintenance,NOTICE,---,DNS Tunnel Attack,Find DNS tunnel attack - %s - "446": attack-blocked # 446,Firewall Settings,FTP,Attack,ERROR,551,FTP Passive Attack,FTP: PASV response spoof attack dropped - 
"527": attack-blocked # 527,Firewall Settings,FTP,Attack,ALERT,555,FTP Port Bounce Attack,FTP: PORT bounce attack dropped. - "528": attack-blocked # 528,Firewall Settings,FTP,Attack,ALERT,556,FTP Passive Bounce Attack,FTP: PASV response bounce attack dropped. - "538": attack-blocked # 538,Firewall Settings,FTP,Attack,ALERT,557,FTP Data Port,FTP: Data connection from non default port dropped - - # IDP - "789": attack-detected # 789,Security Services,IDP,Attack,ALERT,6435,IDP Detection Alert,IDP Detection Alert: %s - "790": attack-blocked # 790,Security Services,IDP,Attack,ALERT,6436,IDP Prevention Alert,IDP Prevention Alert: %s - - # IPS - "608": attack-detected # 608,Security Services,IPS,Attack,ALERT,569,IPS Detection Alert,IPS Detection Alert: %s - "609": attack-blocked # 609,Security Services,IPS,Attack,ALERT,570,IPS Prevention Alert,IPS Prevention Alert: %s - - - # Flood Protection - "25": attack-detected # 25,Firewall Settings,Flood Protection,Attack,WARNING,503,Possible SYN Flood,Possible SYN flood attack detected - "856": config-change # 856,Firewall Settings,Flood Protection,Attack,WARNING,6439,SYN Flood Watch Mode,SYN Flood Mode changed by user to: Watch and report possible SYN floods - "857": config-change # 857,Firewall Settings,Flood Protection,Attack,WARNING,6440,SYN Flood Trigger Mode,SYN Flood Mode changed by user to: Watch and proxy WAN connections when under attack - "858": config-change # 858,Firewall Settings,Flood Protection,Attack,WARNING,6441,SYN Flood Proxy Mode,SYN Flood Mode changed by user to: Always proxy WAN connections - "859": attack-detected # 859,Firewall Settings,Flood Protection,Attack,ALERT,6442,SYN Flood Proxy Trigger Mode,Possible SYN flood detected on WAN IF %s - switching to connection-proxy mode - "860": attack-detected # 860,Firewall Settings,Flood Protection,Attack,ALERT,6443,SYN Flood Detected,Possible SYN Flood on IF %s - "862": config-change # 862,Firewall Settings,Flood Protection,Attack,WARNING,6445,SYN Flood Blacklist 
On,SYN Flood blacklisting enabled by user - "863": config-change # 863,Firewall Settings,Flood Protection,Attack,WARNING,6446,SYN Flood Blacklist Off,SYN Flood blacklisting disabled by user - "864": attack-blocked # 864,Firewall Settings,Flood Protection,Attack,ALERT,6447,SYN-Flooding Machine Blacklisted,SYN-Flooding machine %s blacklisted - "897": attack-detected # 897,Firewall Settings,Flood Protection,Attack,INFO,7036,Invalid TCP SYN Flood Cookie,TCP packet received with invalid SYN Flood cookie; TCP packet dropped - "898": attack-blocked # 898,Firewall Settings,Flood Protection,Attack,ALERT,6453,RST-Flooding Machine Blacklisted,RST-Flooding machine %s blacklisted - "901": attack-blocked # 901,Firewall Settings,Flood Protection,Attack,ALERT,6456,FIN-Flooding Machine Blacklisted,FIN-Flooding machine %s blacklisted - "904": attack-detected # 904,Firewall Settings,Flood Protection,Attack,ALERT,6459,Possible RST Flood,Possible RST Flood on IF %s - "905": attack-detected # 905,Firewall Settings,Flood Protection,Attack,ALERT,6460,Possible FIN Flood,Possible FIN Flood on IF %s - "1180": attack-blocked # 1180,Firewall Settings,Flood Protection,---,ALERT,---,DOS Protection on WAN Begin,DOS protection on WAN begins %s - "1213": attack-detected # 1213,Firewall Settings,Flood Protection,Attack,ALERT,---,UDP Flood Detected,Possible UDP flood attack detected - "1214": attack-detected # 1214,Firewall Settings,Flood Protection,Attack,ALERT,---,ICMP Flood Detected,Possible ICMP flood attack detected - "1366": attack-blocked # 1366,Firewall Settings,Flood Protection,Attack,ALERT,---,TCP-Flooding Machine Blacklisted,TCP-Flooding machine %s blacklisted - "1369": attack-detected # 1369,Firewall Settings,Flood Protection,Attack,ALERT,---,Possible TCP Flood,Possible TCP Flood on IF %s - "1450": attack-detected # 1450,Firewall Settings,Flood Protection,Attack,ALERT,---,UDPv6 Flood Detected,Possible UDPv6 flood attack detected - "1451": attack-detected # 1451,Firewall Settings,Flood 
Protection,Attack,ALERT,---,ICMPv6 Flood Detected,Possible ICMPv6 flood attack detected - "1452": attack-detected # 1452,Firewall Settings,Flood Protection,Attack,ALERT,---,Half Open TCP Connection Threshold Exceeded,Too many half-open TCP connections - - # RF Monitoring - "879": attack-detected # 879,Wireless,RF Monitoring,---,WARNING,---,WLAN Radio Frequency Threat Detected,WLAN radio frequency threat detected - - # WLAN - "1363": attack-detected # 1363,Wireless,WLAN,802.11b Management,ALERT,---,WLAN 802.11 Flood,Wireless Flood Attack - - # WLAN IDS - "546": attack-detected # 546,Wireless,WLAN IDS,WLAN IDS,ALERT,901,Rogue AP or MitM AP Found,Found Rogue or MitM Access Point - "548": attack-detected # 548,Wireless,WLAN IDS,WLAN IDS,ALERT,903,WLAN Association Flood,Association Flood from WLAN station - - # Authentication Access - "24": logout # 24,Users,Authentication Access,User Activity,INFO,4201,User Disconnect Detected,User logged out - user disconnect detected - "29": login-success # 29,Users,Authentication Access,User Activity,INFO,4202,Successful Admin Login,Administrator login allowed - "30": login-failure # 30,Users,Authentication Access,Attack,ALERT,560,Wrong Admin Password,Administrator login denied due to bad credentials - "31": login-success # 31,Users,Authentication Access,User Activity,INFO,4204,Successful User Login,User login from an internal zone allowed - "32": login-failure # 32,Users,Authentication Access,User Activity,INFO,4205,Wrong User Password,User login denied due to bad credentials - "33": login-failure # 33,Users,Authentication Access,User Activity,INFO,4206,Unknown User Login Attempt,User login denied due to bad credentials - "34": login-failure # 34,Users,Authentication Access,User Activity,INFO,4207,Login Timeout,Pending login timed out - "35": login-failure # 35,Users,Authentication Access,Attack,ALERT,506,Admin Login Disabled,Administrator login denied from %s; logins disabled from this interface - "199": login-success # 
199,Users,Authentication Access,User Activity,INFO,4209,Admin Login From CLI,CLI administrator login allowed - "200": login-failure # 200,Users,Authentication Access,User Activity,WARNING,4210,Admin Password Error From CLI,CLI administrator login denied due to bad credentials - "235": login-success # 235,Users,Authentication Access,User Activity,INFO,4211,Admin VPN Login,VPN zone administrator login allowed - "236": login-success # 236,Users,Authentication Access,User Activity,INFO,4212,Admin WAN Login,WAN zone administrator login allowed - "237": login-success # 237,Users,Authentication Access,User Activity,INFO,4213,User VPN Login,VPN zone remote user login allowed - "238": login-success # 238,Users,Authentication Access,User Activity,INFO,4214,User WAN Login,WAN zone remote user login allowed - "246": login-failure # 246,Users,Authentication Access,User Activity,INFO,8204,User Login From Wrong Location,User login denied - User has no privileges for login from that location - "261": logout # 261,Users,Authentication Access,User Activity,INFO,4215,Admin Logout,Administrator logged out - "262": logout # 262,Users,Authentication Access,User Activity,INFO,4216,Admin Logout - Timer Expire,Administrator logged out - inactivity timer expired - "263": logout # 263,Users,Authentication Access,User Activity,INFO,4217,User Logout,User logged out - %s - "264": logout # 264,Users,Authentication Access,User Activity,INFO,4218,User Logout - Max Session,User logged out - max session time exceeded - "265": logout # 265,Users,Authentication Access,User Activity,INFO,4219,User Logout - Timer Expire,User logged out - inactivity timer expired - "328": admin-account-changed # 328,Users,Authentication Access,Maintenance,INFO,4220,Admin Name Change,Administrator name changed - "329": login-failure # 329,Users,Authentication Access,Attack,ERROR,561,User Login Lockout,User login failure rate exceeded - logins from user IP address denied - "438": user-account-unlocked # 
438,Users,Authentication Access,User Activity,INFO,4222,User Login Lockout Expired,Locked-out user logins allowed - lockout period expired - "439": user-account-unlocked # 439,Users,Authentication Access,User Activity,INFO,4223,User Login Lockout Clear,Locked-out user logins allowed by %s - "486": login-failure # 486,Users,Authentication Access,User Activity,INFO,4224,WLAN User Login Deny,User login denied - User has no privileges for guest service - "506": config-change # 506,Users,Authentication Access,Maintenance,INFO,4225,VPN Disabled,VPN disabled by administrator - "507": config-change # 507,Users,Authentication Access,Maintenance,INFO,4226,VPN Enabled,VPN enabled by administrator - "508": config-change # 508,Users,Authentication Access,Maintenance,INFO,4227,WLAN Disabled,WLAN disabled by administrator - "509": config-change # 509,Users,Authentication Access,Maintenance,INFO,4228,WLAN Enabled,WLAN enabled by administrator - "520": logout # 520,Users,Authentication Access,User Activity,INFO,4235,Admin Logout From CLI,CLI administrator logged out - "549": login-failure # 549,Users,Authentication Access,User Activity,WARNING,4236,WLAN Guest Limit,User login failed - Guest service limit reached - "550": session-end # 550,Users,Authentication Access,User Activity,INFO,4237,WLAN Session Timeout,User Session Quota Expired - "551": session-end # 551,Users,Authentication Access,User Activity,INFO,4238,WLAN Account Timeout,Guest Account Timeout - "557": login-failure # 557,Users,Authentication Access,User Activity,INFO,4239,WLAN Guest Already Login,Guest login denied. Guest '%s' is already logged in. Please try again later. 
- "558": user-account-created # 558,Users,Authentication Access,User Activity,INFO,4240,WLAN Guest Create,Guest account '%s' created - "559": user-account-deleted # 559,Users,Authentication Access,User Activity,INFO,4241,WLAN Guest Delete,Guest account '%s' deleted - "560": user-account-disabled # 560,Users,Authentication Access,User Activity,INFO,4242,WLAN Guest Disable,Guest account '%s' disabled - "561": user-account-enabled # 561,Users,Authentication Access,User Activity,INFO,4243,WLAN Guest Re-enable,Guest account '%s' re-enabled - "562": user-account-deleted # 562,Users,Authentication Access,User Activity,INFO,4244,WLAN Guest Prune,Guest account '%s' pruned - "564": session-end # 564,Users,Authentication Access,User Activity,INFO,4246,WLAN Idle Timeout,Guest Idle Timeout - "583": login-failure # 583,Users,Authentication Access,Attack,ERROR,559,User Login Disable,User login disabled from %s - "728": config-change # 728,Users,Authentication Access,Maintenance,INFO,4248,WLAN Disable By Schedule,WLAN disabled by schedule - "729": config-change # 729,Users,Authentication Access,Maintenance,INFO,4249,WLAN Enabled By Schedule,WLAN enabled by schedule - "759": login-failure # 759,Users,Authentication Access,User Activity,INFO,---,User Already Logged-In,User login denied - user already logged in - "986": login-failure # 986,Users,Authentication Access,User Activity,INFO,4256,Not Allowed by Policy Rule,User login denied - not allowed by Policy rule - "987": login-failure # 987,Users,Authentication Access,User Activity,INFO,4257,Not Found Locally,User login denied - not found locally - "994": session-start # 994,Users,Authentication Access,User Activity,INFO,4258,Configuration Mode Administration Session Started,Configuration mode administration session started - "995": session-end # 995,Users,Authentication Access,User Activity,INFO,4259,Configuration Mode Administration Session Ended,Configuration mode administration session ended - "996": session-start # 
996,Users,Authentication Access,User Activity,INFO,4260,Read-only Mode GUI Administration Session Started,Read-only mode GUI administration session started - "997": session-start # 997,Users,Authentication Access,User Activity,INFO,4261,Non-Config Mode GUI Administration Session Started,Non-config mode GUI administration session started - "998": session-end # 998,Users,Authentication Access,User Activity,INFO,4262,GUI Administration Session End,GUI administration session ended - "1008": logout # 1008,Users,Authentication Access,User Activity,INFO,---,Logout Detected by SSO,User logged out - logout detected by SSO - "1035": login-failure # 1035,Users,Authentication Access,User Activity,INFO,---,Password Expire,User login denied - password expired - "1048": login-failure # 1048,Users,Authentication Access,---,INFO,---,Password doesn't meet constraints,User login denied - password doesn't meet constraints - "1080": login-success # 1080,Users,Authentication Access,---,INFO,---,Successful SSL VPN User Login,SSL VPN zone remote user login allowed - "1117": login-failure # 1117,Users,Authentication Access,User Activity,WARNING,---,SSO Probe Failed,User login denied - SSO probe failed - "1118": login-failure # 1118,Users,Authentication Access,User Activity,INFO,---,SMTP Server Not Configured,User login denied - Mail Address(From/to) or SMTP Server is not configured - "1119": login-failure # 1119,Users,Authentication Access,User Activity,INFO,---,RADIUS User Cannot Use One Time Password,RADIUS user cannot use One Time Password - no mail address set for equivalent local user - "1120": login-failure # 1120,Users,Authentication Access,User Activity,WARNING,---,TSA Timeout,User login denied - Terminal Services agent Timeout - "1121": login-failure # 1121,Users,Authentication Access,User Activity,WARNING,---,TSA Name Resolution Failed,User login denied - Terminal Services agent name resolution failed - "1122": login-failure # 1122,Users,Authentication Access,User 
Activity,WARNING,---,No Name Received from TSA,User login denied - No name received from Terminal Services agent - "1123": login-failure # 1123,Users,Authentication Access,User Activity,WARNING,---,TSA Communicatio n Problem,User login denied - Terminal Services agent communication problem - "1124": logout # 1124,Users,Authentication Access,User Activity,INFO,---,TSA User logout,User logged out - logout reported by Terminal Services agent - "1157": user-account-disabled # 1157,Users,Authentication Access,User Activity,INFO,---,User Account Expired,User account '%s' expired and disabled - "1158": user-account-deleted # 1158,Users,Authentication Access,User Activity,INFO,---,User Account Pruned,User account '%s' expired and pruned - "1243": login-failure # 1243,Users,Authentication Access,User Activity,INFO,---,Sending OTP Failed,User login Failed - An error has occurred while sending your one-time password - "1333": user-account-created # 1333,Users,Authentication Access,User Activity,INFO,---,Create a User,%s - "1334": user-account-changed # 1334,Users,Authentication Access,User Activity,INFO,---,Edit a User,%s - "1335": user-account-deleted # 1335,Users,Authentication Access,User Activity,INFO,---,Delete a User,%s - "1341": user-account-changed # 1341,Users,Authentication Access,User Activity,INFO,---,Edit Customize Login Pages,%s - "1342": user-account-changed # 1342,Users,Authentication Access,User Activity,INFO,---,Edit user lockout params,Update administrator/user lockout params - %s - "1517": login-failure # 1517,Users,Authentication Access,User Activity,INFO,---,User Name Invalid Symbol,User name invalid symbol: %s - "1570": user-account-locked # 1570,Users,Authentication Access,Attack,ERROR,---,User Account Lockout,%s. - "1571": user-account-unlocked # 1571,Users,Authentication Access,Attack,ERROR,---,User Account Unlocked,User %s account is unlocked. 
- "1572": login-failure # 1572,Users,Authentication Access,Attack,ERROR,---,User is currently locked out,User login failed because the user is currently locked out. - "1585": login-failure # 1585,Users,Authentication Access,User Activity,INFO,---,User Login Denied,User login denied -%s - "1627": user-account-disabled # 1627,Users,Authentication Access,User Activity,INFO,---,User Account Expired due to inactivity,User account '%s' expired and disabled due to inactivity - "1655": login-failure # 1655,Users,Authentication Access,Attack,ERROR,---,User is now locked out,"User login failed, user is now locked out." - "1672": login-failure # 1672,Users,Authentication Access,User Activity,WARNING,---,CLI Limit Admin Denied From WAN,CLI limit administrator login denied from WAN - - # Radius Authentication - "243": login-failure # 243,Users,Radius Authentication,User Activity,INFO,8201,User Login Failed,User login denied - RADIUS authentication failure - "244": login-failure # 244,Users,Radius Authentication,User Activity,WARNING,8202,User Login Timeout,User login denied - RADIUS server Timeout - "245": login-failure # 245,Users,Radius Authentication,User Activity,WARNING,8203,User Login Error,User login denied - RADIUS configuration error - "744": login-failure # 744,Users,Radius Authentication,User Activity,WARNING,8205,RADIUS Communicatio n Problem,User login denied - RADIUS communication problem - "745": login-failure # 745,Users,Radius Authentication,User Activity,INFO,8206,LDAP Authentication Failure,User login denied - LDAP authentication failure - "746": login-failure # 746,Users,Radius Authentication,User Activity,WARNING,8207,LDAP Server Timeout,User login denied - LDAP server Timeout - "747": login-failure # 747,Users,Radius Authentication,User Activity,WARNING,8208,LDAP Server Error,User login denied - LDAP server down or misconfigured - "748": login-failure # 748,Users,Radius Authentication,User Activity,WARNING,8209,LDAP Communicatio n Problem,User login denied 
- LDAP communication problem - "749": login-failure # 749,Users,Radius Authentication,User Activity,WARNING,8210,LDAP Server Invalid Credential,User login denied - invalid credentials on LDAP server - "750": login-failure # 750,Users,Radius Authentication,User Activity,WARNING,8211,LDAP Server Insufficient Access,User login denied - insufficient access on LDAP server - "751": login-failure # 751,Users,Radius Authentication,User Activity,WARNING,8212,LDAP Schema Mismatch,User login denied - LDAP schema mismatch - "753": login-failure # 753,Users,Radius Authentication,User Activity,WARNING,8214,LDAP Server Name Resolution Failed,User login denied - LDAP server name resolution failed - "754": login-failure # 754,Users,Radius Authentication,User Activity,WARNING,8215,RADIUS Server Name Resolution Failed,User login denied - RADIUS server name resolution failed - "755": login-failure # 755,Users,Radius Authentication,User Activity,WARNING,8216,LDAP Server Certificate Invalid,User login denied - LDAP server certificate not valid - "756": login-failure # 756,Users,Radius Authentication,User Activity,WARNING,8217,LDAP TLS or Local Error,User login denied - TLS or local certificate problem - "757": login-failure # 757,Users,Radius Authentication,User Activity,WARNING,8218,LDAP Directory Mismatch,User login denied - LDAP directory mismatch - "1011": user-account-change-failure # 1011,Users,Radius Authentication,System Error,WARNING,4265,Non-Administr ative Attempt to Change Password,LDAP using non-administrative account - VPN client user will not be able to change passwords - - # SSO Agent Authentication - "988": login-failure # 988,Users,SSO Agent Authentication,User Activity,WARNING,12601,Timeout,User login denied - SSO agent Timeout - "989": login-failure # 989,Users,SSO Agent Authentication,User Activity,WARNING,12602,Configuration Error,User login denied - SSO agent configuration error - "990": login-failure # 990,Users,SSO Agent Authentication,User 
Activity,WARNING,12603,Communicatio n Problem,User login denied - SSO agent communication problem - "991": login-failure # 991,Users,SSO Agent Authentication,User Activity,WARNING,12604,Name Resolution Failed,User login denied - SSO agent name resolution failed - - # Anti-Spyware - "794": malware-info # 794,Security Services,Anti-Spyware,Attack,ALERT,6437,Anti-Spyware Prevention Alert,Anti-Spyware Prevention Alert: %s - "795": malware-info # 795,Security Services,Anti-Spyware,Attack,ALERT,6438,Anti-Spyware Detection Alert,Anti-Spyware Detection Alert: %s - "796": malware-info # 796,Security Services,Anti-Spyware,Maintenance,WARNING,8631,Anti-Spyware Service Expired,Anti-Spyware Service Expired - - # Anti-Virus - "123": malware-info # 123,Security Services,Anti-Virus,Maintenance,INFO,8605,AV Access Without Agent,Access attempt from host without Anti-Virus agent installed - "124": malware-info # 124,Security Services,Anti-Virus,Maintenance,INFO,8606,AV Agent Out of Date,Anti-Virus agent out-of-date on host - "125": malware-info # 125,Security Services,Anti-Virus,Maintenance,WARNING,524,AV Alert Receive,Received AV Alert: %s - "159": malware-info # 159,Security Services,Anti-Virus,Maintenance,WARNING,526,AV Expire message,Received AV Alert: Your Network Anti-Virus subscription has expired. %s - "408": malware-info # 408,Security Services,Anti-Virus,Maintenance,INFO,8617,AV License Exceeded,Anti-Virus Licenses Exceeded - "482": malware-info # 482,Security Services,Anti-Virus,Maintenance,WARNING,552,AV Expiration Warning,Received AV Alert: Your Network Anti-Virus subscription will expire in 7 days. 
%s - - # Next-Gen Anti-Virus - "1559": malware-info # 1559,Security Services,Next-Gen Anti-Virus,Maintenance,INFO,---,Next-Gen AV Access Without Agent,Access attempt from host without Next-Gen Anti-Virus agent installed - "1560": malware-info # 1560,Security Services,Next-Gen Anti-Virus,Maintenance,INFO,---,Next-Gen AV Agent Out of Date,Next-Gen Anti-Virus agent out-of-date on host - "1561": malware-info # 1561,Security Services,Next-Gen Anti-Virus,Maintenance,WARNING,---,Next-Gen AV Expire message,Received Next-Gen AV Alert: Your Network Next-Gen Anti-Virus subscription has expired. %s - "1562": malware-info # 1562,Security Services,Next-Gen Anti-Virus,Maintenance,WARNING,---,Next-Gen AV Expiration Warning,Received Next-Gen AV Alert: Your Network Next-Gen Anti-Virus subscription will expire in 7 days. %s - - # Application Control - "1154": malware-info # 1154,Security Services,Application Control,---,ALERT,15001,Application Control Detection Alert,Application Control Detection Alert: %s - "1155": malware-info # 1155,Security Services,Application Control,---,ALERT,15002,Application Control Prevention Alert,Application Control Prevention Alert: %s - - # Application Firewall - "793": malware-info # 793,Firewall,Application Firewall,User Activity,ALERT,13201,Application Firewall Alert,Application Firewall Alert: %s - "1654": malware-info # 1654,Firewall,Application Firewall,User Activity,DEBUG,---,Custom Match Applied,Custom Match applied %s - - # Access Rules - "440": config-add # 440,Firewall,Access Rules,User Activity,INFO,5801,Rule Added,Access rule added - "441": config-change # 441,Firewall,Access Rules,User Activity,INFO,5802,Rule Modified,Access rule viewed or modified - "442": config-delete # 442,Firewall,Access Rules,User Activity,INFO,5803,Rule Deleted,Access rule deleted - - # Administration - "340": config-change # 340,System,Administration,Maintenance,INFO,5212,HTTP Port Change,HTTP management port has changed - "341": config-change # 
341,System,Administration,Maintenance,INFO,5213,HTTPS Port Change,HTTPS management port has changed - - # Advanced - "1590": config-info # 1590,Firewall Settings,Advanced,Debug,INFO,---,Internal VLAN Configuration,%s - - # Botnet Filter - "1195": attack-detected # 1195,Security Services,Botnet Filter,---,WARNING,---,Botnet Filter Subscription Expired,Received Alert: Your Firewall Botnet Filter subscription has expired. - "1200": attack-blocked # 1200,Security Services,Botnet Filter,---,ALERT,---,Botnet Initiator Blocked,Suspected Botnet initiator blocked: %s - "1201": attack-blocked # 1201,Security Services,Botnet Filter,---,ALERT,---,Botnet Responder Blocked,Suspected Botnet responder blocked: %s - "1476": attack-blocked # 1476,Security Services,Botnet Filter,---,ALERT,---,Custom Botnet Initiator Blocked,"Suspected Botnet initiator blocked: %s, Source: Custom List" - "1477": attack-blocked # 1477,Security Services,Botnet Filter,---,ALERT,---,Custom Botnet Responder Blocked,"Suspected Botnet responder blocked: %s, Source: Custom List" - "1518": attack-blocked # 1518,Security Services,Botnet Filter,---,ALERT,---,Botnet Initiator Blocked By Dynamic List,"Suspected Botnet initiator blocked: %s, Source: Dynamic List" - "1519": attack-blocked # 1519,Security Services,Botnet Filter,---,ALERT,---,Botnet Responder Blocked By Dynamic List,"Suspected Botnet responder blocked: %s, Source: Dynamic List" - - # Cloud Backup - "1511": internal-log-success # 1511,System,Cloud Backup,---,INFO,---,Automatic Cloud Backup Successful,%s - "1512": internal-log-failure # 1512,System,Cloud Backup,---,INFO,---,Automatic Cloud Backup Failed,%s - "1513": internal-log-success # 1513,System,Cloud Backup,---,INFO,---,Manual Cloud Backup Successful,%s - "1514": internal-log-failure # 1514,System,Cloud Backup,---,INFO,---,Manual Cloud Backup Failed,%s - "1515": internal-log-success # 1515,System,Cloud Backup,---,INFO,---,Delete Cloud Backup Successful,%s - "1516": internal-log-failure # 
1516,System,Cloud Backup,---,INFO,---,Delete Cloud Backup Failed,%s - - # Restart - "93": internal-log-failure # 93,System,Restart,System Error,ERROR,611,Suspend Reboot,Diagnostic Code A - "94": internal-log-failure # 94,System,Restart,System Error,ERROR,612,Deadlock Reboot,Diagnostic Code B - "95": internal-log-failure # 95,System,Restart,System Error,ERROR,613,Low Memory Reboot,Diagnostic Code C - "164": internal-log-failure # 164,System,Restart,System Error,ERROR,621,HTTP Server Reboot,Diagnostic Code F - "599": internal-log-failure # 599,System,Restart,System Error,ERROR,655,Stack Margin Reboot,Diagnostic Code G - "600": internal-log-failure # 600,System,Restart,System Error,ERROR,656,Delete Reboot,Diagnostic Code H - "601": internal-log-failure # 601,System,Restart,System Error,ERROR,657,Delete Stack Reboot,Diagnostic Code I - "1046": internal-log-success # 1046,System,Restart,---,INFO,---,Diagnostic Auto-Restart Canceled,Diagnostic Auto-restart canceled - "1047": internal-log-success # 1047,System,Restart,---,INFO,---,Diagnostic Auto-Restart,"As per Diagnostic Auto-restart configuration Request, restarting system" - "1392": internal-log-success # 1392,System,Restart,Maintenance,ALERT,5243,SonicOS up,SonicOS up:%s - "1393": internal-log-success # 1393,System,Restart,Maintenance,ALERT,5244,SonicOS down,SonicOS down:%s - - # Settings - "573": internal-log-failure # 573,System,Settings,System Error,WARNING,649,Preferences Too Big,The preferences file is too large to be saved in available flash memory - "574": internal-log-failure # 574,System,Settings,System Error,WARNING,650,Preferences Defaulted,All preference values have been set to factory default values - "1049": internal-log-success # 1049,System,Settings,---,INFO,---,System Setting Imported,System Setting Imported - "1065": internal-log-success # 1065,System,Settings,Maintenance,INFO,---,Remote Backup Succeeded,Successfully sent %s file to remote backup server - "1066": internal-log-failure # 
1066,System,Settings,Maintenance,ALERT,---,Remote Backup Failed,"Failed to send file to remote backup server, Error: %s" - "1160": internal-log-failure # 1160,System,Settings,Maintenance,DEBUG,---,Failed to Ping Remote Backup Server,Attempt to contact Remote backup server for upload approval failed - "1161": internal-log-failure # 1161,System,Settings,Maintenance,DEBUG,---,Failed to Upload Remote Backup Server,Backup remote server did not approve upload Request - "1268": internal-log-failure # 1268,System,Settings,---,NOTICE,---,Firmware Update Failed,Firmware Update Failed - "1269": config-change # 1269,System,Settings,---,NOTICE,---,Firmware Update Succeeded,Firmware Update Succeeded %s - "1336": config-change # 1336,System,Settings,---,INFO,---,Change Certification,Certification %s - "1337": user-account-changed # 1337,System,Settings,---,INFO,---,User Password Changed by Administrators,%s - "1338": user-account-changed # 1338,System,Settings,---,INFO,---,User Change Password,User %s password is changed - "1339": config-change # 1339,System,Settings,---,INFO,---,Change Password Rule,Password rule %s is changed - "1340": config-change # 1340,System,Settings,---,INFO,---,Change User Inactive time out,User Inactive timeout is changed to %s - "1432": config-change # 1432,System,Settings,---,INFO,---,Configuration Change,Configuration changed: %s - "1494": internal-log-success # 1494,System,Settings,---,INFO,---,System Setting Exported,System Setting Exported - "1520": internal-log-success # 1520,System,Settings,Maintenance,INFO,---,E-mail SFR Success,Successfully sent SFR file by E-mail - "1521": internal-log-failure # 1521,System,Settings,Maintenance,INFO,---,E-mail SFR Failed,"Failed to send SFR file by E-mail, %s" - "1565": internal-log-success # 1565,System,Settings,Maintenance,INFO,---,FTP Transfer Success,Successfully sent Flow Report file by FTP - "1566": internal-log-failure # 1566,System,Settings,Maintenance,INFO,---,FTP Transfer Failed,"Failed to send Flow 
Report file by FTP, %s" - "1567": internal-log-success # 1567,System,Settings,Maintenance,INFO,---,E-mail Transfer Success,Successfully sent Flow Report file by E-mail - "1568": internal-log-failure # 1568,System,Settings,Maintenance,INFO,---,E-mail Transfer Failed,"Failed to send Flow Report file by E-mail, %s" - "1636": internal-log-failure # 1636,System,Settings,---,INFO,---,Port Unreachable Received,Port Unreachable received from remote sender - "1637": internal-log-failure # 1637,System,Settings,---,INFO,---,Port Unreachable Ignored,Port Unreachable from remote sender ignored - - # Cluster - "1149": internal-log-failure # 1149,High Availability,Cluster,---,WARNING,---,VRRP Expiration Message,Your Active/Active Clustering subscription has expired. - "1152": internal-log-failure # 1152,High Availability,Cluster,---,ERROR,---,VRRP Cluster No license,Active/Active Clustering license is not activated on the following cluster units: %s - - # Status - "4": internal-log-success # 4,System,Status,Maintenance,ALERT,5201,Activate Firewall,Network Security Appliance activated - "53": internal-log-failure # 53,System,Status,System Error,ERROR,607,Connection Cache Full,The cache is full; %s open connections; some will be dropped - "521": internal-log-success # 521,System,Status,Maintenance,INFO,5218,Initializing,Network Security Appliance initializing - "1107": internal-log-failure # 1107,System,Status,System Error,ALERT,---,System Alert,%s - "1196": internal-log-failure # 1196,System,Status,Maintenance,ALERT,---,Firewall Limit Reached,Product maximum entries reached - %s - "1332": config-change # 1332,System,Status,Maintenance,ALERT,---,NDPP Mode Change,NDPP mode is changed to %s - "1495": internal-log-success # 1495,System,Status,Maintenance,INFO,---,Firewall was Rebooted by Setting Import,Firewall was rebooted by setting import at %s - "1496": internal-log-success # 1496,System,Status,Maintenance,INFO,---,Firewall was Rebooted by Firmware,Firewall was rebooted by %s - - 
# Configuration Auditing - "1382": config-change # 1382,Log,Configuration Auditing,User Activity,INFO,5609,Configuration Change Succeeded,Configuration succeeded: %s - "1383": config-change-failure # 1383,Log,Configuration Auditing,User Activity,INFO,5610,Configuration Change Failed,Configuration failed: %s - "1674": config-change # 1674,Log,Configuration Auditing,User Activity,INFO,---,Chassis settings change,Chassis: %s - - # Interfaces - "58": connection-denied # 58,Network,Interfaces,System Error,ERROR,608,Too Many IP on LAN,License exceeded: Connection dropped because too many IP addresses are in use on your LAN - - # SSL Control - "999": connection-info # 999,Firewall Settings,SSL Control,Blocked Sites,INFO,7247,Website Found in Blacklist,SSL Control: Website found in blacklist - "1001": connection-info # 1001,Firewall Settings,SSL Control,Blocked Sites,INFO,---,Weak SSL Version,SSL Control: Weak SSL Version being used - "1002": connection-info # 1002,Firewall Settings,SSL Control,Blocked Sites,INFO,7250,Certificate With Invalid Date,SSL Control: Certificate with invalid date - "1003": connection-info # 1003,Firewall Settings,SSL Control,Blocked Sites,INFO,7251,Self-Signed Certificate,SSL Control: Self-signed certificate - "1004": connection-info # 1004,Firewall Settings,SSL Control,Blocked Sites,INFO,7252,Weak Cipher Being Used,SSL Control: Weak cipher being used - "1005": connection-info # 1005,Firewall Settings,SSL Control,Blocked Sites,INFO,7253,Untrusted CA,SSL Control: Untrusted CA - "1006": connection-info # 1006,Firewall Settings,SSL Control,Blocked Sites,INFO,7254,Certificate Chain Incomplete,SSL Control: Certificate chain not complete - "1081": connection-info # 1081,Firewall Settings,SSL Control,Blocked Sites,INFO,---,Certificate Blocked Weak Digest,SSL Control: Certificate with Weak Digest Signature Algorithm - - on_failure: - - append: - field: error.message - value: 'internal ECS categorization error: {{{ _ingest.on_failure_message }}}' - 
source: | - def clone(def val) { - return val instanceof List? new ArrayList(val) : val; - } - def evtype = params.message_codes[ctx.event?.code]; - if (evtype == null) return; - def actions = params.event_types[evtype]; - if (actions == null) { - throw new Exception("message code " + ctx.event.code + " references missing event type " + evtype); - } - def event = ctx.computeIfAbsent('event', k -> new HashMap()); - for (def entry : actions.entrySet()) { - event[entry.getKey()] = clone(entry.getValue()); - } - event["action"] = evtype; - -# -# Builds url fields -# url = proto + :// + dstname + arg -# -# This requires `arg` field being present (url.path) -# as dstname can have a different meaning (email attachments) -# but arg is always used in the context of an HTTP transaction -# - - set: - field: url.scheme - value: '{{{ network.protocol }}}' - ignore_empty_value: true - if: 'ctx.url?.path != null' - - - rename: - field: url.domain - target_field: sonicwall.firewall.dstname - ignore_missing: true - if: 'ctx.url?.path == null' - - - set: - field: url.full - value: '{{{ url.scheme }}}://{{{ url.domain }}}{{{ url.path }}}' - if: 'ctx.url?.scheme != null && ctx.url?.domain != null' - - - set: - field: url.full - value: '//{{{ url.domain }}}{{{ url.path }}}' - if: 'ctx.url?.scheme == null && ctx.url?.domain != null' - -# -# Related fields -# - - append: - field: related.ip - value: "{{{ source.ip }}}" - allow_duplicates: false - if: 'ctx.source?.ip != null' - - append: - field: related.ip - value: "{{{ source.nat.ip }}}" - allow_duplicates: false - if: 'ctx.source?.nat?.ip != null' - - append: - field: related.ip - value: "{{{ destination.ip }}}" - allow_duplicates: false - if: 'ctx.destination?.ip != null' - - append: - field: related.ip - value: "{{{ destination.nat.ip }}}" - allow_duplicates: false - if: 'ctx.destination?.nat?.ip != null' - - append: - field: related.ip - value: "{{{ observer.ip }}}" - allow_duplicates: false - if: 'ctx.observer?.ip != null' - - 
append: - field: related.user - value: "{{{ user.name }}}" - allow_duplicates: false - if: 'ctx.user?.name != null' -# -# Cleanup -# - - remove: - field: - - _conf - - _temp_ - - sonicwall.firewall.srcV6 - - sonicwall.firewall.dstV6 - - sonicwall.firewall.note - - sonicwall.firewall.c - ignore_failure: true - ignore_missing: true - - - remove: - field: sonicwall - if: 'ctx.sonicwall?.firewall?.size() == 0' - - - remove: - field: event.original - if: "ctx?.tags == null || !ctx.tags.contains('preserve_original_event')" - ignore_failure: true - ignore_missing: true - -on_failure: - - set: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/sonicwall_firewall/0.1.1/data_stream/log/fields/base-fields.yml b/packages/sonicwall_firewall/0.1.1/data_stream/log/fields/base-fields.yml deleted file mode 100755 index 016fb3dd86..0000000000 --- a/packages/sonicwall_firewall/0.1.1/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: sonicwall_firewall -- name: event.dataset - type: constant_keyword - description: Event dataset - value: sonicwall_firewall.log diff --git a/packages/sonicwall_firewall/0.1.1/data_stream/log/fields/beats.yml b/packages/sonicwall_firewall/0.1.1/data_stream/log/fields/beats.yml deleted file mode 100755 index 9275638f93..0000000000 --- a/packages/sonicwall_firewall/0.1.1/data_stream/log/fields/beats.yml +++ /dev/null 
@@ -1,15 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/sonicwall_firewall/0.1.1/data_stream/log/fields/ecs.yml b/packages/sonicwall_firewall/0.1.1/data_stream/log/fields/ecs.yml
deleted file mode 100755
index 7a9acc7d07..0000000000
--- a/packages/sonicwall_firewall/0.1.1/data_stream/log/fields/ecs.yml
+++ /dev/null
@@ -1,246 +0,0 @@
-- description: |-
- Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: destination.address
- type: keyword
-- description: Bytes sent from the destination to the source.
- name: destination.bytes
- type: long
-- description: |-
- The domain name of the destination system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: destination.domain
- type: keyword
-- description: City name.
- name: destination.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: destination.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: destination.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: destination.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: destination.geo.location
- type: geo_point
-- description: Region ISO code.
- name: destination.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: destination.geo.region_name
- type: keyword
-- description: IP address of the destination (IPv4 or IPv6).
- name: destination.ip
- type: ip
-- description: |-
- MAC address of the destination.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: destination.mac
- type: keyword
-- description: |-
- Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
- Typically used with load balancers, firewalls, or routers.
- name: destination.nat.ip
- type: ip
-- description: |-
- Port the source session is translated to by NAT Device.
- Typically used with load balancers, firewalls, or routers.
- name: destination.nat.port
- type: long
-- description: Packets sent from the destination to the source.
- name: destination.packets
- type: long
-- description: Port of the destination.
- name: destination.port
- type: long
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- HTTP request method.
- The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
- name: http.request.method
- type: keyword
-- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- name: log.level
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: |-
- Total bytes transferred in both directions.
- If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
- name: network.bytes
- type: long
-- description: |-
- Total packets transferred in both directions.
- If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
- name: network.packets
- type: long
-- description: |-
- In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`.
- The field value must be normalized to lowercase for querying.
- name: network.protocol
- type: keyword
-- description: |-
- Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
- The field value must be normalized to lowercase for querying.
- name: network.transport
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.egress.interface.name
- type: keyword
-- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
- name: observer.egress.zone
- type: keyword
-- description: Interface name as reported by the system.
- name: observer.ingress.interface.name
- type: keyword
-- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc.
- name: observer.ingress.zone
- type: keyword
-- description: Hostname of the observer.
- name: observer.hostname
- type: keyword
-- description: IP addresses of the observer.
- name: observer.ip
- type: ip
-- description: |-
- Custom name of the observer.
- This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization.
- If no custom name is needed, the field can be left empty.
- name: observer.name
- type: keyword
-- description: The product name of the observer.
- name: observer.product
- type: keyword
-- description: Observer serial number.
- name: observer.serial_number
- type: keyword
-- description: |-
- The type of the observer the data is coming from.
- There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
- name: observer.type
- type: keyword
-- description: Vendor name of the observer.
- name: observer.vendor
- type: keyword
-- description: All of the IPs seen on your event.
- name: related.ip
- type: ip
-- description: All the user names or other user identifiers seen on the event.
- name: related.user
- type: keyword
-- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
- name: rule.id
- type: keyword
-- description: The name of the rule or signature generating the event.
- name: rule.name
- type: keyword
-- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- name: source.address
- type: keyword
-- description: Bytes sent from the source to the destination.
- name: source.bytes
- type: long
-- description: |-
- The domain name of the source system.
- This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
- name: source.domain
- type: keyword
-- description: City name.
- name: source.geo.city_name
- type: keyword
-- description: Name of the continent.
- name: source.geo.continent_name
- type: keyword
-- description: Country ISO code.
- name: source.geo.country_iso_code
- type: keyword
-- description: Country name.
- name: source.geo.country_name
- type: keyword
-- description: Longitude and latitude.
- name: source.geo.location
- type: geo_point
-- description: Region ISO code.
- name: source.geo.region_iso_code
- type: keyword
-- description: Region name.
- name: source.geo.region_name
- type: keyword
-- description: IP address of the source (IPv4 or IPv6).
- name: source.ip
- type: ip
-- description: |-
- MAC address of the source.
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- name: source.mac
- type: keyword
-- description: |-
- Translated ip of source based NAT sessions (e.g. internal client to internet)
- Typically connections traversing load balancers, firewalls, or routers.
- name: source.nat.ip
- type: ip
-- description: |-
- Translated port of source based NAT sessions. (e.g. internal client to internet)
- Typically used with load balancers, firewalls, or routers.
- name: source.nat.port
- type: long
-- description: Packets sent from the source to the destination.
- name: source.packets
- type: long
-- description: Port of the source.
- name: source.port
- type: long
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: url.domain
- type: keyword
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.full
- type: wildcard
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: url.path
- type: wildcard
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: url.scheme
- type: keyword
-- description: Short name or login of the user.
- multi_fields:
- - name: text
- type: match_only_text
- name: user.name
- type: keyword
diff --git a/packages/sonicwall_firewall/0.1.1/data_stream/log/fields/package-fields.yml b/packages/sonicwall_firewall/0.1.1/data_stream/log/fields/package-fields.yml
deleted file mode 100755
index 9bf93ea54c..0000000000
--- a/packages/sonicwall_firewall/0.1.1/data_stream/log/fields/package-fields.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-- name: sonicwall.firewall
- type: group
- description: Vendor fields from SonicWall firewall logs
- fields:
- - name: Category
- type: keyword
- description: Category of CFS blocked content.
- - name: af_polid
- type: keyword
- description: Displays the Application Filter Policy ID.
- - name: app
- type: keyword
- description: Numeric application ID.
- - name: appName
- type: keyword
- description: Non-Signature Application Name.
- - name: appcat
- type: keyword
- description: Application control category.
- - name: appid
- type: keyword
- description: Application ID.
- - name: auditId
- type: keyword
- - name: code
- type: keyword
- description: CFS blocking code.
- - name: dpi
- type: boolean
- description: Indicates wether a flow underwent Deep Packet Inspection.
- - name: event_group_category
- type: keyword
- description: Event group category.
- - name: gcat
- type: keyword
- description: Event group category (numeric identifier).
- - name: ipscat
- type: keyword
- description: IPS category.
- - name: ipspri
- type: keyword
- description: IPS priority.
- - name: oldValue
- type: keyword
- - name: sess
- type: keyword
- description: User session type.
- - name: sid
- type: keyword
- description: IPS or Anti-Spyware signature ID.
- - name: tranxId
- type: keyword
- - name: type
- type: keyword
- description: ICMP type.
- - name: userMode
- type: keyword
- - name: uuid
- type: keyword
- description: Object UUID.
- - name: vpnpolicy
- type: keyword
- description: source VPN policy name.
- - name: vpnpolicyDst
- type: keyword
- description: destination VPN policy name.
diff --git a/packages/sonicwall_firewall/0.1.1/data_stream/log/manifest.yml b/packages/sonicwall_firewall/0.1.1/data_stream/log/manifest.yml
deleted file mode 100755
index dc29748332..0000000000
--- a/packages/sonicwall_firewall/0.1.1/data_stream/log/manifest.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-title: "SonicWall Firewall logs"
-type: logs
-streams:
- - input: udp
- template_path: udp.yml.hbs
- title: Syslog logs
- description: Collect logs via syslog
- vars:
- - name: syslog_host
- type: text
- title: Listen address
- description: |
- Address where the agent will accept syslog messages.
- Use 0.0.0.0 to receive syslog on all interfaces.
- multi: false
- required: true
- show_user: true
- default: 0.0.0.0
- - name: syslog_port
- type: integer
- title: Listen Port
- description: UDP Port where the Agent will receive syslog messages.
- multi: false
- required: true
- show_user: true
- default: 9514
- - input: logfile
- enabled: false
- template_path: logfile.yml.hbs
- title: Log files
- description: Collect logs from file
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/sonicwall-firewall.log
diff --git a/packages/sonicwall_firewall/0.1.1/data_stream/log/sample_event.json b/packages/sonicwall_firewall/0.1.1/data_stream/log/sample_event.json
deleted file mode 100755
index eba948c3f4..0000000000
--- a/packages/sonicwall_firewall/0.1.1/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,127 +0,0 @@ -{ - "@timestamp": "2022-05-16T08:18:39.000+02:00", - "agent": { - "ephemeral_id": "6cc3228b-d89c-4104-b750-d9cb44ed5513", - "id": "08a5caf6-a717-4f5f-90e2-0f4eb7c59b00", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "data_stream": { - "dataset": "sonicwall_firewall.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.193", - "mac": "00-17-C5-30-F9-D9", - "port": 64889 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "08a5caf6-a717-4f5f-90e2-0f4eb7c59b00", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - "action": "connection-denied", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "713", - "dataset": "sonicwall_firewall.log", - "ingested": "2022-05-23T13:47:58Z", - "kind": "event", - "outcome": "success", - "sequence": "692", - "severity": "7", - "timezone": "+02:00", - "type": [ - "connection", - "denied" - ] - }, - "input": { - "type": "udp" - }, - "log": { - "level": "debug", - "source": { - "address": "172.24.0.4:47831" - } - }, - "message": "� (TCP Flag(s): RST)", - "network": { - "bytes": 46, - "protocol": "https", - "transport": "tcp" - }, - "observer": { - "egress": { - "interface": { - "name": "X1" - }, - "zone": "Untrusted" - }, - "ingress": { - "interface": { - "name": "X1" - }, - "zone": "Untrusted" - }, - "ip": "10.0.0.96", - "name": "firewall", - "product": "SonicOS", - "serial_number": "0040103CE114", - "type": "firewall", - "vendor": "SonicWall" - }, - "related": { - "ip": [ - "10.0.0.96", - "81.2.69.193" - ], - "user": [ - "admin" - ] - }, - "rule": { - "id": "15 (WAN-\u003eWAN)" - }, - "sonicwall": { - "firewall": { - "app": "12", - "event_group_category": 
"Firewall Settings", - "gcat": "6", - "sess": "Web" - } - }, - "source": { - "bytes": 46, - "ip": "10.0.0.96", - "mac": "00-06-B1-DD-4F-D4", - "port": 443 - }, - "tags": [ - "sonicwall-firewall", - "forwarded" - ], - "user": { - "name": "admin" - } -} \ No newline at end of file diff --git a/packages/sonicwall_firewall/0.1.1/docs/README.md b/packages/sonicwall_firewall/0.1.1/docs/README.md deleted file mode 100755 index 9d152b95bb..0000000000 --- a/packages/sonicwall_firewall/0.1.1/docs/README.md +++ /dev/null 
@@ -1,311 +0,0 @@ -# SonicWall Firewall Integration - -This integration collects syslog messages from SonicWall firewalls. It has been tested with Enhanced -Syslog logs from SonicOS 6.5 and 7.0 as described in the [Log Events reference guide.](https://www.sonicwall.com/techdocs/pdf/sonicos-6-5-4-log-events-reference-guide.pdf) - -## Configuration - -Configure a Syslog Server in your firewall using the following options: - - **Name or IP Address:** The address where your Elastic Agent running this integration is reachable. - - **Port:** The Syslog port (UDP) configured in this integration. - - **Server Type:** Syslog Server. - - **Syslog Format:** Enhanced Syslog. - - **Syslog ID:** Change this default (`firewall`) if you need to differentiate between multiple firewalls. - This value will be stored in the `observer.name` field. - -It's recommended to enable the **Display UTC in logs (instead of local time)** setting under the -_Device > Settings > Time_ configuration menu. Otherwise you'll have to configure the **Timezone Offset** -setting of this integration to match the timezone configured in your firewall. - -Ensure proper connectivity between your firewall and Elastic Agent. 
- -## Supported messages - -This integration features generic support for enhanced syslog messages produced by SonicOS and features -more detailed ECS enrichment for the following messages: - -| Category | Subcategory | Message IDs | -|----------|-------------|-------------| -| Firewall | Access Rules | 440-442, 646, 647, 734, 735 | -| Firewall | Application Firewall | 793, 1654 | -| Firewall Settings | Advanced | 428, 1473, 1573, 1576, 1590 | -| Firewall Settings | Checksum Enforcement | 883-886, 1448, 1449 | -| Firewall Settings | FTP | 446, 527, 528, 538 | -| Firewall Settings | Flood Protection | 25, 856-860, 862-864, 897, 898, 901, 904, 905, 1180, 1213, 1214, 1366, 1369, 1450-1452 | -| Firewall Settings | Multicast | 683, 690, 694, 1233 | -| Firewall Settings | SSL Control | 999, 1001-1006, 1081 | -| High Availability | Cluster | 1149, 1152 | -| Log | Configuration Auditing | 1382, 1383, 1674 | -| Network | ARP | 45, 815, 1316 | -| Network | DNS | 1098, 1099 | -| Network | DNS Security | 1593 | -| Network | ICMP | 38, 63, 175, 182, 188, 523, 597, 598, 1254-1257, 1431, 1433, 1458 | -| Network | IP | 28, 522, 910, 1301-1303, 1429, 1430 | -| Network | IPcomp | 651-653 | -| Network | IPv6 Tunneling | 1253 | -| Network | Interfaces | 58 | -| Network | NAT | 339, 1197, 1436 | -| Network | NAT Policy | 1313-1315 | -| Network | Network Access | 41, 46, 98, 347, 524, 537, 590, 714, 1304 | -| Network | TCP | 36, 48, 173, 181, 580, 708, 709, 712, 713, 760, 887-896, 1029-1031, 1384, 1385, 1628, 1629 | -| Security Services | Anti-Spyware | 794-796 | -| Security Services | Anti-Virus | 123-125, 159, 408, 482 | -| Security Services | Application Control | 1154, 1155 | -| Security Services | Attacks | 22, 23, 27, 81-83, 177-179, 267, 606, 1373-1376, 1387, 1471 | -| Security Services | Botnet Filter | 1195, 1200, 1201, 1476, 1477, 1518, 1519 | -| Security Services | Content Filter | 14, 16, 1599-1601 | -| Security Services | Geo-IP Filter | 1198, 1199, 1474, 1475 | -| Security 
Services | IDP | 789, 790 | -| Security Services | IPS | 608, 609 | -| Security Services | Next-Gen Anti-Virus | 1559-1562 | -| Security Services | RBL Filter | 797, 798 | -| System | Administration | 340, 341 | -| System | Cloud Backup | 1511-1516 | -| System | Restart | 93-95, 164, 599-601, 1046, 1047, 1392, 1393 | -| System | Settings | 573, 574, 1049, 1065, 1066, 1160, 1161, 1268, 1269, 1336-1340, 1432, 1494, 1520, 1521, 1565-1568, 1636, 1637 | -| System | Status | 4, 53, 521, 1107, 1196, 1332, 1495, 1496 | -| Users | Authentication Access | 24, 29-35, 199, 200, 235-238, 246, 261-265, 328, 329, 438, 439, 486, 506-509, 520, 549-551, 557-562, 564, 583, 728, 729, 759, 986, 987, 994-998, 1008, 1035, 1048, 1080, 1117-1124, 1157, 1158, 1243, 1333-1335, 1341, 1342, 1517, 1570-1572, 1585, 1627, 1655, 1672 | -| Users | Radius Authentication | 243-245, 744-751, 753-757, 1011 | -| Users | SSO Agent Authentication | 988-991 | -| VPN | DHCP Relay | 229 | -| Wireless | RF Monitoring | 879 | -| Wireless | WLAN | 1363 | -| Wireless | WLAN IDS | 546, 548 | - -## Logs - -An example event for `log` looks as following: - -```json -{ - "@timestamp": "2022-05-16T08:18:39.000+02:00", - "agent": { - "ephemeral_id": "6cc3228b-d89c-4104-b750-d9cb44ed5513", - "id": "08a5caf6-a717-4f5f-90e2-0f4eb7c59b00", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.2.0" - }, - "data_stream": { - "dataset": "sonicwall_firewall.log", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.193", - "mac": "00-17-C5-30-F9-D9", - "port": 64889 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "08a5caf6-a717-4f5f-90e2-0f4eb7c59b00", - "snapshot": false, - "version": "8.2.0" - }, - "event": { - 
"action": "connection-denied", - "agent_id_status": "verified", - "category": [ - "network" - ], - "code": "713", - "dataset": "sonicwall_firewall.log", - "ingested": "2022-05-23T13:47:58Z", - "kind": "event", - "outcome": "success", - "sequence": "692", - "severity": "7", - "timezone": "+02:00", - "type": [ - "connection", - "denied" - ] - }, - "input": { - "type": "udp" - }, - "log": { - "level": "debug", - "source": { - "address": "172.24.0.4:47831" - } - }, - "message": "� (TCP Flag(s): RST)", - "network": { - "bytes": 46, - "protocol": "https", - "transport": "tcp" - }, - "observer": { - "egress": { - "interface": { - "name": "X1" - }, - "zone": "Untrusted" - }, - "ingress": { - "interface": { - "name": "X1" - }, - "zone": "Untrusted" - }, - "ip": "10.0.0.96", - "name": "firewall", - "product": "SonicOS", - "serial_number": "0040103CE114", - "type": "firewall", - "vendor": "SonicWall" - }, - "related": { - "ip": [ - "10.0.0.96", - "81.2.69.193" - ], - "user": [ - "admin" - ] - }, - "rule": { - "id": "15 (WAN-\u003eWAN)" - }, - "sonicwall": { - "firewall": { - "app": "12", - "event_group_category": "Firewall Settings", - "gcat": "6", - "sess": "Web" - } - }, - "source": { - "bytes": 46, - "ip": "10.0.0.96", - "mac": "00-06-B1-DD-4F-D4", - "port": 443 - }, - "tags": [ - "sonicwall-firewall", - "forwarded" - ], - "user": { - "name": "admin" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | -| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.interface.name | Interface name as reported by the system. | keyword | -| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.hostname | Hostname of the observer. | keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | -| observer.product | The product name of the observer. | keyword | -| observer.serial_number | Observer serial number. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| sonicwall.firewall.Category | Category of CFS blocked content. | keyword | -| sonicwall.firewall.af_polid | Displays the Application Filter Policy ID. 
| keyword | -| sonicwall.firewall.app | Numeric application ID. | keyword | -| sonicwall.firewall.appName | Non-Signature Application Name. | keyword | -| sonicwall.firewall.appcat | Application control category. | keyword | -| sonicwall.firewall.appid | Application ID. | keyword | -| sonicwall.firewall.auditId | | keyword | -| sonicwall.firewall.code | CFS blocking code. | keyword | -| sonicwall.firewall.dpi | Indicates wether a flow underwent Deep Packet Inspection. | boolean | -| sonicwall.firewall.event_group_category | Event group category. | keyword | -| sonicwall.firewall.gcat | Event group category (numeric identifier). | keyword | -| sonicwall.firewall.ipscat | IPS category. | keyword | -| sonicwall.firewall.ipspri | IPS priority. | keyword | -| sonicwall.firewall.oldValue | | keyword | -| sonicwall.firewall.sess | User session type. | keyword | -| sonicwall.firewall.sid | IPS or Anti-Spyware signature ID. | keyword | -| sonicwall.firewall.tranxId | | keyword | -| sonicwall.firewall.type | ICMP type. | keyword | -| sonicwall.firewall.userMode | | keyword | -| sonicwall.firewall.uuid | Object UUID. | keyword | -| sonicwall.firewall.vpnpolicy | source VPN policy name. | keyword | -| sonicwall.firewall.vpnpolicyDst | destination VPN policy name. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. 
| keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.packets | Packets sent from the source to the destination. | long | -| source.port | Port of the source. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| url.full.text | Multi-field of `url.full`. | match_only_text | -| url.original | Unmodified original url as seen in the event source. 
Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | - diff --git a/packages/sonicwall_firewall/0.1.1/img/dashboard.png b/packages/sonicwall_firewall/0.1.1/img/dashboard.png deleted file mode 100755 index 7c03fed3ad..0000000000 Binary files a/packages/sonicwall_firewall/0.1.1/img/dashboard.png and /dev/null differ diff --git a/packages/sonicwall_firewall/0.1.1/img/logo.svg b/packages/sonicwall_firewall/0.1.1/img/logo.svg deleted file mode 100755 index fb1aded68a..0000000000 --- a/packages/sonicwall_firewall/0.1.1/img/logo.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/sonicwall_firewall/0.1.1/kibana/dashboard/sonicwall_firewall-782e2cf0-d78f-11ec-bc4f-47419689dcde.json b/packages/sonicwall_firewall/0.1.1/kibana/dashboard/sonicwall_firewall-782e2cf0-d78f-11ec-bc4f-47419689dcde.json deleted file mode 100755 index 0591f6b1d5..0000000000 --- a/packages/sonicwall_firewall/0.1.1/kibana/dashboard/sonicwall_firewall-782e2cf0-d78f-11ec-bc4f-47419689dcde.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "attributes": { - "description": "Dashboard for SonicWall Firewall events", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"sonicwall_firewall.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"sonicwall_firewall.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"observer.name\",\"id\":\"1652981377419\",\"indexPatternRefName\":\"control_13a27ebe-963e-4539-9013-186e247e0b32_0_index_pattern\",\"label\":\"Firewall ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":true},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":4,\"i\":\"13a27ebe-963e-4539-9013-186e247e0b32\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"13a27ebe-963e-4539-9013-186e247e0b32\",\"title\":\"Filter by Firewall (Syslog 
ID)\",\"type\":\"visualization\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d6a337e6-588b-47b6-9414-c621dcf265c9\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d6a337e6-588b-47b6-9414-c621dcf265c9\":{\"columnOrder\":[\"412981b2-ba5e-4e78-a96b-c51be9ae8870\",\"4e72963e-8fc8-475c-88ad-bafcc38a726b\",\"abcd61b9-9bfc-45e6-8c71-3167174a8bcd\"],\"columns\":{\"412981b2-ba5e-4e78-a96b-c51be9ae8870\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of event.code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"abcd61b9-9bfc-45e6-8c71-3167174a8bcd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.code\"},\"4e72963e-8fc8-475c-88ad-bafcc38a726b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"dropPartials\":false,\"includeEmptyRows\":true,\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"abcd61b9-9bfc-45e6-8c71-3167174a8bcd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"abcd61b9-9bfc-45e6-8c71-3167174a8bcd\"],\"layerId\":\"d6a337e6-588b-47b6-9414-c621dcf265c9\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"412981b2-ba5e-4e78-a96b-c51be9ae8870\",\"xAccessor\":\"4e72963e-8fc8-475c-88ad-bafcc38a726b\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"b0ebfbc0-3fbd-4b2e-a6f8-7aee80e043b5\",\"w\":35,\"x\":13,\"y\":0},\"panelIndex\":\"b0ebfbc0-3fbd-4b2e-a6f8-7aee80e043b5\",\"title\":\"Event code 
histogram\",\"type\":\"lens\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2c3a0f47-236c-41cb-86e8-e8a27033d165\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"2ab93ebb-d843-4bdb-99a2-c55dd1b5c096\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2c3a0f47-236c-41cb-86e8-e8a27033d165\":{\"columnOrder\":[\"ac755b72-5005-416d-8da8-7001a2ba5366\",\"b988645c-c513-4755-b369-3f3787e6045d\"],\"columns\":{\"ac755b72-5005-416d-8da8-7001a2ba5366\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of observer.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b988645c-c513-4755-b369-3f3787e6045d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"observer.name\"},\"b988645c-c513-4755-b369-3f3787e6045d\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"2ab93ebb-d843-4bdb-99a2-c55dd1b5c096\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"sonicwall_firewall.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"sonicwall_firewall.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"ac755b72-5005-416d-8da8-7001a2ba5366\"},{\"columnId\":\"b988645c-c513-4755-b369-3f3787e6045d\"}],\"layerId\":\"2c3a0f47-236c-41cb-86e8-e8a27033d165\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"17735289-cfc4-429a-a5c5-f3d19df013dc\",\"w\":13,\"x\":0,\"y\":4},\"panelIndex\":\"17735289-cfc4-429a-a5c5-f3d19df013dc\",\"title\":\"Event count by 
firewall\",\"type\":\"lens\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"93ebdd92-cae8-455c-affe-191e18edcb95\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"geoField\\\":\\\"source.geo.location\\\",\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"SUPER_FINE\\\",\\\"id\\\":\\\"7dc5cffe-5449-4411-8838-f1a1076f3592\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"id\\\":\\\"d4d78e49-4c8e-4980-9cb9-581d6dc6b826\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"HEATMAP\\\",\\\"colorRampName\\\":\\\"theclassic\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"HEATMAP\\\"}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.88,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":19.94277},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15y\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"data_stream.dataset :\\\\\\\"sonicwall_firewall.log\\\\\\\" 
\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"customIcons\\\":[],\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":45,\"minLat\":0,\"minLon\":-90},\"mapCenter\":{\"lat\":46.36347,\"lon\":-7.06802,\"zoom\":2.88},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"a7718a64-7550-405a-8a75-4687c00dadde\",\"w\":24,\"x\":0,\"y\":14},\"panelIndex\":\"a7718a64-7550-405a-8a75-4687c00dadde\",\"title\":\"Network sources heat 
map\",\"type\":\"map\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"6e0adcd6-6a1b-4fdf-9e81-66ea18ac7577\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"EMS_VECTOR_TILE\\\"},{\\\"sourceDescriptor\\\":{\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"requestType\\\":\\\"heatmap\\\",\\\"resolution\\\":\\\"SUPER_FINE\\\",\\\"id\\\":\\\"bdae40c0-6caf-4ba2-b179-7202f1e2be60\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\",\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"applyForceRefresh\\\":true,\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"indexPatternRefName\\\":\\\"layer_1_source_index_pattern\\\"},\\\"id\\\":\\\"75e1e0df-43ff-4e14-9df2-4962c751d3bf\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":0.75,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"HEATMAP\\\",\\\"colorRampName\\\":\\\"theclassic\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"HEATMAP\\\"}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.39,\\\"center\\\":{\\\"lon\\\":-32.42476,\\\"lat\\\":25.69542},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-15y\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"data_stream.dataset :\\\\\\\"sonicwall_firewall.log\\\\\\\" 
\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"customIcons\\\":[],\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"title\":\"\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":40.9799,\"maxLon\":135,\"minLat\":0,\"minLon\":45},\"mapCenter\":{\"lat\":23.23703,\"lon\":86.01728,\"zoom\":3.15},\"openTOCDetails\":[\"75e1e0df-43ff-4e14-9df2-4962c751d3bf\"]},\"gridData\":{\"h\":15,\"i\":\"8e619b8c-80b2-46a8-8c9b-4581d3d14da5\",\"w\":24,\"x\":24,\"y\":14},\"panelIndex\":\"8e619b8c-80b2-46a8-8c9b-4581d3d14da5\",\"title\":\"Network destinations heat 
map\",\"type\":\"map\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-80a65bd8-af97-4b14-87dc-c8b2f7e847a8\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"3717b68f-f5ab-4598-9f39-4a723d91165c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"80a65bd8-af97-4b14-87dc-c8b2f7e847a8\":{\"columnOrder\":[\"4aff95fe-c475-4dbc-a230-22c2005daead\",\"a04c7483-85de-470a-a875-3b6336f57228\",\"ba0383c2-1472-45fb-a465-9125f7120a32\",\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\"],\"columns\":{\"4aff95fe-c475-4dbc-a230-22c2005daead\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 3 values of network.transport\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"network.transport\"},\"a04c7483-85de-470a-a875-3b6336f57228\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of network.protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.protocol\"},\"ba0383c2-1472-45fb-a465-9125f7120a32\":{\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Top 3 values of 
destination.port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"3717b68f-f5ab-4598-9f39-4a723d91165c\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"connection-start\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"connection-start\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"sonicwall_firewall.log\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ba0383c2-1472-45fb-a465-9125f7120a32\",\"4aff95fe-c475-4dbc-a230-22c2005daead\",\"a04c7483-85de-470a-a875-3b6336f57228\"],\"layerId\":\"80a65bd8-af97-4b14-87dc-c8b2f7e847a8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"palette\":{\"name\":\"positive\",\"type\":\"palette\"},\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"db14ebf1-c490-427c-bdde-d48da4496d45\",\"w\":19,\"x\":0,\"y\":29},\"panelIndex\":\"db14ebf1-c490-427c-bdde-d48da4496d45\",\"title\":\"Allowed connections by 
transport/protocol/destination.port\",\"type\":\"lens\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-951e4235-9dec-43ae-b400-bfe367e43e0b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"951e4235-9dec-43ae-b400-bfe367e43e0b\":{\"columnOrder\":[\"7200128d-9260-4e3f-a280-5cf5f9c84d33\",\"155e5ba9-caa5-4b01-a9c4-e53ac5ec7ce4\"],\"columns\":{\"155e5ba9-caa5-4b01-a9c4-e53ac5ec7ce4\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"7200128d-9260-4e3f-a280-5cf5f9c84d33\":{\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Top 5 values of source.ip\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"155e5ba9-caa5-4b01-a9c4-e53ac5ec7ce4\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7200128d-9260-4e3f-a280-5cf5f9c84d33\"},{\"columnId\":\"155e5ba9-caa5-4b01-a9c4-e53ac5ec7ce4\"}],\"layerId\":\"951e4235-9dec-43ae-b400-bfe367e43e0b\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":true},\"gridData\":{\"h\":15,\"i\":\"06b11f86-c986-4a30-b1da-1724529bf864\",\"w\":15,\"x\":19,\"y\":29},\"panelIndex\":\"06b11f86-c986-4a30-b1da-1724529bf864\",\"type\":\"lens\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpa
ttern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-287c2e25-3cb0-41d5-8bf8-ae1fb696173c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"287c2e25-3cb0-41d5-8bf8-ae1fb696173c\":{\"columnOrder\":[\"ae8e1a22-3aff-4ca8-9fcc-566bb87aa283\",\"2c8c78cf-034a-4278-9335-66f22dd19e4b\"],\"columns\":{\"2c8c78cf-034a-4278-9335-66f22dd19e4b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"ae8e1a22-3aff-4ca8-9fcc-566bb87aa283\":{\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Top 5 values of destination.ip\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2c8c78cf-034a-4278-9335-66f22dd19e4b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"sonicwall_firewall.log\\\" 
\"},\"visualization\":{\"columns\":[{\"columnId\":\"ae8e1a22-3aff-4ca8-9fcc-566bb87aa283\"},{\"columnId\":\"2c8c78cf-034a-4278-9335-66f22dd19e4b\"}],\"layerId\":\"287c2e25-3cb0-41d5-8bf8-ae1fb696173c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":true},\"gridData\":{\"h\":15,\"i\":\"f6292d23-c9c5-4798-b7bd-ab0630e0e2f0\",\"w\":14,\"x\":34,\"y\":29},\"panelIndex\":\"f6292d23-c9c5-4798-b7bd-ab0630e0e2f0\",\"type\":\"lens\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-80a65bd8-af97-4b14-87dc-c8b2f7e847a8\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"845be485-ea9d-4aac-a3bb-5d99702828cb\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"c4ae20da-36fc-4e3b-90fb-1f7ff301b979\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"80a65bd8-af97-4b14-87dc-c8b2f7e847a8\":{\"columnOrder\":[\"4aff95fe-c475-4dbc-a230-22c2005daead\",\"a04c7483-85de-470a-a875-3b6336f57228\",\"ba0383c2-1472-45fb-a465-9125f7120a32\",\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\"],\"columns\":{\"4aff95fe-c475-4dbc-a230-22c2005daead\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 3 values of network.transport\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"network.transport\"},\"a04c7483-85de-470a-a875-3b6336f57228\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of 
network.protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.protocol\"},\"ba0383c2-1472-45fb-a465-9125f7120a32\":{\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Top 3 values of destination.port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"845be485-ea9d-4aac-a3bb-5d99702828cb\",\"key\":\"event.category\",\"negate\":false,\"params\":[\"network\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.category\":\"network\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"c4ae20da-36fc-4e3b-90fb-1f7ff301b979\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"connection-denied\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"connection-denied\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"sonicwall_firewall.log\\\" 
\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"ba0383c2-1472-45fb-a465-9125f7120a32\",\"4aff95fe-c475-4dbc-a230-22c2005daead\",\"a04c7483-85de-470a-a875-3b6336f57228\"],\"layerId\":\"80a65bd8-af97-4b14-87dc-c8b2f7e847a8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"ec6161de-fac2-420d-9b3f-e2d2df2caf68\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"palette\":{\"name\":\"negative\",\"type\":\"palette\"},\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"b60bc6be-7082-43aa-8e3b-07468984046f\",\"w\":19,\"x\":0,\"y\":44},\"panelIndex\":\"b60bc6be-7082-43aa-8e3b-07468984046f\",\"title\":\"Denied connections by transport/protocol/destination.port\",\"type\":\"lens\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c8843882-29d4-4afd-8c11-eeae1800d40c\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"a2c0360d-161b-4a36-b16d-0cf33a37314f\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"8c9a9a40-b2ef-44e0-8afd-8ef613afb85e\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"d1a641a9-f4d4-459f-9723-b6a25d02680d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c8843882-29d4-4afd-8c11-eeae1800d40c\":{\"columnOrder\":[\"708e8def-b004-4b42-ad49-a88b44da0d8f\",\"f8fbcadb-7787-4e9b-9120-bf9dbd742beb\",\"046b793c-8c99-4656-a163-bac293b4c56c\"],\"columns\":{\"046b793c-8c99-4656-a163-bac293b4c56c\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"params\":{\"emptyAsNull\":true},\"scale\":\"ratio\",\"sourceField\":\"___records___\"},\"708e8def-b004-4b42-ad49-a88b44da0d8f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 5 values of user.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"046b793c-8c99-4656-a163-bac293b4c56c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"user.name\"},\"f8fbcadb-7787-4e9b-9120-bf9dbd742beb\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 2 values of event.outcome\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"fallback\":false,\"type\":\"alphabetical\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"parentFormat\":{\"id\":\"terms\"},\"size\":2},\"scale\":\"ordinal\",\"sourceField\":\"event.outcome\"}},\"incompleteColumns\":{}}}}},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"a2c0360d-161b-4a36-b16d-0cf33a37314f\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"sonicwall_firewall.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"sonicwall_firewall.log\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"8c9a9a40-b2ef-44e0-8afd-8ef613afb85e\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"authentication\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"authentication\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"d1a641a9-f4d4-459f-9723-b6a25d02680d\",\"key\":\"event.type\",\"negate\":false,\"params\":{\"query\":\"start\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.type\":\"start\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":
{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"046b793c-8c99-4656-a163-bac293b4c56c\"],\"layerId\":\"c8843882-29d4-4afd-8c11-eeae1800d40c\",\"layerType\":\"data\",\"palette\":{\"name\":\"status\",\"type\":\"palette\"},\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"f8fbcadb-7787-4e9b-9120-bf9dbd742beb\",\"xAccessor\":\"708e8def-b004-4b42-ad49-a88b44da0d8f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c46fce93-0b52-4617-b88d-703bc0a2d5e6\",\"w\":29,\"x\":19,\"y\":44},\"panelIndex\":\"c46fce93-0b52-4617-b88d-703bc0a2d5e6\",\"title\":\"Top authentications\",\"type\":\"lens\",\"version\":\"8.2.0\"},{\"embeddableConfig\":{\"columns\":[\"@timestamp\",\"event.action\",\"source.ip\",\"message\"],\"enhancements\":{},\"hidePanelTitles\":false,\"rowHeight\":0},\"gridData\":{\"h\":18,\"i\":\"ed04883d-ba56-4502-a905-046c874e4a72\",\"w\":48,\"x\":0,\"y\":59},\"panelIndex\":\"ed04883d-ba56-4502-a905-046c874e4a72\",\"panelRefName\":\"panel_ed04883d-ba56-4502-a905-046c874e4a72\",\"title\":\"Attack events\",\"type\":\"search\",\"version\":\"8.2.0\"}]", - "timeRestore": false, - "title": "[SonicWall Firewall] Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.2.0", - "id": "sonicwall_firewall-782e2cf0-d78f-11ec-bc4f-47419689dcde", - "migrationVersion": { - "dashboard": "8.2.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "13a27ebe-963e-4539-9013-186e247e0b32:control_13a27ebe-963e-4539-9013-186e247e0b32_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b0ebfbc0-3fbd-4b2e-a6f8-7aee80e043b5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b0ebfbc0-3fbd-4b2e-a6f8-7aee80e043b5:indexpattern-datasource-layer-d6a337e6-588b-47b6-9414-c621dcf265c9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "17735289-cfc4-429a-a5c5-f3d19df013dc:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "17735289-cfc4-429a-a5c5-f3d19df013dc:indexpattern-datasource-layer-2c3a0f47-236c-41cb-86e8-e8a27033d165", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "17735289-cfc4-429a-a5c5-f3d19df013dc:2ab93ebb-d843-4bdb-99a2-c55dd1b5c096", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a7718a64-7550-405a-8a75-4687c00dadde:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8e619b8c-80b2-46a8-8c9b-4581d3d14da5:layer_1_source_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db14ebf1-c490-427c-bdde-d48da4496d45:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db14ebf1-c490-427c-bdde-d48da4496d45:indexpattern-datasource-layer-80a65bd8-af97-4b14-87dc-c8b2f7e847a8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db14ebf1-c490-427c-bdde-d48da4496d45:3717b68f-f5ab-4598-9f39-4a723d91165c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "06b11f86-c986-4a30-b1da-1724529bf864:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "06b11f86-c986-4a30-b1da-1724529bf864:indexpattern-datasource-layer-951e4235-9dec-43ae-b400-bfe367e43e0b", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "f6292d23-c9c5-4798-b7bd-ab0630e0e2f0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f6292d23-c9c5-4798-b7bd-ab0630e0e2f0:indexpattern-datasource-layer-287c2e25-3cb0-41d5-8bf8-ae1fb696173c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b60bc6be-7082-43aa-8e3b-07468984046f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b60bc6be-7082-43aa-8e3b-07468984046f:indexpattern-datasource-layer-80a65bd8-af97-4b14-87dc-c8b2f7e847a8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b60bc6be-7082-43aa-8e3b-07468984046f:845be485-ea9d-4aac-a3bb-5d99702828cb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b60bc6be-7082-43aa-8e3b-07468984046f:c4ae20da-36fc-4e3b-90fb-1f7ff301b979", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c46fce93-0b52-4617-b88d-703bc0a2d5e6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c46fce93-0b52-4617-b88d-703bc0a2d5e6:indexpattern-datasource-layer-c8843882-29d4-4afd-8c11-eeae1800d40c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c46fce93-0b52-4617-b88d-703bc0a2d5e6:a2c0360d-161b-4a36-b16d-0cf33a37314f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c46fce93-0b52-4617-b88d-703bc0a2d5e6:8c9a9a40-b2ef-44e0-8afd-8ef613afb85e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c46fce93-0b52-4617-b88d-703bc0a2d5e6:d1a641a9-f4d4-459f-9723-b6a25d02680d", - "type": "index-pattern" - }, - { - "id": "sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde", - "name": "ed04883d-ba56-4502-a905-046c874e4a72:panel_ed04883d-ba56-4502-a905-046c874e4a72", - "type": "search" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/sonicwall_firewall/0.1.1/kibana/search/sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde.json b/packages/sonicwall_firewall/0.1.1/kibana/search/sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde.json deleted file mode 100755 index 091cadff7d..0000000000 --- a/packages/sonicwall_firewall/0.1.1/kibana/search/sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde.json +++ /dev/null @@ -1,49 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "source.ip", - "message" - ], - "description": "Saved search for attacks detected and blocked by SonicWall Firewall", - "grid": { - "columns": { - "event.action": { - "width": 134.5 - }, - "source.ip": { - "width": 126.25 - } - } - }, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.action\",\"negate\":false,\"params\":[\"attack-blocked\",\"attack-detected\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.action\":\"attack-blocked\"}},{\"match_phrase\":{\"event.action\":\"attack-detected\"}}]}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"sonicwall_firewall.log\\\" \"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "SonicWall Firewall attacks" - }, - "coreMigrationVersion": "8.2.0", - "id": "sonicwall_firewall-93af7ae0-d796-11ec-bc4f-47419689dcde", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file 
diff --git a/packages/sonicwall_firewall/0.1.1/manifest.yml b/packages/sonicwall_firewall/0.1.1/manifest.yml
deleted file mode 100755
index 82e3b862bc..0000000000
--- a/packages/sonicwall_firewall/0.1.1/manifest.yml
+++ /dev/null
@@ -1,72 +0,0 @@ -format_version: 1.0.0 -name: sonicwall_firewall -title: "SonicWall Firewall" -version: 0.1.1 -license: basic -release: beta -description: "Integration for SonicWall firewall logs" -type: integration -categories: - - network - - security -conditions: - kibana.version: "^8.2.0" -screenshots: - - src: /img/dashboard.png - title: Sample dashboard - size: 911x1531 - type: image/png -icons: - - src: /img/logo.svg - title: SonicWall logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: sample - title: Sample logs - description: Collect sample logs - inputs: - - type: udp - title: Collect logs via syslog - description: Collecting logs via syslog - - type: logfile - title: Collect logs from file - description: Collecting logs from file -vars: - - name: tz_offset - type: text - title: Timezone Offset - multi: false - required: true - show_user: true - default: local - description: >- - By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UTC. - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - sonicwall-firewall - - forwarded - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. 
This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - -owner: - github: elastic/security-external-integrations diff --git a/packages/symantec_endpoint/1.0.0/changelog.yml b/packages/symantec_endpoint/1.0.0/changelog.yml deleted file mode 100755 index c29df2b3f5..0000000000 --- a/packages/symantec_endpoint/1.0.0/changelog.yml +++ /dev/null @@ -1,26 +0,0 @@ -# newer versions go on top -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.0.4" - changes: - - description: Make field values conform to ECS - type: bugfix - link: https://github.com/elastic/integrations/pull/3330 -- version: "0.0.3" - changes: - - description: Make field values conform to ECS - type: bugfix - link: https://github.com/elastic/integrations/pull/3244 -- version: "0.0.2" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.0.1" - changes: - - description: Initial Release - type: enhancement - link: https://github.com/elastic/integrations/pull/2187 diff --git a/packages/symantec_endpoint/1.0.0/data_stream/log/agent/stream/logfile.yml.hbs b/packages/symantec_endpoint/1.0.0/data_stream/log/agent/stream/logfile.yml.hbs deleted file mode 100755 index f1500f2dbf..0000000000 --- a/packages/symantec_endpoint/1.0.0/data_stream/log/agent/stream/logfile.yml.hbs +++ /dev/null 
@@ -1,28 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} - -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' - remove_mapped_fields: {{remove_mapped_fields}} - -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/symantec_endpoint/1.0.0/data_stream/log/agent/stream/tcp.yml.hbs b/packages/symantec_endpoint/1.0.0/data_stream/log/agent/stream/tcp.yml.hbs deleted file mode 100755 index 9ef03795f9..0000000000 --- a/packages/symantec_endpoint/1.0.0/data_stream/log/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,25 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -max_message_size: 1 MiB - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} - -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' - remove_mapped_fields: {{remove_mapped_fields}} - -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/symantec_endpoint/1.0.0/data_stream/log/agent/stream/udp.yml.hbs b/packages/symantec_endpoint/1.0.0/data_stream/log/agent/stream/udp.yml.hbs deleted file mode 100755 index 9ef03795f9..0000000000 --- a/packages/symantec_endpoint/1.0.0/data_stream/log/agent/stream/udp.yml.hbs +++ /dev/null 
@@ -1,25 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -max_message_size: 1 MiB - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} - -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} - -fields_under_root: true -fields: - _conf: - tz_offset: '{{tz_offset}}' - remove_mapped_fields: {{remove_mapped_fields}} - -{{#if processors}} -processors: -{{processors}} -{{/if}} \ No newline at end of file diff --git a/packages/symantec_endpoint/1.0.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/symantec_endpoint/1.0.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 9616d31362..0000000000 --- a/packages/symantec_endpoint/1.0.0/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,1109 +0,0 @@ ---- -description: Pipeline for parsing Symantec Endpoint logs -processors: -- set: - field: event.original - copy_from: message - # Never override event.original (for the reindexing use case). - override: false - -- set: - field: ecs.version - value: '1.12.0' - -- grok: - description: Parse syslog header. - if: ctx.event.original.startsWith('<') - field: event.original - patterns: - - '^<%{NONNEGINT:log.syslog.priority:long}>(?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp})(?: %{SYSLOGFACILITY})?(?: %{SYSLOGHOST:log.syslog.hostname})?(?: %{SYSLOGPROG}:)? %{GREEDYDATA:message}' - - '^%{SYSLOG5424LINE}' - pattern_definitions: - SYSLOGPROG: '%{PROG:log.syslog.process.name}(?:\[%{POSINT:log.syslog.process.pid:long}\])?' - SYSLOG5424PRI: '<%{NONNEGINT:log.syslog.priority:long}>' - SYSLOG5424BASE: '%{SYSLOG5424PRI}%{NONNEGINT:log.syslog.version:long} +(?:-|%{TIMESTAMP_ISO8601:timestamp}) +(?:-|%{IPORHOST:log.syslog.hostname}) +(?:-|%{SYSLOG5424PRINTASCII:log.syslog.process.name}) +(?:-|%{POSINT:log.syslog.process.pid:long}) +(?:-|%{SYSLOG5424PRINTASCII:log.syslog.message_id}) +(?:-|%{SYSLOG5424SD:log.syslog.structured_data})?' - SYSLOG5424LINE: '%{SYSLOG5424BASE} +%{GREEDYDATA:message}' -- grok: - description: Parse date/severity from log file dump format. 
- if: ctx.event.original.startsWith('20') || ctx.event.original.startsWith('19') - field: event.original - patterns: - - '^%{TIMESTAMP_ISO8601:timestamp},%{LOG_SEVERITY:log.level},%{GREEDYDATA:message}' - pattern_definitions: - LOG_SEVERITY: '(?:%{LOGLEVEL}|[Cc]ritical|CRITICAL|[Mm]ajor|MAJOR|[Mm]inor|MINOR|[Ii]nfo|INFO|[Ww]arning|WARNING|[Ee]rror|ERROR|[Ff]atal|FATAL)' - ignore_failure: true -- date: - if: ctx?.timestamp != null - field: timestamp - target_field: "@timestamp" - formats: - - "MMM dd HH:mm:ss" - - "MMM d HH:mm:ss" - - "MMM d HH:mm:ss" - - ISO8601 - - "YYYY-dd-MM HH:mm:ss" - timezone: '{{{_conf.tz_offset}}}' -- remove: - ignore_missing: true - field: timestamp - -### -# Processing steps: -# 1. Parse the CSV into an array of column values. -# 2. Parse labels from each column if the value takes the form of 'Label Name: Some Value' or 'Label Name:'. -# 3. Fingerprint the message based by joining the labels separated by '|'. Use 'NONE' for columns without an embedded label. -# 4. Set 'event.provider' based on the message fingerprint. The different log types are listed in https://knowledge.broadcom.com/external/article?legacyId=tech171741#Administrative. -# 5. Handle columns without an embedded label. Based on the fingerprint, map unlabeled columns to a key. 
-### - -- csv: - field: message - empty_value: "" - target_fields: - - '_csv_array.00' - - '_csv_array.01' - - '_csv_array.02' - - '_csv_array.03' - - '_csv_array.04' - - '_csv_array.05' - - '_csv_array.06' - - '_csv_array.07' - - '_csv_array.08' - - '_csv_array.09' - - '_csv_array.10' - - '_csv_array.11' - - '_csv_array.12' - - '_csv_array.13' - - '_csv_array.14' - - '_csv_array.15' - - '_csv_array.16' - - '_csv_array.17' - - '_csv_array.18' - - '_csv_array.19' - - '_csv_array.20' - - '_csv_array.21' - - '_csv_array.22' - - '_csv_array.23' - - '_csv_array.24' - - '_csv_array.25' - - '_csv_array.26' - - '_csv_array.27' - - '_csv_array.28' - - '_csv_array.29' - - '_csv_array.30' - - '_csv_array.31' - - '_csv_array.32' - - '_csv_array.33' - - '_csv_array.34' - - '_csv_array.35' - - '_csv_array.36' - - '_csv_array.37' - - '_csv_array.38' - - '_csv_array.39' - - '_csv_array.40' - - '_csv_array.41' - - '_csv_array.42' - - '_csv_array.43' - - '_csv_array.44' - - '_csv_array.45' - - '_csv_array.46' - - '_csv_array.47' - - '_csv_array.48' - - '_csv_array.49' - - '_csv_array.50' - -- script: - description: Create array from CSV values. - tag: csv-map-to-array - lang: painless - source: | - def columnArray = []; - def sortedMap = new TreeMap(); - sortedMap.putAll(ctx._csv_array); - sortedMap.forEach((key, value) -> { - def v = value; - if (v.startsWith("'") && v.endsWith("'")) - { - v = v.substring(1, v.length() - 1); - } - columnArray.add(v); - }); - ctx['_csv_array'] = columnArray; - -- script: - description: Split colon separated key/values. 
- tag: split-colon-separated-key-value - lang: painless - source: | - def aliases = Collections.unmodifiableMap([ - 'computer': 'computer_name', - 'domain': 'domain_name', - 'end_time': 'end', - 'local': 'local_host_ip', - 'local_host': 'local_host_ip', - 'server_name': 'server', - 'user': 'user_name' - ]); - - def keyPattern = /^([a-zA-Z][a-zA-Z0-9 \(\)-]{0,28}):(?:\s(.+)|\s)?/; - def keyValue = [:]; - def fingerprint = []; - ctx._csv_array.forEach(v -> { - def m = keyPattern.matcher(v); - def key = 'NONE'; - if (m.matches()) { - key = m.group(1).toLowerCase().replace(' ', '_'); - key = /[\(\)]+/.matcher(key).replaceAll(''); - - def tmp = aliases[key]; - if (tmp != null) { - key = tmp; - } - - - def value = m.group(2); - if (value != null && !value.trim().isEmpty()) { - keyValue[key] = value.trim(); - } - } - - fingerprint.add(key); - return true; - }); - if (!keyValue.isEmpty()) { - ctx['_csv_map'] = keyValue; - } - ctx['_fingerprint'] = String.join("|", fingerprint); - -- remove: - field: message - ignore_missing: true - -### -# Note to maintainers: -# The fingerprints below can be generated by adding 'debug' to the tags field. -# This causes a new _fingerprint field to be added to the event. -### -- script: - description: Assign keys to unlabeled columns based on fingerprints. 
- lang: painless - params: - providers: - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Behavior - - name: 'Agent Behavior Log' - fingerprint: NONE|NONE|NONE|NONE|NONE|begin|end|rule|NONE|NONE|NONE|NONE|NONE|user_name|domain_name|action_type|file_size_bytes|device_id - event_category: [intrusion_detection, process] - columns: - - index: 1 - name: local_host_ip - - index: 2 - name: action - - index: 3 - name: event_description - - index: 4 - name: api_name - - index: 8 - name: caller_process_id - - index: 9 - name: caller_process_name - - index: 10 - name: caller_return_address - - index: 11 - name: caller_return_module_name - - index: 12 - name: parameters # name of the module, process, registry location or file - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Security - - name: 'Agent Security Log' - fingerprint: - - NONE|event_description|local_host_ip|local_host_mac|remote_host_name|remote_host_ip|remote_host_mac|NONE|NONE|intrusion_id|begin|end|occurrences|application|location|user_name|domain_name|local_port|remote_port|cids_signature_id|cids_signature_string|cids_signature_subid|intrusion_url|intrusion_payload_url|sha-256|md-5 - - NONE|event_description|local_host_ip|local_host_mac|remote_host_name|remote_host_ip|remote_host_mac|NONE|NONE|NONE|begin|end|occurrences|application|location|user_name|domain_name|local_port|remote_port|cids_signature_id|cids_signature_string|cids_signature_subid|intrusion_url|intrusion_payload_url|sha-256|md-5 - event_category: [intrusion_detection, network, process] - event_type: [connection] - columns: - - index: 7 - name: traffic_direction - - index: 8 - name: network_protocol - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Traffic - - name: 'Agent Traffic Log' - fingerprint: 
NONE|local_host_ip|local_port|local_host_mac|remote_host_ip|remote_host_name|remote_port|remote_host_mac|NONE|NONE|begin|end|occurrences|application|rule|location|user_name|domain_name|action|sha-256|md-5 - event_category: [intrusion_detection, network, process] - event_type: [connection] - columns: - - index: 9 - name: traffic_direction - - index: 8 - name: network_protocol - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Activity - - name: 'Agent Activity Log' - fingerprint: site|server|domain_name|NONE|NONE|NONE|NONE - columns: - - index: 3 - name: event_description - - index: 4 - name: local_host_name - - index: 5 - name: user_name - - index: 6 - name: domain_name - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Packet - - name: 'Agent Packet Log' - fingerprint: - - NONE|local_host_ip|local_port|remote_host_ip|remote_host_name|remote_port|NONE|application|action - event_category: [intrusion_detection, network, process] - event_type: [connection] - columns: - - index: 6 - name: traffic_direction - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_System - - name: 'Agent System Log' - fingerprint: - - NONE|category|NONE|NONE|event_time - columns: - - index: 2 - name: event_source - - index: 3 - name: event_description - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Administrative - - name: 'Administrative Log' - fingerprint: site|server|domain_name|admin|NONE - columns: - - index: 4 - name: event_description - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#System - - name: 'System Log' - fingerprint: site|server|NONE - columns: - - index: 2 - name: event_description - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Proactive_Detection - - name: 'Agent Proactive Detection Log' - fingerprint: 
NONE|computer_name|detection_type|first_seen|application_name|application_type|application_version|hash_type|application_hash|company_name|file_size_bytes|sensitivity|detection_score|coh_engine_version|NONE|permitted_application_reason|disposition|download_site|web_domain|downloaded_by|prevalence|confidence|url_tracking_status|risk_level|detection_source|source|risk_name|occurrences|NONE|NONE|actual_action|requested_action|secondary_action|event_time|inserted|end|domain_name|group|server|user_name|source_computer|source_ip - columns: - - index: 0 - name: event_description - - index: 16 - name: submission_recommended - - index: 28 - name: file_path - - index: 29 - name: description - - name: 'Agent Proactive Detection Log' - fingerprint: NONE|computer_name|ip_address|detection_type|first_seen|application_name|application_type|application_version|hash_type|application_hash|company_name|file_size_bytes|sensitivity|detection_score|coh_engine_version|NONE|permitted_application_reason|disposition|download_site|web_domain|downloaded_by|prevalence|confidence|url_tracking_status|risk_level|risk_type|source|risk_name|occurrences|NONE|NONE|actual_action|requested_action|secondary_action|event_time|inserted|end|domain_name|group|server|user_name|source_computer|source_ip|intensive_protection_level|certificate_issuer|certificate_signer|certificate_thumbprint|signing_timestamp|certificate_serial_number - columns: - - index: 0 - name: event_description - - index: 17 - name: submission_recommended - - index: 29 - name: file_path - - index: 30 - name: description - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Policy - - name: 'Policy Log' - fingerprint: site|server|domain_name|admin|event_description|NONE - columns: - - index: 5 - name: policy_name - # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Scan - - name: 'Agent Scan Log' - fingerprint: 
scan_id|begin|end|NONE|duration_seconds|user1|user2|NONE|scan_complete|command|threats|infected|total_files|omitted|computer_name|ip_address|domain_name|group|server - columns: - - index: 3 - name: action - - index: 7 - name: event_description - # https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Risk - - name: 'Agent Risk Log' - fingerprint: NONE|ip_address|computer_name|source|risk_name|occurrences|NONE|NONE|actual_action|requested_action|secondary_action|event_time|inserted|end|last_update_time|domain_name|group|server|user_name|source_computer|source_ip|disposition|download_site|web_domain|downloaded_by|prevalence|confidence|url_tracking_status|first_seen|sensitivity|permitted_application_reason|application_hash|hash_type|company_name|application_name|application_version|application_type|file_size_bytes|category_set|category_type|location|intensive_protection_level|certificate_issuer|certificate_signer|certificate_thumbprint|signing_timestamp|certificate_serial_number - columns: - - index: 0 - name: event_description - - index: 6 - name: file_path - source: | - // Assume first column is always the host.hostname. 
- def hostname = ctx._csv_array.get(0); - if (/[\.a-zA-Z0-9_-]+/.matcher(hostname).matches()) { - if (ctx?.host == null) { - ctx['host'] = [:]; - } - ctx['host']['hostname'] = hostname; - } - - def provider = null; - for (def p: params.providers) { - if (p.fingerprint == ctx._fingerprint || (p.fingerprint instanceof Collection && p.fingerprint.contains(ctx._fingerprint))) { - provider = p; - break; - } - } - if (provider == null) { return; } - - ctx['event']['provider'] = provider.name; - if (provider?.event_category != null) { - ctx['event']['category'] = new ArrayList(provider.event_category); - } - if (provider?.event_type!= null) { - ctx['event']['type'] = new ArrayList(provider.event_type); - } - for (def c : provider.columns) { - def v = ctx._csv_array.get(c.index).trim(); - if (!v.isEmpty()) { - ctx._csv_map[c.name] = v; - } - } - - -- rename: - field: _csv_map - target_field: symantec_endpoint.log - ignore_missing: true - -### -# BEGIN handling of Symantec Endpoint fields. -### - -# Action -- lowercase: - field: symantec_endpoint.log.action - ignore_missing: true -- set: - field: event.action - copy_from: symantec_endpoint.log.action - ignore_failure: true - -# Actual Action -- set: - if: ctx?.event?.action == null - field: event.action - copy_from: symantec_endpoint.log.actual_action - ignore_failure: true - -# Admin -- set: - field: user.name - copy_from: symantec_endpoint.log.admin - ignore_failure: true - -# Application -- set: - if: ctx?.process?.executable == null - field: process.executable - copy_from: symantec_endpoint.log.application - ignore_failure: true - -# Application Name -- set: - field: file.pe.product - copy_from: symantec_endpoint.log.application_name - ignore_failure: true - -# Application Version -- set: - field: file.pe.file_version - copy_from: symantec_endpoint.log.application_version - ignore_failure: true - -# Begin -- date: - field: symantec_endpoint.log.begin - target_field: event.start - ignore_failure: true - formats: - - 
yyyy-MM-dd HH:mm:ss - -# Caller MD-5 -- dissect: - tag: caller-md5 - field: symantec_endpoint.log.event_description - pattern: '%{} Caller MD5=%{process.hash.md5}' - ignore_failure: true - -# Caller Process ID -- convert: - field: symantec_endpoint.log.caller_process_id - target_field: process.pid - type: long - ignore_missing: true - on_failure: - - remove: - field: symantec_endpoint.log.caller_process_id - -# Caller Process Name -- set: - if: ctx?.process?.executable == null - field: process.executable - copy_from: symantec_endpoint.log.caller_process_name - ignore_failure: true - -# Certificate Issuer -- append: - if: ctx?.symantec_endpoint?.log?.certificate_issuer != null - field: file.x509.issuer.common_name - value: '{{{symantec_endpoint.log.certificate_issuer}}}' - -# Certificate Serial Number -- set: - field: file.x509.serial_number - copy_from: symantec_endpoint.log.certificate_serial_number - ignore_failure: true - - # Certificate Signer -- append: - if: ctx?.symantec_endpoint?.log?.certificate_signer != null - field: file.x509.issuer.common_name - value: '{{{symantec_endpoint.log.certificate_signer}}}' - -# Certificate Thumbprint (hex encoded sha1 hashes are 40 characters) -- lowercase: - if: ctx?.symantec_endpoint?.log?.certificate_thumbprint != null && ctx.symantec_endpoint.log.certificate_thumbprint.length() == 40 - field: symantec_endpoint.log.certificate_thumbprint - target_field: file.hash.sha1 - -# Company Name -- set: - field: file.pe.company - copy_from: symantec_endpoint.log.company_name - ignore_failure: true - -# Company Name -- set: - field: host.hostname - copy_from: symantec_endpoint.log.computer_name - override: false - ignore_failure: true - -# Domain Name -- set: - if: ctx?.user?.domain == null - field: user.domain - copy_from: symantec_endpoint.log.domain_name - ignore_failure: true - -# Downloaded by -- set: - if: ctx?.process?.executable == null - field: process.executable - copy_from: symantec_endpoint.log.downloaded_by - 
ignore_failure: true - -# Download site -- uri_parts: - field: symantec_endpoint.log.download_site - ignore_failure: true - -# Duration (seconds) -- convert: - field: symantec_endpoint.log.duration_seconds - target_field: event.duration - type: long - ignore_missing: true - ignore_failure: true -- script: - description: Convert event.duration from seconds to nanoseconds. - if: ctx?.event?.duration != null - lang: painless - source: - ctx.event['duration'] = ctx.event.duration * 1e9; - -# End -- date: - field: symantec_endpoint.log.end - target_field: event.end - ignore_failure: true - formats: - - yyyy-MM-dd HH:mm:ss - -# Event Description -- set: - field: message - copy_from: symantec_endpoint.log.event_description - ignore_failure: true - -# Event Time -- date: - if: ctx?.symantec_endpoint?.log?.event_time != null - field: symantec_endpoint.log.event_time - target_field: symantec_endpoint.log.event_time - ignore_failure: true - formats: - - yyyy-MM-dd HH:mm:ss - on_failure: - - remove: - field: symantec_endpoint.log.event_time -- set: - if: ctx?.symantec_endpoint?.log?.event_time != null - field: '@timestamp' - copy_from: symantec_endpoint.log.event_time - -# File Path -- set: - field: file.path - copy_from: symantec_endpoint.log.file_path - ignore_failure: true - -# File Size (bytes) -- convert: - field: symantec_endpoint.log.file_size_bytes - target_field: file.size - type: long - ignore_missing: true - ignore_failure: true - -# Infected -- convert: - field: symantec_endpoint.log.infected - type: long - ignore_missing: true - on_failure: - - remove: - field: symantec_endpoint.log.infected - -# Inserted -- date: - if: ctx?.symantec_endpoint?.log?.inserted != null - field: symantec_endpoint.log.inserted - target_field: symantec_endpoint.log.inserted - ignore_failure: true - formats: - - yyyy-MM-dd HH:mm:ss - on_failure: - - remove: - field: symantec_endpoint.log.inserted - -# Intrusion ID -- set: - field: rule.id - copy_from: symantec_endpoint.log.intrusion_id - 
ignore_failure: true - -# Intrusion Payload URL - -# Intrusion URL -- set: - field: url.original - copy_from: symantec_endpoint.log.intrusion_url - ignore_failure: true - -# IP Address -- append: - if: ctx?.symantec_endpoint.log?.ip_address != null - field: host.ip - value: '{{{symantec_endpoint.log.ip_address}}}' - allow_duplicates: false - -# Last Update Time (listed as always being in GMT) -- date: - if: ctx?.symantec_endpoint?.log?.last_update_time != null - field: symantec_endpoint.log.last_update_time - target_field: symantec_endpoint.log.last_update_time - formats: - - yyyy-MM-dd HH:mm:ss - on_failure: - - remove: - field: symantec_endpoint.log.last_update_time - -# Local Host IP -- set: - if: ctx?.symantec_endpoint?.log?.local_host_ip != null && ctx.symantec_endpoint.log.local_host_ip != "0.0.0.0" - field: source.address - copy_from: symantec_endpoint.log.local_host_ip - -# Local Host MAC -- set: - field: source.mac - copy_from: symantec_endpoint.log.local_host_mac - ignore_failure: true -- gsub: - field: source.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- remove: - if: ctx?.source?.mac == '000000000000' - field: source.mac -- gsub: - field: source.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: source.mac - ignore_missing: true - -# Local Host Name -- set: - if: ctx?.symantec_endpoint?.log?.local_host_name != "" - field: source.domain - copy_from: symantec_endpoint.log.local_host_name - ignore_failure: true - -# Local Port -- convert: - if: ctx?.symantec_endpoint?.log?.local_port != "0" - field: symantec_endpoint.log.local_port - target_field: source.port - type: long - ignore_failure: true - -# Location -- set: - field: source.geo.name - copy_from: symantec_endpoint.log.location - ignore_failure: true - -# MD-5 -- set: - field: process.hash.md5 - copy_from: symantec_endpoint.log.md-5 - ignore_failure: true -- lowercase: - field: process.hash.md5 - ignore_missing: true - -# Network 
Protocol (known as ECS network transport) -- set: - field: network.transport - copy_from: symantec_endpoint.log.network_protocol - ignore_failure: true -- lowercase: - field: network.transport - ignore_missing: true - -# Occurrences -- convert: - field: symantec_endpoint.log.occurrences - target_field: event.count - type: long - ignore_failure: true - -# Omitted -- convert: - field: symantec_endpoint.log.omitted - type: long - ignore_missing: true - on_failure: - - remove: - field: symantec_endpoint.log.omitted - -# Remote Host IP -- set: - if: ctx?.symantec_endpoint?.log?.remote_host_ip != null && ctx.symantec_endpoint.log.remote_host_ip != "0.0.0.0" - field: destination.address - copy_from: symantec_endpoint.log.remote_host_ip - -# Remote Host MAC -- set: - field: destination.mac - copy_from: symantec_endpoint.log.remote_host_mac - ignore_failure: true -- gsub: - field: destination.mac - pattern: '[-:.]' - replacement: '' - ignore_missing: true -- remove: - if: ctx?.destination?.mac == '000000000000' - field: destination.mac -- gsub: - field: destination.mac - pattern: '(..)(?!$)' - replacement: '$1-' - ignore_missing: true -- uppercase: - field: destination.mac - ignore_missing: true - -# Remote Host Name -- set: - if: ctx?.symantec_endpoint?.log?.remote_host_name != "" - field: destination.domain - copy_from: symantec_endpoint.log.remote_host_name - ignore_failure: true - -# Remote Port -- convert: - if: ctx?.symantec_endpoint?.log?.remote_port != "0" - field: symantec_endpoint.log.remote_port - target_field: destination.port - type: long - ignore_failure: true - -# Rule -- set: - field: rule.name - copy_from: symantec_endpoint.log.rule - ignore_failure: true - -# Sensitivity -- convert: - field: symantec_endpoint.log.sensitivity - type: long - ignore_missing: true - on_failure: - - remove: - field: symantec_endpoint.log.sensitivity - -# SHA-256 -- set: - field: process.hash.sha256 - copy_from: symantec_endpoint.log.sha-256 - ignore_failure: true -- lowercase: 
- field: process.hash.sha256 - ignore_missing: true - -# Signing Timestamp (Agent Risk Log) -- date: - if: ctx?.symantec_endpoint?.log?.signing_timestamp != null - field: symantec_endpoint.log.signing_timestamp - target_field: symantec_endpoint.log.signing_timestamp - formats: - - UNIX - on_failure: - - remove: - field: symantec_endpoint.log.signing_timestamp -- set: - field: file.x509.not_before - copy_from: symantec_endpoint.log.signing_timestamp - ignore_failure: true - -# Source Computer -- set: - field: source.domain - copy_from: symantec_endpoint.log.source_computer - ignore_failure: true - -# Source IP -- set: - field: source.address - copy_from: symantec_endpoint.log.source_ip - ignore_failure: true - -# Submission Recommended (Recommendation in the form of YES or NO on whether to submit this detection to Symantec or not.) -- set: - if: ctx?.symantec_endpoint?.log?.submission_recommended != null && ctx.symantec_endpoint.log.submission_recommended.toLowerCase().contains('yes') - field: symantec_endpoint.log.submission_recommended - value: true -- set: - if: ctx?.symantec_endpoint?.log?.submission_recommended != null && !ctx.symantec_endpoint.log.submission_recommended.toLowerCase().contains('yes') - field: symantec_endpoint.log.submission_recommended - value: false - -# Traffic Direction -# NOTE: inbound/outbound is changed to ingress/egress because this is a host -# based EDR and ECS guidelines say to use ingress/egress for hosts. 
-- set: - field: network.direction - copy_from: symantec_endpoint.log.traffic_direction - ignore_failure: true -- lowercase: - field: network.direction - ignore_missing: true -- set: - if: ctx?.network?.direction == "inbound" - field: network.direction - value: ingress -- set: - if: ctx?.network?.direction == "outbound" - field: network.direction - value: egress - -# Threats -- convert: - field: symantec_endpoint.log.threats - type: long - ignore_missing: true - on_failure: - - remove: - field: symantec_endpoint.log.threats - -# Total files -- convert: - field: symantec_endpoint.log.total_files - type: long - ignore_missing: true - on_failure: - - remove: - field: symantec_endpoint.log.total_files - -# User Name -- set: - field: user.name - copy_from: symantec_endpoint.log.user_name - ignore_failure: true - -# User1 -- set: - if: ctx?.symantec_endpoint?.log?.user1 != null && ctx?.user?.name == null - field: user.name - copy_from: symantec_endpoint.log.user1 - -### -# END handling of Symantec Endpoint fields. -### - -- remove: - if: ctx?._conf?.remove_mapped_fields == true - description: Remove symantec_endpoint.log fields that are mapped in some way to ECS. 
- ignore_missing: true - field: - - symantec_endpoint.log.action - - symantec_endpoint.log.actual_action - - symantec_endpoint.log.admin - - symantec_endpoint.log.application - - symantec_endpoint.log.application_name - - symantec_endpoint.log.application_version - - symantec_endpoint.log.begin - - symantec_endpoint.log.caller_process_id - - symantec_endpoint.log.caller_process_name - - symantec_endpoint.log.certificate_serial_number - - symantec_endpoint.log.certificate_thumbprint - - symantec_endpoint.log.company_name - - symantec_endpoint.log.domain_name - - symantec_endpoint.log.download_site - - symantec_endpoint.log.downloaded_by - - symantec_endpoint.log.duration_seconds - - symantec_endpoint.log.end - - symantec_endpoint.log.event_description - - symantec_endpoint.log.event_time - - symantec_endpoint.log.file_path - - symantec_endpoint.log.file_size_bytes - - symantec_endpoint.log.inserted - - symantec_endpoint.log.intrusion_id - - symantec_endpoint.log.intrusion_url - - symantec_endpoint.log.last_update_time - - symantec_endpoint.log.local_host_ip - - symantec_endpoint.log.local_host_mac - - symantec_endpoint.log.local_host_name - - symantec_endpoint.log.local_port - - symantec_endpoint.log.location - - symantec_endpoint.log.md-5 - - symantec_endpoint.log.network_protocol - - symantec_endpoint.log.occurrences - - symantec_endpoint.log.remote_host_ip - - symantec_endpoint.log.remote_host_mac - - symantec_endpoint.log.remote_host_name - - symantec_endpoint.log.remote_port - - symantec_endpoint.log.rule - - symantec_endpoint.log.sha-256 - - symantec_endpoint.log.signing_timestamp - - symantec_endpoint.log.source_computer - - symantec_endpoint.log.source_ip - - symantec_endpoint.log.submission_recommended - - symantec_endpoint.log.traffic_direction - - symantec_endpoint.log.user1 - - symantec_endpoint.log.user_name - -- remove: - description: Remove empty symantec_endpoint.log object. 
- if: ctx?.symantec_endpoint?.log != null && ctx.symantec_endpoint.log.isEmpty() - field: symantec_endpoint - ignore_missing: true - -# ECS Categorization -- set: - field: event.kind - value: event -- append: - description: Set event.type to allowed when activity is blocked. - if: ctx?.event?.action == 'blocked' || (ctx?.message != null && !ctx.message.contains('not blocked') && ctx.message.contains('blocked')) - field: event.type - value: denied - allow_duplicates: false -- append: - description: Set event.type to allowed when activity is not blocked. - if: ctx?.event?.action == 'not blocked' || (ctx?.message != null && ctx.message.contains('not blocked')) - field: event.type - value: allowed - allow_duplicates: false -- append: - if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on') - field: event.category - value: authentication -- append: - if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on') - field: event.type - value: info -- set: - if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on failed') - field: event.outcome - value: failure -- set: - if: ctx?.event?.provider == 'Administrative Log' && ctx.message.contains('log on succeeded') - field: event.outcome - value: success - -# Destination IP -- convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_missing: true - ignore_failure: true - -# Source IP -- convert: - field: source.address - target_field: source.ip - type: ip - ignore_missing: true - ignore_failure: true - -# Network Type -- set: - if: ctx?.source?.ip != null && !ctx.source.ip.contains(':') - field: network.type - value: ipv4 -- set: - if: ctx?.source?.ip != null && ctx.source.ip.contains(':') - field: network.type - value: ipv6 - -# Host IP -- append: - if: ctx?.source?.ip != null - field: host.ip - value: '{{{source.ip}}}' - allow_duplicates: false - -# Host MAC -- append: - if: ctx?.source?.mac != null - field: host.mac - 
value: '{{{source.mac}}}' - allow_duplicates: false - -# Host Hostname -- set: - field: host.hostname - copy_from: source.domain - override: false - ignore_failure: true - -# Host Name -- set: - field: host.name - copy_from: host.hostname - override: false - ignore_failure: true - -# Related IP -- append: - if: ctx?.source?.ip != null - field: related.ip - value: '{{{source.ip}}}' - allow_duplicates: false -- append: - if: ctx?.destination?.ip != null - field: related.ip - value: '{{{destination.ip}}}' - allow_duplicates: false - -# Related Hash -- append: - if: ctx?.file?.hash?.sha1 != null - field: related.hash - value: '{{{file.hash.sha1}}}' - allow_duplicates: true -- append: - if: ctx?.process?.hash?.md5 != null - field: related.hash - value: '{{{process.hash.md5}}}' - allow_duplicates: true -- append: - if: ctx?.process?.hash?.sha256 != null - field: related.hash - value: '{{{process.hash.sha256}}}' - allow_duplicates: true - -# Community ID -- community_id: - ignore_failure: true - -# IP Geolocation Lookup -- geoip: - if: ctx.source?.geo == null - field: source.ip - target_field: source.geo - ignore_missing: true -- geoip: - if: ctx.destination?.geo == null - field: destination.ip - target_field: destination.geo - ignore_missing: true - -# IP Autonomous System (AS) Lookup -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: 
destination.as.organization.name - ignore_missing: true - -- script: - # Local was assumed to be source and remote was assumed to be destination. - # But if direction is ingress then swap the two around. - description: Swap source/destination for "ingress". - tag: swap-source-destination-on-ingress - if: ctx?.network?.direction == "ingress" && ctx?.source != null && ctx?.destination != null - lang: painless - source: | - def tmp = ctx.source; - ctx.source = ctx.destination; - ctx.destination = tmp; - -- remove: - description: Retain event.original when preserve_original_event tag exists. - if: ctx?.tags == null || !ctx.tags.contains('preserve_original_event') - field: event.original - ignore_missing: true - -- remove: - if: ctx?.tags == null || !ctx.tags.contains('debug') - ignore_missing: true - field: - - _conf - - _csv_array - - _fingerprint - -on_failure: -- set: - field: error.message - value: 'processor {{ _ingest.on_failure_processor_type }}: {{ _ingest.on_failure_message }}' - -- remove: - if: ctx?.tags == null || !ctx.tags.contains('debug') - ignore_missing: true - field: - - _conf - - _csv_array - - _csv_map - - _fingerprint diff --git a/packages/symantec_endpoint/1.0.0/data_stream/log/fields/agent.yml b/packages/symantec_endpoint/1.0.0/data_stream/log/fields/agent.yml deleted file mode 100755 index c2cceee2d3..0000000000 --- a/packages/symantec_endpoint/1.0.0/data_stream/log/fields/agent.yml +++ /dev/null 
@@ -1,210 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: input.type - type: keyword - description: Input type. 
-- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/symantec_endpoint/1.0.0/data_stream/log/fields/base-fields.yml b/packages/symantec_endpoint/1.0.0/data_stream/log/fields/base-fields.yml deleted file mode 100755 index d5fd358e28..0000000000 --- a/packages/symantec_endpoint/1.0.0/data_stream/log/fields/base-fields.yml +++ /dev/null @@ -1,32 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: symantec_endpoint -- name: event.dataset - type: constant_keyword - description: Event dataset - value: symantec_endpoint.log -- name: "@timestamp" - type: date - description: Event timestamp. -- name: observer.vendor - type: constant_keyword - description: Vendor name of the observer. - value: Symantec -- name: observer.product - type: constant_keyword - description: The product name of the observer. - value: Endpoint Protection -- name: observer.type - type: constant_keyword - description: The type of the observer the data is coming from. - value: edr diff --git a/packages/symantec_endpoint/1.0.0/data_stream/log/fields/ecs.yml b/packages/symantec_endpoint/1.0.0/data_stream/log/fields/ecs.yml deleted file mode 100755 index 852bacf52f..0000000000 --- a/packages/symantec_endpoint/1.0.0/data_stream/log/fields/ecs.yml +++ /dev/null 
@@ -1,321 +0,0 @@ -- description: Unique container id. - name: container.id - type: keyword -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: Destination domain. - name: destination.domain - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: destination.geo.name - type: keyword -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - MAC address of the destination. 
- The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: destination.mac - type: keyword -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Name of the dataset. - If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. - It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. - name: event.dataset - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - Name of the module this data is coming from. - If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. - name: event.module - type: keyword -- description: event.start contains the date when the event started or when the activity was first observed. - name: event.start - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: SHA1 hash. - name: file.hash.sha1 - type: keyword -- description: Name of the file including the extension, without the directory. 
- name: file.name - type: keyword -- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. - multi_fields: - - name: text - type: match_only_text - name: file.path - type: keyword -- description: Internal company name of the file, provided at compile-time. - name: file.pe.company - type: keyword -- description: Internal version of the file, provided at compile-time. - name: file.pe.file_version - type: keyword -- description: Internal product name of the file, provided at compile-time. - name: file.pe.product - type: keyword -- description: |- - File size in bytes. - Only relevant when `file.type` is "file". - name: file.size - type: long -- description: List of common name (CN) of issuing certificate authority. - name: file.x509.issuer.common_name - type: keyword -- description: Time at which the certificate is first considered valid. - name: file.x509.not_before - type: date -- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - name: file.x509.serial_number - type: keyword -- description: |- - Original log level of the log event. - If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). - Some examples are `warn`, `err`, `i`, `informational`. - name: log.level - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. 
- name: message - type: match_only_text -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - Direction of the network traffic. - Recommended values are: - * ingress - * egress - * inbound - * outbound - * internal - * external - * unknown - - When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". - When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". - Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. - name: network.direction - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - name: network.transport - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - name: network.type - type: keyword -- description: Absolute path to the process executable. - multi_fields: - - name: text - type: match_only_text - name: process.executable - type: keyword -- description: MD5 hash. 
- name: process.hash.md5 - type: keyword -- description: SHA256 hash. - name: process.hash.sha256 - type: keyword -- description: |- - Process name. - Sometimes called program name or similar. - multi_fields: - - name: text - type: match_only_text - name: process.name - type: keyword -- description: Process id. - name: process.pid - type: long -- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). - name: related.hash - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - name: rule.id - type: keyword -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: |- - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: source.address - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Source domain. - name: source.domain - type: keyword -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. 
- name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: |- - User-defined description of a location, at the level of granularity they care about. - Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. - Not typically used in automated geolocation. - name: source.geo.name - type: keyword -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. - name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - MAC address of the source. - The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. - name: source.mac - type: keyword -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. 
- This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: |- - Name of the directory the user is a member of. - For example, an LDAP or Active Directory domain name. - name: user.domain - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword diff --git a/packages/symantec_endpoint/1.0.0/data_stream/log/fields/fields.yml b/packages/symantec_endpoint/1.0.0/data_stream/log/fields/fields.yml deleted file mode 100755 index 2c2cef565a..0000000000 --- a/packages/symantec_endpoint/1.0.0/data_stream/log/fields/fields.yml +++ /dev/null 
@@ -1,333 +0,0 @@ -- name: symantec_endpoint.log - type: group - fields: - - name: action - type: keyword - description: > - The action taken on the traffic, e.g. "Blocked". - - - name: actual_action - type: keyword - description: Actual action from risk logs and proactive detection (SONAR) logs. - - name: admin - type: keyword - description: Name of the SEPM admin. - - name: api_name - type: keyword - description: API name that was blocked (agent behavior log). - - name: application - type: keyword - description: The full path name of the application involved. - - name: application_hash - type: keyword - description: The hash for this application. - - name: application_name - type: keyword - description: The application name. - - name: application_type - type: keyword - description: Application type (Trojan, key logger etc). - - name: application_version - type: keyword - description: The application version. - - name: begin - type: keyword - description: Start time of the event (also see event.start). - - name: caller_process_id - type: keyword - description: The ID of the process that triggers the logging. - - name: caller_process_name - type: keyword - description: > - The full path name of the application involved. It may be empty if the application is unknown, or if OS itself is involved, or if no application is involved. Also, it may be empty if profile says, "don't log application name in raw traffic log". - - - name: caller_return_address - type: keyword - description: > - The return address of the caller. This field allows the detection of the calling module that makes the API call. - - This is historically not used. You can expect Return Address to always be 0. - - - name: caller_return_module_name - description: > - The module name of the caller. See CallerReturnAddress for more information. - - Return Module name is historically unused. 
You can expect Return Module name to always be "No Module Name" except where you see Sysplant when sysplant has started. - - type: keyword - - name: category - type: keyword - description: Agent system log category (generally not populated by SEPM). - - name: category_set - type: keyword - description: Agent risk log category. - - name: category_type - type: keyword - description: Agent risk log category type. - - name: certificate_issuer - type: keyword - description: The certificate's issuer. - - name: certificate_serial_number - type: keyword - description: The certificate's serial number. - - name: certificate_signer - type: keyword - description: The certificate's signer. - - name: certificate_thumbprint - type: keyword - description: The certificate's thumbprint. - - name: cids_signature_id - type: keyword - description: The signature ID. - - name: cids_signature_string - type: keyword - description: The signature name. - - name: cids_signature_subid - type: keyword - description: The signature sub ID. - - name: coh_engine_version - type: keyword - description: TruScan engine version. - - name: command - type: keyword - description: Command sent from the SEPM. - - name: company_name - type: keyword - description: The company name from the application (used in agent risk logs). - - name: computer_name - type: keyword - description: Name of the host machine (used in agent risk/scan logs). - - name: confidence - type: keyword - description: > - The Confidence level that produced the conviction. Examples: High, low, bad, trustworthy etc. "Confidence: There is strong evidence that this file is untrustworthy." - - - name: description - type: keyword - description: Description of the virus file. - - name: detection_score - type: keyword - description: Score of detection. - - name: detection_source - type: keyword - description: Source of the detection. - - name: detection_type - type: keyword - description: Type of detection (e.g. heuristic). 
- - name: device_id - type: keyword - description: The GUID of an external device (floppy disk, DVD, USB device, etc.). - - name: disposition - type: keyword - description: Good / Bad / Unknown / Not available. - - name: domain_name - type: keyword - description: SEPM domain name. - - name: download_site - type: keyword - description: The URL determined from where the image was downloaded. - - name: downloaded_by - type: keyword - description: The creator process of the dropper threat. - - name: duration_seconds - type: keyword - description: The length of the scan, in seconds. - - name: end - type: keyword - description: Start time of the event (also see event.end). - - name: event_description - type: keyword - description: Description of the event. Usually, the first line of the description is treated as the summary. - - name: event_source - type: keyword - description: The data source. NETPORT, NATSRV, Network Intrusion Protection System, LiveUpdate Manager etc. - - name: event_time - type: date - description: Time of event occurrence. - - name: file_path - type: keyword - description: The file path of the attacked file. - - name: file_size_bytes - type: keyword - description: File size of application. - - name: first_seen - type: keyword - description: The first seen date for the convicted application. - - name: group - type: keyword - description: SEPM client group name. - - name: hash_type - type: keyword - description: Application hash type (MD5, SHA1, SHA256 etc). - - name: infected - type: long - description: The number of files that the scan found that were infected. - - name: inserted - type: date - description: The time that the event was inserted into the database. - - name: intensive_protection_level - type: keyword - description: The High Intensity Detection Level. - - name: intrusion_id - type: keyword - description: Intrusion ID. - - name: intrusion_payload_url - type: keyword - description: The URL that hosted the payload. 
- - name: intrusion_url - type: keyword - description: The URL from the detection. - - name: ip_address - type: keyword - description: IP Address of the machine. - - name: last_update_time - type: date - description: The time on the server when the event is logged into the system or updated in the system (GMT). - - name: local_host - type: keyword - description: The host name of the client computer. - - name: local_host_ip - type: keyword - description: The IP address of the local computer. - - name: local_host_mac - type: keyword - description: The MAC address of the local computer. - - name: local_host_name - type: keyword - description: The host name of the client computer. - - name: local_port - type: keyword - description: The TCP/UDP port of the local computer. - - name: location - type: keyword - description: The location used when the event occurred. - - name: md-5 - type: keyword - description: The MD5 hash value. - - name: network_protocol - type: keyword - description: Localized string for Others/ TCP/ UDP/ ICMP. - - name: occurrences - type: keyword - description: The number of attacks. Sometime, when a hacker launches a mass attack, it may be reduced to one event by the log system, depending on the damper period. - - name: omitted - type: long - description: The number of files that were omitted. - - name: parameters - type: keyword - description: > - Parameters is the name of the module, process, registry location or file that was used in the API call. Each parameter was converted to string format and separated by one space character. Double quotation mark characters within the string are escaped with a \ character. - - As an example, in the SEPM ADC policy you may have a rule with a condition which monitors for Load DLL Attempts with the rule being applied to mscoree.dll. In this case, in the parameters field you'd expect to see C:\Windows\SysWOW64\mscoree.dll. 
- - - name: permitted_application_reason - type: keyword - description: Reason for allow listing (e.g. Symantec permitted application list, Administrator permitted application list). - - name: policy_name - type: keyword - description: Name of the policy. - - name: prevalence - type: keyword - description: Number of users that have seen this. - - name: remote_host_ip - type: keyword - description: The IP address of the remote computer. - - name: remote_host_mac - type: keyword - description: The MAC address of the remote computer. - - name: remote_port - type: keyword - description: The TCP/UDP port of the remote computer. - - name: requested_action - type: keyword - description: Requested action by policy. - - name: risk_level - type: keyword - description: The risk level (high, med, low) for the convicted threat. - - name: risk_name - type: keyword - - name: risk_type - type: keyword - description: Localized strings for Heuristic / Cookie / Admin Black List / BPE / System Change / N/A. - - name: rule - type: keyword - description: > - The name of the rule that was triggered by the event. - - If the rule name is not specified in the security rule, then this field is empty. Having the rule name can be useful for troubleshooting. You may recognize a rule by the rule ID, but rule name can help you recognize it more quickly. - - - name: scan_complete - type: keyword - description: Scan message when scan ended. - - name: scan_id - type: keyword - description: The scan ID provided by the agent. - - name: secondary_action - type: keyword - description: Secondary action requested by policy - - name: sensitivity - type: long - description: Engine sensitivity that produced this detection - - name: server - type: keyword - description: Name of the server. - - name: server_name - type: keyword - description: Name of the server. - - name: sha-256 - type: keyword - description: The SHA-256 hash value. 
- - name: signing_timestamp - type: date - description: The certificate's signature timestamp. - - name: site - type: keyword - description: SEPM site name. - - name: source - type: keyword - description: Scan source (e.g. scheduled). - - name: source_computer - type: keyword - description: Computer name where this event occurred. - - name: source_ip - type: keyword - description: IP address of the machine on which the event occurred. - - name: submission_recommended - type: boolean - description: Recommendation on whether to submit this detection to Symantec. - - name: threats - type: long - description: The number of threats that the scan found. - - name: total_files - type: long - description: The number of files scanned. - - name: traffic_direction - type: keyword - description: Unknown / Inbound / Outbound - - name: url_tracking_status - type: keyword - description: Network intrusion prevention status - - name: user1 - type: keyword - description: User when scan started. - - name: user2 - type: keyword - description: User when scan ended. - - name: user_name - type: keyword - - name: web_domain - type: keyword - description: The web domain. -- name: log.syslog.hostname - type: keyword - description: Hostname parsed from syslog header. -- name: log.syslog.process.name - type: keyword -- name: log.syslog.process.pid - type: long -- name: log.syslog.priority - type: long -- name: log.syslog.version - type: long -- name: log.syslog.structured_data - type: flattened diff --git a/packages/symantec_endpoint/1.0.0/data_stream/log/manifest.yml b/packages/symantec_endpoint/1.0.0/data_stream/log/manifest.yml deleted file mode 100755 index e24087b13b..0000000000 --- a/packages/symantec_endpoint/1.0.0/data_stream/log/manifest.yml +++ /dev/null 
@@ -1,190 +0,0 @@ -title: Symantec Endpoint Protection (SEP) Logs -type: logs -release: beta -streams: - - input: udp - template_path: udp.yml.hbs - title: SEP logs (syslog over UDP) - description: Collect Symantec Endpoint Protection (SEP) logs over UDP. - enabled: true - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: listen_port - type: integer - title: Listen Port - description: The UDP port number to listen on. - multi: false - required: true - show_user: true - default: 9008 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - symantec-endpoint-log - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - name: remove_mapped_fields - required: true - show_user: false - title: Remove fields mapped to ECS - description: Remove symantec_endpoint.log fields that have been used to populate ECS fields. 
This reduces the size of events by removing duplicated data. - type: bool - multi: false - default: false - - input: tcp - template_path: tcp.yml.hbs - title: SEP logs (syslog over TCP) - description: Collect Symantec Endpoint Protection (SEP) logs over TCP. - enabled: false - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9008 - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: ssl - type: yaml - title: TLS - description: Options for enabling TLS for the listening TCP socket. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. - multi: false - required: false - show_user: false - default: | - enabled: false - certificate: "/etc/pki/client/cert.pem" - key: "/etc/pki/client/cert.key" - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - symantec-endpoint-log - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. 
This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - - name: remove_mapped_fields - required: true - show_user: false - title: Remove fields mapped to ECS - description: Remove symantec_endpoint.log fields that have been used to populate ECS fields. This reduces the size of events by removing duplicated data. - type: bool - multi: false - default: false - - input: logfile - template_path: logfile.yml.hbs - title: SEP logs (from file) - description: Collect Symantec Endpoint Protection (SEP) logs from a file. - enabled: false - vars: - - name: paths - type: text - title: Paths - multi: true - required: false - show_user: true - default: - - 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\*.log' - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - symantec-endpoint-log - - forwarded - - name: tz_offset - type: text - title: Timezone - multi: false - required: false - show_user: false - default: UTC - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. - - name: remove_mapped_fields - required: true - show_user: false - title: Remove fields mapped to ECS - description: Remove symantec_endpoint.log fields that have been used to populate ECS fields. This reduces the size of events by removing duplicated data. - type: bool - multi: false - default: false diff --git a/packages/symantec_endpoint/1.0.0/data_stream/log/sample_event.json b/packages/symantec_endpoint/1.0.0/data_stream/log/sample_event.json deleted file mode 100755 index 080bd684ef..0000000000 
--- a/packages/symantec_endpoint/1.0.0/data_stream/log/sample_event.json
+++ /dev/null
@@ -1,117 +0,0 @@
-{
- "process": {
- "executable": "C:/WINDOWS/system32/NTOSKRNL.EXE",
- "hash": {
- "sha256": "5379732000000000000000000000000000000000000000000000000000000000",
- "md5": "53797320000000000000000000000000"
- }
- },
- "log": {
- "syslog": {
- "process": {
- "name": "myproc",
- "pid": 8710
- },
- "hostname": "192.0.2.1",
- "priority": 165,
- "version": 1
- }
- },
- "destination": {
- "geo": {
- "name": "Default"
- },
- "address": "192.168.1.113",
- "port": 80,
- "mac": "CC-F9-E4-A9-12-26",
- "ip": "192.168.1.113"
- },
- "rule": {
- "name": "Block Unapproved Incoming Ports"
- },
- "source": {
- "address": "192.168.1.1",
- "port": 33424,
- "mac": "2C-3A-FD-A7-9E-71",
- "ip": "192.168.1.1"
- },
- "tags": [
- "forwarded",
- "preserve_original_event"
- ],
- "network": {
- "community_id": "1:TbyoH4bYJO0/cP/YShIpq9J+Z3s=",
- "transport": "tcp",
- "type": "ipv4",
- "direction": "ingress"
- },
- "@timestamp": "2021-11-16T12:14:15.000Z",
- "ecs": {
- "version": "1.12.0"
- },
- "related": {
- "hash": [
- "53797320000000000000000000000000",
- "5379732000000000000000000000000000000000000000000000000000000000"
- ],
- "ip": [
- "192.168.1.113",
- "192.168.1.1"
- ]
- },
- "host": {
- "name": "host-rfc5424",
- "hostname": "host-rfc5424",
- "mac": [
- "CC-F9-E4-A9-12-26"
- ],
- "ip": [
- "192.168.1.113"
- ]
- },
- "symantec_endpoint": {
- "log": {
- "occurrences": "4",
- "sha-256": "5379732000000000000000000000000000000000000000000000000000000000",
- "local_port": "80",
- "user_name": "sampleuser4",
- "remote_port": "33424",
- "rule": "Block Unapproved Incoming Ports",
- "md-5": "53797320000000000000000000000000",
- "network_protocol": "TCP",
- "traffic_direction": "Inbound",
- "remote_host_ip": "192.168.1.1",
- "remote_host_mac": "2C3AFDA79E71",
- "domain_name": "SMPL",
- "application": "C:/WINDOWS/system32/NTOSKRNL.EXE",
- "local_host_ip": "192.168.1.113",
- "action": "blocked",
- "end": "2020-11-11 19:25:28",
- "location": "Default",
- "local_host_mac": 
"CCF9E4A91226",
- "begin": "2020-11-11 19:25:21"
- }
- },
- "event": {
- "original": "\u003c165\u003e1 2021-11-16T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - host-rfc5424,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 33424,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 19:25:21,End Time: 2020-11-11 19:25:28,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
- "provider": "Agent Traffic Log",
- "kind": "event",
- "start": "2020-11-11T19:25:21.000Z",
- "count": 4,
- "action": "blocked",
- "end": "2020-11-11T19:25:28.000Z",
- "category": [
- "intrusion_detection",
- "network",
- "process"
- ],
- "type": [
- "connection",
- "denied"
- ]
- },
- "user": {
- "name": "sampleuser4",
- "domain": "SMPL"
- }
-}
\ No newline at end of file
diff --git a/packages/symantec_endpoint/1.0.0/docs/README.md b/packages/symantec_endpoint/1.0.0/docs/README.md
deleted file mode 100755
index b36bc33b35..0000000000
--- a/packages/symantec_endpoint/1.0.0/docs/README.md
+++ /dev/null
@@ -1,472 +0,0 @@ -# Symantec Endpoint Protection Integration - -This integration is for Symantec Endpoint Protection (SEP) logs. It can be used -to receive logs sent by SEP over syslog or read logs exported to a text file. - -The log message is expected to be in CSV format. Syslog RFC3164 and RCF5424 -headers are allowed and will be parsed if present. The data is mapped to -ECS fields where applicable and the remaining fields are written under -`symantec_endpoint.log.*`. - -If a specific SEP log type is detected then `event.provider` is set (e.g. -`Agent Traffic Log`). - -## Syslog setup steps - -1. Enable this integration with the UDP input. -2. If the Symantec management server and Elastic Agent are running on different -hosts then configure the integration to listen on 0.0.0.0 so that it will accept -UDP packets on all interfaces. This makes the listening port reachable by the -Symantec server. -3. Configure the Symantec management server to send syslog to the Elastic Agent -that is running this integration. See [_Exporting data to a Syslog server_]( -https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-data-to-a-syslog-server-v8442743-d15e1107.html) -in the SEP guide. Use the IP address or hostname of the Elastic Agent as the -syslog server address. And use the listen port as the destination port (default -is 9008). - -## Log file setup steps - -1. Configure the Symantec management server to export log data to a text file. -See [Exporting log data to a text file](https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-log-data-to-a-text-file-v8440135-d15e1197.html). -2. Enable this integration with the log file input. 
Configure the input to -read from the location where the log files are being written. The default is -`C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\*.log`. - -Logs exported to text file always begin with the event time and severity -columns (e.g. `2020-01-16 08:00:31,Critical,...`). - -## Log samples - -Below are samples of some different SEP log types. These examples have had their -syslog header removed, but when sent over syslog these lines typically -begin with an RFC3164 header like -`<51>Oct 3 10:38:14 symantec.endpointprotection.test SymantecServer: ` - -### Administrative Log - -Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=tech171741#Administrative - -`Site: SEPSite,Server: SEPServer,Domain: _domainOrigin,Admin: _originUser,Administrator log on succeeded` - -### Agent Activity Log - -Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Activity - -`Site: SEPSite,Server Name: exampleserver,Domain Name: Default,The management server received the client log successfully,TESTHOST01,sampleuser01,sample.example.com` - -### Agent Behavior Log - -Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Behavior - -`exampleserver,216.160.83.57,Blocked,[AC7-2.1] Block scripts - Caller MD5=d73b04b0e696b0945283defa3eee4538,File Write,Begin: 2019-09-06 15:18:56,End: 2019-09-06 15:18:56,Rule: Rule Name,9552,C:/ProgramData/bomgar-scc-0x5d4162a4/bomgar-scc.exe,0,No Module Name,C:/ProgramData/bomgar-scc-0x5d4162a4/start-cb-hook.bat,User: _originUser,Domain: _domainOrigin,Action Type: ,File size (bytes): 1403,Device ID: SCSI\Disk&Ven_WDC&Prod_WD10SPCX-75KHST0\4&1d8ead7a&0&000200` - -### Agent Packet Log - -Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=tech171741#Agent_Packet - -`exampleserver,Local Host: 81.2.69.143,Local Port: 138,Remote Host IP: 81.2.69.144.,Remote Host Name: ,Remote Port: 
138,Outbound,Application: C:/windows/system32/NTOSKRNL.EXE,Action: Blocked` - -### Agent Proactive Detection Log - -Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Proactive_Detection - -`Potential risk found,Computer name: exampleComputer,Detection type: Heuristic,First Seen: Symantec has known about this file approximately 2 days.,Application name: Propsim,Application type: 127,"Application version: ""3",0,6,"0""",Hash type: SHA-256,Application hash: SHA#1234567890,Company name: Dummy Technologies,File size (bytes): 343040,Sensitivity: 2,Detection score: 3,COH Engine Version: 8.1.1.1,Detection Submissions No,Permitted application reason: MDS,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: c:/programdata/oracle/java/javapath_target_2151967445/Host126,Prevalence: Unknown,Confidence: There is not enough information about this file to recommend it.,URL Tracking Status: Off,Risk Level: High,Detection Source: N/A,Source: Heuristic Scan,Risk name: ,Occurrences: 1,f:\user\workspace\baseline package creator\release\Host214,'',Actual action: Left alone,Requested action: Left alone,Secondary action: Left alone,Event time: 2018-02-16 08:01:33,Inserted: 2018-02-16 08:02:52,End: 2018-02-16 08:01:33,Domain: Default,Group: My Company\SEPM Group Name,Server: SEPMServer,User: exampleUser,Source computer: ,Source IP:` - -### Agent Risk Log - -Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Risk - -`Security risk found,IP Address: 1.128.3.4,Computer name: exampleComputer,Source: Auto-Protect scan,Risk name: WS.Reputation.1,Occurrences: 1,e:\removablemediaaccessutility.exe,,Actual action: All actions failed,Requested action: Process terminate pending restart,Secondary action: Left alone,Event time: 2019-09-03 08:12:25,Inserted: 2019-09-03 08:14:03,End: 2019-09-03 08:12:25,Last update time: 2019-09-03 08:14:03,Domain: SEPMServerDoman,Group: My Company\GroupName,Server: 
SEPMServerName,User: exampleUser,Source computer: ,Source IP: ,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: e:/removablemediaaccessutility.exe,Prevalence: This file has been seen by fewer than 5 Symantec users.,Confidence: There is some evidence that this file is untrustworthy.,URL Tracking Status: On,First Seen: Symantec has known about this file approximately 2 days.,Sensitivity: ,Permitted application reason: Not on the permitted application list,Application hash: SHA#1234567890,Hash type: SHA2,Company name: Company Name,Application name: Client for Symantec Endpoint Encryption,Application version: 11.1.2 (Build 1248),Application type: 127,File size (bytes): 4193981,Category set: Malware,Category type: Insight Network Threat,Location: GD-OTS Unmanaged Client - Online,Intensive Protection Level: 0,Certificate issuer: Symantec Corporation,Certificate signer: VeriSign Class 3 Code Signing 2010 CA,Certificate thumbprint: AB6EF1497C6E1C8CCC12F06E945A4954FB41AD45,Signing timestamp: 1482491555,Certificate serial number: AB2D17E62E571F288ACB5666FD3C5230` - -### Agent Scan Log - -Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Scan - -`Scan ID: 123456789,Begin: 2020-01-31 11:35:28,End: 2020-01-31 11:45:28,Started,Duration (seconds): 600,User1: exampleUser,User2: SYSTEM,Scan started on selected drives and folders and all extensions.,Scan Complete: Risks: 0 Scanned: 916 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 0,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 916,Omitted: 0,Computer: _destinationHostname,IP Address: 1.128.3.4,Domain: exampleDomain,Group: Company\US\UserWS\Main Office,Server: SEPServer` - -### Agent Security Log - -Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Security - -`server03,Event Description: ARP Cache Poison,Local Host IP: 0.0.0.0,Local Host MAC: 2DFF88AABBDC,Remote Host Name: ,Remote Host IP: 
0.0.0.0,Remote Host MAC: AABBCCDDEEFF,Inbound,Unknown,Intrusion ID: 0,Begin: 2020-11-23 13:56:35,End Time: 2020-11-23 13:56:35,Occurrences: 1,Application: ,Location: Remote,User Name: bobby,Domain Name: local,Local Port: 0,Remote Port: 0,CIDS Signature ID: 99990,CIDS Signature string: ARP Cache Poison,CIDS Signature SubID: 0,Intrusion URL: ,Intrusion Payload URL: ,SHA-256: ,MD-5:` - -### Agent System Log - -Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_System - -`exampleHostname,Category: 0,CVE,New content update failed to download from the management server. Remote file path: https://server:443/content/{02335EF8-ADE1-4DD8-9F0F-2A9662352E65}/190815061/xdelta190815061_To_190816061.dax,Event time: 2019-08-19 07:14:38` - -### Agent Traffic Log - -Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Traffic - -`host-plaintext,Local Host IP: 216.160.83.61,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 216.160.83.61,Remote Host Name: ,Remote Port: 33424,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 19:25:21,End Time: 2020-11-11 19:25:28,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000` - -### Policy Log - -Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Policy - -`Site: SEPSite,Server: exampleHostname,Domain: exampleDomain,Admin: exampleAdmin,Event Description: Policy has been edited: Edited shared Intrusion Prevention policy: SEPPolicyName,SEPPolicyName` - -### System Log - -Vendor documentation: https://knowledge.broadcom.com/external/article?legacyId=TECH171741#System - -`Site: SEPSite,Server: exampleHostname,Symantec Endpoint Protection Manager could not update Intrusion 
Prevention Signatures 14.0.` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. 
| keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.domain | Destination domain. | keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. 
| keyword | -| event.start | event.start contains the date when the event started or when the activity was first observed. | date | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.name | Name of the file including the extension, without the directory. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. | match_only_text | -| file.pe.company | Internal company name of the file, provided at compile-time. | keyword | -| file.pe.file_version | Internal version of the file, provided at compile-time. | keyword | -| file.pe.product | Internal product name of the file, provided at compile-time. | keyword | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| file.x509.not_before | Time at which the certificate is first considered valid. | date | -| file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | -| log.offset | Offset of the entry in the log file. 
| long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.hostname | Hostname parsed from syslog header. | keyword | -| log.syslog.priority | | long | -| log.syslog.process.name | | keyword | -| log.syslog.process.pid | | long | -| log.syslog.structured_data | | flattened | -| log.syslog.version | | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. 
See the documentation section "Implementing ECS". | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | -| observer.product | The product name of the observer. | constant_keyword | -| observer.type | The type of the observer the data is coming from. | constant_keyword | -| observer.vendor | Vendor name of the observer. | constant_keyword | -| process.executable | Absolute path to the process executable. | keyword | -| process.executable.text | Multi-field of `process.executable`. | match_only_text | -| process.hash.md5 | MD5 hash. | keyword | -| process.hash.sha256 | SHA256 hash. | keyword | -| process.name | Process name. Sometimes called program name or similar. | keyword | -| process.name.text | Multi-field of `process.name`. | match_only_text | -| process.pid | Process id. | long | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.name | The name of the rule or signature generating the event. | keyword | -| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. | keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.domain | Source domain. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | -| source.port | Port of the source. | long | -| symantec_endpoint.log.action | The action taken on the traffic, e.g. "Blocked". | keyword | -| symantec_endpoint.log.actual_action | Actual action from risk logs and proactive detection (SONAR) logs. | keyword | -| symantec_endpoint.log.admin | Name of the SEPM admin. | keyword | -| symantec_endpoint.log.api_name | API name that was blocked (agent behavior log). | keyword | -| symantec_endpoint.log.application | The full path name of the application involved. | keyword | -| symantec_endpoint.log.application_hash | The hash for this application. 
| keyword | -| symantec_endpoint.log.application_name | The application name. | keyword | -| symantec_endpoint.log.application_type | Application type (Trojan, key logger etc). | keyword | -| symantec_endpoint.log.application_version | The application version. | keyword | -| symantec_endpoint.log.begin | Start time of the event (also see event.start). | keyword | -| symantec_endpoint.log.caller_process_id | The ID of the process that triggers the logging. | keyword | -| symantec_endpoint.log.caller_process_name | The full path name of the application involved. It may be empty if the application is unknown, or if OS itself is involved, or if no application is involved. Also, it may be empty if profile says, "don't log application name in raw traffic log". | keyword | -| symantec_endpoint.log.caller_return_address | The return address of the caller. This field allows the detection of the calling module that makes the API call. This is historically not used. You can expect Return Address to always be 0. | keyword | -| symantec_endpoint.log.caller_return_module_name | The module name of the caller. See CallerReturnAddress for more information. Return Module name is historically unused. You can expect Return Module name to always be "No Module Name" except where you see Sysplant when sysplant has started. | keyword | -| symantec_endpoint.log.category | Agent system log category (generally not populated by SEPM). | keyword | -| symantec_endpoint.log.category_set | Agent risk log category. | keyword | -| symantec_endpoint.log.category_type | Agent risk log category type. | keyword | -| symantec_endpoint.log.certificate_issuer | The certificate's issuer. | keyword | -| symantec_endpoint.log.certificate_serial_number | The certificate's serial number. | keyword | -| symantec_endpoint.log.certificate_signer | The certificate's signer. | keyword | -| symantec_endpoint.log.certificate_thumbprint | The certificate's thumbprint. 
| keyword | -| symantec_endpoint.log.cids_signature_id | The signature ID. | keyword | -| symantec_endpoint.log.cids_signature_string | The signature name. | keyword | -| symantec_endpoint.log.cids_signature_subid | The signature sub ID. | keyword | -| symantec_endpoint.log.coh_engine_version | TruScan engine version. | keyword | -| symantec_endpoint.log.command | Command sent from the SEPM. | keyword | -| symantec_endpoint.log.company_name | The company name from the application (used in agent risk logs). | keyword | -| symantec_endpoint.log.computer_name | Name of the host machine (used in agent risk/scan logs). | keyword | -| symantec_endpoint.log.confidence | The Confidence level that produced the conviction. Examples: High, low, bad, trustworthy etc. "Confidence: There is strong evidence that this file is untrustworthy." | keyword | -| symantec_endpoint.log.description | Description of the virus file. | keyword | -| symantec_endpoint.log.detection_score | Score of detection. | keyword | -| symantec_endpoint.log.detection_source | Source of the detection. | keyword | -| symantec_endpoint.log.detection_type | Type of detection (e.g. heuristic). | keyword | -| symantec_endpoint.log.device_id | The GUID of an external device (floppy disk, DVD, USB device, etc.). | keyword | -| symantec_endpoint.log.disposition | Good / Bad / Unknown / Not available. | keyword | -| symantec_endpoint.log.domain_name | SEPM domain name. | keyword | -| symantec_endpoint.log.download_site | The URL determined from where the image was downloaded. | keyword | -| symantec_endpoint.log.downloaded_by | The creator process of the dropper threat. | keyword | -| symantec_endpoint.log.duration_seconds | The length of the scan, in seconds. | keyword | -| symantec_endpoint.log.end | Start time of the event (also see event.end). | keyword | -| symantec_endpoint.log.event_description | Description of the event. Usually, the first line of the description is treated as the summary. 
| keyword | -| symantec_endpoint.log.event_source | The data source. NETPORT, NATSRV, Network Intrusion Protection System, LiveUpdate Manager etc. | keyword | -| symantec_endpoint.log.event_time | Time of event occurrence. | date | -| symantec_endpoint.log.file_path | The file path of the attacked file. | keyword | -| symantec_endpoint.log.file_size_bytes | File size of application. | keyword | -| symantec_endpoint.log.first_seen | The first seen date for the convicted application. | keyword | -| symantec_endpoint.log.group | SEPM client group name. | keyword | -| symantec_endpoint.log.hash_type | Application hash type (MD5, SHA1, SHA256 etc). | keyword | -| symantec_endpoint.log.infected | The number of files that the scan found that were infected. | long | -| symantec_endpoint.log.inserted | The time that the event was inserted into the database. | date | -| symantec_endpoint.log.intensive_protection_level | The High Intensity Detection Level. | keyword | -| symantec_endpoint.log.intrusion_id | Intrusion ID. | keyword | -| symantec_endpoint.log.intrusion_payload_url | The URL that hosted the payload. | keyword | -| symantec_endpoint.log.intrusion_url | The URL from the detection. | keyword | -| symantec_endpoint.log.ip_address | IP Address of the machine. | keyword | -| symantec_endpoint.log.last_update_time | The time on the server when the event is logged into the system or updated in the system (GMT). | date | -| symantec_endpoint.log.local_host | The host name of the client computer. | keyword | -| symantec_endpoint.log.local_host_ip | The IP address of the local computer. | keyword | -| symantec_endpoint.log.local_host_mac | The MAC address of the local computer. | keyword | -| symantec_endpoint.log.local_host_name | The host name of the client computer. | keyword | -| symantec_endpoint.log.local_port | The TCP/UDP port of the local computer. | keyword | -| symantec_endpoint.log.location | The location used when the event occurred. 
| keyword | -| symantec_endpoint.log.md-5 | The MD5 hash value. | keyword | -| symantec_endpoint.log.network_protocol | Localized string for Others/ TCP/ UDP/ ICMP. | keyword | -| symantec_endpoint.log.occurrences | The number of attacks. Sometime, when a hacker launches a mass attack, it may be reduced to one event by the log system, depending on the damper period. | keyword | -| symantec_endpoint.log.omitted | The number of files that were omitted. | long | -| symantec_endpoint.log.parameters | Parameters is the name of the module, process, registry location or file that was used in the API call. Each parameter was converted to string format and separated by one space character. Double quotation mark characters within the string are escaped with a \ character. As an example, in the SEPM ADC policy you may have a rule with a condition which monitors for Load DLL Attempts with the rule being applied to mscoree.dll. In this case, in the parameters field you'd expect to see C:\Windows\SysWOW64\mscoree.dll. | keyword | -| symantec_endpoint.log.permitted_application_reason | Reason for allow listing (e.g. Symantec permitted application list, Administrator permitted application list). | keyword | -| symantec_endpoint.log.policy_name | Name of the policy. | keyword | -| symantec_endpoint.log.prevalence | Number of users that have seen this. | keyword | -| symantec_endpoint.log.remote_host_ip | The IP address of the remote computer. | keyword | -| symantec_endpoint.log.remote_host_mac | The MAC address of the remote computer. | keyword | -| symantec_endpoint.log.remote_port | The TCP/UDP port of the remote computer. | keyword | -| symantec_endpoint.log.requested_action | Requested action by policy. | keyword | -| symantec_endpoint.log.risk_level | The risk level (high, med, low) for the convicted threat. 
| keyword | -| symantec_endpoint.log.risk_name | | keyword | -| symantec_endpoint.log.risk_type | Localized strings for Heuristic / Cookie / Admin Black List / BPE / System Change / N/A. | keyword | -| symantec_endpoint.log.rule | The name of the rule that was triggered by the event. If the rule name is not specified in the security rule, then this field is empty. Having the rule name can be useful for troubleshooting. You may recognize a rule by the rule ID, but rule name can help you recognize it more quickly. | keyword | -| symantec_endpoint.log.scan_complete | Scan message when scan ended. | keyword | -| symantec_endpoint.log.scan_id | The scan ID provided by the agent. | keyword | -| symantec_endpoint.log.secondary_action | Secondary action requested by policy | keyword | -| symantec_endpoint.log.sensitivity | Engine sensitivity that produced this detection | long | -| symantec_endpoint.log.server | Name of the server. | keyword | -| symantec_endpoint.log.server_name | Name of the server. | keyword | -| symantec_endpoint.log.sha-256 | The SHA-256 hash value. | keyword | -| symantec_endpoint.log.signing_timestamp | The certificate's signature timestamp. | date | -| symantec_endpoint.log.site | SEPM site name. | keyword | -| symantec_endpoint.log.source | Scan source (e.g. scheduled). | keyword | -| symantec_endpoint.log.source_computer | Computer name where this event occurred. | keyword | -| symantec_endpoint.log.source_ip | IP address of the machine on which the event occurred. | keyword | -| symantec_endpoint.log.submission_recommended | Recommendation on whether to submit this detection to Symantec. | boolean | -| symantec_endpoint.log.threats | The number of threats that the scan found. | long | -| symantec_endpoint.log.total_files | The number of files scanned. 
| long | -| symantec_endpoint.log.traffic_direction | Unknown / Inbound / Outbound | keyword | -| symantec_endpoint.log.url_tracking_status | Network intrusion prevention status | keyword | -| symantec_endpoint.log.user1 | User when scan started. | keyword | -| symantec_endpoint.log.user2 | User when scan ended. | keyword | -| symantec_endpoint.log.user_name | | keyword | -| symantec_endpoint.log.web_domain | The web domain. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | - - -An example event for `log` looks as following: - -```json -{ - "process": { - "executable": "C:/WINDOWS/system32/NTOSKRNL.EXE", - "hash": { - "sha256": "5379732000000000000000000000000000000000000000000000000000000000", - "md5": "53797320000000000000000000000000" - } - }, - "log": { - "syslog": { - "process": { - "name": "myproc", - "pid": 8710 - }, - "hostname": "192.0.2.1", - "priority": 165, - "version": 1 - } - }, - "destination": { - "geo": { - "name": "Default" - }, - "address": "192.168.1.113", - "port": 80, - "mac": "CC-F9-E4-A9-12-26", - "ip": "192.168.1.113" - }, - "rule": { - "name": "Block Unapproved Incoming Ports" - }, - "source": { - "address": "192.168.1.1", - "port": 33424, - "mac": "2C-3A-FD-A7-9E-71", - "ip": "192.168.1.1" - }, - "tags": [ - "forwarded", - "preserve_original_event" - ], - "network": { - "community_id": "1:TbyoH4bYJO0/cP/YShIpq9J+Z3s=", - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "@timestamp": "2021-11-16T12:14:15.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "hash": [ - "53797320000000000000000000000000", - "5379732000000000000000000000000000000000000000000000000000000000" - ], - "ip": [ - "192.168.1.113", - "192.168.1.1" - ] - }, - "host": { - "name": "host-rfc5424", - "hostname": "host-rfc5424", - "mac": [ - "CC-F9-E4-A9-12-26" - ], - "ip": [ - "192.168.1.113" - ] - }, - "symantec_endpoint": { - "log": { - "occurrences": "4", - "sha-256": "5379732000000000000000000000000000000000000000000000000000000000", - "local_port": "80", - "user_name": "sampleuser4", - "remote_port": "33424", - "rule": "Block Unapproved Incoming Ports", - "md-5": "53797320000000000000000000000000", - "network_protocol": "TCP", - "traffic_direction": "Inbound", - "remote_host_ip": "192.168.1.1", - "remote_host_mac": "2C3AFDA79E71", - "domain_name": "SMPL", - "application": "C:/WINDOWS/system32/NTOSKRNL.EXE", - "local_host_ip": "192.168.1.113", - "action": "blocked", - "end": "2020-11-11 
19:25:28",
- "location": "Default",
- "local_host_mac": "CCF9E4A91226",
- "begin": "2020-11-11 19:25:21"
- }
- },
- "event": {
- "original": "\u003c165\u003e1 2021-11-16T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - host-rfc5424,Local Host IP: 192.168.1.113,Local Port: 80,Local Host MAC: CCF9E4A91226,Remote Host IP: 192.168.1.1,Remote Host Name: ,Remote Port: 33424,Remote Host MAC: 2C3AFDA79E71,TCP,Inbound,Begin: 2020-11-11 19:25:21,End Time: 2020-11-11 19:25:28,Occurrences: 4,Application: C:/WINDOWS/system32/NTOSKRNL.EXE,Rule: Block Unapproved Incoming Ports,Location: Default,User Name: sampleuser4,Domain Name: SMPL,Action: Blocked,SHA-256: 5379732000000000000000000000000000000000000000000000000000000000,MD-5: 53797320000000000000000000000000",
- "provider": "Agent Traffic Log",
- "kind": "event",
- "start": "2020-11-11T19:25:21.000Z",
- "count": 4,
- "action": "blocked",
- "end": "2020-11-11T19:25:28.000Z",
- "category": [
- "intrusion_detection",
- "network",
- "process"
- ],
- "type": [
- "connection",
- "denied"
- ]
- },
- "user": {
- "name": "sampleuser4",
- "domain": "SMPL"
- }
-}
-```
diff --git a/packages/symantec_endpoint/1.0.0/img/logo.svg b/packages/symantec_endpoint/1.0.0/img/logo.svg
deleted file mode 100755
index 1b87d1e578..0000000000
--- a/packages/symantec_endpoint/1.0.0/img/logo.svg
+++ /dev/null
@@ -1,35 +0,0 @@
- - - -image/svg+xml
diff --git a/packages/symantec_endpoint/1.0.0/img/symantec-endpoint-logs-overview.png b/packages/symantec_endpoint/1.0.0/img/symantec-endpoint-logs-overview.png
deleted file mode 100755
index e2c8f8f867..0000000000
Binary files a/packages/symantec_endpoint/1.0.0/img/symantec-endpoint-logs-overview.png and /dev/null differ
diff --git a/packages/symantec_endpoint/1.0.0/kibana/dashboard/symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393.json b/packages/symantec_endpoint/1.0.0/kibana/dashboard/symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393.json
deleted file mode 100755
index 89e8d78857..0000000000
--- a/packages/symantec_endpoint/1.0.0/kibana/dashboard/symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393.json
+++ /dev/null
@@ -1,77 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"symantec_endpoint.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"symantec_endpoint.log\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c971e3e3-37d5-4171-93af-956925edabb1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c971e3e3-37d5-4171-93af-956925edabb1\":{\"columnOrder\":[\"9a35327d-0a3f-43e9-8ef1-a7589a20c23d\",\"1c38d61b-9801-43fd-a8d0-fdafc89b1826\",\"5a933de5-3586-4844-88e8-4860130de30b\"],\"columns\":{\"1c38d61b-9801-43fd-a8d0-fdafc89b1826\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"5a933de5-3586-4844-88e8-4860130de30b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Log Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9a35327d-0a3f-43e9-8ef1-a7589a20c23d\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5a933de5-3586-4844-88e8-4860130de30b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"event.provider\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"5a933de5-3586-4844-88e8-4860130de30b\"],\"layerId\":\"c971e3e3-37d5-4171-93af-956925edabb1\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"9a35327d-0a3f-43e9-8ef1-a7589a20c23d\",\"xAccessor\":\"1c38d61b-9801-43fd-a8d0-fdafc89b1826\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"47f211da-7063-45c2-9be8-488f5e90cbf8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"47f211da-7063-45c2-9be8-488f5e90cbf8\",\"title\":\"Log Types over 
Time\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-eac3c835-8b5e-4f3c-a023-81f830cd6a4a\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"eac3c835-8b5e-4f3c-a023-81f830cd6a4a\":{\"columnOrder\":[\"21fba635-b5ea-4d84-af67-d710ec8ad164\",\"5564c2e5-debb-45e0-a159-0e7f229b2b94\",\"d2354973-ded4-4075-8afd-ae1835d1ea18\"],\"columns\":{\"21fba635-b5ea-4d84-af67-d710ec8ad164\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.category\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2354973-ded4-4075-8afd-ae1835d1ea18\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":6},\"scale\":\"ordinal\",\"sourceField\":\"event.category\"},\"5564c2e5-debb-45e0-a159-0e7f229b2b94\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2354973-ded4-4075-8afd-ae1835d1ea18\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":6},\"scale\":\"ordinal\",\"sourceField\":\"event.type\"},\"d2354973-ded4-4075-8afd-ae1835d1ea18\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"eac3c835-8b5e-4f3c-a023-81f830cd6a4a\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"position\":\"right\",\"type\":\"lens_heatmap_legendConfig\"},\"shape\":\"heatmap\",\"valueAccessor\":\"d2354973-ded4-4075-8afd-ae1835d1ea18\",\"xAccessor\":\"21fba635-b5ea-4d84-af67-d710ec8ad164\",\"yAccessor\":\"5564c2e5-debb-45e0-a159-0e7f229b2b94\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"107c480c-8ee8-48ea-9e3a-7addcc0bad09\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"107c480c-8ee8-48ea-9e3a-7addcc0bad09\",\"title\":\"Event Category/Type Matrix\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bf9e979f-85fd-4ba9-86b5-7df1b94347e2\":{\"columnOrder\":[\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\"],\"columns\":{\"4bbe5fec-050a-426e-aa8e-1d839d13b009\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
process.executable\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"process.executable\"},\"b9a29e43-f628-447c-8225-1db604dff2e7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.provider\"},\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"isTransposed\":false},{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"isTransposed\":false},{\"columnId\":\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"isTransposed\":false}],\"layerId\":\"bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"8fd69bce-37ba-4338-bbe0-9bb0bae7ceee\",\"w\":20,\"x\":0,\"y\":15},\"panelIndex\":\"8fd69bce-37ba-4338-bbe0-9bb0bae7ceee\",\"title\":\"Process 
Executables\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"bf9e979f-85fd-4ba9-86b5-7df1b94347e2\":{\"columnOrder\":[\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\"],\"columns\":{\"4bbe5fec-050a-426e-aa8e-1d839d13b009\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of file.path\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"file.path\"},\"b9a29e43-f628-447c-8225-1db604dff2e7\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"event.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.provider\"},\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"4bbe5fec-050a-426e-aa8e-1d839d13b009\",\"isTransposed\":false,\"width\":654},{\"columnId\":\"ba004b9c-050e-47ea-a5fe-5808be9fc79f\",\"isTransposed\":false},{\"columnId\":\"b9a29e43-f628-447c-8225-1db604dff2e7\",\"isTransposed\":false}],\"layerId\":\"
bf9e979f-85fd-4ba9-86b5-7df1b94347e2\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"c1d7b91d-0c0f-4c72-939d-18220e449e1a\",\"w\":20,\"x\":20,\"y\":15},\"panelIndex\":\"c1d7b91d-0c0f-4c72-939d-18220e449e1a\",\"title\":\"File Paths\",\"type\":\"lens\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-028dd220-5ea4-4938-a753-3a833f191e13\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"028dd220-5ea4-4938-a753-3a833f191e13\":{\"columnOrder\":[\"c10eaf4e-5353-41d6-937d-c45050d15294\",\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\"],\"columns\":{\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"c10eaf4e-5353-41d6-937d-c45050d15294\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
host.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":100},\"scale\":\"ordinal\",\"sourceField\":\"host.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"c10eaf4e-5353-41d6-937d-c45050d15294\",\"isTransposed\":false},{\"columnId\":\"b2d572aa-bf40-4b3c-b7a7-9857719f294c\",\"isTransposed\":false}],\"layerId\":\"028dd220-5ea4-4938-a753-3a833f191e13\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"cfc78bcd-47bc-4a32-8d25-6e4967461d03\",\"w\":8,\"x\":40,\"y\":15},\"panelIndex\":\"cfc78bcd-47bc-4a32-8d25-6e4967461d03\",\"title\":\"Hosts\",\"type\":\"lens\",\"version\":\"7.16.0\"}]", - "timeRestore": false, - "title": "[Symantec Endpoint Log] Overview", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "symantec_endpoint-3ac0a690-5f71-11ec-85e4-338fc80d8393", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "47f211da-7063-45c2-9be8-488f5e90cbf8:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "47f211da-7063-45c2-9be8-488f5e90cbf8:indexpattern-datasource-layer-c971e3e3-37d5-4171-93af-956925edabb1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "107c480c-8ee8-48ea-9e3a-7addcc0bad09:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "107c480c-8ee8-48ea-9e3a-7addcc0bad09:indexpattern-datasource-layer-eac3c835-8b5e-4f3c-a023-81f830cd6a4a", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "8fd69bce-37ba-4338-bbe0-9bb0bae7ceee:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fd69bce-37ba-4338-bbe0-9bb0bae7ceee:indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c1d7b91d-0c0f-4c72-939d-18220e449e1a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c1d7b91d-0c0f-4c72-939d-18220e449e1a:indexpattern-datasource-layer-bf9e979f-85fd-4ba9-86b5-7df1b94347e2", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cfc78bcd-47bc-4a32-8d25-6e4967461d03:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cfc78bcd-47bc-4a32-8d25-6e4967461d03:indexpattern-datasource-layer-028dd220-5ea4-4938-a753-3a833f191e13", - "type": "index-pattern" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/symantec_endpoint/1.0.0/manifest.yml b/packages/symantec_endpoint/1.0.0/manifest.yml deleted file mode 100755 index 823d4bcd40..0000000000 --- a/packages/symantec_endpoint/1.0.0/manifest.yml +++ /dev/null 
@@ -1,37 +0,0 @@
-name: symantec_endpoint
-title: Symantec Endpoint Protection
-version: 1.0.0
-release: ga
-description: Collect logs from Symantec Endpoint Protection with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: ["security"]
-conditions:
- kibana.version: "^7.16.0 || ^8.0.0"
-icons:
- - src: /img/logo.svg
- title: Symantec
- size: 216x216
- type: image/svg+xml
-screenshots:
- - src: /img/symantec-endpoint-logs-overview.png
- title: Symantec Endpoint Logs Overview Dashboard
- size: 2970x2234
- type: image/png
-policy_templates:
- - name: symantec
- title: Symantec Endpoint Protection logs
- description: Collect Symantec Endpoint Protection logs from file or over syslog.
- inputs:
- - type: logfile
- title: Collect logs from file
- description: Collect Symantec Endpoint Protection logs from file.
- - type: tcp
- title: Collect logs over TCP
- description: Collect Symantec Endpoint Protection logs over TCP.
- - type: udp
- title: Collect logs over UDP
- description: Collect Symantec Endpoint Protection logs over UDP.
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/ti_anomali/1.3.1/changelog.yml b/packages/ti_anomali/1.3.1/changelog.yml
deleted file mode 100755
index e0240f00e2..0000000000
--- a/packages/ti_anomali/1.3.1/changelog.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-# newer versions go on top
-- version: "1.3.1"
- changes:
- - description: Update package descriptions
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3398
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2781
-- version: "1.2.3"
- changes:
- - description: Add mapping for event.created
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3042
-- version: "1.2.2"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.2.1"
- changes:
- - description: Adding first interval to Anomali Limo policy UI
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2677
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2446
-- version: "1.1.3"
- changes:
- - description: Regenerate test files using the new GeoIP database
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2339
-- version: "1.1.2"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.1.1"
- changes:
- - description: Fixing typo in base-fields.yml
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2330
-- version: "1.1.0"
- changes:
- - description: Adding dashboards and threat.feed ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2292
-- version: "1.0.2"
- changes:
- - description: Bump minimum version
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2063
-- version: "1.0.1"
- changes:
- - description: Update title and description.
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1997
-- version: "1.0.0"
- changes:
- - description: Initial release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1911
diff --git a/packages/ti_anomali/1.3.1/data_stream/limo/agent/stream/httpjson.yml.hbs b/packages/ti_anomali/1.3.1/data_stream/limo/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index eabe1ecfca..0000000000
--- a/packages/ti_anomali/1.3.1/data_stream/limo/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,60 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "GET"
-
-auth.basic.user: guest
-auth.basic.password: guest
-
-{{#if url}}
-request.url: {{url}}
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-{{#if proxy_url}}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-request.redirect.forward_headers: true
-
-request.transforms:
- - set:
- target: header.Content-Type
- value: application/vnd.oasis.taxii+json
- - set:
- target: header.Accept
- value: application/vnd.oasis.taxii+json
- - set:
- target: header.Range
- value: items 0-10000
- - set:
- target: url.params.match[type]
- value: indicator
- - set:
- target: url.params.added_after
- value: '[[.cursor.timestamp]]'
- default: '[[ formatDate (now (parseDuration "-{{first_interval}}")) "2006-01-02T15:04:05.000Z" ]]'
-
-response.split:
- target: body.objects
-
-cursor:
- timestamp:
- value: '[[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]]'
-
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/ti_anomali/1.3.1/data_stream/limo/elasticsearch/ingest_pipeline/default.yml b/packages/ti_anomali/1.3.1/data_stream/limo/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index fb63658f31..0000000000
--- a/packages/ti_anomali/1.3.1/data_stream/limo/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,177 +0,0 @@
----
-description: Pipeline for parsing Anomali Limo indicators
-processors:
- ####################
- # Event ECS fields #
- ####################
- - set:
- field: ecs.version
- value: "8.2.0"
- - set:
- field: event.kind
- value: enrichment
- - set:
- field: event.category
- value: threat
- - set:
- field: event.type
- value: indicator
-
- ######################
- # General ECS fields #
- ######################
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: anomali.limo
- - fingerprint:
- fields:
- - anomali.limo.id
- target_field: "_id"
- ignore_missing: true
-
- #####################
- # Threat ECS Fields #
- #####################
- ## File indicator operations
- - date:
- field: anomali.limo.created
- formats:
- - "yyyy-MM-dd'T'HH:mm:ssz"
- - "yyyy-MM-dd'T'HH:mm:ssZ"
- - "yyyy-MM-dd'T'HH:mm:ss.Sz"
- - "yyyy-MM-dd'T'HH:mm:ss.SZ"
- - "yyyy-MM-dd'T'HH:mm:ss.SSz"
- - "yyyy-MM-dd'T'HH:mm:ss.SSZ"
- - "yyyy-MM-dd'T'HH:mm:ss.SSSz"
- - "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
- if: "ctx.anomali?.limo?.created != null"
- - date:
- field: anomali.limo.modified
- target_field: anomali.limo.modified
- formats:
- - "yyyy-MM-dd'T'HH:mm:ssz"
- - "yyyy-MM-dd'T'HH:mm:ssZ"
- - "yyyy-MM-dd'T'HH:mm:ss.Sz"
- - "yyyy-MM-dd'T'HH:mm:ss.SZ"
- - "yyyy-MM-dd'T'HH:mm:ss.SSz"
- - "yyyy-MM-dd'T'HH:mm:ss.SSZ"
- - "yyyy-MM-dd'T'HH:mm:ss.SSSz"
- - "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
- if: "ctx.anomali?.limo?.modified != null"
- - date:
- field: anomali.limo.valid_from
- target_field: threat.indicator.first_seen
- formats:
- - "yyyy-MM-dd'T'HH:mm:ssz"
- - "yyyy-MM-dd'T'HH:mm:ssZ"
- - "yyyy-MM-dd'T'HH:mm:ss.Sz"
- - "yyyy-MM-dd'T'HH:mm:ss.SZ"
- - "yyyy-MM-dd'T'HH:mm:ss.SSz"
- - "yyyy-MM-dd'T'HH:mm:ss.SSZ"
- - "yyyy-MM-dd'T'HH:mm:ss.SSSz"
- - "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
- if: "ctx.anomali?.limo?.valid_from != null"
- - grok:
- field: anomali.limo.pattern
- patterns:
- - "^\\[%{DATA:_tmp.threattype}:value%{SPACE}=%{SPACE}'%{DATA:_tmp.threatvalue}'\\]"
- if: ctx.anomali?.limo?.pattern != null
- - rename:
- field: _tmp.threattype
- target_field: threat.indicator.type
- ignore_missing: true
- - rename:
- field: _tmp.threatvalue
- target_field: threat.indicator.ip
- ignore_missing: true
- if: "['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)"
- - uri_parts:
- field: _tmp.threatvalue
- target_field: threat.indicator.url
- keep_original: true
- remove_if_successful: true
- if: ctx.threat?.indicator?.type == 'url'
- - set:
- field: threat.indicator.url.full
- value: "{{{threat.indicator.url.original}}}"
- ignore_empty_value: true
- - rename:
- field: _tmp.threatvalue
- target_field: threat.indicator.email.address
- ignore_missing: true
- if: ctx.threat?.indicator?.type == 'email-addr'
- - rename:
- field: _tmp.threatvalue
- target_field: threat.indicator.url.domain
- ignore_missing: true
- if: ctx.threat?.indicator?.type == 'domain-name'
- - set:
- field: threat.indicator.type
- value: unknown
- if: ctx.threat?.indicator?.type == null
- - foreach:
- field: anomali.limo.labels
- ignore_missing: true
- processor:
- append:
- field: tags
- value: "{{_ingest._value}}"
- allow_duplicates: false
- - grok:
- field: anomali.limo.description
- patterns:
- - "^%{GREEDYDATA}Source: %{GREEDYDATA:threat.indicator.provider}"
- ignore_missing: true
- ignore_failure: true
- ######################
- # Cleanup processors #
- ######################
- - script:
- lang: painless
- if: ctx?.threatintel != null
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null);
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- }
- handleMap(ctx);
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
- - remove:
- field:
- - anomali.limo.pattern
- ignore_missing: true
- if: ctx.threat?.indicator?.pattern != null && ctx.threat?.indicator?.pattern != 'unknown'
- - remove:
- field:
- - anomali.limo.created
- - anomali.limo.pattern
- - message
- - _tmp
- ignore_missing: true
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_anomali/1.3.1/data_stream/limo/fields/agent.yml b/packages/ti_anomali/1.3.1/data_stream/limo/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/ti_anomali/1.3.1/data_stream/limo/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/ti_anomali/1.3.1/data_stream/limo/fields/base-fields.yml b/packages/ti_anomali/1.3.1/data_stream/limo/fields/base-fields.yml
deleted file mode 100755
index 126260c5af..0000000000
--- a/packages/ti_anomali/1.3.1/data_stream/limo/fields/base-fields.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: ti_anomali
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: ti_anomali.limo
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: Anomali Limo
-- name: threat.feed.dashboard_id
- type: constant_keyword
- description: Dashboard ID used for Kibana CTI UI
- value: ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/ti_anomali/1.3.1/data_stream/limo/fields/beats.yml b/packages/ti_anomali/1.3.1/data_stream/limo/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/ti_anomali/1.3.1/data_stream/limo/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_anomali/1.3.1/data_stream/limo/fields/ecs.yml b/packages/ti_anomali/1.3.1/data_stream/limo/fields/ecs.yml
deleted file mode 100755
index 339e97eba8..0000000000
--- a/packages/ti_anomali/1.3.1/data_stream/limo/fields/ecs.yml
+++ /dev/null
@@ -1,133 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: The date and time when intelligence source first reported sighting this indicator. - name: threat.indicator.first_seen - type: date -- description: |- - Type of indicator as represented by Cyber Observable in STIX 2.0. - Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - name: threat.indicator.type - type: keyword -- description: Identifies a threat indicator as an IP address (irrespective of direction). - name: threat.indicator.ip - type: ip -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: threat.indicator.url.domain - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.full - type: wildcard -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". 
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: threat.indicator.url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.original - type: wildcard -- description: Path of the request, such as "/search". - name: threat.indicator.url.path - type: wildcard -- description: Port of the request, such as 443. - name: threat.indicator.url.port - type: long -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: threat.indicator.url.scheme - type: keyword -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: threat.indicator.url.query - type: keyword -- description: Identifies a threat indicator as an email address (irrespective of direction). - name: threat.indicator.email.address - type: keyword -- description: The name of the indicator's provider. - name: threat.indicator.provider - type: keyword diff --git a/packages/ti_anomali/1.3.1/data_stream/limo/fields/fields.yml b/packages/ti_anomali/1.3.1/data_stream/limo/fields/fields.yml deleted file mode 100755 index 1b2ca9057f..0000000000 --- a/packages/ti_anomali/1.3.1/data_stream/limo/fields/fields.yml +++ /dev/null 
@@ -1,73 +0,0 @@ -- name: anomali.limo - type: group - description: > - Fields for Anomali Threat Intel - - fields: - - name: id - type: keyword - description: > - The ID of the indicator. - - - name: name - type: keyword - description: > - The name of the indicator. - - - name: pattern - type: keyword - description: > - The pattern ID of the indicator. - - - name: valid_from - type: date - description: > - When the indicator was first found or is considered valid. - - - name: modified - type: date - description: > - When the indicator was last modified - - - name: labels - type: keyword - description: > - The labels related to the indicator - - - name: indicator - type: keyword - description: > - The value of the indicator, for example if the type is domain, this would be the value. - - - name: description - type: keyword - description: > - A description of the indicator. - - - name: title - type: keyword - description: > - Title describing the indicator. - - - name: content - type: keyword - description: > - Extra text or descriptive content related to the indicator. - - - name: type - type: keyword - description: > - The indicator type, can for example be "domain, email, FileHash-SHA256". - - - name: object_marking_refs - type: keyword - description: >- - The STIX reference object. - - name: definition_type - type: keyword - description: >- - Indicator tlp/definition type - - name: definition.tlp - type: keyword - description: >- - Indicator tlp/definition value diff --git a/packages/ti_anomali/1.3.1/data_stream/limo/manifest.yml b/packages/ti_anomali/1.3.1/data_stream/limo/manifest.yml deleted file mode 100755 index 278b84f0e7..0000000000 --- a/packages/ti_anomali/1.3.1/data_stream/limo/manifest.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -type: logs -title: Anomali Limo -streams: - - input: httpjson - vars: - - name: url - type: text - title: Anomali Limo API URL - multi: false - required: true - show_user: false - default: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects - - name: http_client_timeout - type: text - title: HTTP Client Timeout - multi: false - required: false - show_user: false - default: 30s - - name: proxy_url - type: text - title: Proxy URL - multi: false - required: false - show_user: false - description: URL to proxy connections in the form of http[s]://:@: - - name: interval - type: text - title: Interval - multi: false - required: true - show_user: true - default: 10m - - name: initial_interval - type: text - title: Initial Interval - multi: false - required: true - show_user: true - default: 120h - description: How far back to look for indicators the first time the agent is started. - - name: ssl - type: yaml - title: SSL - multi: false - required: false - show_user: true - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - anomali-limo - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: httpjson.yml.hbs - title: Anomali Limo API - description: Collect indicators from the Anomali Limo API 
diff --git a/packages/ti_anomali/1.3.1/data_stream/limo/sample_event.json b/packages/ti_anomali/1.3.1/data_stream/limo/sample_event.json deleted file mode 100755 index 2043f8e5c8..0000000000 --- a/packages/ti_anomali/1.3.1/data_stream/limo/sample_event.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "@timestamp": "2017-01-20T00:00:00.000Z", - "agent": { - "ephemeral_id": "29217578-e780-4c3e-912d-0f35ce981fb4", - "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "anomali": { - "limo": { - "definition": { - "tlp": "green" - }, - "definition_type": "tlp", - "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", - "type": "marking-definition" - } - }, - "data_stream": { - "dataset": "ti_anomali.limo", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-04-11T08:51:02.140Z", - "dataset": "ti_anomali.limo", - "ingested": "2022-04-11T08:51:03Z", - "kind": "enrichment", - "original": "{\"created\":\"2017-01-20T00:00:00.000Z\",\"definition\":{\"tlp\":\"green\"},\"definition_type\":\"tlp\",\"id\":\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\",\"type\":\"marking-definition\"}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "anomali-limo" - ], - "threat": { - "indicator": { - "type": "unknown" - } - } -} \ No newline at end of file diff --git a/packages/ti_anomali/1.3.1/data_stream/threatstream/agent/stream/http_endpoint.yml.hbs b/packages/ti_anomali/1.3.1/data_stream/threatstream/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index a38e42a199..0000000000 --- a/packages/ti_anomali/1.3.1/data_stream/threatstream/agent/stream/http_endpoint.yml.hbs +++ /dev/null 
@@ -1,47 +0,0 @@ -type: http_endpoint -enabled: true - -{{#if listen_address}} -listen_address: {{listen_address}} -{{/if}} -{{#if listen_port}} -listen_port: {{listen_port}} -{{/if}} -{{#if url}} -url: {{url}} -{{/if}} -prefix: json -{{#if content_type}} -content_type: {{content_type}} -{{/if}} - -{{#if secret}} -hmac: - header: X-Filebeat-Signature - key: {{secret}} - type: sha256 - prefix: sha256= -{{/if}} - -{{#if ssl}} -ssl: {{ssl}} -{{/if}} - -{{#if preserve_original_event}} -preserve_original_event: true -{{/if}} - -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/ti_anomali/1.3.1/data_stream/threatstream/elasticsearch/ingest_pipeline/default.yml b/packages/ti_anomali/1.3.1/data_stream/threatstream/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 3a65647332..0000000000 --- a/packages/ti_anomali/1.3.1/data_stream/threatstream/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,428 +0,0 @@ ---- -description: Pipeline for parsing Anomali ThreatStream -processors: - # - # Set basic ECS fields. - # - - set: - field: ecs.version - value: "8.2.0" - - fingerprint: - fields: - - event.dataset - - json.id - target_field: "_id" - ignore_missing: true - - set: - field: event.kind - value: enrichment - - set: - field: event.category - value: threat - - set: - field: event.type - value: indicator - - # - # Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type). - # - - script: - lang: painless - if: "ctx.json.itype != null" - description: > - Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type). - params: - actor_ip: ipv4-addr - adware_domain: domain-name - anon_proxy: ipv4-addr - anon_vpn: ipv4-addr - apt_domain: domain-name - apt_email: email-addr - apt_ip: ipv4-addr - apt_md5: file - apt_subject: email - apt_ua: url - apt_url: url - bot_ip: ipv4-addr - brute_ip: ipv4-addr - c2_domain: domain-name - c2_ip: ipv4-addr - c2_url: url - comm_proxy_domain: domain-name - comm_proxy_ip: ipv4-addr - compromised_domain: domain-name - compromised_ip: ipv4-addr - compromised_url: url - crypto_hash: file - crypto_ip: ipv4-addr - crypto_pool: domain - crypto_url: url - crypto_wallet: file - ddos_ip: ipv4-addr - disposable_email_domain: domain-name - dyn_dns: domain-name - exfil_domain: domain-name - exfil_ip: ipv4-addr - exfil_url: url - exploit_domain: domain-name - exploit_ip: ipv4-addr - exploit_url: url - free_email_domain: domain-name - geolocation_url: url - hack_tool: file - i2p_ip: ipv4-addr - ipcheck_url: url - mal_domain: domain-name - mal_email: email-addr - mal_ip: ipv4-addr - mal_md5: file - mal_sslcert_sh1: x509-certificate - mal_sslcert_sha1: x509-certificate - mal_ua: url - mal_url: url - p2pcnc: ipv4-addr - parked_domain: domain-name - parked_ip: ipv4-addr - parked_url: url - pastesite_url: url - phish_domain: domain-name - phish_email: email-addr - phish_ip: ipv4-addr - phish_url: url - 
proxy_ip: ipv4-addr - scan_ip: ipv4-addr - sinkhole_domain: domain-name - sinkhole_ip: ipv4-addr - spam_domain: domain-name - spam_email: email-addr - spam_ip: ipv4-addr - spam_url: url - speedtest_url: url - ssh_ip: ipv4-addr - suppress: suppress - suspicious_domain: domain-name - suspicious_email: email-addr - suspicious_ip: ipv4-addr - suspicious_reg_email: email-addr - suspicious_url: url - tor_ip: ipv4-addr - torrent_tracker_url: url - vpn_domain: domain-name - vps_ip: ipv4-addr - whois_bulk_reg_email: email-addr - whois_privacy_domain: domain-name - whois_privacy_email: email-addr - source: > - String mapping = params[ctx.json.itype]; - if (mapping != null) { - ctx["threatintel_indicator_type"] = mapping; - } - on_failure: - - append: - field: error.message - value: 'Unable to determine indicator type from "{{{ json.itype }}}": {{{ _ingest.on_failure_message }}}' - - - rename: - field: threatintel_indicator_type - target_field: threat.indicator.type - ignore_missing: true - - # - # Detect ipv6 for ipv4-addr types. - # - - set: - field: threat.indicator.type - value: ipv6-addr - if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json?.srcip != null && ctx.json.srcip.contains(":")' - - # - # Map first and last seen dates. - # - - date: - field: json.date_first - target_field: threat.indicator.first_seen - formats: - - ISO8601 - if: "ctx.json?.date_first != null" - on_failure: - - append: - field: error.message - value: 'Error parsing date_first field value "{{{ json.date_first }}}": {{{ _ingest.on_failure_message }}}' - - - date: - field: json.date_last - target_field: threat.indicator.last_seen - formats: - - ISO8601 - if: "ctx.json?.date_last != null" - on_failure: - - append: - field: error.message - value: 'Error parsing date_last field value "{{{ json.date_last }}}": {{{ _ingest.on_failure_message }}}' - - # - # Map IP geolocation fields. 
- # - - convert: - field: json.lat - target_field: threat.indicator.geo.location.lat - type: double - if: "ctx.json?.lat != null && ctx.json?.lon != null" - on_failure: - - append: - field: error.message - value: 'Cannot convert lat field "{{{ json.lat }}}" to double: {{{ _ingest.on_failure_message }}}' - - convert: - field: json.lon - target_field: threat.indicator.geo.location.lon - type: double - if: "ctx.json?.lat != null && ctx.json?.lon != null" - on_failure: - - append: - field: error.message - value: 'Cannot convert lon field "{{{ json.lon }}}" to double: {{{ _ingest.on_failure_message }}}' - - # - # Map classification field to Traffic Light Protocol (TLP). - # Currently: - # public => White ("Disclosure is not limited.") - # private => Amber ("Limited disclosure, restricted to participants’ organizations."). - # - - append: - field: threat.indicator.marking.tlp - value: Amber - if: 'ctx.json?.classification == "private"' - - append: - field: threat.indicator.marking.tlp - value: White - if: 'ctx.json?.classification == "public"' - - # - # Convert confidence field (-1..100) to ECS confidence (0..10). - # - - script: - lang: painless - if: ctx.json?.confidence != null - description: > - Normalize confidence level. 
- source: > - def value = ctx.json.confidence; - if (value <= 0.0 || value > 100.0) { - ctx["threatintel_indicator_confidence"] = "None"; - return; - } - if (value >= 1.0 && value <= 29.0) { - ctx["threatintel_indicator_confidence"] = "Low"; - return; - } - if (value >= 30.0 && value <= 69.0) { - ctx["threatintel_indicator_confidence"] = "Med"; - return; - } - if (value >= 70 && value <= 100) { - ctx["threatintel_indicator_confidence"] = "High"; - return; - } - on_failure: - - append: - field: error.message - value: "failed to normalize confidence value `{{{ json.confidence }}}`: {{{ _ingest.on_failure_message }}}" - - - rename: - field: threatintel_indicator_confidence - target_field: threat.indicator.confidence - ignore_missing: true - - # - # Convert asn field. - # - - convert: - field: json.asn - target_field: threat.indicator.as.number - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: "Cannot convert asn field `{{{ json.asn }}}` to long: {{{ _ingest.on_failure_message }}}" - - - rename: - field: json.org - target_field: threat.indicator.as.organization.name - ignore_missing: true - - - rename: - field: json.email - target_field: threat.indicator.email.address - ignore_missing: true - - - rename: - field: json.srcip - target_field: threat.indicator.ip - ignore_missing: true - - - uri_parts: - field: json.url - target_field: threat.indicator.url - keep_original: true - remove_if_successful: true - if: "ctx.json?.url != null" - on_failure: - - append: - field: error.message - value: "Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}" - - set: - field: threat.indicator.url.full - value: "{{{threat.indicator.url.original}}}" - ignore_empty_value: true - - rename: - field: json.domain - target_field: threat.indicator.url.domain - ignore_missing: true - if: ctx.threat?.indicator?.url?.domain == null - - rename: - field: json.country - target_field: threat.indicator.geo.country_iso_code - 
ignore_missing: true - - # - # md5 field can actually contain different kinds of hash. - # Map to file.hash.* depending on hash length. - # - - rename: - field: json.md5 - target_field: threat.indicator.file.hash.md5 - if: "ctx.json?.md5 != null && ctx.json.md5.length() == 32" - - - rename: - field: json.md5 - target_field: threat.indicator.file.hash.sha1 - if: "ctx.json?.md5 != null && ctx.json.md5.length() == 40" - - - rename: - field: json.md5 - target_field: threat.indicator.file.hash.sha256 - if: "ctx.json?.md5 != null && ctx.json.md5.length() == 64" - - - rename: - field: json.md5 - target_field: threat.indicator.file.hash.sha512 - if: "ctx.json?.md5 != null && ctx.json.md5.length() == 128" - - - rename: - field: json.source - target_field: threat.indicator.provider - ignore_missing: true - - # - # Map field severity to event severity as follows: - # low => 3 - # medium => 5 - # high => 7 - # very-high => 9 - # - - set: - field: event.severity - value: 3 - if: 'ctx.json?.severity == "low"' - - - set: - field: event.severity - value: 5 - if: 'ctx.json?.severity == "medium"' - - - set: - field: event.severity - value: 7 - if: 'ctx.json?.severity == "high"' - - - set: - field: event.severity - value: 9 - if: 'ctx.json?.severity == "very-high"' - - # - # Field trusted_circles_ids is a comma-separated string - # that can contain leading and trailing separators (i.e. ",123,"). - # Need a script processor as split processor doesn't support - # removing non-trailing separators. - # - - script: - lang: painless - if: "ctx.json?.trusted_circle_ids != null && ctx.json?.trusted_circle_ids instanceof String" - description: > - Convert trusted_circles_ids from CSV to an array. 
- source: > - def lst = Stream.of(ctx.json.trusted_circle_ids.splitOnToken(',')).filter(s -> !s.isEmpty()).collect(Collectors.toList()); - if (lst.size() > 0) { - ctx.json.trusted_circle_ids = lst; - } else { - ctx.json.remove('trusted_circle_ids'); - } - # - # Split detail field and append each component to ECS tags field. - # - - split: - field: json.detail - separator: '(? - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/ti_anomali/1.3.1/data_stream/threatstream/fields/base-fields.yml b/packages/ti_anomali/1.3.1/data_stream/threatstream/fields/base-fields.yml deleted file mode 100755 index 378e9e1a15..0000000000 --- a/packages/ti_anomali/1.3.1/data_stream/threatstream/fields/base-fields.yml +++ /dev/null @@ -1,28 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset name. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: ti_anomali -- name: event.dataset - type: constant_keyword - description: Event dataset - value: ti_anomali.threatstream -- name: threat.feed.name - type: constant_keyword - description: Display friendly feed name - value: Anomali ThreatStream -- name: threat.feed.dashboard_id - type: constant_keyword - description: Dashboard ID used for Kibana CTI UI - value: ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/ti_anomali/1.3.1/data_stream/threatstream/fields/beats.yml b/packages/ti_anomali/1.3.1/data_stream/threatstream/fields/beats.yml deleted file mode 100755 index cb44bb2944..0000000000 
--- a/packages/ti_anomali/1.3.1/data_stream/threatstream/fields/beats.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: input.type - type: keyword - description: Type of Filebeat input. -- name: log.flags - type: keyword - description: Flags for the log file. -- name: log.offset - type: long - description: Offset of the entry in the log file. -- name: log.file.path - type: keyword - description: Path to the log file. diff --git a/packages/ti_anomali/1.3.1/data_stream/threatstream/fields/ecs.yml b/packages/ti_anomali/1.3.1/data_stream/threatstream/fields/ecs.yml deleted file mode 100755 index a2ee1797df..0000000000 --- a/packages/ti_anomali/1.3.1/data_stream/threatstream/fields/ecs.yml +++ /dev/null 
@@ -1,191 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Error message. - name: error.message - type: match_only_text -- description: |- - The numeric severity of the event according to your event source. - What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. - name: event.severity - type: long -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
- name: event.category - type: keyword -- description: |- - Timestamp when an event arrived in the central data store. - This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. - In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. - name: event.ingested - type: date -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. - `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - event.created contains the date/time when the event was first read by an agent, or by your pipeline. - This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. - In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. - In case the two timestamps are identical, @timestamp should be used. - name: event.created - type: date -- description: |- - Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. - This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. - doc_values: false - index: false - name: event.original - type: keyword -- description: The date and time when intelligence source first reported sighting this indicator. - name: threat.indicator.first_seen - type: date -- description: The date and time when intelligence source last reported sighting this indicator. - name: threat.indicator.last_seen - type: date -- description: |- - Type of indicator as represented by Cyber Observable in STIX 2.0. - Recommended values: - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * port - * process - * software - * url - * user-account - * windows-registry-key - * x509-certificate - name: threat.indicator.type - type: keyword -- description: Identifies a threat indicator as an IP address (irrespective of direction). - name: threat.indicator.ip - type: ip -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: threat.indicator.url.domain - type: keyword -- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.full - type: wildcard -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: threat.indicator.url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.url.original - type: wildcard -- description: Path of the request, such as "/search". - name: threat.indicator.url.path - type: wildcard -- description: Port of the request, such as 443. - name: threat.indicator.url.port - type: long -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: threat.indicator.url.scheme - type: keyword -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. 
If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: threat.indicator.url.query - type: keyword -- description: MD5 hash. - name: threat.indicator.file.hash.md5 - type: keyword -- description: SHA1 hash. - name: threat.indicator.file.hash.sha1 - type: keyword -- description: SHA256 hash. - name: threat.indicator.file.hash.sha256 - type: keyword -- description: SHA512 hash. - name: threat.indicator.file.hash.sha512 - type: keyword -- description: Identifies a threat indicator as an email address (irrespective of direction). - name: threat.indicator.email.address - type: keyword -- description: The name of the indicator's provider. - name: threat.indicator.provider - type: keyword -- description: |- - Traffic Light Protocol sharing markings. - Recommended values are: - * WHITE - * GREEN - * AMBER - * RED - name: threat.indicator.marking.tlp - type: keyword -- description: |- - Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. - Expected values are: - * Not Specified - * None - * Low - * Medium - * High - name: threat.indicator.confidence - type: keyword -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: threat.indicator.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: threat.indicator.as.organization.name - type: keyword -- description: Longitude and latitude. - name: threat.indicator.geo.location.lat - type: geo_point -- description: Longitude and latitude. - name: threat.indicator.geo.location.lon - type: geo_point -- description: Country ISO code. - name: threat.indicator.geo.country_iso_code - type: keyword 
diff --git a/packages/ti_anomali/1.3.1/data_stream/threatstream/fields/fields.yml b/packages/ti_anomali/1.3.1/data_stream/threatstream/fields/fields.yml deleted file mode 100755 index 5d8e4e57d9..0000000000 --- a/packages/ti_anomali/1.3.1/data_stream/threatstream/fields/fields.yml +++ /dev/null 
@@ -1,94 +0,0 @@ -- name: anomali.threatstream - type: group - description: > - Fields for Anomali Threatstream - - fields: - - name: classification - type: keyword - description: > - Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public. - - example: private - - name: confidence - type: short - description: > - The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators. - - - name: detail2 - type: text - description: > - Detail text for indicator. - - example: Imported by user 42. - - name: id - type: keyword - description: > - The ID of the indicator. - - - name: import_session_id - type: keyword - description: > - ID of the import session that created the indicator on ThreatStream. - - - name: itype - type: keyword - description: > - Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url". - - - name: maltype - type: wildcard - description: > - Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator. - - - name: md5 - type: keyword - description: > - Hash for the indicator. - - - name: resource_uri - type: keyword - description: > - Relative URI for the indicator details. - - - name: severity - type: keyword - description: > - Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high. - - - name: source - type: keyword - description: > - Source for the indicator. - - example: Analyst - - name: source_feed_id - type: keyword - description: > - ID for the integrator source. - - - name: state - type: keyword - description: > - State for this indicator. 
- - example: active - - name: trusted_circle_ids - type: keyword - description: > - ID of the trusted circle that imported the indicator. - - - name: update_id - type: keyword - description: > - Update ID. - - - name: url - type: keyword - description: > - URL for the indicator. - - - name: value_type - type: keyword - description: >- - Data type of the indicator. Possible values: ip, domain, url, email, md5. diff --git a/packages/ti_anomali/1.3.1/data_stream/threatstream/manifest.yml b/packages/ti_anomali/1.3.1/data_stream/threatstream/manifest.yml deleted file mode 100755 index 7bffc33668..0000000000 --- a/packages/ti_anomali/1.3.1/data_stream/threatstream/manifest.yml +++ /dev/null 
@@ -1,83 +0,0 @@ -type: logs -title: Anomali Threatstream -streams: - - input: http_endpoint - vars: - - name: listen_address - type: text - title: Listen Address - description: Bind address for the listener. Use 0.0.0.0 to listen on all interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: listen_port - type: integer - title: Listen Port - multi: false - required: true - show_user: true - default: 8181 - - name: url - type: text - title: Webhook path - description: URL path where the webhook will accept requests. - multi: false - required: true - show_user: false - default: /threatstream - - name: content_type - type: text - title: Webhook path - description: URL path where the webhook will accept requests. - multi: false - required: true - show_user: false - default: application/x-ndjson - - name: secret - type: text - title: HMAC secret key - description: Secret key to authenticate requests from the SDK. - multi: false - required: false - show_user: true - - name: ssl - type: yaml - title: TLS - description: Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. 
- multi: false - required: false - show_user: false - default: | - enabled: false - certificate: "/etc/pki/client/cert.pem" - key: "/etc/pki/client/cert.key" - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - anomali-threatstream - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - template_path: http_endpoint.yml.hbs - title: Anomali Threatstream - description: Receives indicators from Anomali Threatstream diff --git a/packages/ti_anomali/1.3.1/data_stream/threatstream/sample_event.json b/packages/ti_anomali/1.3.1/data_stream/threatstream/sample_event.json deleted file mode 100755 index 98ed754e7f..0000000000 --- a/packages/ti_anomali/1.3.1/data_stream/threatstream/sample_event.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "@timestamp": "2022-04-11T08:52:31.294Z", - "agent": { - "ephemeral_id": "b49fcac4-6f07-4c25-8505-3306c6f56ca0", - "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "anomali": { - "threatstream": { - "classification": "public", - "confidence": 56, - "detail2": "imported by user 723", - "id": "1785659799", - "import_session_id": "244", - "itype": "mal_md5", - "md5": "6466e2", - "resource_uri": "/api/v1/intelligence/P44706407813/", - "severity": "very-high", - "source_feed_id": "3759", - "state": "active", - "trusted_circle_ids": [ - "439", - "942", - "801" - ], - "update_id": "3898969521", - "value_type": "md5" - } - }, - "data_stream": { - "dataset": "ti_anomali.threatstream", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "dataset": "ti_anomali.threatstream", - "ingested": "2022-04-11T08:52:32Z", - "kind": "enrichment", - "original": "{\"classification\":\"public\",\"confidence\":56,\"date_first\":\"2020-10-08T12:22:16\",\"date_last\":\"2020-10-08T12:24:42\",\"detail2\":\"imported by user 723\",\"id\":1785659799,\"import_session_id\":244,\"itype\":\"mal_md5\",\"md5\":\"6466e2\",\"resource_uri\":\"/api/v1/intelligence/P44706407813/\",\"severity\":\"very-high\",\"source\":\"Default Organization\",\"source_feed_id\":3759,\"state\":\"active\",\"trusted_circle_ids\":\"439,942,801\",\"update_id\":3898969521,\"value_type\":\"md5\"}", - "severity": 9, - "type": "indicator" - }, - "input": { - "type": "http_endpoint" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "anomali-threatstream" - ], - "threat": { - "indicator": { - "confidence": "Med", - "first_seen": "2020-10-08T12:22:16.000Z", - "last_seen": "2020-10-08T12:24:42.000Z", - "marking": 
{ - "tlp": [ - "White" - ] - }, - "provider": "Default Organization", - "type": "file" - } - } -} \ No newline at end of file diff --git a/packages/ti_anomali/1.3.1/docs/README.md b/packages/ti_anomali/1.3.1/docs/README.md deleted file mode 100755 index d828e74b6f..0000000000 --- a/packages/ti_anomali/1.3.1/docs/README.md +++ /dev/null 
@@ -1,369 +0,0 @@ -# Anomali Integration - -The Anomali integration supports the following datasets. - -- `limo` dataset: Support for Anomali Limo, a freely available Threat Intelligence service -- `threatstream` dataset: Support for Anomali ThreatStream, a commercial Threat Intelligence service. - -## Logs - -### Anomali Limo - -Anomali Limo offers multiple sources called collections. Each collection has a specific ID, which -then fits into the url used in this configuration. A list of different -collections can be found using the default guest/guest credentials at https://limo.anomali.com/api/v1/taxii2/feeds/collections/[Limo Collections]. - -An example if you want to use the feed with ID 42, the URL to configure would end up like this: -`https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects` - -An example event for `limo` looks as following: - -```json -{ - "@timestamp": "2017-01-20T00:00:00.000Z", - "agent": { - "ephemeral_id": "29217578-e780-4c3e-912d-0f35ce981fb4", - "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "anomali": { - "limo": { - "definition": { - "tlp": "green" - }, - "definition_type": "tlp", - "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", - "type": "marking-definition" - } - }, - "data_stream": { - "dataset": "ti_anomali.limo", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-04-11T08:51:02.140Z", - "dataset": "ti_anomali.limo", - "ingested": "2022-04-11T08:51:03Z", - "kind": "enrichment", - "original": 
"{\"created\":\"2017-01-20T00:00:00.000Z\",\"definition\":{\"tlp\":\"green\"},\"definition_type\":\"tlp\",\"id\":\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\",\"type\":\"marking-definition\"}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "anomali-limo" - ], - "threat": { - "indicator": { - "type": "unknown" - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| anomali.limo.content | Extra text or descriptive content related to the indicator. | keyword | -| anomali.limo.definition.tlp | Indicator tlp/definition value | keyword | -| anomali.limo.definition_type | Indicator tlp/definition type | keyword | -| anomali.limo.description | A description of the indicator. | keyword | -| anomali.limo.id | The ID of the indicator. | keyword | -| anomali.limo.indicator | The value of the indicator, for example if the type is domain, this would be the value. | keyword | -| anomali.limo.labels | The labels related to the indicator | keyword | -| anomali.limo.modified | When the indicator was last modified | date | -| anomali.limo.name | The name of the indicator. | keyword | -| anomali.limo.object_marking_refs | The STIX reference object. | keyword | -| anomali.limo.pattern | The pattern ID of the indicator. | keyword | -| anomali.limo.title | Title describing the indicator. | keyword | -| anomali.limo.type | The indicator type, can for example be "domain, email, FileHash-SHA256". | keyword | -| anomali.limo.valid_from | When the indicator was first found or is considered valid. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | -| threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. 
Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. 
| long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | - - -### Anomali Threatstream - -To configure the ThreatStream integration you first need to define an output -in the Anomali ThreatStream Integrator using the Elastic SDK provided by Anomali. -It will deliver indicators via HTTP or HTTPS to a elastic-agent instance running this integration. - -Configure an Integrator output with the following settings: - -* Indicator Filter: `*` (or use any desired filter). -* SDK Executable Command: `/path/to/python /path/to/anomali-sdk/main.py`. - Adjust the paths to the python executable and the directory where the Elastic SDK - has been unpacked. -* Metadata in JSON Format: `{"url": "https://elastic-agent:8080/", "server_certificate": "/path/to/cert.pem", "secret": "my secret"}`. - - `url`: Use the host and port where the integration will be running, and `http` or `https` accordingly. - - `server_certificate`: If using HTTPS, absolute path to the server certificate. Otherwise don't set - this field. - - `secret`: A shared secret string to authenticate messages between the SDK and the integration. 
- - -An example event for `threatstream` looks as following: - -```json -{ - "@timestamp": "2022-04-11T08:52:31.294Z", - "agent": { - "ephemeral_id": "b49fcac4-6f07-4c25-8505-3306c6f56ca0", - "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "anomali": { - "threatstream": { - "classification": "public", - "confidence": 56, - "detail2": "imported by user 723", - "id": "1785659799", - "import_session_id": "244", - "itype": "mal_md5", - "md5": "6466e2", - "resource_uri": "/api/v1/intelligence/P44706407813/", - "severity": "very-high", - "source_feed_id": "3759", - "state": "active", - "trusted_circle_ids": [ - "439", - "942", - "801" - ], - "update_id": "3898969521", - "value_type": "md5" - } - }, - "data_stream": { - "dataset": "ti_anomali.threatstream", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "dataset": "ti_anomali.threatstream", - "ingested": "2022-04-11T08:52:32Z", - "kind": "enrichment", - "original": "{\"classification\":\"public\",\"confidence\":56,\"date_first\":\"2020-10-08T12:22:16\",\"date_last\":\"2020-10-08T12:24:42\",\"detail2\":\"imported by user 723\",\"id\":1785659799,\"import_session_id\":244,\"itype\":\"mal_md5\",\"md5\":\"6466e2\",\"resource_uri\":\"/api/v1/intelligence/P44706407813/\",\"severity\":\"very-high\",\"source\":\"Default Organization\",\"source_feed_id\":3759,\"state\":\"active\",\"trusted_circle_ids\":\"439,942,801\",\"update_id\":3898969521,\"value_type\":\"md5\"}", - "severity": 9, - "type": "indicator" - }, - "input": { - "type": "http_endpoint" - }, - "tags": [ - "preserve_original_event", - "forwarded", - "anomali-threatstream" - ], - "threat": { - "indicator": { - "confidence": "Med", - "first_seen": "2020-10-08T12:22:16.000Z", - 
"last_seen": "2020-10-08T12:24:42.000Z", - "marking": { - "tlp": [ - "White" - ] - }, - "provider": "Default Organization", - "type": "file" - } - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| anomali.threatstream.classification | Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public. | keyword | -| anomali.threatstream.confidence | The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators. | short | -| anomali.threatstream.detail2 | Detail text for indicator. | text | -| anomali.threatstream.id | The ID of the indicator. | keyword | -| anomali.threatstream.import_session_id | ID of the import session that created the indicator on ThreatStream. | keyword | -| anomali.threatstream.itype | Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url". | keyword | -| anomali.threatstream.maltype | Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator. | wildcard | -| anomali.threatstream.md5 | Hash for the indicator. | keyword | -| anomali.threatstream.resource_uri | Relative URI for the indicator details. | keyword | -| anomali.threatstream.severity | Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high. | keyword | -| anomali.threatstream.source | Source for the indicator. | keyword | -| anomali.threatstream.source_feed_id | ID for the integrator source. | keyword | -| anomali.threatstream.state | State for this indicator. 
| keyword | 
-| anomali.threatstream.trusted_circle_ids | ID of the trusted circle that imported the indicator. | keyword | 
-| anomali.threatstream.update_id | Update ID. | keyword | 
-| anomali.threatstream.url | URL for the indicator. | keyword | 
-| anomali.threatstream.value_type | Data type of the indicator. Possible values: ip, domain, url, email, md5. | keyword | 
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | 
-| cloud.availability_zone | Availability zone in which this host is running. | keyword | 
-| cloud.image.id | Image ID for the cloud instance. | keyword | 
-| cloud.instance.id | Instance ID of the host machine. | keyword | 
-| cloud.instance.name | Instance name of the host machine. | keyword | 
-| cloud.machine.type | Machine type of the host machine. | keyword | 
-| cloud.project.id | Name of the project in Google Cloud. | keyword | 
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | 
-| cloud.region | Region in which this host is running. | keyword | 
-| container.id | Unique container id. | keyword | 
-| container.image.name | Name of the image the container was built on. | keyword | 
-| container.labels | Image labels. | object | 
-| container.name | Container name. | keyword | 
-| data_stream.dataset | Data stream dataset name. | constant_keyword | 
-| data_stream.namespace | Data stream namespace. | constant_keyword | 
-| data_stream.type | Data stream type. | constant_keyword | 
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | 
-| error.message | Error message. 
| match_only_text | 
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | 
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | 
-| event.dataset | Event dataset | constant_keyword | 
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | 
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | 
-| event.module | Event module | constant_keyword | 
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | 
-| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | 
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | 
-| host.architecture | Operating system architecture. | keyword | 
-| host.containerized | If the host is a container. | boolean | 
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | 
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | 
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | 
-| host.ip | Host ip addresses. | ip | 
-| host.mac | Host mac addresses. | keyword | 
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | 
-| host.os.build | OS build information. | keyword | 
-| host.os.codename | OS codename, if any. | keyword | 
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | 
-| host.os.kernel | Operating system kernel version as a raw string. | keyword | 
-| host.os.name | Operating system name, without the version. | keyword | 
-| host.os.name.text | Multi-field of `host.os.name`. | text | 
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | 
-| host.os.version | Operating system version as a raw string. | keyword | 
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | 
-| input.type | Type of Filebeat input. | keyword | 
-| log.file.path | Path to the log file. | keyword | 
-| log.flags | Flags for the log file. | keyword | 
-| log.offset | Offset of the entry in the log file. | long | 
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | 
-| tags | List of keywords used to tag each event. | keyword | 
-| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | 
-| threat.feed.name | Display friendly feed name | constant_keyword | 
-| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | 
-| threat.indicator.as.organization.name | Organization name. | keyword | 
-| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text | 
-| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: \* Not Specified \* None \* Low \* Medium \* High | keyword | 
-| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | 
-| threat.indicator.file.hash.md5 | MD5 hash. | keyword | 
-| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | 
-| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | 
-| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | 
-| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | 
-| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | 
-| threat.indicator.geo.location.lat | Longitude and latitude. | geo_point | 
-| threat.indicator.geo.location.lon | Longitude and latitude. | geo_point | 
-| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). 
| ip | 
-| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | 
-| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword | 
-| threat.indicator.provider | The name of the indicator's provider. | keyword | 
-| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | 
-| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | 
-| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | 
-| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | 
-| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | 
-| threat.indicator.url.original | Unmodified original url as seen in the event source. 
Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | 
-| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | 
-| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | 
-| threat.indicator.url.port | Port of the request, such as 443. | long | 
-| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | 
-| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | 
diff --git a/packages/ti_anomali/1.3.1/img/anomali.svg b/packages/ti_anomali/1.3.1/img/anomali.svg 
deleted file mode 100755 
index e9cade7e61..0000000000 
--- a/packages/ti_anomali/1.3.1/img/anomali.svg 
+++ /dev/null 
@@ -1,4950 +0,0 @@ - - - - - - - - - - -]> - - - - - - - - - - - - - - - - - KLUv/QBYXLED3pfECAouwBJtEAMqCRKl1LDjOBKj/J0501ZeRf1779cPGkmZnTJLqVG5ZocJgiCA -AACcB9QLFAr5COXYIpM8JEXyOPDAKpiovaqiSorLItMAUX+ItI5IR02zrWKdYuKRic6n9jxkMhHp -7HQXjUh4Do2t9tgOmT3K3dTvmn40NN3CzV1COntvrrNlqHrIYOXdqkb0kyKdqf76oaHRZdMh3czs -mBk0LuVQ5EiSunrhuoLP55EkXIeHi1h8aNL3tApihxVHlhSihwcdVgWTS46SqGRLEyM2fCB6OhJJ -wqCj0JFIjMNADOMo0tCbUcywUYmCjKRIFEiBFEWRR4zcLJsoEmsUWyQoZNgoZYepW45TLAUWaBwW -SKKcUY5i3MSSYdkqSt0KZmrZokAQOo6jmJGtJBOJpJFGVhKCiGLR5ElB97P87s4JJG9oVpU4io8j -x0FHYiRY9tAthYGUpMolRnnC7ka5ccyiIAaSHBZIknB5liIxEgNJ+DKxxUEu03sxDkSThO202Epx -FEiiENNSJFcghmHsFlt0b6aytVj4Ov7OSlUlnEC25MsuyWEo0iUKkoiRRRabmplnRQliFIrHM6wE -crwcN554NyPFLR5eoUtYkkXNoEIpy6bBnQ+ZOmSeRlv0q7WSldpYimtaXzKj1X/IpL2W1Hbek5Dy -Dpk8vB0aUV1F69LCNdvbTbKtyy6zItWd6ZJZM/OUGtUX3qlMWJu2aYm+cQ8ZuzPMvENNPBrZMfGu -dslUKKB72M8qkUjcxepmIsEiAXIYheLZ6RoJJIstjORIjBRZLmGJ2sKQKkfJcsLEkyM/Fv8XOhar -LFpSWEG2CiaMUkdxFIpXLig5SrGrm4vfq3UCMVY1FW9L4q8kkGIUq1l+Vi6lILtAnJREJWqtQCyp -s+8VxThyRAkP0pJQWheIj6JHchBixJDLg56gE5W4xBNHhxRqYsTX2sSwaJGwhC9PjSOxvdjvx6vx -I/HkZGiIqbhHApPirKy8tExNzUUycanp9YqqhaGIJjRRWlqvyVRHOiGmbkkUl125z8cXXiK0Q+Z1 -yOx/LxHe+CJKLVveeU2t28lpzdw8trOwlGzq4y35W5hG/5lald2JNhWXaGtPmTtk0EfUtPV0hi4l -QzQ9Ujzb0TX0QsW1GZoOb6wrQjLb7ES7l56MRPE8vJ9dnYkS68IKLLQ4jOMoEpgBCiYWpZg8gSRI -ORADMRbRvCHmxJE4kgM5Ci1XhBjHGorGjRtnWJFxW9C4kX0VLqhIbFGJFkQPNbTQVb2eWmJkYr4S -mCCCh1Y5PVES5DAuQeSEEpQk5TgMo0AkNJOLiFynLOighBJkl813uqgLH05M5bJ64WE07LDE6Hym -V/j2O15fvBAW3iZI6cxNpLX0CjW8tl88NlkqqtjvFxc3C6Mgi2yyiaXCXqAWWxRHgZBhw0Y5XfJR -P/AMmdLABoK5wGFCw8PDA77OPJvGCPXYDJpf+Xjs7k7ebCUdNMYYY2xHh0pZpEPlNn1co57R9FDx -72SpdhEeHiqKrlxTNTRaPB9e+V5WMmNTGjhERDg8QIgAAaOBBw0SDBNxAQgLDAUHDDKwwGgplW91 -d14dT3Hr1NDMjLZKR4sOGVS8azex0ArJDFH3v2rSGuL5RrtaRIhJa9eDWL4fMqp7Sqi3aae609Mn -ahXuUv6W8qp2mEd1b3XIlCbdIbNV/no1lQ7Xzmpl+CyfHjJa5TK7tablIWOFrzxKf9WUd62RLv2y -6pCxXR0ymoRr2nuleQ8Z1LQj9cmIiA4Zs/7QV4g2PWReN1T785u0h8zNZNI1u13RoUKBoyDkMp/P 
-91GtXq8LFzZ8uBxGjDihonJVVVkdVm4VRyGVVKLIbLYys7MbWpraWmGGpR5FtzAOMmJDrKCBGAiS -UOLESV3yBJPcpEiM5EiQREIJJyphiVI2sZuaSLzEJSiRJEZS6BNL6kAKRJG8lZ+VJRKkjGIrS19W -qihheJ1XJieEEEIGFbSkpDfZyh2TlHQTlhhihxlWpKHdzszKio0sUUkhdZRRRW1pZWFhva6sqlxU -CSdGfNhw4bU6jb7vs7lskxOUEEIH0XprbW+/uLm6u8UaeyyyyZbEUuGiCiuueIFFFlpsURRGgRRJ -kSjIsFGGGWfcQCMNNdYoDMM4DMRIjIRBh4867LjjBx552BVM3cIoEhQqDgRBEogvwSSTTDApmWxi -JEiSJJSghBP2xBOYyMQmDCNJIAeSOBJGwkgcCS21kiYSySOL3NTEvLR0UpYEImhggYuJiIeGhcbE -kRsvrs//d3vdT1xyyBlXnF7e787OR5cYYoatqaWVMqsDSRQXCzTwQAQTTCCls9Ly8omZqblZpJFI -JplIUmup6ekVNVV1tVBDD0U00YTSIkkiIZcligTFAImkIlogxSZmHoZhFIYaaaBxhhllkJEokuIo -jKIotMgCiyusoCJZZI81dlcX93tr66VNKKKGrqainv6uyMjoqEhggFJYYaUwDkssYYXOV2d398PL -09srzrjjkEsucXS/fv/xef2+uPHjyJMnTmgsNDw8IiYqbrJJ2cI4kIQOOaRc2R2RRDTJpGDy5BJL -KqnECSUJJEEQ5EAMZBFFEkHkyCGFGCGEkORAjuMwjuLQIw88fthRhw86EkZiIMZhFAmKAQoSUkFK -QsKjO56KBDdkSgMOQEiQ4DABMwAHCA8NFBpwwUOCGKWCYciuYBiGhWKBwbBgiGzoBg2ZMsYYCgbD -grlyW3mobP1QuZXqKQ/TPh8qVKjkVZ7pdvevHSpVuUpU60PdPFQoUC4wTBkypYEHNGCBgfAQ4YKG -BAQmgogHhwgXNFA4wINhqBw4uOAhYbjDBiIooMIFDw4SDIMBC0wDBwwaMGCBueAhAwgMJkAcDhER -MrDAUHC44CHCBTAQ0UCBBCIcHhokUBDxEKFBARQaHhokUACBaYABhASHDTwkEyhAXMAB2UCEiAcO -GFSg4EABBKYBhIcIDxooOMBAYBpEPHDIgAUaYC5w+EAEChARDxwg8CACBjBooAAhggQJDYcDhQYJ -iQcTHCIqeMACBwkPIkRQaKBgQoUIEiAsMMEDFlSwQAQFYOBBRAMHLDAUICIiXJCYCApFAwwiNBwJ -EBAOiKBQQGAamAYSICAcYDBQIQMKhsFARAMFDw14oOAQEdFAAQQF4gIPE2CQAQSFAzxEgJCBBAoY -lAEFwkOEiIcIFCh4gGAAAwYZRDhYAAFCAgQFCh4iQHAwFhZKhYgHhwkTII4LHpKFhWLBAg7RAg6G -8oNDRESDhESd9cbcraVam/SoqbwgAoUDMGSdA2MtBxE8RIAQgUIDHCA0ULCwUJIDDhEg8OCAQQOc -Z1ZtfDVaZ6PmyhgdQADCAQ8OGDSgAgUHDzQoYEIGDNCIDCRAVHCoIMIBAoUGB9iQIdMgIRFBoWC4 -BIcLIBawExQLxSYCBwkNDyxwgEChQQEMVyaCChERHh5AwUFCBhUQ3VkQQaFweIBggImAAw4RNuBg -N2M2YzUHxrAcSIjgAAfm5w4RDRIwmODgAAYzdEN3YMhEUEEDFBomYABBoUEFHiAiRIDgUAEFIDBk -bnp1Wnd4l3XI/NLsRnh55zpkrqqeaPSs8yGXXe9IUQ81D5laM9o2b4u/Q4ZMBMYBKsB7CmBhoTQ4 -zInMJAxogAMYUFAAgYmgwgSIiAoZHGQiqADhIUJEhIMFDhAaJkzAkBMUC8VE4AChocIDbIJioeCe 
-iYCCgwUmZMCACyREyMBgKE9Q2EQ0TKAAkXCQECHB8AmKhRJBhQoVHB5AUKAg4sFhQgYPIJCFhVJX -iL9e635HHRjTO7oWfY9OnjE6u/M5fz8+BwaT/j3nHn1PBYcKIiBgYaGoA6Nn6hyYMhF0AMKA8BDh -gocMIIyFhWJqaBOBwwciVKjQsIGHhmNhoSyAAmMVwRkyAZIIQEVlInCIaEAeICI0iNBwyElUVAzG -ASpgoAAhAeJg0ACFhgVEkNAwAeKhYHiAeDABBCYCBwkRERywsFAaQGAaUHCQcMFDAwYO8wBRoSEB -EJgIKEAkFhaKT50rE8EDRIQKFBwgwKATFAsLhc6VaVABBBQgIhooRFTIQIKECYyJgAJERIMDhWNh -oRg65sDBAhAXFA4soAAACwGJaeyeqD6aeGhNUvm29Jx1nmisrLRyafMnyab0jmZ6zDt6PEVS514R -HtsGzUs+pTU6W8iwUCAgxngzLJQMAhABCZgGEBisCyRgzOAgwQMRO0HBUIAGEyhAXMABExQHBIZh -oXQgAoWIhgVIaHCogAAXOFxAAeKBQwUREAwggCGAYVxAL+25R6tHjdSYzuTNSjyamA4MSrQmHTtS -Y+RSTSW1g4jpQE1fxFSfc2C+ubUur7dO2QHDQnlgGFO1KnPasZ/K+PCVVYXnTlt79tu2DvllB6au -5tuIjivRHDAslAkSMGbpul1rzx2pOcq18Xt7CDEdmDzpYd36Dsyt3dEuoR7P2jzxjLi7lLYnHRj8 -+niZl1vHygHDQoFgGBv73cE6u0H9D2GtGTtQ+zJJa7+J6mO0IVOkPjrkwDS4WcBgWChHolkWbp7M -Uq/+Md2gC/Pu2NnUX5SpapsHzWqHesowzyT58nCr8mfN5pR+uUfzjC3aDe9s0pJMU3Gdx89KTL3l -ntQzesYXronq6NnoUmYtOU3Xd5VbpJp1eizP525TpnpWXTxTiZvG9W3OsFZTb7HO5hlNVxGuGu/k -bZxr0jylt3pFuHe3kyetTEzbMzFTtVzn9Mwl6n2dx6NpY7VPtd7He7unc9qapmqmHeuZK7u6r2b5 -+EfPc3vGSF/6tVudo00R4p9azp/aU8Tbr+l3CG0sFct0ds+kGiu/qOmzaKNXpZf688/3jN4t3TfR -eaw2pYZbqVSppyhtqw4+tSjpeM9g5vPK9VtLrdQ9umcU7XdfVZvDXKw9Rmf7xDyJNpaar1zLIsLV -29imXqXqn+foRu9ujfs6PHQbPKx16mnuQbqTDVfxCBH3MHeJZre46XOVdirV9yzd3BHVb9NqD7oM -knlR9UdHvWt0vEXDPHYZxdwz+9mft0ll0Iyr1ySyo7+pp3lvVc2OqUw9z2FZpdIXnXdubUr3h1cy -qqN4c8UjxXMqg5hfvFpZHcSbXKX9La19zmWSrqw3nmGhPDBlt7t4XGW0qsyo9O/Ru1E8vm7PbqlK -aaiZ9LOZ51sTolmZ2s3W9nQ+dGWMEuuouTd2P7cya7se9dZ0rHrUKtpDpKZ1a886WGXW1n5UNNYp -u7ntGfmYDBHV7PZk3Tzrim5T7wdLqxLVmD/PJS21vbOduzJmJkqsm9/m2trKNp+beMp83z79YytF -tSU8Lpu07NZeP1dl/h+VnaubyzOsWyKlk1Wm0rWoZJQnfXO2Nt9Sap2yMn7RKdU3nvJtXVv966iV -USMrpX1lWCgXYFgoEzCWP7MvkuI5tdEtq6MaBMyuE++LZHc2bXZP71Dvdk6f7Vuqdw== - - - rjalWJVHT39UbfZKVqhJp/O70bX9ft5QKY0O3c2/Z9dzmXaGhXIYKzyHNqildqi5pntm/ZfKey5t -XKQ/1OvpoN2kutS++s1TaoPeQ5Z2Um0ULStRD9fO6wwLpUECNjXj6Ra3zJxlpjOqQpPh2q0NYFgo 
-BWBYKAOogAHCQwQNPGgwGBgmKCAwEiAgDAIYMyyUCIwHKDQ8QESIeBABiaBQEIBhoTwwLBQFKEAB -hmGhTDAMC6UCCVxgqAIUMAswZMMBY5MBQyYBHpCAIVOhMMewUDJgWCgOBQckUBhiWCiGtne0Z6Sj -aQbzZ7pWro/tTaYetc0d5hbu8z94NqWBA4SGCBIgEhCYCB4iQHAwzORD+btatFvcOqEaHt1S1/Au -sZRSSqGGloIYxg1DiqLQKqhAkjYpqdfMJxbTxx1WDNvCrDAXSDHkSpVWQgUxFi2K6TAK46hQsbXS -YAAOEREwEAEfMvhFU6VeEnr3lya8KlW9pzfPGRoWKR3aETkPafGI1qn6fVJRUikFyok0QkhSl0bd -D022TE1zyw6VwTod543nzNj2MRo0x6NLx69cwpvKarVSbYpWq6drP2WLYhwIWepfjqSsbFLHbfKC -FHK5Y74U5ZBEwZJatjiQJJEYR+ohd0tKYhxGJUYhRqkkS5JIrrfY0e1xO4qiWG5VkqPISMTXLYGQ -UQVCqld1iO5sC19Wr1rmrmJarRLtIZ3m6n0vrWyXzlglkYmL0+UKLUZ8NZKSbCm7Y+oW5UCSRFHq -ytdAinEchOSRPnzkGSnylpQtmsVshXEnWEUeGVmSFFoSXY7VJ4qWe5rRsVTF1dtVCY+LRj/77g6Z -xKvLq5JpPZ11dofM7y+jNRfq+Zqp+L/oFUdS7rhjallki+K6o9hKHi5M3cJAkOSl3FGQJFHljqlb -lAM5KyrFXvIjpBhViUKQoihaeFWUQIqyLhJ/pTKBxSUIVpFnZDZKSlFGFZlOSuLDyHEYxZbUzCyL -t6USh5a1NX1BK4n7vjz4X9n2Tnmqv1Wr7qpdr1TzKlOrTmit1NfxuHRruukhc5f9IkXSq2nukdBV -h0zVmeKu6uvgT8mualllS3eXe0b0VDNSokCdC22WxMtZESLIQQkVSYEUmxSrbYLFyowiQdk79EQJ -alOr9FBSneoyC3HvPB8q1tLvQ0aPftxbuWiyRyYlDyPxWmikGEW5Op+PvMgW5JBcLnGpW5zKHWWN -K7YYW5T0ZatQLFVmH4q/oyQlbdFiVXW3ZTtWPoR1znKT6sq4ezLd9c8tFQy0pIOZeK+zUdc21fbI -UK+ofmRaShMllFQiQQ4DSZIkcUleqW63qqo1qkNmz3rfTdXUMjzTu1GtPOYfnrvUMvPmEV0R2vZO -n6p0okN90ZqP4nGJ4gcmlyhyHKUoB1LumKVYI1HOio+yiVdHURTFHkWxUiQomFicLgpaIsmrQ7G2 -HMhRtNTaWEXFcr1pJZhAygQiZY18PjHDCjvQTxhlqjuWBNlm04StYGFpogqk/LBADqkXiUOnZdk8 -MsnD9jaxVZBRmzBsHCWhKk+yoZaEbI0tZktEXa48ZEoPmcOnEhoZie7OdrrKu/OvZapmSkayk/dD -Jo/X9DCV1me0ls/WKrL7oUKBcqUgxGV3LLqFcSBJIZddYRTbHVO3QEqC5LI7FgkKKVK+IuEsiCXM -ZwcaiZTnM1OPRK4H2dpugRhbLDmynNDQgr8q3ga7Z/uQ+THJpfembzONdb9c9X1rxk1EXSUrWzvX -77mVLAnDhwtiCFLu/29V2LHFFZp6LaWkSR5ZJHhgcYkhd2BZS0NbAssqsiUTh5Y9ztiXo4oqyjDQ -OIojUYxUGTFzAinGceyhxY2ORDkvnouiFKKaec6YDZpSwUD/hXsvFxpW1moebTpkbhOzCLPW0DDx -9Bte2deFSimFStkVTF2j2K6kbmEk1iOBUFIvWXRLYSSObC9IoqQxy1Fw89BjF6k8MKFbiiqMglAp -O9OyxVjlDhuVRlF6kTiMiCJFInHCEkfKlZW5kBWZCmLB01mVlyuEkJJIkGKTvBkpkqNkkcWNNRJN 
-9ChoiUxkkofZMPJy/DCuSGxaSVRi7/KRTkuoVXFJkMPQxOLFOIq8Inqmw/1hHtutnMe9rDw3X56m -nW4ZKikulksPs2y07iOyM2PiUlFduRQPyVbK5+VmKb5sNG2Gp0po1pmoVjTmQcJFl80d7ZUtyam4 -VjaIP8zMpSxrnTDV9Mc6aljmk/Ye5+6xBw/o9qDhMTv+aN3PPLV3akqXemp3dE/JUk3XTlEdtZyK -9s/Sn6SLakQ791W9qXbWWLh1acS6W6rCQ6W1d5lUf/c0D7eSiPDW/CDP1PYU00XPNVHd6e1t7lKZ -fdLS9VYfgvDjItU5TYt7PzxVZuVc3NvqWVs0lViW1/yeVFKqLCXcPaZFJ9rSLNWDiUbRtZRrSD63 -zcuJ5ltalJtneNI2iLtn05ygdMQyvVs7hQ1MMWBcYAI261oaolLpN0+2aKW5tk0sVdz66a9LZ9NE -tF076UrpfAcXv2TyUUpbC48uvjSfPrTosiUtUtybku3MdI8bMLVd27Qi2+2rbumoTtlbtHr7xDpF -dS3CtZn/TJ/ZybWpS2ve3uEPUl3W2q2r7tS/RRvmLZW/ZPSxdVJembouZqIP76y9C5GWvnqzc+vE -6/c21XyTir43+eTaRzWrPNFzXaa3dvw5qjzh2TWW9fZUSXpVeWvyHqWbLupZMnh7rsI8vLWN5ZJ9 -T1Hh0iWdXV9rcW/Xu3aia29NhaevKuL52hwdWhcd1fd6elad3qX6rhrXdSyyb93tuXrt1bX6otYd -VZvu1hd/OqguvK8h4dn0nf8+jbdp+15t6vQyOlfn7V9MH+V576tpl5ZfM8ujmJlGuHinB++f6n71 -NhZunvX2q5p2KJfI9ODpq/JbLjuLxjJS/NLtHkqbpbONa7emj7i09lN2flbvoZvIuHe/Ul24t+LZ -s+H9jtZWpZOMWmKt1palou2WjHu3ruGeCXHtvXOmezTcq+uxs9GIe19Nn+mxtbF65t7eWY+uU1XR -jq7ra5d1cG32qudvrb337119ML2U52hj3J/t+X109kx+7ReP7BhtCvdbeS59TrLvEfNc/bv/e55W -Onr7ERpuOenc+W6XhXubd/JcxqX6HbtLV/VrU55CW21q4VrdHjwb/G0fMj2bFdd8Hyxj/hT3Squo -DpdOeXymPTrcs+3U2V/DLVw8dTZWikZcrdpjtmr0xMUbHq0rrURcQspjM+c6PFw13LPmRR/RD1aW -E9GWRE6yvdtLXC1TS4tO1dPhwTvzG9om/bpN1dt6LmnS6R5T7fSO6m2p3Xqte5aa+DxEN8ZXWW6h -7gvvKFXT9JSPuOpcyqtju4z26zrnTy7LxSpMNeue1cu12mektalW1JN5BokyLZdseoz0mPmT3eHV -wT26O1+D13WlmmnPjw6u+eZN1dZz7r16yjZJqIhaNjpZirveq+ULDdG+0u0XUqpu+ZR/u+PRdt2b -Kap5fVw/OS+vrrqUarZ4yLcvmrpeiOhFLaM96V8xF9V8NW9Sqn20ulNt+aP0smGlnqrP0c8oi07u -6VOvbsd7iuqtNPoZKmrdrrTMR+tHSXeodJcH7d+iJaT/q2WG6rvZCu/c/l0yVF3v8X3tqap5Vbyf -wh/1i5q7iVfLrzpTv/+uGRL6xzojvfG+zfz1cPVQHtN51+/SeV5x62ovOqUnJNQ8a4S5ebWpTuFx -DfXqy5/980eyGq9HsrP4P594vbU9iK9VNaqS8+Bd0+7ODuGv8GqIdBZ//5pX3MRT+LPRqEfWk3fv -M22ohXq/nrqbHq1QfaXn7gwLZQNLZiVUpNxD/6Ie7fNHpMsr/XcOb5Zm+/twsVB//9j9Xia0Q/Yz -ferP+oaopzrlOxVx6Szd0IeUeod0ys9cF6XaWR7z8Rb1rzzom+/k1NvukH9HVXpOP9HTeJL+qzor 
-Xa8O+rciMzpkr6t0oebqz++bmb6jn3pVMp/9yxS39uQdCZHsdycv6vlp9d2f1/89GSpp0qm7lhKh -llGP3errXf57iL7e1CdVt5Lqev0d0hWr6nh/w1OWkf2VdxUu3pg/2qw8pU61X713pxIPvXQ93Sv0 -NX12Uk9GV1P8qb3eL+taSHtKj3m692Rj1zrac/vXXe/cjBHe87RUT7+Hzqii7p4aS4/t0eARsU67 -vkNnXgf3NpNqtHdaeXvs3AgNIuahMq9DpvT+nO6dGc1h/eSNT2m1DhlNGtmhNLZ4uKfq9Pne1iCp -S4nQLKkdTYNYqKdKrrN7k75jd79jb1p9c9GurdLuDKKi2afMvI6eDp05k3nXV/UxM1bkVNM8vKP2 -81EzqGv3ZeEpM1dGRad4/ynbModqq+mR9NBpnR4to6jqMy1DS9WTZTCRkuxQotHfsTKmiqp3kur4 -7lSrnpfZRCUtveal1ZZq4Z4nJh41c2cpmSqisTKmk8i0Es2W66iZMkOsPGjGdle1NHXrSqfOIB7l -lpbZa+fJM2qz25SeehDttCfP7GnWUaL56BnDI91vHjpT+rOFuKTHN2unWqfm2+NCg4UHr3x6a3e0 -Xnb2zG3mrVkuHt84X5umRfnjQ3M8H73x/djd7xQa8/dppw7NfaduDDdRTfX6o4bGbvHUzRra1Vnh -GR2jse7RnZKWnXXP3WDmqU/1jg4WGiOts0c1nUVD2kNqzIpOTW+KZw2N0+TPNPOsmuP1zOfso5PG -tNpDibazRfu0MM1HH9ZtdVpfnys0us+DaNBsdadoNFalx9QUWVmektPOEZ7qXOdkU2v5n9podtNO -rfm50WRhHlSjia86zdedK6S1Y2rweVzTPOc5Q2OVdFTNvb5P8Wcnc02m9+yU0n7WuWqVSzaIPlRo -Es/OrSktutNjhQbXmKssD55Pj6IpqnXaHRrj5TE13kS80fFr9oWLv6N5LRcL6xjZmFVtb2hOV4+t -cT3pTK+sB/c8jX+qNzU6nj2kvbM39lKa6dHseo8d2jTLXG2PmjmttCxTVDtrXzTPvOMz5etLnWhn -FU268vxMUp1SRPwxmtKTicaOTqVZI/qWqmvPJZpL67EadO6WHk/Hcs1qRTLTRDSWdwfTJF7Zpq69 -o4jmrugYGt+laXbXPb7ZOrQeo9Fda5mWNY8RzS7i2cRSPLZmnZr6c0ezBv+v7YhGTXZOzZaiYZ0L -VWf7VTuEhaeuiGdbZzx6W1XfOaptS+Y7lfYstS2arVnLx7N9KR79JtquTX2dstlpc33ShuQyl23k -KiUrG5Iq0Qm9dtsps9pDddmRDqn2ZpWbriVz8AARIaIhAqKCCRk8eFAYBgQGwkMEChEWEMA0MHMA -QdVV/nw1F8tK9+zykGqa3Ui7q6XnvEfTeQ7ykH5j297nUjeNfD+bei4aFf7Gp72ZraZvU59n/7KT -+MO0s7MvS9Lb/ZVodLO83RZT9fxZmXW2ZOhDaKtodg4xL33D0/6Gty3NPHct07P8yw== - - - 1MyWivIYFm2pbdEw68zWsH4M636Oq3q2tWp325rpHsqbbWstj7NoTanItmiHZmhb9W01Nw9eD6+m -WdpaUh3TbEt0d+q8d3U+287a1qEP15ZeNcPLNDvjz5vndOGe8a6a/1E+rXj14X9JuL/3hN/KzHPo -s6K0r0nPaGe6k+bPq+gQy2zaRLTZ+XKPFhmi2e/ks2b776CV+Yj0eDuq2VpnpfV57bJDnw+RDBfP -LkPj+i5bjXdeme2++7bsUoswb7V1oY/H/Y1eLPQaTfTvl9A31xEevI+ZJp/Vx2vc3Dz+8+Arj2Il -w0KZsLeTeUprnp81S7Ps5FntXIXrsy9trXQPXq2tr3DViG7vt5MPfOu6OmRlt1d1Mrtbqtr73cWw 
-UCbwfa1tbR1t/WJYKBvQxaKro6pNWrSzV6g+VD3GujqrU1u/yldLV5Sv/VWecm3gWNIzLJQJTOAB -nR4fw0LZgH3uPnjYqVQ6O3bPqmMrH3vzJwnrrN3PJenJqJJs65XeudPVO8cr/ecSL/dk0jlU37l0 -ZuniQbRNz2HZHuPm/aQd+l2R76Czau9Yb+RDe1aztDSyd9U263zvRcc2Kff2V3Nx10YydB0q6+HZ -yemj0l1GRsUr4+apnZuSVxWtcJGUco/w5z7lzbC+Trvq7liKr0Uql6nycom8lLS4VYg2q1v0MSWa -+ugyLJQNHJqdI9t+WlGmr7y66cNzNNadY2JuHrM6e7RTeEl4FrH29uim2rQv01b5Ltdk0z36cW7a -nW+aqeokXZZiZu2p3d1tJe5W3el8ddqqStwyw0I5XJqKeyU9L+Pqf4d0ttWen3HRfElneOdF/KHh -LaZ+01q4d+flnvXsSKcyI8x7UxF1EdWaR/RRfwx9mnmFq+fVI+Neav6MW7eZstRrd6uF+XwhJpru -ZKS8s1T23V+vSX2fkf3qW+ftUuHq6ceq0Gd1rjTfWmXqMSvbqrKzVUh6tFurSizaur01HayykV7d -mveULH1kZa87WWUf2t1S1ZLzlgp/06V9S11PY1rS5XGpGp/0W2vqi75GdIR1diffe7zGeqaTVPF7 -qXgojVpHtvbWGdouFXPpFr+UfhHRfUtdevdVMyyUB96f/810FVL+LHrtJty8626vs1Q0ZqZP9err -sx2p1Z5p++0t1Vp1E/UYlW1d0rrqai+57k69zSU6RmWiKzx23bqWjPQqbavojl75WHnqqtYQC3Vd -VlpVtbTWn6vq6nnq+pq56GyVl46/u0iTKg817/YKf9SVVYZ039rqqm6VSvXGsFAmbFWtfU39rcVj -SnlIp2aXdra85sDgWqWRmrTI6Ivr0zyVnqvrVk/Tult3X/VS2ZbhK+215r+UdmX11R5+f1Wn0vZZ -mdreNpcZ1+4b2p7QinSaWGu9c7TWz7LojEupeereOxXZ3fXsGZ2ZaMzDxK/Taq7/a4p0MG2bR9cM -C2XCmkpvsUjPVrnqeYV7Z9f3Jfsdq4nO01iI+HX6a1Y/lt7cvWs6/c01UdlpzKRiWCgH+uyOtVh5 -q+m1Sn3eJpX3yoi2eheV0Vw3nn+LWki1erd3VYf53971Oq3dVhXeGiurrLQKb8taB6ly0VBvjape -tptZ6bfeyvvernXJtGcqW/qut5WLx6hsu8pbpcrU05+r7LtMy7R/zJu3O1XTO9LvVUZnzFqrC83f -VTta+7LMwj1WR5hWtnPVtAOjvmthLh3dq5vIMA9N1XrcOrZNB8Zod8VarURVQifdgUFVPN+XVbh3 -qbq5dawOrZu4hPYyw7LLZ0tYpmc9W9/o6Gvx1tD2VeX7bKkQD2HZvbTsWFl4KMvw67Mt1DuEtVfk -2+LLT0rbq7/udp22+P3RK339Sm3zymfqusvdujp3laY33Vql01avdjG9RlfWvVWl3en2Vrfa/dpl -dZNa3WoqHa3KYCkUDBc4RDQ4YOBQAUOFCb56pWPayj1DOkmmd6tnKdeKhrenbHh6zLt65yrhnfLR -53Ous8yidCbl3qZcdelp7s9aol037TCtfvrTtK+25LN6TKMmnp/qK5H+oF4J945qki2R/nQ1Et7S -qY6uaUtmerqIa9a925sTZWLZHu5pcTXvp8yITI/Q9lZ1UfdYWU9ztwwt0XrWkoxnpXp636TdiPb4 -dd0y4pf2Ze8ppZbhUiYZz7tFp+zUiKdJvmOj64p01Ttrmz9zOTVt577p/Qnt0Lb0nB0YE9Eq1vfO -Pplk+J+uEDdPlX8H5mn20jWtUeoh3DQ3pdVjtqj7OzCKtpuZpkg+Wg5M7TnF34Gx3e+i1WEsjexL 
-pGdhmilR+ZBoj319u1UmrVV6442i82oRzfRlmbaZeAevfPLapk/HdJbXQ9OtPXP1WVm++xbitWw/ -iTdFqrX256+2hVbHrsx6Le2Kdb8IferKGBKpb7dwbX+5d/o0I1I7q+Od5/M83flGvqXyHbMyZ3e0 -65XM7O6+PVxzrtPXRNyDutb1Watb9dYt/XtrLn31mXYqaTFvhLe+s9s81WNVJsmEeb0rHsMb9NaR -zVD1Jly16PqAAJSSEdnJyifvuodZpKfy6eCFh3bHzH5wLu1411znNo1kuUhEdmkyWf/ZTd3zxX3V -5RoWnSJzdJrdOen66ty0umObWVUunfcsmbWXVW7u/Sz9enTurfqUTdlYzmP+2ZJyba/n1meVc++r -x3xk/6lo9f+l2tZ5u27erpo/09+fN8qz6zGfWtfT2in9khbVlfDyXG960/opvb+49VK1df3q3PRR -9aTmb0WqX93UU3hFhos/0S0Ny6R6qoupiGmkq7c3tzQ8LppNqi1anl2lo5pNnxuoRDGNEmoWZhky -yBCVSZIEAzMSwDAoGA6IReOREXlqfhSABIJqQGpIMJEGJJGQeCQEGUOEAAIAAEAGAABkBiQUAAAU -zwSAMh82shkSoMqktk12QtGCafDa6sGEI0CvRTVwigB1seKv9dOjpicCdK8zc2OBaIgkGbPK/f+n -lqcIVvH/5zL9Q9v4f+69/2e/yJOL8v1zBYP1Rtw/D71iogusAaBdnJm9he6foKTobYfdPwEUgQm5 -fxZRlYhRrvO1ex+WjuuyUh8KLU84+ZwpcCl8M0QlYH8edw4D35tK50bGioz6lQegxZtm4TtI/d6b -2EwU76XjaQ4Te0k75jKwG+Vi069HIXfPk9Ovlu71JfYKY/otond5JaPwWop8pn6RpygE1dVZ/QrF -tdmr3+S8ZFS/BNd6hrQaQOJWk/rVYepT4OXXdaekFX4D3MG3jaKQDtW8Ffg19/umXIJcg9hRefx9 -ZbX+9u8r1QKofdvItuGcd7D/vqN6XDTI2P2+40bLKu4Lz1vbV/b7tjr5npgUwZ8Df98NMBUlre/L -fEe1v4CUYoIvt7WvwXiH2V/78g/AjrWv838dfrhkBYoihogbCSZpgthNPaiF9y3WrtOWSBq3r26H -GHnRCN4DuKGFz8qdlBqr7RdXKx4h4WusG75XrsOFqBuofGlW9IrowMfA8XAvcKif4Ug5tbkKgV5F -9SH01EG2zODC1dgKwdUbofSAm54Q6X+bMmAj+y2dqKr2PYlnY/K5MN52WJ1SB3OYc+ZAOC2qwCkO -F0XrQkWkyTnJL1XEoJcAm4oYf/gI7dr6jQRca0qhBZdAVG5PR6qbllD6hJ0NZ0AuQ+eDhNB2qcZb -BgdcioiP329aArxoSg71cKaINbT/qUYjZfGmazBFhJrEUHezYhWx34BjKCAuT0XEfJhbunBR9w+D -a/0EoMAZka2D0kJbNFuQj7OVTseMGB9khSAyB484/R2uzBizI4+4Gehxg+569Q2P6I4iSjD3RUGD -WNOXJGqNv2S5XxI9MyL0WhuyqMaPTBtAFp0bR6LCOxi034wWPqENPzgRtiNIoBolIfApELjj0MGH -Yif2as84e3zTEPNaO6j2yL+pviykZAGxml7wTuRNdXfj0gxqiaVCCjERSAQ25GH0qyagI8qtLSYu -1AcI6DtQrmNPrT5BRjY2T29XU3Y792IkfDlHjFbOboIId6bUhKhEXysq6WC/xHwA9aSXMWNGw1qU -gETKUiWJAJIVSjJyPcPkDsw8Nd/4CvD6xszuTUn2kAbqrtJmV/RIZiXi2JIWED9s6F3s1XQERGWR -u53BeqGN4rX3To7C0ZWcd/E+k7KEnwq+yqnVTL2iOsyZ8yAWrceuJ+VMb6B3mb31LoCMGqpo2atF 
-amII2UqHB3g4oE0h+iNFDlJxL9tSrd0XK4dfw9aiqPK0GCSfiZK7woEyE1VqOmQUOpxMwk4qyBPJ -VCaKr5npXJCJVstkpGMeTz9xruSl09GTJxYMJwrgD8WF2ExhudOpSO+gTrdVMtETqpkBLL+suIg4 -NrZltC12+v1Hyd9KYY95sRVM6QwAuvkSRQWammuuWkkpBKeoThlpqIDhdi1TYM659ZdcwQuitLij -WNAOQGYu5W4q9gm6EMdUY3xD3Koo7hc3i957AhItX4BXJYBUE54JSQEqMjhQjMZyw/3TsVCRW+qD -UecBugQnOc3qXw6LwR82rYqs5ai78BU2BjEXCUxrb4/GS/B8+AiYX/PzLd4bxXTYrCcF6gX4pHHO -0uZZpY2P1Mjjk8dw7dgYf4vlYKBAAzgNjZj0i7adKZggrYVllBWTGqqBUtOSXF65uCCx5ComXQJa -o5s3Tc/8rLRr4s2M6NQgjUthg3IXLAlP6lGINCoQZF6SIVVMkOw+PiEA00ldZncYwJnUVQ9PJCOY -swkTJGDHK4/NSSSLo5mJc6drekThVVJdiKSwSnrQiIv/M7RWDMhwd5aJEqmSRutOHQOwloTj9K+k -4LswEKj9Ps8b0Nn5bKS5EGkG5smI8tjzxdO/yWTSPaqoYnR11knvBNVELk/12ftpZoxsH9sSYkr7 -9yQEKy3EsPhVhaErHSsIlE9TyZ0wbgFI5oWI2w6/K6Xt/vSQgpiEPUPTW1rxKzoCT+3soE2EGefM -0p9gslhWLGOL3XLAXuW5W2kKZxRXCGTyIFQh3GpW0QsjNs0JY9hB2iCRICOudpJ+EhjN8aoXk822 -1w46ynQbQEg6jQxjy9J8/sU/aTjBS01UdiG44hbW7dA63y4OhAXltOim1aNcCTuVbVJl6NQGFAV1 -o/St6S5+Ct2k3n3Tl13ENDDhfBB/KN21j3hEshx3MqbRfnBQdyJxqTlNhsJdmKYl6JRZKHgfpEmh -Kj3HpxKZt+PcQ1JzzkY7oA6OQNL4vG3imkWH7u3ASFDKMojcBnoa5jsJMraLKxYkTS0DEwFYtSKr -9sNFyp+pw3OCCIrmsgCVNDI4SWoEw2E/Yfn2ngPlpTn6QIRfkHhDhbAVrjNgorVpX8TnlCbPzXXO -LFHowFKylEKkHWP4CBe6kPt/wNR838ChWXSMheH3sv1CCsVOlikhYGRXizMINaWmGnsEoGcqlgVy -TRxFuxsAJj2V5S+Cm2jVJ55ebrL9llGocD5GRaL6fUHWuP31DRT8iY7PDTpOviYYXA== - - - Pvg6+dlCt/DbRZ4dOMWD4/rLVUOcaW41xsrnMdrWvS5zK7Vp5EF1FufiTXWRZsKC3xOG34C0xdbu -Z7cLfbeoYCluMThbwR/D/cpIttT/q6O+0QrUJT0QH6XC9v/1hFoReBvq5NV3u2aKBc4TV9ojr79H -8g9rqRzVcwPy/dcUDyjCUjWsQ8fMQcTR6B+W5e4pOtK0Ldbl6n/gdP8u2987KViMFqjSaFPZMyYm -kd5YKos6C7etWMXVSZlJqhXs3LgTs+REmCUhzM0xdeS8qtlAh2LlTEwAcmUxMxAP6XnZfDjUpGWw -avYoKyE+Jn9SkuSluQQswEzp7gxBqS0jw5lkkQqJaF3E+7GbH/3cEZ05VL8xQzMIshlrt4LruxjR -I7ZyVc0eLAGKmMnQGCQyOKHAQNylA3p0CCoFks1w3AQMwMIy/2MSCRdNX4kcPJ+etgsuH76NQpCX -1q+MQNCWryrA58NZHfzr7EZS9FvEZPS+swHpnJ3vJMocfq/4DSM0iej1Zv1u7c7jWu2jyIMV7McD -7+CqXJW7cpEyDbvV6DTYp7ulktuem8yxVw2kSXFEHh4ST7+h5iSuzaub5EpDvTxMMVcr26hKFMe1 
-nVfgTW2VmR6cBq7IWx2hF332+CZnalsDL8x25KJiT/ZshpDIBAyCv8a2WYbcR+yZEaxH2IgT4gkw -phR4d74A9F7l8dphuXrpgiBbVoZr6WZ9swV+YZFJa/m4iqksGF2V3GBtwum5K+hQanBa7ZTok6uA -A1QCqjaxs16hAq4mx0yt90uqScFWpTcXtSElyQkFWZCsPXXZjVfwBH8X3cZp4xG71ATlGRJSTJt3 -kK+WIA6ojVWX4KK0SSCEixOrYiwv6aMn2/qojY4DemwXUZ+ovBOJVHeDH3rDKmVa6AQ2Vx5EYod+ -dyDxByf+56X4tfBzXxfbBQD0QtzRA/aJh+EB5MGbX2dHLh1fSEeS33gHU45kCUyiVe7kNa13UcoF -qWhlK/3QEkPdVmrQkVaAydDUFxCWaGaadq4RqhwZtJL8kFyRowqhLUzVjuHm565rxXFXb3fwiifK -qwe90uhZOXK519KNOsW9Yo/SgiEi7jrqDzqmyegQoQZwjOZeUL4pfh/AKppJlE2wOEG+xMkMLBKW -7r10XO7ATzjQvmFnAWL5/knsfk+f1WKXMhBC/v2kEz5HSr2+jsWJBiwS+V2FQvaGgCeYr9iXnD+q -/91GVu2JYg0uhBgDbp597HoL7SwX4Nhu2CuTcMHqPSP6x1DZDLslRKE78yT6TJJfJansyxcfi1T2 -+n7hVFH04evB1FTWsughy71eNWuJwbrpCxzHh4WNbnAUKhyNLEsD8Exlv3UL4/++koRpK4hsFMZI -tQuY+hD6txMtYdo6YqDAh3vx7QVlty4R7ArKVgUyWp/tZWg5dXrtFD4WhBzQlHtIHQPG1UL1JKG+ -GTSD4dYOZ/SgFrQa2INz+JidkrnUzxLOxjHbDbdg/pXb+QylopQFAdqgieCJZgNQYTxdMgDisYL9 -fSpd/PSzZ0vX4+LHtBHkuCW0gQrSmOYtncya5mqk+zKLWKtZe5pZEGQ4raTiaJmSWxXUnu1nmnoy -0Vxq10xrwMIutbDBcPUO0SCFfsoBEVwtkpzCyayV17e2g9/2oGL1q+ABKGUxyOf78oPUQtOrLwbk -wRkzcZK/HRbBmxko7w1nTL4TQqYegEpjt+Dirk+6n/oMUS43n/o6BLaTTrjeefl2zdSF/nmBLauW -wMKovEk30OYX+lciRsWCZwW7NoycgmSI3QK2wgHACRZgK0V35QJXhdoB2xADVzv7Uc72ln20PKhM -GuVhGXmdoSgWz7rg/9w2WAI3z9GuvWhH2OvV29VynFVmt7bWBkWOU6sm7z6eqIz5buix4qp6sLRa -4rgQhQVKoVu1Wnr9Jp1aq+2YuqFVUqFtYHVoqI1K/Z0slVYLFDACmmKr1abAvtnvl/bETNuRipQa -jz6uftucSLuccA4U1RbWsVZHtYn7HAo/dPrFC9NqO6vjPmPtPaqeJv63O9ZOp8dZ5cZaB9z4pXwr -tBvPloaihhprC2Br/bq+2u7jfFM0oQs0FDpba55RUW2ZzTNoZWJi8+ibzA4g9eUlVE6Jv+V+WojW -Fct0qL0gWbs61VgNr23sVmuOSenW70vaSVJAyoCvA5dcV3CmjQTfapfSnlFMaHnhVtulIzVdg0yW -4lJp6IBUmz1vSUm1QQeoqPHLieHPKdVqhEf9ajH6/izTRaqHxivSdFVy2lp9A6EMhV2iPCCItuzq -sTYc5AwgEMyLHSYKYC0nzP1jVwg5C+SwIQm/f9OaDgprYVx+0/xq9fPZ/r7a0XB6d/PI/S0QtXKR -War2k0YcsvKpDVUrUdJU7Y2sY0Kg26lajrr+q5g+1/epKphaAda2VbWNX//ONYPtcj3Sdp3ee7Uz -OGZ9bXm95x57QFISHx7OQQ2HXy2/jUOIJlEuX21nNtilXnB8KV+tRUudsnDaV4vAh710PYdXvqW+ 
-2itZrhJJ5ABXrZByXl3+LrZMXJmMNyXIhFMbqYG7gvOpdGqPEBpKyN26IikCtGrD+9ZqjZkUtZ0c -g7xUx1aVVp+da8f3RETU+dy2aiND0JUxk5aCVftfaEEkLfP81VYJ5OhfrSouYsl0JX61Mktcv+yL -DukcHNhBaD7pq+0T1y1AR7M/AavDXjhsPyBNMX/eo5o5TSzwxH2ipk3CdEpNDadLeO64gv+vK8aa -tHd0LKDTW7xZWTNmrQmyC3EXrmVzzV7u/aFHm9dUszUxcm6l72sejqSIyF+zcU5TFK859uIW6GvC -6Tcd7L6mSdSs1cZ19tdETGjOa1Z6IuMdEp8YCaPXPHRk0WGR1+zKLQRWrymVODSv11TbylUGbGqm -lZitVrEZbWspPjZpB9VqXVuhILRcbDLqUYzP3hCbJW0uQXpiQi4YSnQqNVVDXpIGhZ6a5ftid7Pu -jNONskUsIpefuGCF1Xrb/swE5/m2wVtmZiXKhZwviNJ8u4stMOZbphqTXjdG32rwfFH1LYuqHXsi -05RR33KVxBTSv60A95LO/REoPAU7EOmWkCe5yFx7B8uZgesbE0uVVsZk4AqFsk3x9TbmBm6R1atZ -DVxW25zZNT5UfAOXk0dADFzisGAmFUJxZuBKeLsdTgN3qADJxwK3cXvzYoHr0mfMfmtKEmlDwgvc -veHndHu6wFU0X6uxwAUKHnMqJ3B7QVpQP4FrShktFARu4JUAKPdbijKrPTRiApdJnNHG/bb2FM7y -t9/GXBbfTTD7AWOa5cYasF/tFQT1ARBdxKETfF0JVWBuIy/D4arASxj1vV7JX94Lh5pqb5YmHLIJ -c1Aq4azYjWOGt2OXBr0VQTic3sisc/AMCIelBJwQvbf+w+FYgb6Jn9+tVTdctHwCUShJNwyW143d -DQ+oqnNDLViwbNgeKMkSyolnQ5c6M3VVUpQNdWPTBSwbgjrO4t3QIx2rj7vh863HZ0MjPtz04w37 -qhuqPv9w+I6EFMscjmgOQ1QLeskcNkBuh/vNHCKG0B4sc6hQXhIMc5iDArQ3aGE+c6jNgFgHmcOs -hpaxp6QXZA5bB6SZModlnR0qEXI1OWWHVdChMsla/4DB+fPhjIAk91o55o5RcLBDBRo/LAvLYWsP -0cFonnFoJ7jwuN2D3NRMX9FXbP446P9RUgsl8or8934fa6BWy6WwsuS3FguF6lhHKBtskPSGSuJ4 -PL1ATZPc2jmMBYYXlU7zeMq0R6mVAU9oNmEzwE0XwC9iO8ZqOaQhG57laX6P/VaujcaArzn8CyuI -FKK6UImlKmVheQJ2IJvUYRoYmgzSpxMAFD3f968ABRfQdxrUUZIQ2qdwqkGJXwHLhQI2O0ZY6r4W -XLAtAa1zmdqWkBCVFDKpbkQokGg7vnwgeZ4BKC634PhGiRDSg7twI/baLgOKhI9AqW7bKiKlHvGp -whTeCLEsXF/0iEq6Trv71M4s0x/LAyqIYF3MtkdyeugkOxkNscIe8DxHXue3m/kccM4UsPZuUi94 -07io1PNcfCrr4toN+mOCQt8Yb9EnjnJCxTzjDqJcaVZ2HZd/I6KWcpvJTiIA5OsU1ylvjgOap6P3 -idMnxiEpMTHHW2ab8iSyYg3f5cYuyUKlbLZ+T7hlPG3hLP+Qxx9MnYrF3UlK1Ld17z2Q3Hvx5EmN -jfYvqVE/TO5svS+L9KRngn2ycG0pQ2qDzC3d1vnLZkgo0a4+ZYDkXXOg3SCcUMZkoifwe8V9baLr -ihNfz7/NGzFM7nS1TKF/LvzziCMsVEQcGc5oTRl72ZoslyJRwhwPKm6X1eSz6fVwKlue95dxQcAK -gEuyrrTrhNR+DqfFHgf+hY3id9A6gBc9cuGvhh3YJrzdSsBuh1cvARMV8E0z5H7ZCuTdeSVgA+iB 
-ksOJ33HrKJhFYr1YXHoPI0j+ww1akdZ5SAuSsKCFL9x8IBSsd320auRWMGzMhFSrvAyTCa15RuLP -kAkcYloYE8Uyw8cBGznreQjbrk31q7i/KH4rJMlC0kg12N/enSYc4xq+8fTMjl+AWiPJRZ6GuB0A -OECV+MJ5KVE8pfe2BKOzOhTlScikm2HpIJbmqFu96xpvafvLdyVcZhCEJkraVpmRzj1w+66cQb0J -FtRVMjGIWxTk/3PdM0T+4upOPtOj43Oo+IKnhFLQFFeBeMoiI/3FffQUpQfftjrh2GAAxrBuDCIu -q68eZHME8AEkeb5dK3SGHrqsmY+A6pb03yu1oKmftOhR7cLDzB8mu5GQXtqg6b/vg3vVn1u97/VW -18cCK90whqZruRdXIR7NaQ8TJMdj1G5KtkCfUEV8tTN2w3Vh6smJ3yQT5lHN8jIKpVb/B0FDeqx6 -WFbEPTwnNtyLxdi+xeIkv7XkzFXTMWL3kdnFv+GHC42OhfYIHzhe8UhLX/3DShXhW1wbAdqcKmpe -n4V1X5csSv6C39Xxf5G2SzAL9P1Ok70JlhnJj4fOVwam7MtnUST/Ifrm5JvEZPNskdGxAlEaAF+7 -9UQIzg9/f7DXGKBRSe5pqP5Wy8Z3ao1GaI/sz0742D/Kkc/yV6mGRuat/GAFPLXTmI7Kn/b9WZsB -vZHE4oODdMMHL6YqZ2Dt81rtZgq0wnJIT3j3q7Al9MiHXkzlmPNn0k0yg/1siBYfNXkAsGYIfXKw -VvvTA2k+/yMmBtQDrih0bX7/V+hwWv8BvW3XAzXKRepIrMgX+5D2tKy3TXBX9BguZzedQeIvhcUM -Z+zAil1eQSMBD1SP1LAqd5ryCr+0JkB1BdoSIaNMQKDWfbAFo/9HBswU1yo+vKWXXSxneLjyJFEv -FaG6cgXqzWpULpMGKfKFu7DcvXozBLyTEOtxiHZRtfH+9LB3FQFwYAjusq88Tb3qvsetIyHcwLCT -nStBiq9jlafqKO6YrfIkz7fL80Vj2ds2kS76U8iP1go0UA7Azp/xSNPsFe8r0wnN9A== - - - fzW8RMAWbP7vwgoL8PsNMqBHa6keJD8YlsVSVjz7IvPIxTRBjfQUiMho4RJElKYlnGVZOWAbSzCh -MYVrCQdX8fm4Vdu+SjBNdNQ4wKnWLipo8DH9cuAxOCoPKCnUgQBwzwsB3d/7Ql65R070buenSNPN -Lr/5+/xSkG0dRYUpz1TcXATx+YkfcU9yvJ2Q35I2GqlG9VYLa916yDUTn5nezbCrGwv0On8W7HBC -KYtNdUajwYvVnZskC1YjsvUZ6EjmaulV2xiXOBlQvotoO/lteg/YFsBeer/mKm39B3zilI9gfomL -0jWfpcaeEOap8TRa9szEX3E0lhAbUXEkecMNs7mxRSd8hIksFbQJhbMRuI1AvPanZ32/si9NkNdy -7t0hHRuaB05wnHx31djkiJ0jogUydAMnw6lyqomwNwwXrVwd8Xb7WHRiG8yQisTX7hNKzqi5Q1M0 -RdsgSVDWTJ+KzkFZ9hHqfca+6x5SKAy0cijA1yNqBEyXLRMm8mzNKQtalCV+KJ/tKiqStAdWJwmh -DlQIzkFgpP5lGOIHysEnApHT7EBAoUm1Z7jelqIPoX9Jeje9UUcQpQL/eK0VQdc+FRwyUe+EemFh -5z7fZfz2FOOad8CD1XM+MzrNLGaJOH/I97TSkqu1gCI4VreYJvijGSfGitekRS+4H3mZWhqWyMCt -3JKAbzGltHeJfQIruLqTSUL75NbZXUVS3hdPVOQ1AjSvLi0Ia5/06QNlSV23I+UD0os3TovDODRC -LyYRYRhiKGRlgUGQ907RLQ1ea+KiirhlEbWFENkeMPbfSTb0/jsXX0gN4Ch8AuJF+yMILe2XcTFI 
-4SuKR4AhoYZVoF97JLcAKdQHcP1sy4aBifMrZ61TtPfTJVisM1+xOr/47s2iQOb6uBZu9Zzpg0qU -fDDCRzN4NJnNNrd3q2STPTSIoVUd82WOIe3nSQT8vNV3vN0ANAuLYcLJdrtFOhYrqFV/uH4wyACM -IseYpzlTdb2M6vvzW+9SeEOsI3mT1G8D5IzKH7DtAWWGqqlGRKc6NfWyuZueuWusbCHPLlvWUNbf -7dTU6N3KXSZnXkscwZo01cfY/W0wXt7PvLhEfroQiHpqaafuaa0aCZMb84sHMjkvAwLrtoE0tQPn -k3A18jt5kUMQUJIVqlviXDJ4XNCMYJpxy01Ikm/lAFNqefG1HMJua2bSrRjA/CXkdDUKMWivxrcU -4Ndiwc//qqv5JRwWdqxpU4dJui35FgGfPvdhbcaEGRxTsOaQJtqwK0YRBbrMadPoPigOJufEu3pU -H27Ods69oXLW+Rc2JUTcmIT6MfnXRS4zI+uksfOC+KxiCxZgjVxp3KYmKKvCmXQ/JMkm5EVy5JOh -Dr+SC1gZLPyLylgwLtL4IIklr8l0dwCVoWAdFqzvV1yJA5e1FjgbGJjs2pNB+hr+Wa1J58o9wttr -jX/v2eydduauBbo+mVDu6+lOwP9cW5FX89W02QSyCA3Sv8nMkRFL2sHMDivFzAD4uexXJEHWk5jG -ynyiW8vYGMoFXjCov9NUalo9ObKcwqnk6GPFOzqwa4NU1wDuzafDYDvXmpsLK6oGsRkJDil6JPC7 -kQUi1zc5U3Ss/wObqr9UyWbpnHZCzLwvg0XoOJV0vZ9Rva1vmDY/j+L84aZlhiEF4AvpZvulIFHI -Mz3rDjlFY+FG8Y2KE/kSC7CkRtYgsniDC/ynMjIvqxKU+B3qOMvFAnwHVDRYNIrcWcKDMGlOu2xC -JJYy/QGjEGQSbVJVO5UIBj7yQ73GlF/UgFoTUklUGVw34RZVvryeOsVVJf+8CsxPfk+UU0j3ejr4 -GU+8OREu9fkt4ddOv09Q89MpF52FdQep9/CIMCn8PzO/mR5Aza/Mb0pVpkND0NWGIqN6CQl9fRAe -qnlv9PQazJFJ9L3o6J2LEZsnQPpy6oUdBe3WV8wRFw/YLwIcFMjPsnV/4ZPSy0BGXYmcsMreXgOh -mEglGeZbjdxsC+IHKNaOkUxCXHJ8SlIT7PV2ZmN18N2qdwdmEOQ2Bo0Zo288uSBulFCYcuDGu9v3 -AvFBDpRkhFwPxxI71hvOScKIId8mzynZC6GJQMxLZPFXW5jyH0tAKiFUTi7JaCGSR/oKgqxo2Ycy -6xhFoDFU2XgBfS2GpDXG3faUTqzm1Vnaglhas2FkqDDTXh/T94D5Sv3Fi2DBStWCCXDXTtWF+T76 -ev5Q2Kk+lvc3jzcCMfQHKcMvG3y9f4OdqjZWXs7Iuj4tl+Z3D5oKQIYCWjAJj5BTEuaYe4ZKixLR -bGwueAYm67+LV4lLXdkE0uagFykh089EIocOEI9kwyXu2AzIXWrfdndnMxsdZ90Sv6w0gc8kKewH -EwT06QjXrVitFfOq3BaIqpNbOfjRhrkowDaIGgc1lOskUGXZAkIz4sLldHYyvDfnQOCQADfc4HCZ -YkPjcBfMNpumUfFgDn3Aw+A5V7rXH3c6Vu1fxjvuT5StugfaSGfJ08KFRLENb8n01H9Y/c7OGxMm -+4AEJDro9EdhSrMrQqoDdZQ2PplIrekacB2F7B4WtC5F1PnfzGX2bgpKBYvPARr2B2o1gmgrBlOz -W/DYEhcEftUQS4SG69tLeAmVoVlRhiifeJTtRhIHGp1OrVcdkKRC/MOPGXMxtaDQ5PIW3aG9iM3T -zoNhyLw41hCQ0g9otYGuF5nkvkPeis+Yi4I5WvRN97uiaDO5rjgsdX+vvmOTYlPeI9QlFg2gXDHZ 
-apPYOezrplz9NOF+sE4CFO/ao5iZMBA9h+Xvxm0NAFGCIzZ9VV4USB+THtKrkK0JTUjrKCIv43sA -A4RmCg3MPTYlhQx0Jq4b2uNRwki1teq1eZnvFlJ0SlywsUThb2gAgQ79lQSbV2LonikbQSEX65v1 -rSPPLOKHud4Si7wmTVeFPSWOmDIZ1aH8QCEZw1e7hxUvKjeXleuJjQ2TDPm2n2ek4W0VJjoKwo3B -8vahSUHyDz/VRm/5P8BhAPTn8Pl1KlwJlm6BGT6sEz7ypHnql4mw3B4YIxXO/GcnGNDcikicCpnm -cQlKxQwIRoVoFryuyiu7weuQUwa1y2FEiY2D8P/4/0lC1+e+RaPx6cdf3ZPAzBgZxKWuzVRpPo43 -ao+XenyDXCY9RRHbyHd6MbBbU3Kjbe9ljIGU+tibRs6a3bk76P1XQiRoj7MKGauH3Mx3elybAJBL -7T+aSAo9cpvOuGhDR1Vu8uDw170ZLceYNy2oKjquGVL+E6yEjneViYCasK7/DmpT3ee3U45S4peJ -ptA2awLlwFbGvao9SE5BJOpWc1EVM/07v6KHe5xYRbP+wc/T5jCLm8Pt7TJlbjgEdmt1XxqEa6Rm -rIZgVN/UvaqxpdcVN7x309J4bsa5NwcfAgVJKGdtxG0jAjmsxU03CsdgsCm4dNI5JDQ/YB5wk4Z5 -JX303klWIE080viJYXs54OrsK26G+md0YEUAIQgBzfJD9NnOWP7BmfFHefCiXb2Mx7aVul5blHIK -B0a97GqBrdtRNPAfmac40X0OdECitPpRKbvLSgBTaUupICcu/MmuNe5s7GR7OWR4Mm5V0hn/OyPm -3uL4R29RSQPef1zZ/+u/wn+CoD6oVHHpgQIOrNjZSkPMr0E8kvRNhB5U1lynKxXv14TW+6O0syrb -bhiIZYXGPHrQbIs42sBcrOxHqPuKvHeT2EmcejW3JcIavBa3MRPmNBhQ25pX8jdkUK95EHf4tIk2 -pu3fB7ZBwYpN/EaWOf8AvstKifvVXSh6UC0eCZSYMoHnPkjaiGC9rnVroCDdnfxj3JAjXT13is6V -LDlT7jwAJWgwoO3D8tYuIUsz6rnRWW01cdA8xoRO6OpD2tZGF97hQfDRWzx2IBJd5FCujsV/tP4j -F/4NqMqL2SDf+zntlxOP053Dzh0dwt62JQowLKDB9bZdO8DM0ZWrXhq1ZcyJmOwrqMO3U//odxb4 -YYLoy+KjpPgquKzqFi0uzNUdLjO1vtqgC2zPz9Uy1fL0sTGVb+gx7LM+oStpqCyL+8FdHPTDVKMH -3IXlrbmL9hlKt2lMb9Nz2y4Ml0dKBTH2W5uaUZu2ey9Rzh2hjDU6ryOB3OS8xE0EuWyuUF6mRiL4 -/2G8HO/qN0uS9zOlz0Iz3ip4+9C8y6PlYKDFf2T65CXjDOe0IcHExUL1HAiLrwRmRVm7XJ56CwtB -WLKbglA0fF8fiBrKgrh54vgZ67aC7Jhf16RMxEAOYTH4X1bOivI9Qr5f48+Qud1QGZXf0C311tp8 -VvNcNhlEK95lHdWdBLzhlmr7DkQxKaP13PgCIRC7a3HP77vxFXs9dydG/ixIlnlbc6+7Ig/5juxi -8jXeof2j4dApZ0pvkrsCjV6vdUqobka3b/25RlYXMnbPgm0XmrEunHrnnrgulFcTmva3UhfEVsjS -Oe95Fr9Kn++lrQwJ6qJvng9A9XR+2OG95UssnetuDM8BK1eW5Yq2+vbeVttHa6T323TOpq6iH9/T -3Z7YEYG/2eS2M4GK3rqVzKvaRU4f7Dpu7zw6NSTSTXRX7IcNnqAmv4UKxBPu3jbHeG0d9h/f2yHH -Ns+fR5ESfDhz5Pd5ed6V6H5TWHK9JK2T36gqHi9FcPluWVH7Dp+B4rO+DZLshGCLF6NyLge0PIxo 
-YUA3Or/7UX6vPi877dnWF8L+1ZXcsDSfwH6F7CgIfBiWekHF26t8xshI4FfIfCKF/1XlZWr+GVjt -26iSnwZ3Xz96JnCM4zCwgpvEm9wSPMj0+UKVqeqp3F5+lYhVYnNzuzyHgSg9XTU84Mga/n+gOevE -HFvnLkxwSDTYImHXUPo65//fq1XhgxgA9WI4xLkQLLjrb5Xg5Wes0iduAguguCVCxPpXFctnJ0cY -Rn/EXNi3cBy+SeP/jHTTfn4AbGBv+dhxu6GfyyIBfEBkwlimOGdKubTqbKwtpOxed+H3gvR/Um6z -yV66D5vc9JfBEJlGpxVXm1PGTNggSBB0+TnzsZah42UigV6UbikowzccmPkNP0NR3pPEhe2LmfM1 -cRCQsVqYijZAA/UfRTXdFaMC8hZTBSgFSUeBODJHwPpN1kY8EZUYdg8gZPXVCQhQ7FWxoYNqrqSP -Sj0Q5VcBrUt9mFYotyxdPTLZlWrife0v9ZxVlAQkQu5QFJaBlqN7Y0uJ8vasFtZ0sTo65CrA25Bb -j/aBqN0suJyCMAow1e+o+quqZyiQ5siq08CZYFPtzFmdqbhfG4gBmjhMSiCJQF4A7ftSoT8X4ABD -5WWIxSSs2owVPhiq7jX77igZwRHhqzmq6EEm9UKdxTGirVKKeir4EEAEjpv408hEzmfXQ5/V99ht -OZTCY+WuqUBPl3zck+4GwTNIzjzHVkfYe9XT1K0X3ktS9mQC38TnGfX5ExxM0DG6WnS85ROQ2AkJ -0/F+5ESzEOqGEJVjfIlI7/KXTc3sSopbWUGVZOW55LYqi/Rxyf4tSTZdjOS+I5tcHQ== - - - lXwLgm0AMU0KThlpUDWmbG0ntMjHgrj48x07S7op3xgxjIP7umfzBLESOGJUysxjAB9Q3ZBcvSoB -PB2MozL3yyfN3O+E8/wH3TK4EGVwkrWJ7udwIi3R3iet6pma0Gq2epZV93ZDTXK1bLfvc5HKf/x/ -naQWdEh4aiWcSVaqagq1WmGpV9g7WxhH9p3Esws6YAyqcga9IEND+Eoka7mPKxA7SjmS0oW0QN9z -HKjAt1CCPuwKW7jlBNeNMKHnzYHVg+cKNkOOyO2NLUqlSAzxniulFz4FVFJ9+ye7UAqV+g3wQ0JO -fNdFZe2EyGYjK5Ayin2eI1yzdfTFJlIjfyh3JvaAbqdy9q3jrVc37ajOO/qca3447Cf6fl2+1KLt -u1Wl/f2Nrt+/mdUhXnpxp+A0QbAE8FhPo0Cf6kxzZqvlD3fJEsWajyjyZf2SAc+/TjDcyJY9sK3s -R9RyccB3mL9WLk3vUrPanz/nTlXnxlW9JXqReEVb1TE09jOj4FdfY1/kLuLlYHbKm45eP8QaKrqt -P4ii3fflAKFqO01roYz8jw4QFrhYPyqebLHHnDXA+KVUv7IxqtZ9TVxZ+RTKdqiFW5DS3slfs5h6 -yFMMQrw3JRp9zxaeA3v06dPjhKVLb/El5yHXvrjOjWD9WT4GFwbsCngAHgB/IOwwwECi1WDouEOW -asfHPoH//uT65kx24bogAyFTXIyGy1WWUuwucDyWOA0onH5VBs07iTwAydoaPF6Ys6A1Cz7flD3z -sHSPl6o049Qz/vJPyK5YoK4+WVkeuH1PEFaihDwWhUbAIMR6wi4QKxZqSEqv/6ch+Hd40xhM9vT9 -D9j7JVoSdOWaVQMU2u8jl4wvkHaHttEE7awI7fHmLTrR9dzxKZcznTzTZ6Zt22ZLJBZTBHUsWfGy -PjrS4g4TidH9OQq9798mD0iCx0Dmru8pXfV9mTYT8pCLFIP/XFw50FChxazDzueFNfcLWO/pGPSf -9zixDHoNUY8Mxw5G0Pveb0BJtNWpSGd25j8kFq/pPScbTKYHfS0kQs1um57S03l4THo7nZ7u6Uea 
-UEjAN/VIgjgQ48VBp0tGOXU2hWe3GY7tVtjQ5HmcKEmyjpk19PKHmTkUVUFS0N323NT2fEZAln06 -do75tlBysnZ3PIXRATXnS785wlpVVK2f5rcgcPNKdZw5zXbYcJ6Uc9Y8ScrcCinxqeObVleajTzH -+AudRo1x1CdgpxMmHpHM90i0JeOV557yUQHTDI3A4Z5pfPKKFkp/CpUcl5ekmeQNzpVCNEMAiCBc -Q50ygKmIkU3EVBjI82/In92ykfeQyF8q2pLnd2AadtgCgrZbLpmwnV+vGoyM7TIohg87q/L6JKIS -7SulqswIpWCxwSos9dJs1yCPBOJTvkJpo6XPAaEoUNTRThq0SxiyVxLoEMJ8SI07asEiBubFRHEt -wbHslYBiB5mos+t6ZD/+ewuQHZjttextb3gn70Yq+nqnPHez8f1vbMhtxnv25KXiGDV665Dz1rzY -nsEyaw4YOoTDdkT+p/gCVQRdMKjRhSunYPc7VpKCpk/ng6XpprB2w8uPcT5Du37M3BsqdUll4Zt1 -z9KO0K7oI6Cl/gteqW523hazd4KeZrN7n27vvQ1/NBICNq9Hwy+bGO1K6A/ArwgRdBSf4uNqqf9j -DU2Wq98yAnMUrWTbTmaBK9aRn2OBMV9OMAtWrehxosu5WQdgW07+aY8KHDTzIIpH1H11x0xIh8u+ -IxnEr9YF97iu9jgr0N0BnbYrqd4106BDeIWGjtc4AT2k63xAPnPWu1poaDkVT6BpRXV2eaeTSSQR -lUjyiCxgXVVSuBhEqgZYAVrqbsKrV5q5RkH/G1JfffRItzs5mEGRDJuHvhbmNtcq1uSNLvQMNdcT -ri61rdQwC4iJ3yHZqjLy2BKQ4ewHWmCPR91kBFrh6z13e5zRtoEbVPeg00vr9sHZzylUuXUqaOr6 -W8wRhJv9lPsXkd7mtG7mRiBnp1OBtg6QAybPTZlXdMe2kRuZyQmh64PjIP2XIAz5R7G98L4TNKK2 -4BK1YZUTYhD5Z9WCWk79hjS7hxwIgO3Ht+76Chbmg0jhDyB0URQ4Rtz9tMHBXXIufoZJHc3YgrBV -xLhASF1uRWAlhOzCKK1NOBVF0YZsEKLgvOYdzRoqbwmqk7lC8MG7UDTmIgnnQUjMwgZJ3RsZ3dP1 -ubeqNvcWYGP3JGWyxAzsKFSWnyjzEoQy2o+yRPcN5HKy6LYzWc7mBhYdA1KI1QItp59QlG8pp4+1 -KJ+OwA0BVCOl2gOoKRvhzSSzlvbk0oVbk4lmbdSTD2AFhXZcikC3A/PoIcF0uYBKDYR4t8DU5SE8 -JLZMPQCLJUx0AzChh4ZRiGjicK3pRwG5EwYBAIIRKhJqIop4anwqGLbESCaY2RmxLoPAkkEwJZdI -KD8OiBhPVHgD1GTEhJ0Fr/81EO3AFACwrDnlZ3PB8tHxoAnQ7BD2niaH4Pi5kmxydRrlVPKnnSAH -flBiHHebY2QMOO4+QFPImprB45amMpByVkWfq1HELcU0XGYy2Gjnykum/5vesWTu5P2bXRbHse8Q -XNdE2hnP1vyXQb2e/fSXiX7uqUpgJtJFYW2GqvUSG1BKv8RT65U2UbJlAF48ohSadI1CwO0q4NVh -7MOPl5GYkwfx6aeAcz7HaGh1ZS4rYBmJ5CIxLgcD4cfKvcac77q6IBytwcTR8CoKrwhK5itMJ5Zc -JLH0nV+LZ+3jabj81J+aKrDjGa/ozufn2QMXf2z9usMilgFe/BSSX3DaWBILBmLcVYRwa8E2TneV -lPspRBnD2gskbDl9oIyHrlC/ceuiDpD1ANZ7JVvQ+JeJnlEg4YG0xZqo0J+N8veu122KjzXirRZW -puB+YWWTz4GCL7PbCEZMQoLECMwnPx/EZ9YRiaL0gCNhjV3oL7hXIAXDwNEKeAmpZ6dL4ArqbjMQ 
-jjndZheRF9TDaJ4a6tx/pvlcLxOePCvxaWVbXWvqnZRR7Nz4Z71ldjINRWev+ej/QJF7zDB2EP1k -Htn4q6GhTI4PJ8ExjjLJpZ7HJRXqW05jrp/B0eUE5QeG424hGv4x5n/sqHHF21YK0r2l5BPOV/hx -r+D14y7A5LVEnhxEKU5xN9Dr3BjaBCt4fzi04BY51er9TDVxttR4FNNG6l+s2QujtcS6CcyqNtBZ -Navh2IWJnZkGRlhpFdLavrLW0kqjWrWuYjReFCe1ffiL1qo8A3lnHQlU7Kqz+PqzWG9/m1MkWnJR -NBerEknMMWc7sFQcJKHkMIormho/INg2CXa5KNjsJlICJGZYhArZC1iD5T/s2wPQYN9oRF4e4L4J -kD4Sob9Pgy/FQ9aJEB/iYQKtKA8iJJlZ1WvoJc3uxwwSZlWp3BAjNgsGSI4BoM261JLcraSzGckm -fl8gYaaREN4ht3LDM8jaiu2N3oOPhXyoBSZLArXm3hhZPjVDzIqv3bJjzGyU412Kublmu5y3Ax45 -SKAwvW9rd6EMsCsTrivD1SWTUcaN0ZJy42aLdUDFLe1WxSbu4o+bDbmtoS5ntmVJhAuEYxnKTWap -3Gus8wE1Q68ycnsYQPImyl9yYwiLK3E/l4SsmApPKVKetx0I6hyo55ZHAnY/4C1ybzrKQOcG8TZL -vNG/x8BavGQJ491/Gm/wgFmyrAyGskbDJelmzACi58FCkzxlZZDpmuFjWT52Fgzcd0GR05ZNeKKz -A1YmsX5A6TIJNRc/S2SqySxqSVARGDQRyxd52wJI6V4SC0qt8AAnksKGSb3Ltlr2F4mTFIdSQp96 -JrRSyKNmw1LOZlQ6GaDnqm2SFToL17Gcedgj+l3t5KO79nzC3Uq3Kg/lKl7f7ORg1aWXOUMGlJSk -FUdJshkfI+tmCzeVK1JxZ9jKx1s7WFcPeE0nXjIxhjE7tK+7pTPa9cKVFhtKz6oeAjWMDbUQgIKy -2lDfZ5qle/lVRA9+a9jn1Pk4AElgWibfug4ycDAYYTuyI2l6FRRTk42kSDbBEgCl35w97IEuofVq -fJis6z+CvaTcIlqj15m69lGLsedvHF1P21vRnNRhYm3+GupvwY8+evbNL9yfPRqRzftGazt+eaXA -v6x/phPx4T0GXx17SLncNBcwr4TaG1A+8YFWCyJtVKjA6WCaWhYZ9x2RKlEi7cDhYlHkMUR0NIBP -DDoniNLAINPy56+LQOqHLHQ8eLEpeeUVww4l5o2MmWH4NjGuhijFC350FhT6i/PvHxBErGxFo+9v -7S5z3U3dODkDhzEQd3/gbr63W+bGHDaeTNRY3Muu2fD5wzKWD2EtvffO+0J5f7nB4uF9991PRf3p -Or1C2n2NANka3Wmoqq/gxP2+gkC3uu5ap4ISjBmr+Hv6+LrZvEuVwSzFVU+oBq5a2QKi0LAs5csw -JTFHsFEEm2+/V8rEhwEFgntmfFDfGwcGxL0lN/URj/1eagU9FLrJL7B1gY1bB/rABfrzVoGehVTi -VSoE4UvFoHooFWU8tnd+glak3XYF6yqp8xMMNyC/jTXgTsWxLJgQaZY95uewcj4efAV0BUGrXrjz -dDQXRf6EpShyi0ANUaLa1bNoTIqy1aHrS9xuk9gTiwH5OMqgHYtxX7LcIUx31vCu0u4ux9iH7hyI -/e5veRcm0SZZfZ5xUDS8yLbyTigBD2IWlvJuUETXMHgcJC0sGpR95jZBb2iD3hyHxYXCxdMbuunR -0DDNmb9bcAucXwSfrNCR3kZ4v4s//sFgxuj24cPyyWqAFMRIPtCtpB/ZvdgpWylZX8QMEXyuXZKI -9tyQFTrsc3UGuMQD9CIgH6N+c841dGdA2ipSHynpNA4AfOtcO9dtaHMY37AhKgi2x79Z+LbuvlpQ 
-OCs2WHN9E6YdCWqZMCBTox2o70T0h0LddFl0WvXXfrEpuab/LUsfVFbZVj1zq4iCktadNaWBpvyZ -qcr4b+qeY8mlHrglxQINBa6tmk3+mUYpQUjU24hrLi31JFr0GirDuaFh+LpeioumtOVx4RaDKjfN -RrRGTwRV/K0ItawKIDiYUQAaJQSyIl8G/u2meLH62EalJ8inOz6qlu9i8AEupFlCnpUfTP0b2p2J -d18nSOrNV6MHHo7/wyRc5ACDXsLDPVyeX26NA2NDA1B9rgJsvoo+c4APIBzXkQl9xgRGlWD4JdAg -SmNeCwxrSKDR0LjWZxxbCCxuxkVzYrBOjEEBpifKPxAJnyhVZ+jlQ8DcBHCSvgYnEI/4hN5AeLyE -dAl3wI9Jb14w4o88KdX6oI22S+Heewrd0rKVkolWh6X5+bYYWDrnM6beBetF/OMBVCulWVRS3pfm -o8rfAB8boKoX1nOGHAdvG2Yp+tKOghYy1ikKByp6GeM8xRi/jrHPLFbZGMerHmrFntVnUjCN6U0N -DApOOERFpfavsDhr7NQ1LFecq16O5GpVIX54xc8qEakNMYW9jJ1WkDpM329cePPsSw== - - - QXsGwJ8i5DRPdp2aTtMYIhd0IQVCs1T+AZvyg1iv5nmiC6xbTyeqzQgELyF86yomTyYce2WeEl2a -NsE05uouKmLgZCP2HntWJBQEQDxqBZW0PU74DSx84HVmRwxguwehq/kecCZ53mFYxJVlAJS5K1ah -wQ3rJoXK2cghdb5+gJ30Lbf053b23jJipPzjwOaUXObrfPufI6onUL0c626HOASadR8vYAn2al3k -JupuWpFmza1/bbaH3i6vOxYcEtCT7qSzj4B0evvdDkZsEAaJhGl8u3oz37QHA0UPcc7tYaWHabh9 -qCjzbwfWZOOLyaOSXSjkNCM7gMQ8LxZixiFHHDt/eU68/lxHWlYw4lFar6V1zEDlOW1E06z/eDUS -xP8i/+MpUJv/A3AbAW4ReRvo6CRkdSAJk2aIZHovZlHOTkO/S4uG+iG5HZ+GYum41vMyRB+HsuEn -OfpWQ1ZLykORJ9qTBM8CRdJri0eCSdc88S7qq9aklZ+YrOyl9yi5zEAJertn8CiKtFY9rhZUcwmO -hYHcc8siRQHR13sgTi5e6RfgkGYo6SYk/cYmZyXmROwYXSeKvBZ5bmklrOiS5U8yHDqbyxQv7NNP -qaD5pI1lon9PnAY3yIJT0QygULYpx/d04d/+25Md59xEgzzcCR20T9ZLKFtRBcI4wwqYQfwKsMgH -EWfFiN2dF42oQh1LPw+wRykFjxaP98ZujblUJCzCIYr0CF081fdgObeotkyH7b8ePpeqkXskHCw3 -M7rtOTYKn92migCnZgkBki5Cx9JFUz+UkqN/zH8mEwPmDWQQ9mbGJKkylEyepiToiEjWEHUJxp9H -bZgf3dRwlDnsrAX1v4TMQv08KVzc5i0WXMlw2WvILTjq8uTWNOD8BbmTZyaGW4Pyer04CnaiChap -KdVofwEpUKobqX5EIfou9C7xtL51kF4QH9wZBfhZGcOTC1ixPwZVY6XWviwILfes6yvonhgdnIfe -b7qRXUFYgJYZum5H6WvsKo8hMcNRLs8UrZiB8p3SWfu4cvGWZ8CRHNgBaHgG7biwnZE6B19E9SBl -K4uXYsaiZbAwS5COMjGNiabFNIUAgQFKsfeCkrELmfT0kg3eDlkBItTYgKhiicX0W2PEQ4iIj1xS -jKFZfGzYkgzUEfhuHvcg/lijazWdOlpVvjPlBY/ag6NfPgbopq0ybcG0geUtrRRqr04LgjEyLd7S -HsSGcQ2P5N5Od3K1J65QbQ7WRq9jlpZRHIxZFxt+1CuOWShkpnaChu9mrJ83Dmz03bgj5epnaSOQ 
-0jY0e0OxAUgxB6ZTkrzDUApKdRNytWdgKAUShX4ZB9b73lPfPKIwG1XacDTZNoGEmxb5QSGK3JLw -yW2GGflvnMh7U34FwaRgoY8tYEFR+Ds/gA698wPdFWidSQWeAt3P3BoJvM8bxQiuhBHkMoLSCKoR -nDPnmQt6BFGxUfWh1Re2wR5408NqZWE/16tp5POXraq4VeL+8OcqSF3lv6toZfRY9VX8u161YUVA -CowaPl8wVt5XUfCFn4AFAMISkxg2I5SqN+X6PkDLyWpSc1vKSZoE/JDb8/EqyLws5tV6C95k6b4B -hTVpQO2ImbLiYxnN+gbgaxjHsaXRBoU5YPyhvdCyc+ZDcXiNeT5h/k7aiyXAphn5daf/Q5iYY9e0 -r/sGMRvd7D6SaeYFSzBiUbjQr5E+OrFNVHkEC7x282fBKzpzdYz0o+X9YQwj4FdAKemZIbBlSoAy -T9D/v24HLStFm4xrEy7gk8+Vm6ahREz1vYdzoQMqo5iowB3tErftybepmmwOSsYsJ458P0H1yR0+ -lbI53HVk6qtFl10ZtUeq0yuQ3V2VdZWsuT70VgPfEj/m/8u12BjWKMkK8dyMMXjIQ/h4yvwRYjFT -/WBiPMCLwXmfMbKapHyThHBS+MRO3T7J8DMzy8M5UTp0mNjcjBYLC57q6lQNIGP80wiEsxIu28Ko -iLhMWVFVCaXSQ0H0HRT5HI3CLpZ2JCz8yakeT7Q3suRtci+eSvEBZYXkKm8pMhlSLAhPfs6nS4oo -9oIok+a/XsX+xjXfPBZyXw3g1xH4oHxvhPqrTDwCJX6DPV2CBipxJRosEyHLyWPshA2crENSdoiY -ohFXCK9QYJXaLDgFcmWhdBSVK+mi3KWk7iQj0CCEpmmc6C9Q/w9cqago+E81zRC2FrvQcAGEg0uK -K0CWGiGusQwEcVYCcjIIAxm29T2UnI58Fe+576CDSLy+iQH88A8RkH5Ajtd7cDH8Rd80f/8HTdXC -a10n6Bh02af7ohxAE6L+2IZg/Z6ckRRXBtWGyILjgKE+X9bPvmG/g1keNZG7Q/ntHtHUDk7ZlgYz -2pHAv+HVERonCdARQ+WItHVABw8EAFHjnU8MntXOuuNzb0jCBR+a3yMjRjrXkiow74p7urNHstij -BjQUOHKEfUAb2bVKHRABbjuPtc9rXAyJ9wPQMGwTpSGd7pHlITdPTJfxQFSw/8HGI5oOPglDpDmH -4UOGaGxdLglASK+INwiBPBCZQ+KID8pF4byKm48wAhKylK33IAYhYT4NFEJSONCY3aewHxiEYYra -S9nxTfZbY9L243HKlrRs9Btmy5u8d5xZxnMQJ6C5TqB4mgUowPshxyAA5hOEGEPxcuARWH6U3o1L -MhztPhEWNNyAZjmdP636+8xX8bxdUAhJtqEapAHF53+LQNJe4JHxOEJwtxbyrhxGBvQtVMOt7J/H -fQmSWiX9FtzHV0oeRLJPy+wS9PChHQ5y+JDxgUI91Mf0rXRSIcNlLacKfHDNqBkaJg5Zd+8vRg/j -9MAQHwL48fZr+rz6G/jHRK3JBQj9ZvL54+2NH7VUoYLsE0beGx+sAGgV2HEFgFvUup0R7EtrAVup -6AVmA1AwtSRg5gSRpylYjZTX/Gkzj21uuHGrmwG8eanZ6tybYOKbgx286ehmnw4RGC9GIxwF1s/4 -uza/h5Yv030Jl2cD7sBYPsJYLh4kCiwS5EZIaI9yfijkT9Cnk6iVix6K0YOBLQAcv0lwAbduyGvg -IMRQyNmgk4t8OBwPi00m5EDk5JH9hSpP8SIQkcSCJDXaJSJdL1skhmmJXfABwNZvHexh9BES8Sg2 -ir+v+KzhoRX7foVlsIdhHm039k5JHFzacc+S2xkJKDjHULpl6i5yur3VYbNvmxFOnQm8pRAhxQJB 
-6jYMBsgzxwtd6qf73TczKQn+AQI4HiQDZGSv4cSnRuemEgZXVIGKXtQhaHhljVkqW468xGquvNKZ -PiW0xmr5Z3KDhnEtCp0uD6djq5YOFqEF0z2vZTHSCpPmVUsLDBqaJ0Vi/BsCsTA7Z6RhPWJBL3vo -butdWLH7QZ3gU+bWClQFX2Qav/0JA6izSbU1+UBNZ9Dk3UykZfKFTMs8i2FTBBZOr7y6YulLFHV4 -Wpa04gVqGerbVFTSlwJADMt0hnfZ5Pe+p4Kjju+ZpqQpARlNVREwmqdExn8ixJS9x5mdNiOM7Tya -2DZmxvgyMnUIyrFlubgYv/cU3DpWN7hCDBcbMacdZh/m+F4mfyRz1cf8xdIWNw4ChRhLBL01auGz -AnBi8PWNmqBcSvsIZ1HZGM0YbsEKmIFpGjHDdhgAulyIZUubLmz5DgWjJK9qrWUSqsjHjYyTtnd8 -N6s9Yjkk9SQrfrQt30NnX/KxP3xoVT6Srw+vvI/XqKhx+rGsAHL/kF6iMEm0e0TN7WaBaha8lFhk -lhmYRbB2J88+gbdPZu6DDHdfV5LaWpSHS/Ho+jwJpbzl20sxihkgO58Qyy4UM60Q7wwC1WGqnb+f -Zxd5sbrAcVlgBm1iRleGq8LofVC8WCMOFKNxLOpVBTFITWVYOcAsoXmH6wAtQ9ne7AIiwPfqrzMq -OzMNfHiA3ocGYMAANBXZ9RfLvn+/+E/S+vhYHHuEFpWO3Y3sU8mv1+aCt6L1DcagZm07e7cgI1YA -tx8iHrh7TDmtfzzs3RUCdx50WBCHNkmINsS9xYuOPxaTY4JCcCe2ECblNny4fOxk5lTTYV/Jq0U1 -qdRdNkr0ikKSJ9EX9ibg0L2t4nE4DrKdpTv0KahZbqlVxFxpzrecGxoJ4xElmIZd45yVAy3OhUmx -AMYPsILgACz1V8LY0hgDOCFnPi8T4n7/FyNapgLPQUSkKj9KMeC/E7USFNiCZPXTeCgI+yhEdf2x -O7dNPp0TUCilb+JlF4X9mw6aFPTbVTFx3rdEfI2EV31zyLe3ALOIIquSbyIS35/9kEeXrw1LJAqm -HuvI2AQVMcJEdwlaAUPpkIgT7+Wm8EJ3jAnQeUoxSocn90mCIS7uJMjZQuHZy+NVgCbWhaY8dPlY -Kb+vh8j8kpaW3lho1iP5MPmu9mFU0OFhO/ZjIvgPSHUFnHq+y1EF8H50oXbzw1HHlMARkA69Bj9t -LcEM81OGOvZkiCMSkEhmjXUHsJABDJn/qyMke6AwIyh6AiU5QHH9yZkNSH0S1/HBiYNwP3ew1GJT -RCJyUOyRimoXx8Bq6dWnbWd+LS2Sk5BeHlIwke4XwsKR9XE+mKuSNH5OgG6SxXjNqwyN/u0v5raY -l0atubsftdjgcZ0MszsiwP6VC4DBZV84sFplKakJgTZ/WfFmA1UUE4lNHUr9wRwIlHmv0G/eU0Wu -5q91RxYsk7mLFaUIgVzk4uVJkDxCOKj/CCYqoER26i6Olei7zDCRcGjAB9j6g8QWESTAoN8Bpx0o -HgRiGyRZtVYeBIK52dCuiVUvQO007eNnyoDsGYgZOIM2rwdZXrA98EUflv9hlJtJr2hGV3wbYhAQ -yxW2oreC5Q0v+O1ChOwyzrpoRF2kpQt26SA6F8VctL0cqWYOI83xmn3PlXVScj8nZKoU7LvCHxzT -SSbOx7EAQBoOfHCfDBL16RGBXwx8tzosYsFnz50j+PvWp+jACu7Vm1ibB7ciXMRab9M6NRQYnphf -5hIs2XSdPyrnbe8mJD/lQQaaasaMGlmdeMiHfx4rwm8fIPwowTeuCvv7ZLYz5vdjOn48+gHGhS2/ -EhxYmL6K0YNvElB/GD8vmAeByh89SfrwFn2+h0f5iahLN0l4NiaMyKaJG50cVO+BxYRUcPI7IFwF 
-Uyalvn2w88ycCCg4oCK/vA/+TdxEMdTjdT5GJGaTvuXcUbTbrKyOW851gstoulwEeBn70wPgXAtn -UOOMQcgZtJxRirdGPzn85IcFMOqeEGWpgT+Ifim1nYI4+KSCX7LVtAJwXgEOsaBm3FLk1ii3UHNL -fW41WenRnZnuk9Ut6WJjyj7F2WXYC3in1OsqFW+l+LAUTEv9uJaa0e8kbsuUhi8DBON4XzHSS2ym -7K1PvGjdvo2UfluCUn4FFc6vSFz6XcovaayH45db+L3+VNM1xaR9ID9BVKSFsnxFprOocOkpmMKW -QoFlTKIcIy8J4RNePMGUTthXhJBOOVGEWZUJsc9Iy+f6C65I3zU65zr8pTgnWZvvUQ== - - - tN4aDsexHYWPXiJosJV0Ldmmg15pLiw8aiHiWCilHqrNiISXKb9WdeC6cJiiGCZbCVz69nSh3NWF -TrWHY1RWxYQqA1JhOBH4mGw3lCb1bLEpZ4B5PNINVCkDmU9rKMx2mukUFPuwlfrA5OjDSgYS16Sd -c9+Mairnt5RYhxRuYBp90OrlvFUYdjupyPRgBuMOKWY9ArPbPBDw1Zv0Phb+oni5u96WTFlBASt3 -7eqY3fNqdlfOmCLORj2RyepcKVCIwv7Eq4Uc8IwT/vGGLmmqvcP87wyBX91GoDAZy3Ln1uUdah0w -ldpmpwc3MNV0CVHDtpdt90fE0nTYcchtPRvEMEXnQIJWawCoIFr9giVQG1xDDjiBzH6Okx59PfYl -uHo1PK+piJJzYNdEZvAWV30KAjO9GFvLwoIErRPrZ8g+0lj1YdUYi/TqEgjMWxU6p4AiOsQVGb8D -fAi2PnfOwKYsqqkE6cknego+T//O0715MjNP7S9PJfJUejyJ78aTQ3jya5IIk9SVJQkkSdCQJLaR -hEUS+8xrBpUUQjretXsg/++e4+pazecngsyU2oDpFjZt2SX0cGpNf0NDkIF5wcfiMRAyWBGDdMQW -JVVxPI4Ax8ul2rdaneIMd08wLqN5Hb9shmT1UTDIQyL3mUbCwjBVHsTERIopYkxOg6O8OFJEjvzM -kXzoaJeo3jVOniagooMUJdDkovBXBCoiCBJVENxmRg+wtIPLkjVswBk1UC0DdRhI8QWqVGAKKtb3 -BAfX5QjCFwEWBDBUNwCJmCsfy1EviHqNQRn7jWm7eR5VMJRuKLl/QRx45A3XXJi1Zg+P6vEbuEk9 -2O8DWuY0CIpiaCsOIUBIJZBWHJvRHxcntZxVIPwdH0a1vHi/J6o64PpmrBlIgIvzGHgDTi5A6gzI -8L0PGeecCDVVObzQdSQ0Sdx3qBcypdGYSQ4N0eDthWSGE44iGVJxjFZcNlZenVgYc/QYg6w1pzju -hLInWAXEhYcM345C6jFTA0cinlNAyu3PfRJiBRsSFyjRi1pWs1RPvBK8jbV5BbiY5SYwrUFzPtLD -68z4CbI+Xf8jKM6K4FVY7oigMGC4MXSoFTIFeSOZzndHwcIr8bMQPCzNdv3NeD/0nIJyWV03WE5o -YrKs1ucKshWHmaaTe1Ja0cxmDAfxk455z53EtwBJvmMalvJKZIRbj2xcTkcFb8pm7wBXSDu4Mqi5 -YEUJFp2nUX2PasZa0z6j8EPhjruCpUyCty3LSUQ4MtqOAeTMHy5duNEP2Z9O2gha1/oycB8nxNi5 -kLHMMrkuADZRmOiD/6xfoKSmVMYbV507kk0jNuN9J+N6vYlhCugT/6gSWUcjQSqe0no4La7XRSYn -F2Hy7bf0LN8ul0ZliVm5tBSjNARmTsnyHBgN/8VfZR9thfYA1Nqj2BgDXfr/vQ7oZIKpNIs6hHAx -CVNVYi6+N3KDnOSoiTOZr5obhG5v41LkkCB4TpCdfRP9paN7wxIzviDyBhl7EJt9Gsns/DfgvZJt 
-K0zfSViHHFVA8d5zV0aJWWXksctzz1BohD4ruQXp2SYZB7OL94CyClt75NR9z8qdedSEoOCNk3de -zDOY2bXGhBGwI8LH1/yqiQxEK3fitREBAoiz76yKNyVzROYY4vQKZMfjxiYC9YSth2ISsd2GoWVl -B15JHIwSKar4WDspVtJDLivhHWuVkoY7TMMyWdYFcf/lTIFL2jByWG798wrRj5BqzAQmYzGylqPW -8bopAYyu9uRckTqGL3V44yRIfBXFH58owH2KjKsv02sPGLs9V+xaSbOQaF/GQhBgbJVQlHO15eET -YE1Ku+UczJShso01mPQoC4Xz029M3dWVgpHOKjO81ixEcJUl//KQMSSZojeqkpXeGlKxkarD9Hij -5XfrnwV6hI1YajZdISI7Uy6yYqp0V0D1UpVd2tgi1nGGiRmYhyX+nQIsueCqPfm/f/EBTJa0lpAa -eT7OZbtA8MB+KyvK+oX2aZ2KeccKUf1Wa+nKoRTPFCOfGV8ZpO4ACKtd8teVcrBo6nILQSO0oMGO -mjIIRdw+YzHlqF/rKXEbv7NvUhdiRGyZEC09RwBurCsVekmjRS9OQqHXrIXeydOXXnRkBA6ehHMI -IRB3QeFGa9P7HaFtVLzsC67UpSlJmVKSSiQinQIAKgDAA0cIOgjWCA5BQ2+zF82j1RGiTGrCaTjs -Yt+cr/ESpsbz17RC0cgnPBb+Fi7u8cjnaVWlxv5QyNe1hoZK0sb5IaJW3Io5Yqq19I8kijW5cGKZ -HXhaHlJWm1RIyfqV8m1WtSpx1QzxM47E+KuOK+YyFxrrpTjHJEM3daQaR8jYdgSR0YpXKKyRNhNj -Gy4SbkXjOKQkTvBnhg2JHdR0P2g2Ximug15yGkdF0Q42F5oDcgXFfKsZTZL5sBJCJvNtooyoyHjB -GNPMYipiTlnOWIm85oTxGGkalLGoI/Mr5pMdvK2IEvWP+XjlmYpVzT+5UEWYGGXyl8RpOiFO5dWM -12xGVL/2neZVgaY6NFkn3H8pODg35QkTl0R1HBXIM/1GQtUtVF4He0xcRvVQUUXBwbnOEOXkmlpI -xUT4/3xERIIzY0ZML1MxorZ+RqrIPChJOEVVUfwVe2UPqzmo/WzHubBqDqi6qvLM+YSDVGZsVjPP -q1JhnoOhZVpufErCVTXzoKZscjlEWkOeg9JLcY6nonKFxMwQuZhMnbpGZU4xFUJoI0ken4OJhijO -wdgkUqpsF/Wx+bBmB4VfQhUmXxjzlrBCNeGqlJjsmRJehhdU4xHaVEU15RnapfAcsOGiTeXez0GR -XlvKF1+lWirIHKOgqPZ/jTC0d+DaTITS5fOF35DoDo4dUkES0Wemimi/V13w/fdUEXGTDX3EiY0w -r6JPnG6ccaqw/FNVEm4sPntq1fhU7anGVw6JScR3Lhj4kN/00nbP0IIAAOAD+9AOnXDFuBu7hZAt -NjV0IBWmuEjByCgnkTCezrjCInwgJpqHVxLqJbQ9iJODCZFczvCLJMSKJN8cnlKNRBmpSuYVUrnJ -kLKm06SBQcqFhnhvKrPO9GE6zV9JJYoecpqQHmRFGRNyBxx5xWt02orkIlZCPlMKnSlIxguLkNpX -EnKhKjlGSAInpCAnEt3BWhKijSLkY5+jUh+6iWO0GirLVnGh8Urc+LjTOItyx1jkpUY4R/NSVjVi -kqBIpUYSti4v2YSaO4JGVEQyLMt+JUyNQhqKUEiRbmqsVuFVxhJrsOaomkPvcI+oC/E+8XkVL0/Q -G6rPYnWnRtPi5JU7Y7ydKopESaBXHXwjCpFNbhly/CCvOvDnPpB8ZJ9O0cFH+AqZikMWTEQhinem -YiYhXnUw3MLkTw2FzKe1GamGUQ05oB+O8UQzoT1NIipkHWkznNA85PUbphMxN3txhLj6JsNJhXJV 
-wSqGbw3fhOQU1PdiWahslwlZY0ges1NOG0lMSc1oMSeZCZVVQhaTucjkETEkI2mSz0gdKd5m6Qgn -0p1UrnrfCNxGkUfnTYWsKwWNa+3xqVVwJ6SbaDlukQlCE6G74kUbxefV1aJ4/Qin0WmKr1Kj1dW4 -uK69pNV4iCOsqkYRZlp3SRsa9D3BCEqcvtBP6hMp3xGMeEwe+E1kYg1yoYnTSEM9iZc3mfDoUWIW -nyeriVe/vdFX4nsuphiiJeyCGlk6p0+YT3mm8XK5FQ4v/y+32GnYCz5MXcDWw8sJI9K8SOyYWjBx -fgnjtHXCLsTbMB6vCK+AEao2gTWywozPxTTEBzppHFW55gWaJA9bihyDENmSRqJNZYUSL6XLLEoQ -U8hRL3tKAhVrVRkiVh2mlPO3/ZFqZuamIS1CtrA2YxpWlsNtpIM8gdqxZeNAYmnX7EDliFRRGpvE -KeLOEpv4CCZWIpwY9oohdvnFCLGleGBTTcIQuaHtkrZ0FlyWuGUIYpjlQQVJySeHpEY4OdoQOZg8 -mKmsaFk7Stmc7CJnWnbJeQWPwYl7MwPH0zgNJFesKltGse+OtoP6IOTp8XaNr2+5bbknOPEgX0IO -hTdHDReSybeHUzWTm8wNhSEV5Hu1gcHw6A5hfNp7QilycPCA/sqnYqJc+viuecME6y6WabXcROfY -QpUwoQilvierIEGbjdhp8R1ehAUPOqQ9xLBGu1ZWKaRdJzG09EiQXSUTpJQg0dzdHTikZVIJFXY1 -wcFiq3bHsPKwkfqWTVLuirhjRkLHx2uaUDLie8FAwYPerVIYoal2kCHrFPRHsnC3NHHTavEn6FXR -lB8i6DuKI1T0LcGIfZ6RmY5EfB6R/N5X6sQ3p1BPIr7bEhPlbf4vXkvYZ1Bt4nQK01pDwaiKOxZD -infGEDUv2lpVfDKK02LBtA8/jpckwmgVEeEEdrQGTci3TWgXQVEjp9w7n6jw0NOWAl8ljNguY09O -vGvsbT2w5vMqf0z3VN7ZLGb5L7dIBZIVyedm+EymE2+KtVmo3cT4fq4VlWd2ODfN4Z+LkF4Ncv6Z -j8shmxO9QT4URKc5+drUWObFilCuKYxj775ANfP6NV9RhJqxVeerH/ZpcT5DDvWZn4pz13ChPsTp -PEQeem/OqAkSOyiR4sxZd6BYxWYqNrMM558FjTKP/iFk01PEobGQBsco8xI7hGy+PGQLJSuWKcis -Yh6ZNya9v2rI5fQVWVby4OqgvGItVynvJ8EbaRFzrlM2qiCSzyEhNkWhZuxLJbPLSRFhXMX3L5Am -UhYR6Q4mFDRyMR/KuZxcWg3DtS/qhOIOTOMHdZRTmHYKucwa1lF6iVI3KfFsaNrkFHsYrhjyyhfY -xcVkGNq6TmeVl5bQrV4sCpbRPtycDAmLcST4E6xy/hEhBidGX33mUvHAWCvEjDOSc8PWkyDcREa+ -36G4yktGoZtMmJl8MneUBJHJ/FG8OeRicpiOGM6Ja2YyrtQKt839wzmugmgN2SgedoWoPWSfog3N -56VECNe8r6nnx2keNQu3zBtBoY938yoxTIzm8pmvxGFcJsaEVjjVn4US335BSChElQJkCHVnx4wH -vV3Q5t40ikUkBm3zaWPjE0XVXjMJ52Ix7xL3GEOHKBkVEXHeKpMgxbZMQ4pibItUJktHCg7akc2l -pnNVuOgVLMrBHjNUofM6kMv7EkciJfM6oKiaQj2wlLwg9yk4eEhRhSc6QfEIlUwPSB40FpEMl47H -cVPByziCOKypjyjCxiPyIlMyIX7CS4kEEuKL0hNjYtvYEpTVUlL9lCe2Kp7kC3t/KNRSoWGwFwtr -+hJxjPtfpPig1PngBBlSDbXkdXBqueLMECGOH1rFqEKZPyLDT4ydh02hrBNq0VDCF3NXENYb99ce 
-Y/r4xQkay9VBFgfzK/9BDantP+Rs7Ufn8VKDRB6ndegu9yALlT6iqYqX4hUsUZxWEZr5tIo0IUpW -0yhPuPg9K00ZVfuqO4tYsj57adMQHm8X6lpiUBSdawVrWlvmT7SobWSiLGzHKdbQ5Q== - - - ZDGPSNI5eCMYl/nD691FyrDOqnSDKNyJNCV0Vw76X4S+ygXzqY+i4bxKUuQyglypYJf9NPsZaw3v -81OXqJJAns0M5yOKQJ9LcEBKm4q8WiOlL9hN8sWi8XgliVXlI5lwMTYjdFD8JkyJrNNegdg0PKh9 -hsYmGgUSu6HZQWYMW9csHjlVtlacA5HKy+MH1nDcHi9wwWs9maSzeKo85+qQMKsOy8IQhxwl+WJZ -khlesWJCTRpzbJa2VOPUOH2bBytG0EQ4EpLPU2wJzabfVGwirAeaVS5VCbTdUnLkXG/KqVaiJcxM -PJuY+lTFUFiJVE3ih82GFTqiWBRotsona7l0K+fm016FW4u1kUnx5o5Mxo1Zkei8WtkwGwXP6NvW -2mxf5pLODi6XbWJzTLishGZkT0xlDiGZTGWWeawqf4WMoexgaKQxlM0ptnjIAc0dI9KIc6Gas8ZA -HkrN67A/r/qJRXOSerhLpHPPMNA7/tBK4YaIHVyo5pmrtpewtcYCKzyez50XUYjpruqlP0TqPEtH -NiWXeawOaE7kgtxDdahYP5bNDmi1KPGsZhOX2qyxM4Kdl8RCf8B6/XnNKLhEJqU5i7HptpjKprGD -Fc1q7tiDRGEVsc+YTs+8IPmE+SaUGNXB9+7r2mK/ksWD1D8Z2RSdSjUT3Fr8m9CB7KfuvZj1TYh7 -ubcHZVrRXrQytXQ3U7URUdT3Bc0XMyKhNp9XDYOdae5xP4fgHHzaGrMloikG39HsIUSBaDZ2Di6z -kDHOGdmQfZfxnRB/uBl9RppUs/liUqGSNDaM0YQsTA81GOVgj/gUM46N0qqPhxGogZ/NVTSvZaaY -Gntq6pkixic8FRVWMzPN5zXlGR363MXYOeOYyWa+yoyc3AuZy+q0rKMjhoQxyksz4StxcGVpN/IM -kp55mWJsIiKNxqhFCksblUBbSa0VTkrvCP/Tl8njQmHcLN9QXtulShSKGso3mzNakWsul64fS5CZ -BQEAQAlaz5S8ppwnL06CcK5pVT6SzzyvpBE1t9CDPa4K9TRq7BnRPD7lzqfBsE95fiHPW+OhR15b -KdQTNPPpzD1SgWJ2+dRZlOSUKZLKu1XRX3LOWrd08ypeXtUKlpiUM3IYDVG8qCol8nM0QiGTQ6aN -efwNi9weCSfDccpEIFGQPO5S3LShKfqcpFbhoJaqPm6JUzlFSV0UEuPNyiKN6qPkoKZmVJIvgiQW -ojLTNyjim9Wnpi9zdsCTbm8oKIruKN2IpXTVGEbjjTu0LHF7PckkpMj3qfk5IcqlorwSVDZ9TqNU -T6T4aPcdkkNV+VjxloXoUX9w5V3S+utwlIRZttBYaNG4XaF86CXhQNTTbsniTJSuFt13vlLtKaOG -hlMmRquPmpuUIxyKFOS++rksEMn6aoyopyraq8gmnvxOQSUhwqAXrU5BVv75HbKDb2ZH7ga/3f0n -iEU4nY3eHUNTehOjZaOPvo/y0FI7YkqM+LaSKwdbSmOh4MvPECXmSVZ0zH8TTQJ9JXupCXYawSCp -IiOGvlsNLi71RU9EitiLXi0uNKYg57I+XmoeMd8BuW6myLcEeyFKrIJukgclIu514oo+r3QgD8eP -xS5jMYvdG0qVo1lBu4cVCgoh2hzz8fUXw5wqO+6LsfGAMgrzJW9ozNw0dFA5EpcoGhl5IOxwJcrE -45nDUixqiYgYs0i1tIns4LIs47yEvCVGeWSRmiTNdJExEmzZwUnptNlDfoQ9LTWulyS9PMhubndS 
-fExuGQ/KVHpCanaVXo6Mg+yNEzPfkRxSxJgR6bk6ghVD/fTSeoMbGGUTEUOPitBD3NAKWaR9KNyT -iOnyEfoqHcWMQimkd7IoGRpbFBO5WChYdM5cylR6lMR8NJRhqaZO6B+xWBrsxUKzdwm5PCW7pbwx -zKV1bX1ZuLJ/CanGM6q6DOB5jIs+LBZxEhEo7lFwMN68VRNkrgOhYFiqXJqHxqmLJRre0RRv1P4z -ztiKSJIVF9MC0STq+NBGoqWH08qKG4+Pw9TKQXHXGPOiBtNKhrPD0Dplxkhhx+duiCXkrrGbVjAq -aOQR8s4rKSV3z7DqZvD2S4pSDrzN+unluCRDrzeFn29IJDHyGOVDr457rNVKqEjkMcpQzRpqJGnU -TWOQFjKo9S2UYAzZUQ6ZitIV5a4EhQ+n0uClCxx+vIX7hq0ES6Ohh1okqnF8RtnGS+uoz06s2B8k -XhQsyH7FjFTPTcqjkWpJhZ4xByOJDxeyMKbL0s5pFBCtbL4yNIF2UXBAwRFFBAW2yFy/x4XMXSpz -6uOaepDbu2IYzfm/W+dDwu7DGc8U9/0zr2vnNFK0c6YhOq7Fay/nJVzXIenIPbyGdzg7zT+PB7Mh -k6WSOD3koWw0IrZ9mSr8jqdMTgVVXazDfHBF66oFOcgtUUscRKIjx2WmSnO4/CPoRSJLxFvnUHUq -XXFR5mfCSrqoYp4okXjWcxGPaqNqNeMqKgtF2S6qimEU1VCUR4RSUqYaVaaCE2TR8ETxmG/NSPmB -+GK2yIQDCA+I7YqXkUOQvGZ70GpJbXXKUXkQ24O5qMock8Pr5zOny1SjHDULIyH1FlWg7FIO9lH3 -dI5UqmI+wqQt+fVgFdoWRalahX0oC2+KclJpROMai32it7zOZWvnKo32csmvexvXTQe0Vm3VGRQU -XS3BmZEZizEapz1kPiNDD6YqCXp1LRWRBFVdpqhS+REMkaBWhTiCVe6rEfeMUAiJ4IFD4u8nqynO -f5pKcuYlYqsk5OSMVBexhSZMqkLv50GXqFYeQ1E5KEVCbtbMhqRKeFsoNTfHJDGJ9PJGdkpj1Z8k -alMnVKkSKqeqrXivEamCQkqTt3Bbdsm2iGURoW6Ka2sZskw8eSF7UimyLLxdI70LuWV0SW1VXW4X -q/KZEFLZJNdvYbcsIW7BIU5JjBsjzaUg1UShjkTUhinp+ljUqKLSeiEhS12qPZXqCNWeklt7SlLm -rfCR0tQdUjI1qtMHvV2f1+zVYmWZNfxEZUsdQlLDeJFQyBP+g9YMN3LH5dfkmS6o1cWlOaRWc5Gm -FYNotDiNLKm5TnbMoJqD+B/8U6I7z1iX8OmpCilWZUS70zVou1H1ZRVInDpLWBMiP5AJJ9LIcD54 -LXeYD42BEfXKxpHbX5AwuCOfwTUk9dFMZOQQJWmVReRzRtZY5PG06jOlevifbUT7blfQocbqzvoL -FgZ9BvlBwZJ0mcTtj6Z0yLg/0vnx8f6lg0UfiW+mdxSyyiOka8nJSU2dJhEc8vLBqIan0mF8wIm5 -JsSpu2UYwgdF/HnXEVwHDKKYhakOZGc4SB3MZvjVkS7h2xM5qKBodTvF7jkCueRTOqhQlNwelqN8 -iLhcZU6rfLIIpQOKmsr9EJNFVTRC8k8gHZg8DDqgGMdKkEUTZQdjZg7ljz2qmkB0MNF5O6hiiHlA -rJiwxWuwDypKXKagCWMe1MUQPuBIoguth9Oi+orWXEBbWKqiPhgRVZzDNcgcCHkVOSiK/VMkd/Lh -hFyoNEGcBJED131wUZD/Tedg6jNSl+0VRA65KBrIhhmyigLZmFdR4MgPIgcrTeRkk0OmTQdTIkJy -bA7oaitwBzM7qFfQyOcOXpcgF8uvOxDv7NcDm6ZG1Sl5pU2RverHXUU0OA1tQ9QBbUKo4hQpu0bC 
-owfkg1ckRNF6QDLNqi/yTHGIJM50gkaVEGHtASPISKmmj08omVA9ebSpsQvHJl8aqAcjeZn8d3yS -7CTJAq3cmkSnTNSD+axMvjy8JwqWkssQCnF9iMXgaHDRyhFezadOoCdB9rCGKHvIY6XkrWpyCbmR -JfEIiuuQH7BcopEaKsWQpOxonSqsoomfMBVtRI6Fe0KVTCMR1kYPhIrViCDChYaNH4pCSsoYHpDF -NOTRFYiGxj7I0VA7KHJFkE1pQ+zAxTYcog1DI+TFJXzRUCXkjhKKuHiMRzhbJng2/3GKhVwRLpeQ -2eCWkKc2odjgOeB8QzuY2A3tXIsbckA8oGLHJsp8i7pIgvScqFA0ZbHnICmxi3pQu/saFKH0sUc8 -DzwSZ1PJYXWGV72Z0ai2Iyj1pkSVCZ/xQD4Tcw8txHAcxilVIpjjGcki5q6pd8/UCN0UFhJTMB3U -TaRppjDU0BA9oIzrVVXCoaB5bgnLg3Ex04SOJ0J5MMVQHrQtW2EOaFHjO1g8mHMohMUTJEixUFgU -0UjVS+5JaeoJbE2EqH9g39Q7RC485xQTZPUt45oecDUUcSFa2HcQfuCNTMT7HTw4e8MOWjOukoPf -9LVhB/+FRA3jz00pnCrsYEqCv5QEmQM/wpZ5bwolQxI4jvpWPWGvSAqeFT0H4VXLwbAnwbCKevAw -7BU3B+TikHmSqXxxVgl0CY1oFi4n/KTRPfRyRC38tKJxWeI7Guosfq08p4afE6/8Ypk+GWKZ4lOX -I1YaugwZJ/Ss1tEt5GVpMaJKVWUmp7KvIFNNbKpcB7FjOysasVOuKZ0qs+4aOpFQxRktWTYrHDKx -qnaAAyEXZXSZSYQKlojvBd8Z6lZRnS1edRlXyLoQWtGHZoRYKzpLZi4nk/CXjRRXXP3bVGdFw3cz -oxPDH4gr09Ck3MjHiw6ZhCEfShWt9JJHqKrrDKkwXHx2PyRcdRKGE5FK9dHWPWfKX8srFXNLLXYj -nZIrTLA4i+MLMgSNRKruoJkF+d9MTcVM3LSq0HTiEVSs0KeyoJe0Yc249NGDGkMvryZDztoraowN -Uxz0ochEpNHqXkqN2lMpOJ66E6IhmWo8I1X/pKhfx7/L0IXtQoKCKAJJxTAJFzUVRTKX7wiSI8oy -VDejxsT43oupRLMhDSn3qqQWC+LCc5AxiGqOIcRoTyLOcc+E6Nsdl5WYSnK2f2lKuu9S2JB+iIGK -HHUHve4KvrGKVAyJ24RDmOXYDOpMvutQQk4T9Wqd5YD80AUAAxABCTTQAAZC8AENHqABECAAAQsw -gQYQ2KADHMgAgwVIhUADCWwAAg1EkAALQJCBBRtsAAMHjACDDEKgQQUWfCCDA4zAAxpUYEE7sIEG -MqiABRh4IAMJcE4SCfUxgQYiUIAGG5CgABSwIAQR0GADEhRgFhGIQQhOIAELQKBBBhtksAEGIcAA -Ahdo4AALThACDSqwAAMPZAADG2SgAQRsAAIGEOCAGDTAgg1AgMEFIsDgARZ8IIMDRGcmjjRVkU6M -M8kzj4qR9QvneJEOe4RQcGC5zJY6KFnXTVAxWrPGP1ET9F7RWc1XUAHFDLsgKqhrpIKTZWiRUTAT -ErPVQim+g/EEOiU8uTJB6/epkQ3DiXofa+8kraF3HjT610qpL1yudlo41EhEpCENoZPF8VFjdpHI -s3GMWBUl4lenMNFqdqLxkOOhoJHoHlRdjFamULweHVtVn2G1RsEQ38EWlHHqNQnLTkGJ+C5FlZNY -JKS0hnHWZGhmvA5ethPxGxVaXOGSThIpihNSZyauCpGCp1nl7IjcRJxKM7TFilNBQg== - - - RJ9TRixzZIhoERRDUna08fD81iaVkFZp6FR0KHK70PxE4dJuCis0DZIpKrHSNclBIRLYm+S5QoiT 
-czLuJKpRRehcK++JnnFIiDSVnarUFEMtTcgaLaJTWErTqndiH610aOLK9J9aq9E3ika0y7DIQ6Gu -jZq0X43MsdGedlKDWLvmUg291KgVP/siybSGW3LK+0XJ5VYsxLg3VVCM3RkXJJWomsrhJZBYpggJ -5E4tsWTqe9CSTNiem16gVGgPZMiLhZLWRkN7QKXvpvdJnAyf2tP5qkzSYvaQ4Z2yiW+oBFkqtcz3 -Xg4s5WuRCp8YIbIZZL/vEayYkCByiecDIeFaR8mqGooOpqYnUSF1MGU56nDUPaNlOh24M0f9ko46 -RniZMYukLk+raup5JeoaF3YK1EA7kInqvJeKcg9mDry3i3E6NMsqWcNSsVQNVWWLpopa1KqGkW0F -WzWdmpbAg4u4pi46YmF6QEOlw/WoKgiVB9UQazCKhMHTUlCqDuHByojXfk9v2wntQTWopGIrSKJN -idXSrIQ6RQckQ50p9yPPlGltbYbKwk25ggudUDqYTfVCo3N0gkKhj9BU6ANfRfmDAQscgAQkeQ4c -q//ui7PTg3JgoUuBHvcBkSlFoT9EJ2yWedeLnB4UX7QgAAC4QIgtvCoyxctBNTL6LJ8HJgqkg02r -N0s0ctdPRn3ompuCRe4FEXkC0Qw5KIZVqh9wVdUDonBkI2tRHVSXpoYo7rvd6LMIkRn9Ii2Sa6WY -+KNkszRdK6RuKOhCUhtylBW+zpu8ZEJiDZkWukhrrHRChNJKTVMZEuIMlXPx55bdoUoP2JfLEmsx -kek36K1MkVkyihdFDckTmRXzSGKl3hI50lalct0DllBpjZ++Ta7NZbnSj6VZpUSjWQVfhvrVlCp7 -SDFKGqtZfSRC9SK9QkJ+SMjFvlJyhRRqTA5ZySgsOe5HVYmL1JWnz94IeU6Z02VcoWIvrNdtD6iq -fhszlsTspTbYB0U1E7R2fPCLYz5g8EP0MWsnxytC+QdimWLFikIcHaGSiKGqjRXHYjQRL1bSYZFU -4rHabJ6QEYdHi7b9qYWmfFjPB6ayRLpEwmS/dVA5zokTy3TO1MshFTLZ2qPI9PKUnnq1ihIlZtGk -JlFi15DokWr5JR+/WhxPTXiIrmor/LLQ1eAYFR6RkSgL62WqkEYRUY0rqlzzUrcUVZmoosoVbyCT -pq2aI3LXK6gcllNYrAhuxhN26JZEE84lmoS92qtcWohknJZlnGFXUnGRmFUtl5UnYtgVZWWZi4dE -VhNxKbGrylIXcawmevC6mEbcOcnIgTDMiDpJ/4mlnyhUiaJIBG+fTpXO/akm7gdKD0rrhCqmHEIu -b+RgJedGp9LzKaGypYySsFn9CLlxaZfN5mpMmrmrOI3pY6pJxhTy+WYUfX6lTLP/ksH3QUQzVYUm -So45dIpnrkMuskNRGwVikYaKZq154Sm/DLFpPtJGEZGDNHERTflC68ggy3XTSDTbxDkyitSPPOZY -vKSGFUGWCk04agbDf0DiGDbkwCEin6mRomMUMVNRJMarJpsMTXfgIp/iLn6sCKogScUl2um2fbrW -5JyQ2sGEJB7U0B0UF4QHD6IwDz4cP/pPzVPmO+XVG1NjBFFcGMoDiqCFoipLycxNjgd3EproeJWE -46Sa1MlZ+WCDeeCdYtLGOr3qSrW4eIFFj9fEd/XgtxBDOaIzFx2Y7sFJNU4PhGSdd1jFk/CA4uCm -S7eYxmoVHexEq4lI/aBqju4w1d4TmlH0lZGzlAaig7J4kkA64E0/jA56C1leq+bvPhtyww5VhBH7 -MGFvygStp9SJvEVYoYSy6C4zDKcDqmNWdGALPT2oX+YM84F94JqqPucPXDojvpeEIwgbNBnZAfWN -qoN5QFO8RtI7SGGtMYnmYIRKOlTp93N57eBBYmE4nFs4v7+J5w0zFvt9huF+ezsPflcj3pogt2Nw 
-beGRalJfWDzxCUYQDx51MF4Tkm7ckE5TYbx2cGIEj3HS3sVfrMvinkWEbhEefNz0sSkhqZFN7thm -4T5yR5D0ERmJfVulRjhyxxhVrsuHviHd9Bk54Etiiv6RTieIdJtmSyc0f0xMKhaZaE3WG9JpZhET -CSOiK/TtEbWZVrVidoroiWB/hpFRsBdLjdhErbCTFnuSRckeC7PjOA6udsninmnWicDOVGHJovym -FRtetNs1tijF3fbHduqon1J1K+akhVJXNGJZFclWXyUS20GSSmK1ElLI+6pU7gzNmNbXp4yj54Xu -kiZICUVpauhbWhGmUSfLJwdrlojHPQoRm79E9AyK6P2YqHRCFyLiksxmpExaYxgqnldHaGjqDkdd -SiV1/BexxPfJ/cd/8aPkq6hHcRH/PwpFB1M8aKwVbpoqj6KmvN/UA0bZd0xHFt6DKdPp78QnRsM4 -tWQxOpB4J8rxHrAcWrDC0MHWB00YHB9BYUhskwltB6SVN3msCubBiIjMTM1BKBDAwUsi3CkkYrIO -v+/UuAphY8iHTeeXPmgj+hDDgUyObBTE4KOIWBUxRESeryZxfMQJkT81kYZMps1z8I2RkjeS0xFR -4soGyV7JlwzRlKSGSoqjuqFW9jYqOmSzna5+FIVSD9h6W9zMrt3ORUqQ0OMpSx4ULYmkDeKpPCQ9 -XyFPLMSvVMpKBFdcqchKT/UUkyp9VShk1hfMutILaVbnPD26dqkr1Jfn5UDCJsdEXe0BhySkSRKd -2txf8nlTqIColDBH1sIk6J0qmoEGEACTEQhAQBwOhkTjgdFgSvMDFIAFuIg4PhKEwYAwQGx8G3Ja -GQAAAAAAABAAAAAAQMNRdEvu5EYOuA5PRIHwPwHra3YDKoo8eoIKw8JAVdFz2aTsCmh3Jyfbiej6 -w12UFVJXZLOzlr1joJnS0Gm3HRspPAMYSIFTsJTjtEdFcEN8dV6/U/Jdk67Fc5NndFF1Yc7crocj -wDQNwfNOQJyNIeqBrZuZI0//fV7OeHFIxiqjtQB8Ypo7dL+wIhEEHmjTWJ61HDGwiIYMqj718Icl -JoO4wLpIsgKhl5+E7QLECOrflXtd+miV9lHIbpVO0+JSaZF2YaCqoF7mYJdCwd1uriT7sKWRYIr/ -0yHD4MiR6+OWPLeP+ElI9m21l2uqZddz8p1FFrerQ3uQG4aF8N540250Oe6nluNud4fJV2BDqNUM -C9rEshpywsosbM7FvaGuO113mwHsNo5ipcRbHURw8RSa8PiAPWM61zqlLPonIBJgpTbW6YTeHxUj -uNthOLkGqZvy21P/3gs++JXtgqtOqau3lbmCx2EvQxVnP0LeSdzIkuV5sxB+2PoilWQ16jP3hLB7 -miQJPlCsySoF4jtkVRjF5te0FYNsfegEEBQ8dpepqp5DOFZ4T/drKsCOCtP5WUbtHlXoiMCRtxLc -XxNsATDGhJXnQhCAjAvrpjyPxwDZm8BJ7rE8/OyqxXI0Gf/qG5AEwtSqgRV6RWyVDiDtY4ZNH5fT -mvCFKq/bX1VeEn8aZNDoRbK5138BCM4+Q0+7KY8uhnpAZe5GIR6m+zCZ4yU9S+gaI1f0JQejvsm0 -m+TRJBQLayA4VFwo9vAIqs1Cn9bmaA5XWRZQP3KJpiJXUK8mX9K2CQP9ab9VmKePq4i1Qvli2ml5 -H6lVFr/rO12uQUFKbsEQymkEqmiWp5n4pjvoM0L4kdvGUg8tuHjWp50pT3rp4FybNE08KY3XfwMb -rAakof3cLlxpQMecblb+liSMbg8qVtUPVv+XSoiBVqc0ayNdaJaCk2Bcery77Yn9DJ2g4B+7Xm6d -2zdvi2GZI2QeASBIl0Vg6gEmNG08wxInwlydBSaD4NEnUnC7Rd5HR344Eq50qyr8JFyY9ZATZIci 
-5Nzl1pCBUsCaMOU3X9rEdwbiSdt8mW8zOaS2CGhLDCu/mHwOQnXCtGAdKxJzDYHt+HrmrJ5vax4A -9ycNPFmQ9PmX5F0w1tcNpDrAixuRDhgCnlxLWw5uaglIJUFgTfkcnQpF0JiiwtTFzKquRr4g2M9z -F2zwmS6xjm6Q2JQR8vPlpbpP6lGIMHXJw62EujaELzmJmXue0DwGHv2NFST+JYQhf+FBsnjFAynD -Zwe7Y1pYkyYxpksKVfe8BFUlKWmwY51kQpC+7qKbb53sveTCayhfi5KwroZOKOUNlC1JdCr5OE3O -URBKbATrAsYBYAPNheN//ohepNVspsKqgja1/lcK58RZuoBAvAVsFOQeG2bd0W8fVbEgkKuep3oV -MJBsvCpi57FVKVH+a/URoFQ9CIY4cLHio6GAG2k/CJR7MYWYsVUSpz/lo+01OPvFEtmBOXInuHrS -vaItop+cxiSyP3CWYaYFlGupLAeztcdEAFw3+ADusvfbWJmhOMDxDhhyOe0Y4iLeXNb59WCnOVQ0 -tdsDbUJdpO9pM8P6SsEgHmwHEU4e5U8p/wrWQXRqHBvAAdG0yRziO+pp3c3XNQ6pL2JhpPIyR4h9 -NK2kX/6Y22p59iS97/UCascDecYxNgnGXJ+cpk3+NcPWJYkRL+D0L7isKIjPOHDOtgIxuXlP5wwB -B46IXe/BcpudWGBCuLN+hjTny2CvN8zoesVDENmNrp5H8hrxG9IsWlcMdW3jKD8cWgalKRTlSuLD -BGZLbGY+dEfJC9Ln1ZOnu0UUasiExs7LosrVdA3FMDTkbh7On2M4VpUenh2qPzaETEq5yulBahks -VHPXaKpIbsxmxycrn3Lu1Ov4HUQcWt6vexK4a120tl7UFbpIAl0JkR1Z3HPG6uWV8KiflslcK7Vi -22mHnkQ6NRtkQQerf5RhLLTb3BnyGbXRfSUYZgLyc7/QRKoke2UIdiAFqVJWuM86linJTs9fwM10 -rEW1LcQxEK7rQ1ONmkHoh+DwZwq/iyD3d0cRubZiyx3jXJaviFrVQgHT+82KJNllCX8enSb4dB7R -HhDCRtTQPaZ0eJ14iSgHxBxU2pDkv1HelwwYC0I83eTbGlbz1sxN2OTSK3MbnvaskxlMuZ18LnqK -laW8bgqChjUVdR6vORRjIwqBKx3nlOHrj+GdBV2vj4clvPHxG7zYO55In/MMgNEkp07uxvLR/NH6 -JLqU2HFgcT63nTgcz2NqV3TRn9sGI6TDA35BGhf3J1CdciAasCE5hcZZfyCCcxo4jXWKciJxgRjG -oGkIKh1yqhM5tmyjdj7uZxY1i04BXFy+ffn119W9ZAmoeAdnf1XOCjpSmdUwy9a0GGkPVbjrkqw4 -apZvVUlH82jJ+JED/wtg0VVx+6v5GB/nUKw6LAYm9fkMSvF62ByGkKoo3HaiLGZ6zvP4rerCGbWf -0/5Bg4UWFbkxEu/M7w3dmnDA0e/CviHzbwc1Ojdi1Dw98M/sNH1WTlv5IvC0s/qTNVLzX/a+WVK6 -6PjKNVcGEntt69TjXm05wjc/2eWBpzEiT/jEMXeJmMKUAunF6fnFVZpxaF/sPDZrsg== - - - NQoUocqffm03byM0tdICLImIZhlQJa0wMlud/qnY5r4ZYRJ8Rf+bgTAhxdWp+d0OU5oi5w+o+LRC -rVFgoDkeHu/5P5drux5F6y0i3MedsFJZUU1V0KU+e0PAbi49IpQOYLjFObzcD5YaYWQIDlWVsRqL -qkiq4/NDpubsSaf9fGC71NCMoWUY6AKnxigkoa44cEVGgeBg/bL8dKwTEf67pjmwWjIAOQ88oN2g -7t1wbMZByzW/sKnYJKI6EKXZ6CPkDyt3FPVrDcRaTVJtdxl0iDLe7Ark4iPK7rQdCZJLZxKJQi/+ 
-NmoZqs9pDA2eVTj/X7zVM+Ev+DesADS3EIjC53xULYLucE4u/wq8+5qe8KYi4Z6fJ3eFuOzk5GtA -2JcQpFm6CGEUyY6Uc4QKEURILJ7q1EMQd4gaNEzpxv4chI0yzxpfl+df3NzxtR2+1uMhN3eTVSOg -4Q3LWutXygJoiCQGIYhpHyQxaNiF5sXBSz1RCJLyc7JiuzE8QmzceYBVfcuIW5N+H+vnC0BPERX0 -F3u044o1OfkxDuIyuNJgMlScsKxu5++4Of//DGGhZB/9iHnfo8hoeMVkT/UsGTw8n9mqi50QP9ak -5ga6QUY6v8RNMWO2lEFmKvxqkz9jR2QCPTHQbQtdJpVzOAOAEvn3+W+D32mmlkwYWrmBawtaNDkG -goXTRrIxReRB2arK+s9ZLgmPS1WZMLcwCTMdPqsGKuGZkMuzEIU0eG6ZnI7VTZHHv8qcoORrx+GC -ZBHTmeXqPIXy8OcMoiM2r1PIUv4AsTkVJsIdHOyBItgTk+/b/n618lEREGtGx8PnIR5LvuPhFfm2 -3DlU3dnsQod2cHYPs/w+oMOehIaLWVSf6Vdq1xhtT644ReqvSPkZc94JNnxXEFFyTwgwChoo7ez3 -mWdCW8n9jo3TUlcMS8lFRZw8LcqtVm7UmlrZZDFFLYS+QtJpjN5sMwu5g/G5jNH4xdoNcRcc23lR -Gy2JQcCdhcArH5D3KtY2g0uCR3hiYl070Pc97YwQpiIlYD0TfNAA7LqUI6+8kGoI6XmN2ziNHhNG -P+q2CdZb08nSPeUM8RJ86//WM9JcXr7Fja2QVihSmNRDcgrLu8MTLSsS6jYMpZaEntcyCqFzb1iC -qsIzaJyGCPp1vSgFNgoh0P4jKa8hHxqaAuKyaCCYiSr4eHK/tpLcT5InUKbQYD3RvePTgHtXxd9F -wHpUd5hX5mSZA41i2DuPW+KWxZ6z4fGoe53B73CTKzbViXI4SyapIzLGJgXJuM4CQhar6yNalrxH -rfyf+2SumI42d+2iiseQj4g18cjyGzmhdJuFcoUhinh2DcDQ2VyoIkobhws5yNC1V3pjjBuyJ8Iy -I2WzeTYj23mCRpPF0Clo8NxDHVYEH1EkfdmKIzWGuBw0bMEHiJsm9VLHkpGVdpc675Yk2tCiQqOA -zExkSxKf84R6XPhUmPw6DvkdECLsNADM5GY8IcWncy8ucQynNmTdcDRBaI1rbErsTNDOMUPVIaHs -0LifsqLANkHVW6Ip/h6RrOBh5WBrPgHVhONj7CmakD2e17RmuVqLVnzROsN5OOMd4s2xk+GDFRzW -Hqi8Uh12GdEwWBb91ILr1VjcIw80qrSaOMcASRPWz5iyToFMw5F6ftwo6OSvS5lXQtxsil/LVRNY -g9xRJJlKawYU9OhS3YJDZJj411C07YNdHgfOsoDn8aFmwseEO/G3ytpYdqFEMKa16AMmiocVIeuq -gwque1FTykEB7+582EsO3ZKAAmurCB0cUu5deA10Qn0Lie4aVi7glUySWXPDElcxCzlUpL4Z2biv -Vt3xkziizvsrdETlpZep+gRAK9rKRfLhZZX5eSDd6bxOpCkklEHUV26CMTSRCHQTI5DEpAaKRegx -iRGwiSmZYsZ0WCWDc5QjxlxP+Qp4gm7s5dD1uxqYVrxPPT2OWou8kywCbiqwMtcORGjSxLEsG0Sk -kuuoF2o+LATqWA55vgoPVVr0jCL6w4XHbdwVxwigbR22uEnbK7ERNH1IzzvlQtPuaQs0HWS4ACf7 -T/PH5AmtrxXuNTKRJLqfi+NESixrZjMbHUa9kJDnrLXlo5psB+2UmhAkMmUr8YzGqvBoUqEH9wN/ -y3vdObplhz4VYflANzBSGGxadirmYtM5nGda2Ox24CIH2OYmSS0sE96cbOd4WM0TNH5JKl1mTJrs 
-NpVmxtppHAmrcBSEKWYw/fCt7djTkFi0k3QmoguSwFdAeQPyEk2R6rTDJ/4LYJkkiicIflYE8723 -KbVhq9K2/BuDHqc64Vqjlh2Rmy+FLR+doz6UBeLDUcbQ67vrSTLdM12EGlI4BV8pYze0aalEuTpi -Riqo2oDBHBRzJGu8FImJbUurnZux0/WHZ2rBb8Yf43vKWHFFXzenRNVuJpImf26+ZpIqUbh+4Q3c -uMZHNjzBB4ZW/gcRd8Qce+/O8ZxgWq0Vkhmj+OH4HKbxLlrxM8QwSTW5FYWR6gvVkBwkSi0dTSFN -+mHjSyhhfgVgEJerFToRRRgGFS7Q4FghNUy88Mps5iHF9BoZo8ZgGyQEiA+GR1YjqxjXTYFjM8Gv -rfb7qX6LGzxYVykl/M6b02lVoZtGgF9YXqLSQm1CvGgJZrYw5UJpXSOq2IR2uRKzVAtces3dVhxz -MnWBBTk4BTbBp/dkIbCCxTl1DL8eDTmXSHW0BDnOb1E+vH0Aky6jtNOF4Jk/EGwOvFJ37nmumqow -V9bkNLmmQ5Gt9CbpHzYF9SBSzR1kLZhy86vZEo8o1AM2wMJeFmaawezWscv1lQmx8T9XJNom56e8 -sImGGwvLnXglQ3EFGX2wRjbloOFR8Ovi8EhiVlALdUZlKsBeXEmrB4TzF8RuAkyFaoFcVWKGyxT5 -7kv6IrpE1ca8EQtaeEURwE4diRZgLF5CA5ZatFhiElWPJrmtxXMgcRlJSAu/a83i6VZ0MXlPP0nD -+KwE7paAgxQoDtzcfKG4X8iOnLyG+wkmLN/gfbO94U94xaSiN4mGdzxn84QUpOYwqLKgF6lOIm7+ -oG4LAoJnMX97gME98Rnt8VvuVG/+WqZ4ojABOFYiPQkOtjqaywaJNQFK1UfooQpBIgwiziIjnh4J -HgYv6/QvkHZDxoCCKOoqn/U95K0P+hHrvONCNW6g5j6RknKmc7sDCtXtm8N0FmQqsxpi3DwCKBz6 -Abkjsli2Z2lUJJzzqU8bweTiHlfK5JAkRbpqrKsEp/EPJ5Pm1O4OCEBQM8wd7sTxG5NwgKidTxJe -1Q4ZJklCp8vsoJusyoGpOGd1JA0ugFcDe55kkNHWr9L5EG6B8Jj9FnkeWnm+p00xhDyqj0kKR/TL -Op99I27FvlmRzC1/CixzS/55Y8T0z1VKnpqA5OqIg2uIY8X1NY1IlKXNA8thpQHxbSIIx6Qf1+B0 -V+iHwL+JbexyzdGHA8/b2u8UY47zqFpo9D/oIyQG1Pdo3RSNpAuC34jXIQKZjcrd2zVjDHgMiD3d -MxuwnBesNyv4ssenf/9w1RUY8ExVgkphYWfT3Q7BLh/uOcU162uMgiiyfbG3AjMZjQCEE9zPMV2E -bIJnLdATT71mdiiPw7VVNwVtaD6DnCCmhXIIGE2tj6fg3yieVhO0CeWev3CrIYkNIspUfH6spx2v -vTieKHVcF3Z2UXgTAUdyUBgOSKqETlL0eKmwZTrdPbww71FcXcRABc8spNxZgaevLo1YelB+zly6 -F8CkCLm1RjNhAozoEmJB3lwA4Imjs6Z1jBRTRC0UR8Fns5LzK02aopgLEYccNQ86ajjPUJGsav7R -4PgEJMxCAEM3bHkAizT6xr1AcAcNCpLfI6GT36P6+vGCg9B/eE05u9wW4TkbVZtFOWfrrgHQm36Q -28wsduQFu/1r7DI18vikXQDrChhq1yVqh35fXV2Si+grT/D/wqrOirDimK+mBzoCAxxCRQ0zfnrY -liGYprEJHSirAhnYTj5LDHMiY+29y/13khwDSXVoKJ1Wuz5gSIC7F0hgEPc49oEQP7RE6jGYKrnO -WFhEo3WDiQ3+ts9I2BQsJcXrAXAlyf4i5N+D/k5lUk+dfmWZ+9i0NIigKt7EfkLim8yCbZieurD/ 
-CBng+uSeSL0j1w06E5YdVRv2BI3yH854GHqj+6BjibZwVWaSAczhM2N27N8PAsicsMaAeEjMI8rE -eBw8dcith4upTSxBtoow8F/pbOSO5XSbV+Tgt0rdXlY0MiT/ZGK2DcEpSUKdvVIV9iClgHf8/HWV -r0kWbL6GR7DHJQAhbKiQ0+ctshPMMyJkvx+RM0DfoMxFy79YIaLgJC+4QGn1hHD3DipaP69GT59t -bdx56COULFJYphIzgleCrdBBNSoT3WXYxf/dZQOqVNdhb9HMNpW7C6EiGonAAOumtL2MXoR18Zpo -gKMgQ7F+DX1PckAUQp4vaZ25I9+lFHEuSCYiXpE1Jn8OmZUhtRN34wSFKMw+us4ZatlaAEr98xFA -TJvY7DZitzWavXnJHbreaVZsEB6G7J7eHWiHHrYyg4e2W3upZbnzSKuUEtSIcCzTQzZ+cAb/cehM -lMsilE3RE5mlUhjiLogGFgfERrOGesIG2JjBBuWJ4r2zRvkvXu/D3jW1Ri6QxlNeKKhC0JVVXH77 -xP1qRkwfnglCThhnLmpQ/+mtzuii/yDBf/imarmlJzVVEZVHwGAlxSB6beGerggs2L7XtqHOtrmh -ddyXrQBmhpsYdCppIvCjHqYG+/uTcNwJjC2IYIBn4FtBsE/HZ0apOidKs3AKUSwChHeAGiISoiBG -MlEBuYnuXDMGrRtXY1l1CWe+ekYFscDvMo/vS+fjAyvTIKLxgj2ICYW2ixBbDjGBmKkhucosKtIY -ApS7s97zdRYOfmaljxPhvC2YFkhvC6TkxRskZsozv/YcWMPl5zDvERZi1mP89uchhp/pyxckdHHT -UJQVAQa096xrlcU933qgp9P6CGlBplF0vxHRTG3ALRa2fFFeYjmQrft5MKWl2A9hvk36lmgLPg8y -ArgW49X1OKFxogu3ZhbYwlUpjkK6Oh5CRtuU0ZpYfR9G7qqXgF6O+EtDesQ/bhXk849tldfHPQBy -/XTZFCDFvcjQVL25xJgK6u2EP3VXO44bqEYnRGCFWHr0XMFHx7qM3NkH5f5BE63hqD3HXjL/eV/h -63xKyKbV7ZwYiISKA5/9TKEbWxJ5LBslmlFJECadoD2aw9zJ7Et+kGM/IC+HLClCBRJ6tPFEybBt -1XkjlYQ3R4n2kC5qgKdXre+o8dBltsDvvqNw5GZD3UTCWdn8WMz/iULiYXY9oGE1q0hTKDkLmc6I -ixRQy4OgkGok1jOqLPNLhJrjsZ/Eyxo1u2jbcNKsbAMDRju5yujLEKPn37U/WqJVeEwCyfSJuD0G -gg+MIAy2CIwO+bIQVACA0AxGhVC3zD7GXOZl66xh1rurHNLAdcwrZnYJlpCUHg4hFQ== - - - BltsIzTX1WERLG94HaNaQkaKtxl7FkDwPx1O+86Q6UgEWa1jeS9dKDMwGnNUF0DwjTjoF8hnYXKZ -X18B+A8WjwpqQK6GcUNSVq/1d4vt45odVs9CJdKUonuVd2y1GoBhwcxBzYahXUznGMO1L32C/hD6 -o6WYfeniFBXB3DKVgEcaCXYN69cC2qb4VhLEhrW+SsynyRmHF/dF/R5t/EuDMqIW6BpKIacVRaM3 -s25vXzkwqqujzpppsPjGhzCC+y4kmqk3HyRFCJzJGiskR4hGojSWUL/59+ImPwPLfRWdxBbh4eoI -BT9JSQH3QpH31q+3FZczHJL0DRJIbrPkawlWTUHHxt/SebJMQkDmsxHPwLP9fFhzexanq4xURyOp -UKcNaM6OsyZ1v5YS4huuRzMbAJFnNdn6JGzQeGGMD8ZCr/woVi0AexxBZRLZQfhqX4SqAUZnxYVL -It2lE4lQv27eyzaYGXbNb4Lg67zqyk/DhorPOeks1k1zMDLBUJcjTmu5YkRUKtsNGoiveqlZCV86 
-hefwz24jXWJk0YVNOlF6SGX2FXOGqtDwZVIIoYZAxublQF1ZeF+v2FNP6kKyhP9F6VZApBUc12TG -8lW0/jLeRMes9g/X2B106n4gjuVYOTkUs4+f4/8N2CCW3BaJ6lfQ+lUwJB9t+xHBlznLdRwZ6rg1 -EQlL3IloALyfU2QQ8tpiM54rzP34ol4HJhUjI3+DWOYFxHA1/U8TIH0EvdMEj6pNPvZZ4bA4l1Np -WlhjJNrF+p9stAJ0PY8dBEzyX06RN4nur2zRENGxdMWfoiideqgEN5lCBaFRCHk726qIeK4phl8G -mbYpQpN483jTkAE+v15NbH8cZaBsSAnTgemZYCynvNJsgi0vIoI/T3j4xCacUa0rCFDJywuhaJea -dJNPog3Va7LMzIRyl9wUszcwfS0rw8ZUnD5VYp0ZNJAOWg8A6ejz5QL7wKMICTJeqNvG5id0dhwe -pvld8s6K/5Rxnf5FmZ7bZ1HO5xopBTS+A7Zm8Tov46aSsfcPiNALEC/lCL8gW4NklnmyLkLqg275 -vPUL0rDRCQZ8n5vqOHJic2jy+bkCDs6gW5XCa6PtFdOeoEvyzJsj8y+Qu+tixMZh345NF9srTClZ -Zsifq+DfOenSbQrNR2ncjAhQdifvXEdhqKEwTQp2hqCzpGjXc50ZeF4rKFhc8lD0NCRJNXcKdkYe -tShx06SgXYVLVXcpYv1V3sOWCSzJbf3RqS2BXRM0Is6uYj/BOX9sW4zPN+EzBk+ZzVSX4MoOod+f -9q7IF+hLbZhPVrN3VnomM8Y7AFewPEXdyK0LxbAuF6WFWPgaPfGRURIiDqFuq3NKHTV7NjD8TlnP -l2QOysw06MVUYGSPphN3j0mTMnsqilja0o3PfnY+fioxzJBJLiPzIgaxrlz4C6YTJDLLSo601m+U -AXOudz5i2c07+fCQkIws3OZ3xdKlgBkMIG2ALj/jcKAYWvJ+G/1xljKhke2qg4XPvhW/UF6qSqtq -F9JSeLLkVlSf9HvDaB+biIEMkk//TruONfvB6q/zGq+MrkCh5HqLFGG5Qt2CjQnaCtcEQJ5AqyyI -GCYgVpHrac00/KZof8y/IiNpu1tss+sD090knuUIEw7z23bi4opoRQxsEQ2TSCKMmaeGwl4e2hFQ -Mtx1/0gaKU7p+YaawzEvNi6z67WIDJWC8O+qyMbFNeBqAI6TwvVTTFVAFJSx8VaFmsxTekUFQWMe -gefXrulewv6+hN1FBd2iZw9m01o9I/iCYi8aDtcqTSQEnaflbcDIB8CcPju2MO5PB3WPWI+DD+DE -wPdbYQGdPJrCSyPoIKSz7fGYFHaPqcyi29CuxSiBn+NJ1/+iVLmihYCBIFFdrEpcJwahGA2O+bzY -iOQHJuioO9u9u9RLejrr6TKTDlHpN1nUE3vXo0D7D8Ww2LQd9K/YZOIgNd61uKzegUPei0KP/+Dc -FWwwgmHAL41l8gIR8FnmILili0FaAMS3zQDMrax9rWBcGG4ENnKPdJZG5YqZlFcW6VoGaQ47H2gv -UYkimQ6lSH6HjR/z+zsw0zRkYHe0jQPLVZqWSlRjK9CwEUjMBMfTT6ciETuW5K+v6QpfDiAewTKB -5fW/CHE/NKwuPlhcAZT4bQjA4QJcS7M6MSBLJm37Q7TMXZtIAdqeeimIJGI+NXlkXnn4J6rH0uFr -vYADOYjE8Vuwg22Spc63iJc0jvJcCnu5Ft/ByXT/xofiPPCCPIgU+UXgWsadNGV0l+AJz1ErBy6c -vl0yL4LxJHGSW49r9iBodssbSCIFz/LheLvlx+Uu4SA499Z7Atuj6zg7fIuOLtWVeMMG9SMGWJab -zy1ns+EscyZ7PIOoX5U2A3vANSdBwnimcddW7LD27MnZ/RS8twW9xXEyClIO5y/19aGtRP60w2A5 
-Uw7Z30rz9lYYLxm7f4LMuQUKc3nVx4vfEw+Uy10mnj5IrZhYQKLOoLnEjVJNDzawC70+rpwynNsl -0TD881zPJBE/OT/Ej2WfM0pdUYR0cBfsXVd7T0+UhETtIJyfOgDgI0LZI43Gd1Oe+8FN+hOc4i5X -Szkt7V5DaGXgH7Moqn+KaA4D7nSzCt1+K+xMHTQqCg+Nhx6y7+LBPQTw5NWt04BfdAkbbmGgXADU -rUp+/oN4uUK7cXZBCc7QoT2Cmzlj0rgMltOize3+udPCV496yYo8+fUU4EpYEG4R8yPk184JMKvv -PYW9kTYIaxiCEfcWml+OMkq7DCL7yc8Kobjpxl8sMP4pt9T5PwXcGkivVMCucrJ0e77vAYlxRYfF -MWqAMcJpNr5FhTLuaEDZxJIQiNrr4bcwWbyLlrz/33eDwUngeRpPfn4pB9ZI0zbKSXVSRWU7EB+P -MT78wZzRQXtYsZDEZiLLMJJKwD6k84VHWpTyfZlzO/GPDFPRf/Mw38jnWKkbH9C2h/7XtvZZxjtC -YHyNNekPBBjAYlNvIPmkd+mNJHh5vWS2qunVi7UISGeJsAQiYl+/ytU6UQOZIvhLOEfyKZAaX694 -udWgnRc/pLbor1TsX0VnZdZW+Vh4XZ8LNnMd0dohROFoe0jHGSA5EEaQybaPh3NDDhCzp83DGUJv -OmjgDrSpyczVQAV6fCqT22E2vgKqWr2Nl37IEgApN4Fv86cVEIyXiSUCmp0JCrYWjC3cITJFCHQi -HAGY9FOce7wW99qXILArxBwQ/2C9RFks27Iffcw7RAprkPlOycyChmx6POd94egW9Rpc9KutKfLi -EpmvwsNrb1AUJC2bNJJAwAEM8YbYq5jjwiB+2YcJnj+Vk3CeOILQb5u9xlOP1DryGFFAWSC/NFfi -jR+Bf0uuxPrrXVNEzluCEvSCsQVSyui5kMNDM428Rc/oeHBan+ZF9dXQB5W7d0omAJ0qmO7OS2Bt -MLuZjsNMqJEi0IE3Gac9V+8SXt/CmD2C2SuveeLMdeWj+ODo8uev9Yw2z9X1u1FryXBfqHl2MU8y -3TvcYPi/xmijo81/IjwTThA5YBTY161jFQyupC7lAXLq2OetWxyJWGUKZkxF4P38SNdG7G6kCrZ+ -yKfIlzw5E100q6a4yHvAA2X7fV/PQyuLNckF/VjXsAXv8p36R1YYdtLgptNBdnFC4CZejf+RLT5I -lNQcRtBnJ8pMwFCw6pScogUZgvH3QWRgl55RLpA3OoDCDuUEnSIjcnyNcrud1AtBf8PcfpZJZPsX -YJOPE/0sTsCD2p2ghmwUkuTTOBQSMR7WAUbPo01sq1kAMSBSMPHHm/IJgUSdHketkwlWoW9LEmAR -Lwlq2HF809uh0YqnCbhxAbOka1BgyMM6BGVf+RwxLURTiv/hc91KgEHQ4cWsBRUY14F3GVwT9ziu -Vj9LjKurlWBbxWRrCUkavzd+9J69GVH8zIEQwQd8W3RdKWS65fFPtgWbm/+wRIUI7g+kgI30qGPN -U5V8T3CS0wi2+aF/x7hWWx9ETSwzkCjJqpR2m5olRELcUfCyguPoTdjprboZYgyJU3ppuM9ipVXF -t2UnCm4MRfCDdbiYXTaxUPAF44JQ9g1lMCrhVcLcMBpCxKHhcpUYlrWmQj6YritvNEz3j1lpUJNO -8dOTtCfe0hqCCa59yCPod8DoKP1zmF3pDxOZfMm5Uj+QFrM7nKKxC+JIxpGHYj1bE0lJEdJJ4lx3 -zDOQR8FhI5Y0okbJ74qyiuCW8b8TuAF/iovIacZUSNY0QNQHPIWE4Tp4ip9meRYG48wWT67qAa1J -g5a8H6fEU1/o+VLhIlkkFjvp4GcX7waGIp7z1lzjv+cgvAEb9bUdJmzzl5LWHJ6s3XuwdZlmIARS 
-webRyiGtX7a/KKS4wTuZi2y3it7jWXTJpKtb4sXMy6XCWjNjuRE6kNEXm9UX8WuxGB1Wr5cq8Cox -8vRmPHCOUAW5EChRDHZq8cLAIukI8cHdubvSiDPxqIX+S2ohmSGt4mbcB84C03vIy/0NnnyPJXlM -dPhAhvebmuW/od2g6qKO0diosjZZFI0YwgZmNW0jcn+FQdLNXmv6DO5utSI92aPvD3gpRNpjCeDx -zODWnt4MA29jOUnSGO7I7S88HxsJBe4mIZmL7Q2QAtuHBg+kGMeci8v6jNhiml4G5oIJpXB+yFsW -EFVfxVRSiRfaVMOjF22TFKYF793b7m1+yYbZL1Kzo3Bm2IIApWSUEXse/ajWryzcVcfR23qE6wvN -l+NGlAUCWWQHxgXaJa39mWZeFq5LSg+CgUvdmPTTv7rGWjxu/Pjpcj0LAF5JdQvG5kAcwa/Y7Aze -qKxISFCfHpbj9IKXqFFsEn3X9H1X2FvZBAYKF3TZpUPkkaIRdM92BLusuRBsx7Ex5v0MKVOZtxHl -qu1sLTtjEuQmUGC30vnAgs+LaofiNzeFNyt89YR5uWZiy8p5TSDtxD8FQWrIg/tCbALQY4imeOzC -yMXTvZwb4TNYd3oUEPqyA/gYsmwnzgjA73QVxTghXYfXQ0A4g8lh+Jd2r3qOr+NCVIJ+vJCgrvh1 -QxYprV3crQyshkTPq3AY3WAVTL/cQaaNhq6SlZnhlU2Xwt1Cs9knmsUkcSi/AjIX7912MK3LDIpS -lQOMQ3kq9MQiaCjbmNOnvcGZwzi6EiwDZkYUU2qBo0cP2qKvenbBabO2bhhmIQyD+4FYbf2L0I5a -zqoGvbSgQbF3X5Q9eVcAedK7GmCe/zPNDP5YpZ7CUuHYfu5RCzhGvK4DUqOKIijQIFoKq+bl4pmy -66Gg3hp3cgf/n/NVLuFYK8MM9zqpYmR0EcdGfTE4Ijh0+suNgQbbR++Gc2h/E6BaHoj3Xu7J+o48 -DYj9wDY/DQYd7QktzHhlfJ6aU+vvo65kewV5qdOwIeV81aaBL6Klq4Ab3n/3IapYqQh+wE9y/yxy -BlB9AlhtBk3t+Fp1wmCVpfmoptgnOFQEii/HQWeEHsgCecS2kDEKbRUabIHU6QPJcA== - - - TnaNDytOOdWbBLjRKH39pZtfGFjE76MvO80r0t7bTbk10O3A0k/4Lj4Yiu3OFh2jMy5hT0Sd0aO0 -FOmmkk8hCq1C/sEHkI0II2hQhyJfHtdvDHmJVXDFk1CjyDML3G+4WZMunL6t3GsXTvCHWOC+gWSV -QsSmC6ZuEhJRfwbziogmtnlbpYzIotth5nqcZFZ0yrb/P48gcXlJG8/n42/50B0zBYt9+bOssF/Q -ory2+z6iXQ+OoDwJENdyvplOBimPdpG/4isAuyBG2NBs/ncVrGbQtGg9G19JcJLn9MQMysaN398p -5xghSnc/bWkrATHw2lbC0U0fI5P5x+FAFHHMlOoG8WmK2E9Xjhxh/Ij/nYViZUJ90h1aE6jwQyqt -S9Zz5aikj4CpttolzQpmbrZhLMpRNKwbZtwk05JmJPHjW6KQDA+8Kxn5bgbe0pk2KqIXsTanFmEO -072Hop0m7ZVw507BvmXIHMQngKAJNsH61cBTnGdk0Aw4WmUuo2+85pMI7Eif/NA8XDhx1VbGKnY3 -6oZM5DWDcO9cl0hAHypphM6jMrBlD/IMskNNfubIYr6YTTwfdZiWtXJCh2C5pWG3lh9DXYNaUoUX -L/XLPwuJdTmeIWWKkidySX5w8ErH3bebPS2gysPgRQ+/a/hoQEe0hhT60TyWZeMLmH0c6w+yZFed -SXGrBNWW0TH9C+xutvKgxlzoo1bx3SClQ/QmtoqOcw3XMztdddgq8EwuXe0GSpSUiwVNibyxTFDJ 
-uC3vztiFIn64M36VT7FlhBY7FEnzZcFVV72KxCszQZYHfjs6iP1OIG/rM0dw1PAeV44KGl10Vbnh -mpVOri4Ccxaipqk0fAIBZFWH88m72Yp4iNgVt+2uKwwnU6sovpHs2o2g8MBpwJCi8K/xsoReodNU -JYwml40Zc6cg7khB7HYp1ujTmwxSFHeHWbMDy897z6Z/lx/C73jMTphtMQbIr/MSgVbU+g2qdVLl -TqmlU7A3TxjEoM1cbh1y4pBefgpRoEn4bPZIB6V5sOncY+nFkPzAeSF4Ah2PuWC+ZtNI8S7lD640 -RK135eDo6/m0yb2lQuNEjjxETkFtO6fVfhwGsoDZWYmYepDtmD+zCHfoZ7HKhmeStQmXhbgHd0Pg -fPgIdqFSP52SGSlqrv6M7q/taBezVcSfSsxIE8jBrWCfuiSXJFCxAcfQsZnAkKj7uR0mNMRaBucM -SFmeI6Eam+oaVA7MwcXm0zTiELIN/L8/lwHVxNNkMfVq4ZDR2+H2q2Toy6MKi4ZL7o2Uo4OcrEjG -BxFMQIYTEl1NPlj2/IDFRmvswyr1Lo/Hu9344VliWfRibilMuFOVVZysu74QTwJo6LkIMWtp8mhO -7GESbTn3mirnOnowTJKFRtZRswR3jC/dfJfoZ2zIDqq8NulCX+MeTIq53MEqpP4nXVK6+JTkz6qV -bFJE38ecC+U/IoKJ++N6iUriEsDkeDQOREmJBtgeWi3Oo7K8sfy6PROU58L7v76ehCfv6+H92475 -wz7w0parUxGefM717Oc2BpD9iddANJIicjGDNXgbbGmPmbHVjeWp2TfdSO8xTF0NDyI6INGp4Dgu -Rgj34ljwvTOTm4RJq6Mvsq7g57WVHe1hqHClNgMhliIhCAnbB5lpMUhGEejBPBBJwBRBoMHXeeWK -fskokEuLkxGE9CudBxAusfthfpCwJvAoeJ4lZ08JKjCMIFo/EFUPP7AOvDNPWNn0Kwh4K8HpBwxf -XyTrJ/2cpES/TBVBkPLHfWfAJfpVF72Rtwu3KuknvO19/3zJmTF6y1fLeYoA/ULhl2nhy0+47+kQ -IP0wIoKAYjDIAghVyx4F6gcs5vWQylv5wKzq8Z0eqPAUD15HP7ZmhyDR0IFT6McyUFcapHD0M+wV -BDUspngEIvZrXbvnV1FOTyrrU1Bt44XVl7wmCNokzYFRFzdVOiSp9ju/ik3sBJFx3jdjrL3eCU21 -/Yas0iud1/kwX8FRVbok582um3er0qhllSZxkubAaIIIQVZp3GsKhJZMMLsim3uPzeoRBYJQtStR -JzPJ023qJB3/L+5TW1fpDPZW2jVEEKf0KnkrfYwiCPaSByIMLE2uByIh6UJx4Md9wdI58EDwcaVh -c5FQWNr/iiBwy9LpPRAsZmmwEQRpWTqORBBw1NKQJghItTQlAFrH/HjX0vxPbOnm0kbwWlqfRq4d -WzoyKwhk/I9xDIIpt5+Bny0NyvrbB/wxgQvZJasYTk2APRKX4ZyAdJgMSEFMZvUaXy0mI4i+xsRn -c53Emax2VFotEI+NI9dkb77GfEbIqY3hsTEaE6hGaONiCso2Tob5SVmLY6zWZHSPGbCNxWPhDvtj -RqSSCzR+NRn/bMxfcUJN1txj42ChC20ctUyGDHrkqcn4jo0hmjVTODb9FfPdMODmttJqxCyAXimH -urkvCrhnfaXQqUJaCHUWsLhCGWxQrvqy1hjlck/jHo7Po1uEFpIb5Si9Sz1/Z1GDAWgcY+r+jnJC -QOOnUC65RQYnvNpMYcaBVydVOdR3+Rx/jXeUX3ZIunOKj9BCWFZ6fQU5Mv5vFSRGCBdOodLtIZiF -IDE5ziZLLnIGSs4jZgEhSg7wkgDLbFR0BOWecFgWJKFgmobgmenuMSk5eE9+aEsOEpoFpqkHjYPY 
-Dg+JX6TkevrLrzJKkisVDC4gOQs4SEDHSe+yQHrwvsd9kFzmVH0T4upq5yRgEIbzMZuZHpywlT4g -uErCgh8EmNDNUaH30OAk6pRXyZhJrg4Qcsu3KXcrufxenHLciJgB3HrAWGBvHpq0glfYRslUKJTa -gGgpkAttVBwKVIx4Qkr40QQIvZWgkcltgyTwEf0sGyGRlkSwyuTQTwgUgzVYIFzETK5jeZNrHbLA -gANZ8DIpDoJwcvSSt5cWF0kocrWXnK/DkdOKbP1AFm5jkn4pC9kJPhtXoMJEaKiCeczxY02hhhju -zkLtILRUTfCxVLDMb0CIIlqoGyjto29OMDoXeKyMfdJUr9bIR7+GXDZu/fGeIbUQlw8/ZStQygkm -dmw+ciKGjopZNCE12KDDeRNMFxJCRBhIjZyL408E4uTCxKr+hABLWKxT3XBGuLRaahvNv0fdeCtt -uHxLVH077IzBZEOMswClfb9Sg11I405BmwVRz8gxACxAgmwIUW0qNIbOCqGvS11TSr2DAvvUT0VO -QSUCHUJvwaT2Wsyg6kwuHxiMwQ2R63sXsNrjCBjZOE9onIsLoovkIEx4OI0IKpybFWPSyZPUheqX -IuLpICTkrWrLFBIJ/cETpBZH1V+qLiTLrDrUE2QJ2q9XzL5T8ZFB7BEQOUPuAugSRAQu5MzCC2Rk -fUvgIDf7aMlwccL0Al0njlg0P5yTewGghYtrU34Pbj+CfHGJfIYY4CaCIaeAXg7Z3kB6UsTlbYDS -u3nQGBN9sb0gU0CfQxgdPNUiQD69OS4+j53Zzk2y1GKws8MtyxDKyRRKabtxBMlBrmYRkOXz7Dgc -wY4smxhDJJg6Qw6pXAIEogazyI+hHFnlB4RFNuonBOGtU4IEmAAuKSV+YwbDx3Zfet9qDbzkFK9b -u1nYXpCxUkyCe1sW/uGUvgg5DTOpxLT2I8IgIec85fFbfc+A9rYVWz+YiPLxyxCSIPfhEJ4AckpI -gnwfAVh5luJoV5ricblRgJwG+C1B1164xChET9IgEFeTo97HbpJONBNk261QH1MznWetoXXIh/pe -WPB6NDrJUwZY8RMgl8eBzHfTW3mvVQMd42hjpkurnV8h2S6qvWVKkJNuKXkAcoV4dRJNoXQz0Lcw -AS/5ESjrhbEbQhgqJ/gBVBES6+jUwfF1G+CroE1GdzjcxAUYZMDWFD3Vz54SoHZ3xxAQKhwsO4gc -HSEZFBjeO4VyNEtgEAA5Ku+Oy0klBHfcrloY0RXQr948BBTBjWH+a8yr4vma/V64C2L1ywmo9B4n -3i4vBqkOFfg4cTooqmTnewSTNus8TvJw5eU6AqR0p9LOhxshj6uxE05CyHnjcS5z4Sf2OPXeLd/r -VAWhi7XNWihvCXCSL9tfocrlg9SL7sJ9fkpyC0Z40hFF5gpVzFPBTdNSiLPHYZxDgbGPo0lPSFCg -6GvCnCwvwes+DuVJSLGPYwUSmPo4broIMfo40BwCaX5BaNZHeKGaj2OmHgTTaPU4zPICi+P1uFC4 -ASkL5adeMGggjJ4zOFFKxfmC2BvtEzDA9ZBGNhcMEKjzWODqj/uZCuYzaCjIw5wJkPRxHE8ScNRR -xMBgu1Z6LAimAgqFe0Bjj+PP5wAdh1TCBoTnEe5l4EZtCEZfwHF7XLxY4GYqkhQFNEJim18M+GFA -uDQGDCYgyh1AKJ4yINKOKzEFcOIQBPD1+gLURceBKgEQE3reL4BVDvxH7z2SgcuOI3H682rHvTQZ -3p5eYfZXUgCE/t8oyT8MT8C/lszEPlnB/lqOJkMuHMmgJZIoelqy7Lg4CJ8NXDPufRuntlW5r2jH -jcX2I4THPsFXa/3f5Kgv7Zb0+ui4Twb9AXLcSHF+TI4zgQiERiSDroCqgApBPlD1emW8maTjsYjf 
-pGxhCA+uyUQS8Jj8TamWQTavzfgdsmTGe1xJtbTuJtIEhMt91x5V1wypIoSitm8RPG1LO6pyXOLK -fn9fKR32HqYu2bve20UmaB0ccZjd6gDI5dRhwHFD9OnTZZH/peufdwNIX8L+1yW6+iqDvpuQ9jwe -OI5yc35QT0zYXLedkfnZsC3vBMdBzBpU44XCmFzTFZ4SOW3+IsGGGm22y9hQEzJFuTh2xQrv2fBq -mRuoDQnLT49tyA158bWH8KVNFDyZOY5nbgjWpCxY8DEAhryhZRt7Z3xbyfukG+c1dx/84RA/duqO -TIbjoLkfxQ2HMjgEb9OnFofeaxznxoE4fusBIAe65lu0Q3tWasqB4RnH48kosXc7CkT5rZuZI8wZ -us2SgMCNcbrp2xDGwehOgMvy2Dm0/5CggA5Fim3kAaep1jb9svWyxclbWjSh7cTMhNhsJuWJBc6P -lK+VVJx03MIdsbkuZAcWOSE0FYH7WnWi6rxrF64mreGatU+Ks9aG2oh7sqatC+3oq8HeR7JYbaV3 -WkvVxBxOcaZ2BTQ2KGp2BdO8TxsCWlDCaYpIGWVMA/4SIQFgiI4c7jw6zMtotjhGhWm4MT0KnDKc -/D8MyT9D2AUNXLgRzUGJo5VwGqiAzk5JC34zyLVwozVrCHuCzczojqPBy1YoD2AThLQeXIOT02Bl -RiNEylIpMDg1BCaSPKykygMyz48HChwxhwtl/3LMrhahn8ZmtOC0MObVcyPmLzlvUSkntilWmDW3 -R8Bp1FgIIMAtpFbb/81K4jHKdRqmnkjBr7AlAJV88FF9OH99sJzCEIrBDinF2wkmm4Xo+L6VMUNZ -+6YdiQwEsKVSSJj+cpH/Iv9SfeMrcvvK3NJREN+Wn53i9yZZywbq3szJXQimXpbi2g== - - - Ds5Lps87tN5E9sdMaQD8UW9uimP/dSmvYe6SupKOwq/oWmgolpxLDs/YSrlMO4Sji8smItoNKzlV -wBv7liB+H1+3KjcMRbdV9z6jvbtlvveja9WbheN2q4xrGnPwLj7RbvWbN9SdVY9ZVft1q/OYxCqr -rg9B+b3yDz0+ZSwqy9EHy+H/Bw48K/G2Bv16NZG5j4kzlocWlBq5Q4/bqgHqAGJa5YPlwB25QRAO -tMjqhpiPW0vMBm7GLRyqgavihow/0EDcchYz4C7c4D4GxsGNsh2G7MANQf0C4d9Gty6wqW8L1BYg -623EIguo4m0UMLstid2UQq79wDUlxYMZpMxBP1CjozI5JiAko4inBBJrW9RCAqCjbbS9xqH6iD8Q -N6GYSQglDttwBBBCfm3A3QP22k80ED6f4vWHHohXTyF4A+jhiWE1oCw7FZEZQClSG9MQEYfBg8gp -xC7AAzhxgSzgWNoISQUpXxOyoADQaMMXmM8kIh+0QWk/QP5shPKBrp4NFzrAs7PhEwBdEpFmLZGn -iqWmQ4VZZTZN9AMQAeZKB7Q11icDHAqUIKyAnGsSv4gAsLMkMskDkgRFHITY/X5ovBQXALWIrS90 -oRwb7kKksRmI/nwwtg/gf+8Lrv+7YjPB+ScnNhy0iC1RhIdNRu8uov3gnH5wrLB9mfnvImw4Tb5m -nOhdin8GwTYllBFx3Q98IkQMvB+q7SHEqf3DOTTD2MuyhuiE1vMaQydFPZsWgnjSi0OF1iH0F7SE -Fsn5KYWQzzD/RwfhHFJeJhl0Usi/mIJWx/i7RpCFsG0gCLMTSJAYA/LD2wAKqnP/IHHz6XTb+sHN -dPwQ1Q9E4j4ccKM+zn0kioOEcWsQ4P0A9nGjVeodQf4ao6KuX+DYNCqc2CT3Nyq6gB6tpd3s1TBi -TRQtODwqUIrWaHdCrlbGepqa6X5U5EeWgHAv3bgFqUuUcLSWMwKjNXT+njVFFM2aM73oMcqsYTAJ 
-R2liCM1gfkJVEVKBoSFSIcasnRzrjwFljfOZr1CSIxWdmLWYYPwBzJpJgL2QM96oQABJuoJzsna7 -8JjQHf6d3Rb2SC9tjOzTaknSbldHmL8U1l1EbU/jeI/ykTJL3VjSd9JLIz0FZRdSkpD4+SKDEJ8F -COy2+oEX0V4PKEtoRnbNYEsZuCIHkCUfgxXVn+nk6Tzn5rDK6dJIa9YGhhKsD0FAHpBi+SvZG1wM -IctemVvXPkH20ltMXU1/dUScsPX4Ck5splZpWsmY23GYsN4oUZjVYLl0x8Ay2PBD4LDTZXHWyboX -SYGI6mlhlUvmIOX2kqkOgjkBw+D/r3nKIAPWie0WrD5LQvBDF2jG2T4k+mECoHXTdf/5Zxful5ro -web0q29GRzPC4vdyg1fJS/lKc3SRrht44LuH2O25fq1iFz2ixdViEh0UAo5jaMCoryXkCYEqCsWz -b15salmsBHsk54myW7K8OHor88iv9+eOaEGnk+9GkUvSWLHyc+qwFbdBODjCGEMv0qNJPbIeo0by -QT966XZ0gAXo9tpnkMkFzShfT0eG7iGtK5pmeF8yMQoVE85YjWoiXcTmEA/F6esXefbvAfi6etsN -uB+O58l+jq9dXcLzcqOZY8jlO+NH4u7iV618eS2LzkJFD2ygZbQAEAh1XIIed1YmtMyLafYinhUx -+5V2ZkHu+hk4k5BnLMBM1P9Oh/JXTP8s01sCqZbyOy8XbOe94ej/ktI4I1+9V2ZdkMYcIG6C6XZe -ax7uLNWy5s4jM6n9M3ZlRhnuBnc+bJbZYs4/gufzcUUzAM+b3jIV4FdHaZ43R6Rwgiy93Bu/i5yc -6C2+lJE3meW7IkkQjokaOfqh3shRDJ4ggUZ1XLqFA0Ej34jXWrfiVeFj9Nam10G4oML0nYkRbrTW -I00QfBA58sN9OUxHDr9ET0OW4L6jfUF7jH+tb3FHjjrbK0QTeXGHZLAKOZygBOQosr6QU9QdPn6z -1D4ZYIavZD7O3rpA3sx3KM+DNbxuDsmCj5ds2Dve4uKB4OM4jNfZ1b5J5E/CpBuUhRK8uscLP/6u -3LnKGpN8bByRsfoa8v9DfvMDil5+AGTOD/lIK+nOvSIfxsZuQ4x8ezaOp7Q/8stIfoIB10te9FdF -oVx65E8bXKv/Ivl/E4HLk3x/ceLZBgDPz5/HVKRhkp9lAVd+ifwNKSV/jWmG2yXfLZFVnGZaucIH -RYvbykUrkz8RWwPFJV+u8XcuyG9la7Bn8BCNJ8h/cgIg8MHxT6UTOQyOT2jJ/OLjwy1KFR7GlSa+ -6vtdu53VYOKz80nttrw9axNfEECU7sSHzoqYp/7vJ37/z2qZw5mbJz6KEBQD4ycPnN4Uznkw8ZXc -FuSt90/DTHz3/GSdXJdg4s9CJ58XCwcT33sdhsnNZlY7fJ7ALSEmPt+xAIli4pOpLKnKu0NlLvER -57WvlPisjLwGR3nPZIkfF8ifLfHTbs5dOhpISvzVJoM8TJpde5X4cVktB1/ixwcsANmKQ5sde/AI -uZGPl7Utkpe9tdZefnyyBZaXY4wvnMAfnYLnEu04ZPDyjaxD28x7Z7o9Cm3EXcYTv10if2gcdwI0 -FA0UtqGhnfhKlydlekU8BNmgrLprl69CNl4uTZOXqnJoDjw85qW1Q4uMnjta3Z+uvOzFjpAsB9BD -i4HSuYzIkD7wnHwF7WLZMdONN7RUQwYnSqt3DgzNUHz9Wwj/lUxrCEN0VGU/V9shaAttYTLcHBAo -CSVa7PsZrjLywZ6Emr6TlT8N7iOG+smO4D1yqNS71Acy5Scl/NJdUGlcyjNJDhtmwSdQnYQ3pR+D -z1/Y7Ty3hGO4CLoNlmdyHQYjwt1q2aAmbnVisETrLpjmyYZY/gPoqj3A4HfI21IkukDmXtyY+FpK 
-5b8ScuY8f45TDNErRIRBwV+usEuxCktnoJk4nNxPbM/rAMcBU/iLpXtyjmfNpeqVAfOEthXCY5ZM -K5+FahG1l7kSVoF9tmjy5+k0XLj27MDGGJjxhPOyky1JdC+QQZpz4cRYDwOVfX/As/8OjdlRhhPw -3VyVSllFsGI6ZStAgIZ8DeMW+EPBoX0UoEdbrE1BhDLCE6QJ2TRpExZphEgZOVTfwPaHLs7HrteO -S0uGhO+OvslzEOeUqDrrSoxm1WNcAwoI9VSwBwVur8Ms2+2XqrFZ+edjSozYu3nnh7L2qnDcFOk4 -xpkp2teiN/J5IrUqXl1RSA/d9NU3/JwlA0pdoYk4BjVBHVTWiXVLusUX94zkRXBGtUrgCq1BhVOO -DFHJK1PvIwisSBkxjAbQuE0tda8Sg6Xt/fBu0UTc/ybam4Pl4zSG5PkPK/Fd+d8atFEh9BZ4Tb2f -0m0rNJ3MYb9c1Mu1PYnEtxyMIMxODBKP83dFhfaxyBlKS2FvGPR+TPaJ/NlGYbsXdC+JrMzEHZov -luytzjKcPUPzCMO0kikGoMwyFEzrac5gyh2DLz8qCxXHI4PVGvAF+36oIZYgePiU6cEsNcVUHkAN -qMPzD5ahn0kb887K/tHc/Zipv+ldEkaF9xkDJJb9sBTu4vO+dHXltFudNl/MjYEDNJr+aLNLl8Fz -zXaiRaMJdYmHilGIb2AszzttCQeB2CmjB5RfIGvWIFXVIQ+rT80kbLI59F0sD+kWF0iEzLal3feV -HfGDVXPLxSA7MhGJWkxDY759ntoJy2jKxGnX1AKewObawL4cRh6N9tLiX+9WrrxtwuEwUwrKuR0q -WTCt/OYz7YZOhBQSgNwGRG/mjztVGzBiZeABp3JrDowOSI/dSZZDQ7VN+979vbhBPXuMl8o5dQH3 -7NXCpQkafaQUP1vYZItbGMsy3CyTmgDcEUNjpW9IGahsONSfGl3cFokEccm4xDyIW+ZIrJzhkEEJ -LoAGSukhBL7obhfS6licLBp2jb3anVkaIXeVzP7bTzh6ritVVcz7a3L58KCBOyeFEgVdVFBGSLpo -yHU3hVZAy1zVi1D8y49+Bsyd6xwCSICaJwINckEN/gf+Dry973/vBb1fVU3pMO4g80C81Tm9O4kd -m6y+DlUyMi++4TGIh5AY59mN9dTHhJMtTzSn7KlXrpaWcuDdB42G/BnUgJm7c0Hi6ORTjut5XNP+ -MePhA/7BfGIZgL9fHL8oQbB7l9wuC2hdWlqekMjMZctNa935VOLPtbIE2UssxsKFqotU5be6VOG1 -53lkzs0qVBcP3tOcFOmvRmKahL3lDMoTtAtYPiaC3LBaVPOTNqxaaSVL0GuTrYbfU8HCIHoR4RrX -OjW9OvvjKNxUza/NQT6t9mh/sRTCkkVpo2ESmK4XOvFcFPlT31nm2lmkvOphN4E+Kuwyw9ukE3Y5 -o5JITaW8JnI+k0US6GVEwjXlyUIe4xhHIWecQhoasKIYgPFCxPrB8gdpiLIJZ5klhynYlIbgKGD2 -O2SinzSYwWvy7c0Kd6pX1CNeiQdAa8gpu5Aj6LSgGzbSnKnlyDH0grdAcGnDp5JupSH++OWjgB74 -UFYdNKC0pg+znmDzv8eASEymYX2G95ikMM3aL0FS5aqtIg59vCyAjEnhXPXkxzOqAtAhj0z10/yO -HQoo60jVqRNtZzOxgwznKgM4S3ri4kdJpQ8kvqkqcNTElNIw0QwMtXmh9rmTcoHGKFPDPu1QSbPz -zBOR1ut0JCPR4swXoidt+oURMk6aoQOUmUyj4TsIBqW9b4DL3MzxeEUPvoOeUgy6svsTwHv6fgkc -jrD5Ecnli74hGqoN3kf5eFFoBwDm5Nc24OQBORkSrgSMC/2Px4xUlBCCiEsAHgBnhoCc8DU6tMBg 
-pJNh7UhboAI8ADiPEJrDhSgwWFGnow+APXi5agAEzafccL1W1XZ/+BwDP/ffkRhaeRxgPPPtD/np -9GBTnUPdaSB4ywOB2T9HDIZhwWKJM7LObt/buHQ/FvGf39QdZtqngamw0cI7+jM85StBnRbpSAbn -82NreyL9JmIo48sLzTs2VHPtcwW7lKT15nTGn7TRvA/2CTzrLvsabt8qJmJ1lX2h3cTVDedFWE9f -j6yaBwpk1Yn8I+/0w8JdPJVUrRxFtcSl0P4MjSKZ37Ac8OHEPllnrrj0K7oX0fW/R+jyKtFnMzjq -TcJEbmyZYoZKx8pKy+h19Esq1FSrtoCErN9CgyS2Rt1lWxz4n8CRZmtiYj4MBDXak4ZHvBvH/Uu+ -w6WEzlvKqgT3I9ZNIR2twAZoImaZV9ANnlG5tx8hzQuVwdgR+IqKgSJ7VdYozfe31mxqmV701xqz -evtBg6Csl3ORUmCRAppyqmpSm+i/dPwlCWGTwf+0OudE/dr2JaV//j3hHALZqWcGQ8VAfFkHOQ9E -cg8pqkrSGA9pzJfVhhAPBEYRAf6kx0o1WXXRFTdVz4+iYu9J8O76I5MfiCCBFhtyORzYsin9AOje -861saNvQN7eIggASyjTfJZRqEoEWj+32faVpzoG3PMmgGrlOqZi0TicRwwdUdpxJag== - - - CL6AH0CpkD3xe8ghh/WKhtH8yUUpT90MxcCCia/E6q47pruxKODvk8P35+YJ7I5H4Ytinq+hsB1A -rjayPizrrMn9TWjFHiXiKE27RfeDEzVkoZWSyCsrVT1GUrwv7keRUPfJ4i44fzmPlfIREMUoqegF -Mjy3N9mUxJVqpaxrhQqYZPyHHy754lzENBXyVqxg5/XVVyqeduCZcGHJUIHiKMXo4DBMLUc1xuWA -VScdiP8UZeAzqPIuJp9B9ugOEygMyx3NYmAaDcIgBGGYDkgQYRVmCkYJeFhTur6nJtQ/d8vLusGt -anZf8CI/t7qKtK1cmXvpGwt2XEOdoSpu3CFiOvJQ6bKkuG+hSJLXhvJjiunqqeC37lDLrNejEIO/ -gNkA0D3Ct+mXAXo3tNnUeh4G5eCmAhWyg5XAxoZJksGeGUHEQBZBkNxg+YogrQfYAVeNPIBhhQN5 -ngoamTIFIDq9WdOajrJYgalTrYNooiJg8IvaSAGgxh3XsI3ns7jAiWg1CTtADXjIfR3dDuf9TdTf -z6i6CXETMAd/gMCOMRmQiQBBHW2/g2zQdAyBoLfSz2MQYlv+dA4cOyOsvNwh8g82NgIro6740Kvr -YOLfwv6tEN+q+xgRIZoR5Zzh0kY7siD09ejq/uzHr9vjbbnNgOWyFYbSsy6HImNhmKI1is77jH9a -ql3OD/FcXSL7RJE/iPqkusNWDQxWL23/oS+DwBm45lH+8rTZ/vj/UlQWd5T0A00o+BX7bH2WrThw -orYdSGhFYbV1uYknkLGhkROELz4ZaZ679UcQ0dcTFgjF87Mbg6u0Z0tKg08m0qDSidZZchq++RBm -uTt5A/PDDD+MKv15dBICOQ94j1pUMvuvOKtQxiTQsFkw6h43FCUoOA2SaCt2a6TVfRo4J2z6vIzv -mtAFqntwoEibLObgMmFEJ90gTJwsgJuflhorV5frm9k/Ffo5j+3Gw4BkknZZu+61Wc47DEMiVcFU -weIra4wrURE17MLSlqWJSEu/z4LuJkm3RcueJ5IaTS1K8ojsAYFViQlxIteM3wlrY4e8kW+ABH9a -3855cM2Yw5RfHsgL7nJBADSqok1uJecVE4siBYum+ZK0DbloFZjZ8Dipjy54iAZkuvjJA225QhyQ -xCry4bI1AgGai+yQpeF3xapjEn4oHKOKGDMMIrUDVRI6M+DPDRWAFjoLES+DgEzOQG55jJakOX13 
-YcotQaGsI+xY4adCmHsG1yUk3YQOjZGLtv+4/HpOetatjbPXvaZ/qI3xrpxzoIZ1P8kQIBkZ0PGZ -/sMhfKswcX6cxvmRAHW2YrAxsCGSPiijb3CfJpJBebZK3RLaVawjA4kL1mnZq9K6tRHt04NRteAp -sA3ZJDqrXeU53i+Lpz7NUDDBvSCeozj6zlJ/5i9/piEHFAFL5J91wZGjDaHO8uLnHQoMSqfFxJc+ -UieWQFc7hosFCEZ37JsiiFOZA1/oe8PYMNUj7YspERtYN01SPT04bgEVisnqLy6rGAN2NMHl2IBd -naQR9oi8laQLCy8mNiks4CCAatR+Ecd2nlNg8DIEwEfxKaAV1pheJIJ7S1/pzySHkhzqkKlGRraR -w8EtPlDnxDdMgtcFm4GaXASaeJlDMe4SQc2f8xltTFdKcVXnOu20hOUNQfPAE1MU5zIDFYeD2X+t -S2tMM06HSLgtyzdEgRMNhyHInmsAvD5PULXX9NiPrK7tzQRjWrZJsaPsA6b78Dxx1b+qNJxWNmvw -WkDn+ntXdP/GiRpqAiKckuhKjkiZzhJAts9vJaORo4dDtsyEZmJiFGSdlvm/e2u3PBnGXktDivJJ -cKXBxU8cq1HdTfN1asoA1j17EUEeUxbHBrNNJYLwFUG99YHGEzZj4qjnlns5zREclsfmxFwhrR8s -b4wcWJ0q+3RqPHQTWApSVisAjpww3o3XTCUnZrPWXrUuP+cH6RzXbcgFu9fxFgiw8TqPNi2LMT9y -tuo9LwLWBmsbQtISHNm4PHDXx3pgSUyyPZijhHtwYzluUfzF/r5zWKmSU3rpmpMlKjfKk3YE9b9b -U6Xxm9Hm9WY9iLmQ2cN4YrAoPeDDCjyb3jnrfh5kNo3yPJ8tpI7RpcjKHI+lHvXL9unD0J5WrMV5 -Aal4wQS4em16SngySdATprihtQWuY+5p+5Q0y8pLbVihGYghRJr+ZzGfl0CEoXSYG0e2XGLdL04X -2w0iHuR9E4mjK2SjOEjkhBw3UvfKypM1927sVCXE4VK2GgfrVrq2F7lw8EPYy8Ntcml5F2Zdsy9R -kZwVMGXLrmn+QOrSDKBqUyBW1NpXVxhaTsQNf8flYVz6ZIJyN2jgmKT7M/aVmluGdr1FoCX3clY2 -DrWTG/8+xpMkzYlY+imQLfCFk2nkDfONjrFeIwf+3QTyYaAFTeJ8MMdVtQ4vLCdsXMRuKnlflp3J -MER2OkwO4J6J0ADyJo5JSwZUe2CzgriBGVR9sV4uI3GexX6ApGja/A8q+HwnxAHtwtwC4PCFgbL9 -0COtzyBEW1HQrcj65pMikr8m5SdxFD5lKLoG7fMLJD08MCxPMEFS3VfMDMMjfGuyDJrOdv84G5Qz -tS7AQBgtgSlA9k8hNshpQfdUJZzWGfG/pWxk46u7BVCevQMvUe8dphXJVQ8dbaU6E9Ewn9glVLTE -QvAw0/p39EzGTszcODJXauHtGUbSZ/6gCuWygXy4t19jszd5S/MshMyj0kZ4uMYc5Xd9DipWrDnV -U6CLYVaBjiZWleUEonfYVPILL7/IY1tfn2UCDZjq/u9XFT6BwvBhECD3ApFZ5nTiuILig8B/BFry -GLBdfD1LLE/Vd/joU0VY0OpefzaGTugRMztnlGJ5NL8sC3lKk19BWr/P9oBZTIOEtIk8vJw2P8sl -vsySEWsZHu+OaH4j1OFDZJbv8AB8CW2lL7Y6qIlOYMRKji5WZq5TDi2WR2liOSg9rrB4G/kMgeO9 -qpMIcQdvlYIXeV9M1mI/PXeBGPq2KewACuPpryd+4QKPPPnq3pgyx7DhaLXUF0Ze4ruyTQxaLRrl -x+JqSp9Hp1jMJdQKkDtgM1+0fK9ovVf+lmdPAQJuY2tZKv3KoGeS1ePry6Ele1SmzqB72x3k6Sth 
-isOQRXIyNtDeVNy7pWoEc1kxJTvxHRq7ppCmtVbBl9RQUJvKRTpjGGRaM2h2nh/dnsqlP79Hltz4 -/Px+qRY6PNX+z08TUVGDfrpf66wkno4/K54ct9r5odRFlH5vP1gMqvR7ovTgwC+h9zxZ4CfjhGaB -X7i/l5dlAwMZe4QX/GTHvIt/wA6YnyjMwg/wy16Imnu0geTpAT+mArDMNwBMpjYCfuM4MVVOBBf8 -pDSJIIJFMMj12f++AspZ0fqSm/6r9fmJAVsIdL/K+obCEHkGPqwvkCiNbzBwWp81LZPvItcBhOtg -Ok3uSJNaVN/gzSjh3pdaVbV1fhsen8oT83/oF09c0xYOLOr3TEq2VPwRLPULciL+2rJFIP22HAwI -0cUUodAf6ScgptQqnX5SCbHL6bek4CtZsrOfB9DPgpTWZcf3cvH1qBZsfq1YFricyDxdON2A2/VC -kLUdwHVD783TT8V882hrTMWtYa+TiJFXgg43gFuwMM3Yu2Hb2+UPDJFKeS7UF422vzI7we4ndja7 -4HpvEx9i1/t5pQVgsGiw+16SJ8q/QbbY/bM/puhld0kLK0SDLD/ZnU2hXBlz2Gcmu59NkaBnnIwv -INn9jAVM+oCYPsfun7t9s1jVxibbdceRjjQoi+4c666y7l6X606ggJJadyOiu8SG66hdFgBf9ztN -YGNPrrtXlAuv++2bpQjPyvRuSVC/0jsnnLGz32nZv4k/ggL1yrff9dhx4cKs1u/iGLNE7Xdp57UI -ryMFkFOMXEBo1vLEO4VycUGuykPHFPpcUogbyrOnUBzcOAyFhhspdGFiTKJbIsoUMgbqPTik8IFG -Q2I4hdTzrZO8GaMohbwRHYMUMiCprklvIjGF/Bo7Eikkp/V7h2AYU1K4FJjF4SosN81KxhxC2U9M -pS4+X1/JcfIYrFyPkFwthhghwzD2WBaSm9NDzpegqlppFubArTvVgiQ9JfQHMZIrAcgYMCgQpjMk -AjIQgndVraXE22aWxsyCeLKCsFG7uKqAsHD8sZtL9A+EhppJIUFYL4Q25EfYBQj/hHBqD31jVQQQ -4Yj1Zvv1744IzSt5tJb/dotQLRel1RVh/DD/QwRxAIkQptfB8RMcz8WHpX6E9sTxokQVCZ0gUE9u -NArtDSaPe9ACji5tg+F542KpkLGcG1EgKGToi+KHs5f20aXC1FEskXp9QnOg1iTmhYeYDSd7YTVG -KlP4kqcBYqd19uAifpTC1l7ZrY/CLfpQYQA9yTNgdhNWq0FWhCa08+oWtgkTzVrEmxDqPGNjNFBU -A1khhi11bU+tonoTJvfmE8eEpdjVSRD5aEJLDVVICWSU9id02g3QKDmh8xZEVQ+Cuu1AN31Fjz0P -BqiL37fLBIVGsw9y7+z/g9a7Dtz/4ODoD7yJZF75QVqncHZz7zTtZEjotnmPc4RlQ4YtB7td7QIy -zPJhKykyxNp6BoQjbvtl2GNEwKo/XWP4ZxmMbg51aumBudwTSfv5IOq4cjVPUqxitMu32cS2Egd6 -rxVxiKro9/S5llZ8hDAocJFdgGnzh8oUrEbqQd92WRaChLR6W3cawrGGZfIipgIJTbzxZV/5h+fP -65CscF9fUAZYxckzm0eC7qfZN1jlKnbbZYnRwNQIig+yKDFrNDuOJWw3SR+LjtdwN+agQYImPNKK -DRTsTI0L10z1zywOxzQKRDCaFVuv5l3QMxzPDJkoGtTYuXPuVg1KKUxo9/m5/xP02QZpNj4818er -NgmcFi/0qXuWburSx+bK3dq63a4bkwV+VBPVB3I+X4I6KcwuTjeENY2EdqfqqPQ9e7NRJunhkGj6 -zojY2GjyI2rXQRnanq4w8/s50GijxHmFJdSjeLrIBlZ5ID+iBXvhCT8ErxQVEempnJag/BStzQbL 
-h7RlBfObg0grvRnbJXDvxQguRURNQOCvalM3CJzj1g/M7RMuBiK8+hazRTB3aeOXbi7YwaUWoOP6 -AdhK/e62/e+7+/katmeSP6Bt0qSRBq5phak9toXLFDLWvbMap8TJXnhErStog7vkMUwuNriLX7b4 -aeQLAvUJcPdMXm8oOYIexTa+Osao7iT2+7EX3+4dCd32/kJk9Qu3z++2oD5ZtEs1PvCwQDgN0s/O -nHeKahdeePd4a0wqQ7Rpcnfyb+ynK39aRwcv7kQGa0V/CXmobFTN7YIakDpF6rOMAmpibUueZ+G5 -ks2Q6P8iUC9gwgynbswNuDdUhNPworOEI/8xz7u36QZoFyL/NF9v5uE6tcH8q7W+nypbMfdzLtId -S1uenKMp+z4E2MYgd8PwBvUQ0TOc1H1+cEsexvvpD0ux3+qk15n3hjUrl0IXbuQH6Q== - - - sh/EGTWvtKFoYzAwbbwjFTRd6c7oXB14LCxjgWdvDjJxnrWhtuaBvM9lT7ysUDsk4JducqEvqADS -V+YvhRWIEg1agHkZ6hvWlB0M1AYh+Mjbmm+4tdDGxAAqaanHA+WnZ+3riTbYcL1i+03AayQ4BVkS -/3uFK9/vuJLA6lU09uzC3v/vRmzgfpp8efGTb3YkTiyxcj1gY+P7PrM+1+NB0AtdFumX19tyBV/O -2bjmavxZy1tz1RTGAoiEpRRKYMkW7AKzXN4R/UI/2SHBwbqmHsxC8Ga7XN1KnL0l/WB5x9xBDVbm -XcEEUnJhsG3/doQEd1YGFp4PYEQVYBmzP/irGuc0HWBvkh5wIA9PHlhXx+9dI8AaAb/vBT7lgB3u -5KXot9JELIn7t9pkEUDiyqWDhMOBOQmutu9/kCR5c24x1gwnSlccdKkhiXbcVVruyRXedtV2vOM2 -dgyv5XvBq3kxZqRjorBln4jOiffg7GJTyJfW4CXKplfB0hQiLW1uC90FdcbjHkFjKPS1IPX7qv8d -vMQ/3vI5mJqb2w/uNnLfukCN2DxpEFZxZ//rHIH7ZBFLetHiyihfAZXt2LuBXfT0iMZosTE+plgF -zDmafs5WPIiwwiYfUoMbD6rGmnsX/6AuO0X9/R2sWK1DE7QXJwNYsa4waTX+H1detsos500iLcuX -dr5OHSW8NlSP2745g6pXN84FfoZHWerwKwGRsqwZTcdTQO06HQ9n0kT0Q0vH2VJW+tOlQba/Mds/ -Q4GyYGMF/l+7sGR8DorUsMwguPoSci3EkWkmuyB5QNeFljDYhwlQdc05BhN37i4FkGvmxeQEfCPj -HE43tVJ+FsYqqOdxSYOGTTqBI+8dwdByw4pmmuJ6/vBj8W9QfaHGDg5KfwR6nPp5cAO+mYBM3eGg -6B3VLFhvaDkcW4ROle1jfoOil2DsoAUcIqgutKjuvmTH+Eunzv1OGn11sPYqZayC1tOaETiCVe6w -cDcQStqPBMTb3PKZ8wXbhw5EvZ4iE0CsAIQyxqPCroq5lRi15h3VNRcGZjEN/eo7A2uAQKhB5PRG -VTBjIPROxh0eFF00PjeoDtjIQWwtUCTHDWrvBtbLtiyvOyjCJezNDUr/HilPJxo9LLicFsfsPTLo -UE9LoLoZcYQXNJvkNFG6/gvo3NIdExiHiaZ+D8groqUPmgFqlxFZnjlIZqF52o6IrySmSt3q09j9 -mQKmYOd7Zpq3k77LZ5uFjlSD/rOv3Fm23lU4D/ukwqM6MAe1I25dJSwJA+agswGeKZOoednQOIrS -wB8Y1+tHSyjtAbDArR4G/lcNsJx/poMEXxdd3O0eJOFZDQaqA3fRF6zkJggJWf3v6YlgID5IZrHv -/AJC4v1BQlkvn7xDDhAS8gbgrxL9DiGJ8nylYZAtPwrvGxOWR0h+G0m1te0VzT1tCyEhyd+dTC0k 
-E6d/5KUFhxaScS94uGFlYzxjWAEkaOV+YdqQDM6elG9IrKfUY00Tgb8h2Z2rnW5I4Cu68S29Nxlc -SObGIWFIFMCMQ4IAw+xBJPFqNP3AciGSlGE2JzWXXEEkh+Kl8axEMpm5cOUukeBzCs4mEqe6ZCcy -WFWpicTN4wpmE4n7tEZ4dSLhAHedhmGwiYTY4wOjfoRUTSRBwss3TiQyaxP2ECFboxOJGcHAbziR -fBg6guqJhOyEJ4EAW/IF0RNrrIQFVPEKM6E1OQsomwecnZ4ub0V2TRbcpgqcB7M+LeYYPgGUJKo5 -5X9sVK6Ynhw0RKGNSgcoABdxGLWsGFjfaBodVlnJtODTGECR1NMicwwXGIlMwpkETzWgw0sY6uzl -pcg4iSyQznVuxg7UvxKjdcc9iz+3FVFoCBCOeoA5gh09ImHmxcQ8nEjjz95cqapxQR29Y0MAivab -9JNa5Clb6ec5ZxLA2EFFu0ov/VydDm4oizSTLd0UpVMd+veI+9kVIxkMb/1tJC/JmCankSv3M+GP -/Uny9DN3WZSfK6YgtHvAD36C/3EXJ96K4nLaCQhU2/KT5iRiSTnJMIvL4LSZaJvcRAohhGBT7z7q -ULN9wCOEZuQDXYCZXcuRF8hE8I8GxbQGwRNx2IAJKNtLcCYxq0usRZ1DPd20gHoUEWa5+Q1BM3ji -bz8bKwZZunNKtFXSNBEyyp9q1iYqZT1Io3y6Up4IXDh+6ktcpeVPTJG/IIJHKIDg/zR/Omx33seg -1vwZvrdfsi23xiIXVD5UDSl20fMV/nnnY9IV/wzDnOG9O4l9/FMtbqxgkZe1jqKlzejP9exP4/dT -+6cQK6dT+i+ULnZiWZCk3lqKvW0kItpVcOWJyKPeA+/v0yj4RQVAS222JXYm9fIfRHoJwl5GVa9n -xWAN/2DjTlikfzKyg/T5adNMVJPGISMvnTZ5E+FUcfNpsu8BaSwXIjkbBy94dV3b36d+1pntMx+M -RU2V8kAv3fE1yTJLTNo+X50R49PeiDRJCtmiMlyPyL2Vf7QYHFUuDWDit6DOPVAv7cZQtz6nPYSU -paU+nOeFwmvzPj/JJHrBKGCe6dlTyl0XJngPgLUHMtWYsKlL46Z9Lm4mZP1pJ61ffYL/TUarzy5T -dDBe5clCoTA0dikFXn26J9g+LUOcSxv6Loo+8/yeigd3tM/lYmR6nzAl0sOa8dOhvcZPPSvzep8q -NzLA2FPYAwWGolNmEZwvxb8EBub7NvYJMHSOA0Bovg8jGCyg1dMH4MSZhQ1oVQVK9wdreQfre6mR -Pd6O43HzU/uSX6P3Qp+9SS5vS6oAX2E+N3L7UF/XXB6fcWza7tqJx+fql8+KsawkOZPV+BPgjJhw -o8pN18JXWNgUormhPs3D1Vr2mQ9ALINIspaFDBVE82l3d5B9H/16wnjuU9Lbm9LN58Z+eem7sE3K -agBm91E+G150kT6ddKjwh8G6XNSvt/k8Wz02Jdx1SJ8XUI5Fps7BzfY6rei0L/IZycq6YbTPB0Ng -oea+a7r51IbRuud8wrlVq/RZqCkRp6msnZibT6pMqZh8xrCRtdISgpi7B2bPnPVvoqYqKTEFyecv -tHAmn2RJlBiXkixcDaQimG8UKD7PdsHM+EYy4U29ktnDufEVcv4S3tKNce+6PxF8WhI9bwvzGruv -UxEpAbeqEHDT5U1UDgs+F8gwBtNIo1uxEpVY5vEqw6jvQ/1zp+iWppo5SgWfFK0whEmJYV9jYd2F -UHxK5QZRmRRVxl8CcU2BT8CaMin/kgLvSdiFQoaQ2HNq+6d9MWm3Z4w1pZN32h+S/oEadW0YkX57 -Si4ClJUA1nBPK+gOniK34uxpcDNcVpHj3YARRenUkdfzaUxt17PllnhwRGbgS8E9e922o/6axy9u 
-fb896SuYeleiBnfaYcA9Y3WKRj0YvLgnHgfxJXSv3j7ReIj2RFNS9lpAYkCN2fOfLm7ZUxsgt4tN -gkUaAAjKavCjBJidtsqe3QuotDKKab49EeHRhoMVrCIdnMT/W366PVkQNFl/3j40fJzpfYOSxmo6 -ayHEt9V2Rk1FttXPcVVw6Zm9sCuGStj2RPR2Yd49dZdws7dn6xbfyNVAgvfE6HhuiO94v3vK0i8Y -bfckr0YB9jQ+bSxD1D0dYbLAQvdkYoOdFioSqeLb2mooOeieDFjxv0eHd5mlmmPWnsxqBuvz7NSO -I7AlUBn4Qjm0Pa8f3fZWlq8fylxeMxEfULiuUkj/lJHGQJdQWbyHr/89qyummd9zs0UBqtk0Ow4Z -t4f14aKLuaAEzX7dE9E5TLcDvu5JRoHNsqkt79R4ZeJVXDg6vYGlPBiMDJeWKKMzX5XQ7Suxtbft -WXO3tmMpIUXERn+isqr2cOdtxkZYUkYaybtX4izZE462Z1STPV8DeHNYOcfp6yCH2R01kJm4+6Q+ -Q0q82HruZX7VNNelpZ6FFy3JMKgxeQK11GrLoVpR6gm1jxoYr3btaz1Z4BsvRbWezgbJmyTsiFBo -g1S7wg0PY8WAK956+rPKnThvPZ8Ox8VySFLRg4xtZ85TsQBb44cPam/okK1YAmN4tZ7dlwh8s4Go -Z4miJ6Q0Ie3nIweEIT/7P/uySVU7JhJu0pcpo/XclIiYNrEEGzkPMK5PUVFnnbnbgjwstp5EvvLL -SeLPrh1ysDEr4Sqx2rWNM/ZDsVxTIc2K3fcDvHmKj7QyGuLGz4LmwwQ4e+gTx9UUjFim5IGRVPZr -GYCNCOzDVG0dOa6g9KQtg1Lka7nSftNXcUrq+AD6hwlwrLBiFXwZBP+MW91tCoCe7YwCWRXRQWT4 -vZyDHuG0e7QOpuypQc+JzNJTKPSctSp1bZ4BB07i+CMPOY5CT2f7LKTbhZ6qP9ZKtQIbNoRmCuep -atBTPViH5h+ubQ0NejYwN3ZasFJLR09XyeI8W+BlyWIfoHs/ZoanEGoHMgf0CsKa42VLgF3EBz2v -QjwygZhkyt96SOESeioGKuGH0NNWRooj9OSp77iU4NX4ff1bVgSPHk61WDqA3Aw9a1pac6LdJiav -KNDh1qnp1/EnerI3i69URfSsWkJtrTuyp4znBJUbOsDR1avroZmY+gBJh2x6Msz52/L0oe2Pg8Gd -J7SD87SdZ3w08eG/88xb+aCGPGf3JUB2nA7EOGcs9kXk1ZsfXHmAwjwX9IJsOxBMEObZEX6pn5tP -wzy7MSKBfPIU4y83pi0xTwmYrUaLB14eXSaZFD1NoKiP58vgNMZXvh5MKmElJVHGBc8ghXRVUlVn -RE0gImBAed2E3sTkkw7IYyhJX/oSd2cA5vmHkbhAXX8PWUo48bQzh7Hd9I+Jh2h1xUfXlAmDnXIQ -lts5/hZd/nnjqWTRaI2UqwojZ4w6ogxrjKBkKk06Sx1JrriYPRZ9IRYjEdSS6PQ0jwbQKXvhhGqJ -h57xsSNeBYYtD5EyYqn1wwh9YvYA/ToConKeJB/2leFFNZjjQoK4yPlIiYEcp1A4hDGEj5KDOpiY -WLCMwc8DcBVOUssPrHdo42vE1t0nkK3Gd2XAFld7od7suvQqvNnNlCdILV0wjJWp4TZ6IjZs3NyH -UgHfppCBgnN8iX851ffAJI/ya08DD/3Npj78eZFs6oOdlNjUhDbnv6YekHlVPH3h8tua+jslSe80 -WSVNcae1QaZUU0NyPISdPgMj+GlqQqGY0rNp1viD0tK0xBbU+pyZG2gbTXNUwJyWs+X4ECK57TkX -/DOBxJp0VBzOZByXhusZ7YkQXPdGnW0m2IokFWRgIs3UuBy/ZCYGHAuxtjVWo+6+PNrAAsmWbLbV 
-BX3Atpsc3iYT8Auk7moI+jyXyNST0DZ5Go2vAFca+S8GnNEsZRszY6ILit7F1DHn/ZQ5G3dEeGtm -PflhLmZRtqoFW9a5mMyGiQyPAiYZLbESKJo6QryxT4ppebHh+7iWShoQBNgAoh5/KfNqkkljVVSo -uo6Xfad43Zo+BoyGq+T+JaE5eqldSy1Gl3RifMEpwlPR9nmnl6nEi01eXKJxbnPnrg== - - - swmHxjNcL3x1+TK/VENDl+DfMKfPMJdg/7eoxG75COIyf6s++4KadRlv+FtqL6ekt1tCU5iA/LAt -z9W0cE8raxRJHelc9HOitdwyhHUmpNLe3Obk3Iy01KHwfJXRbXXCz7L9jBLKyGaJMl9Et67z07JU -zXY1popUUzHLhguVvrEkz87SCBVoi26+DeMeYZlVumN+qX+lTzfsldt2pT7SoeeaTq5s5qAL28rc -A4RbkiI4qBih35YEUG07KSXc6p5Gu5OObmtXC0nWfRfnROmPboP1zGkjVb635ySptKmcrqSygnp3 -BkBUKhceV70KJ1Jq8UtfLsLADFvSH8bSHNuUoCICPzBTVmNFr7iUo71rH87uu3ZKuXce8X9J+etV -EyektH5SS+rtzEYspFxZI5jNL0RfN+LElNnRuEqRuFBWup8oj8WBGHCLJAjcsFBWrC3pyh6XzhqU -vZhvIo0tUS2btRdmD+UQjQRsGLqHB/UECjWZTOsqPBklrFZUCEpO3RDYyedTpXgeAyoDQBdS39Ho -9yaJI95gz7gPXZJVl0/PiKQpHm9OrEmJ5mPbxdFkFw2WwjxrJsnu1tRdZDIbMTlITZDNhHZuYZI9 -PEu4GS72aQ+/pLCiSw7vVJWEtpY81nZ4xZKuR3HOSlbyW85YHkAl/9E2DilZbSqZjSTSyODwSaYJ -md/Jatz3wmT0NU3VxkC/KSNJt+YzfKOFJbbfSEp/Mrthy7yBzfXnPX465q0sg7RrIfmCDEnvKZx/ -GkbCAsjLLp51EoLxAuR4kkdKoSSt3GUo45k80v86+RSWW9heDEbkz2QqMnLluTGjYG3j2/5Ud6xJ -YWn27U9PoEzZ2vUln9rbn13B0tDQldT2J7co4GrQ2p92qdN0f2L5xrHvnzfnxOgFIYjXAKuG+6dU -5r9A7k+tGYi7fwYfBEWNu3D/BCS9rWcqQ8QBBTrfk2wbgCuowAEEw+Xl7Ntke+m5JKWUKSUJcDgi -N24EygauBuIGVZ9I5SoR467SrOq9NOP2Sfe6FFJhjbiLO0G66UTcxZ0o7uLWxV3cmnCDpkMxpTpU -DWr8804WEp0Jmhj56ZVNTGnqTaNacef9bVD3zbiPS5a7YVkk1WimfLTniSi9CCN8GcAFAPS+yvH7 -l0Xk31NJ4bt08EOPK++/5A+/HJkbzZ1DizP+cEvXjDFHfA71Y1LP4tSl3AfdoSz6IY50WnyLcr6I -LyI9MRKWl7P4VoMcsz6IQbqIjKrzRAyaj+jwPNl4VU2RN2udiJciEbeVvwQRW/RfRtosRJRijl6o -WJ4Xq4Kuek/he0ovG86Vikpx+J0dXXSJRG49iXWJKzOieExDim9RimfxRRajr5JkPQU5arVbT+LW -k0iyrCdxPYkcYl/DIKfvkN9QwjNaTF8hw0LSl9GpmSixI6bKlT9l/ONYdWTVC39KyqOoH1MohNKP -kGrqq/2GZC/klZkS0q5hDn+JWYK6eTGo/USjzJ6mDxiDcyJyyjMqlrJ8sOKSmIclyEvUUsXu4cZ2 -SkNcrU/IROk41RV3r6vVxsfRUMTG8VnZxktCqFNU4jhRyY/2IhS3TmGhaMznuq9J7UzVFJ+pHy8p -bb9LspVSspYcCRuLkUuISL09pNNvKioe2ucit0+6faKL7ZRWT499qCXKY187QolYJxHdNm10t1uy 
-ei9NKegpxRCnJhViiZa6zz1/8k7t7ZBvr0ucx0nKeKtmfKqfImo8qhJRdhWnUncnjbdKf6quRuMj -FTfOKs07f7mKtiI89RuPKs34VKtiW3wvuT15M/VyKmLlTTEf0ahLK/owH9HNvLQTfs6OMsKPUPjT -nhCraD6h9hy6pyEJxevj84Uc0wqRJ2rBJifGns+vcfoNJUylhO+hTCflVuLwpfSIpJDhd/ZKjxfz -5YTvckUPSZ8o1jbK0syPMkoJM7+xlX5LRkOmn1DOF9HmLZTokBcq+YlONIJan+iwXLun3Ykl2+5s -I2gxO9vurInttJ3w0D7s0GqabWP/+rX2ifT6u6mW1l52qL6+YRLHsqY8w1P6Qmop9//NVyM6ZWry -jWVRE4uc1prHMRSqiXC1V8xJxbV5wi+EPktIxSaPT/pJv34PTmRcP1KIfPyqNlxFapMa5ROjzYR8 -ZOIHyVWQQQvH0vKGhIsTyw6y7CBHnx/L1J/5cEsHDVc9mUTSB7H3sH0Vg76jvQwp2nt4mjPZh/k+ -zJcLcIACGBCAAyggAQgwAAEMNEAAE0FIF0NhkaHOJ9p4tTJSjzBfJSFe0zXemomxHhgeBez4ftkm -CuQlLIMHh3uFv5q96pqM7auDmWiwBFRFIcslwV4JOWh1EeJdskAHjXkjwzqgakemVnaEvATb4S3k -POJQQTqt16HKmD0UmU3DYKZFr4dUU3/YsdQV+b5xOUJhr6emURJkoTGlJMxBM7SDtjY0ppw+AFQo -I8FWi09NThviSlnRjFbEYrChBc1KqMYXFwmNViR0D0nofpjsQ1MeXYg6yxl0SDZOEgZiUkNWFUSz -JyJLbREqClHRItTlSYU65BKWEG2IXFUPGKW9UL1Jr9iqSsL0IC9q6kFRLVPVmRRISclpPnIJlaQr -Cn9QIT+damhBTnbIacg3AxFV+MtERUWxolVVt6oxSzSaIGNNRXdA9N0OE3OU/LJhEU1UrSGqoqIQ -1ZGggGgiQTUWkVPVWw0V1TyEfNJEiNHARLcsRvpiZqrHBGV0plQ6UpZKUarigikgfeoUcPYoJOxB -vSoiBWf0memHJtOIYE35pDCGcTM144YLuWiIMxnXLBqeaE5+xZKJhiZTfolGpg0hYikkoVlMhkgY -2nlUDuEM0UYxo4qKmVBBMUQjZRniY4hIaMZC3VDdRtGMJtQ4qRoyp9DDqc7sQquqMceascMP0mj0 -z2vF09WxjC3v4wsqiutirCgTnYrIM50qfyKmvGRV1IlJZtSSRU5BK1n+oQtpaS2nCJJOfDeWx6Ii -qjqxRJEsXm3lFioJBlXlNT5FnJ9gLxMiuuYncYmnKmVyyPJT1F1vJ+VZPfTT2wqTffq51YNmakSE -Ni9O5Zd6fKZT0xQfVGNWPhVV/lykND+JUenIPObyNj7VZ8M3vKTWkem8Ptlx0XMNb3YmcF80Y2aq -uhpUrypcnddhv/PaPm2q87p+kv0XXwr02C5lNbuv8TWtiNKcUcue/Jz2bMmlchFT4xSk16gR9ytT -MXm5Y8d6xmba79mLw8l4Qp0jloXk4+uvjKcyUeYrxl3lnN5ZI5RXZHOKRPSVzU2iO++FVt5YHqSS -ICcxnkS878SIjAzKxGyNtyQMEmFUSXxWfP1qeYlK6GlQEI3se0MOHJKGmqBCzf2hUOOZUCNjoKFN -eOkhc6IVBRoqRYTNudD5Qyd4FjydMNNgEdLoNB+2TdjFToJkpPXgyhPekeqKcHjXMWoik4WYVb3K -JGJzZlA8lzYyWyVYMbx8OFqDUrIIlMXULMqXm95K0vBhHViBNcM3hkaojN4D64GbEIyIYCyUgQIE -DgxrWJUwrMMwDBmGXRiG4cIwFIXBQYJ0KE+gNlAlUCdQAxnI80AHEUbCDDGMaj4QBSo/0HtHqIc6 
-xw0ichhKJPIEWWSMclE7c0k56susjOt2z4oRF1VsH6dFP8Sa0yNGUH4xRTRhV5luxqK4pyvySzE1 -XSdaDNrER6XLzEgrZuKfjgyJKeYgiXNOMuIoYUeIj8uQtMizkW7fhjNdeqGRWad2s4H0khNOzXpe -a29bDfHMe8SIyEwZK03fTgtaS6J1p/Xr5ozNSu9uzFssrvRVRqVo/TI+1pV7dHZXWGbG13Qs6hr8 -rH/31mIx6QOyhkY05J3a4XBuRWIdie/BUjS+B8v5X3uwpH2qwih6VlM32pOrOGpnX0sri2nFzlUy -sZV9bm0V0u/vLaWUU5npTCk+05fiM52HpqHHa+1Od2i6z6W2ugcRyVMN16/qAziLujVPMY0cdohT -JO1pOFrUXNid+GWyDrJrlGLldH9ayKGa5HxVkxQLac5ErBnl0Pwo5Y3VJSIzP0bG8aq3Waz1JCwu -ih+tj7l4Tk5PoYumPryZ+MJRuVWZVygz/YQkksx45uGpsL+wfEZpfRAnItIHuRL5x56T+jLJW9yK -Gfqc8kb61Zx6MYu8oD+TRBViGmmaamiie445z0h2jRT6wZLU5khd0hPTWG8cP8iWb1SisZFKpTyj -xTO6T2r8o7US1dl5L7Yks0v0Q6Q9TtOReKkT73SMjkMmnDE5oulMR2hCaFwKEVY/j5P0k1a8ph1u -l9GHHqmXOofK12Um/okRTdfwyjvKKfN00ifT55S7gtEPcf1qhqwtWSPiKclWl0w2L7i+qtGbeJ6I -4a9ljYaK0iBSRd1VFT9mUFjxToNV0xMpSmLuxa+iKzjeqnSJ5hI0UawyE+lVU1vCr8/dZvqE59Wx -g2O/VM89j5nD6jzm6dzS+WteYc5jlofIbH8UNRsoQOBAPf7Py4j7Df7Cv6LD//UW+S2+l4hYi1c1 -4n3jUQ2yOURxmT7qtN3isO21Sg5xzMQ9kcLeq51fLZnErTEtatHIkKVfpOn1ZcEyOt14YWfjuUpH -OH7rJrgTW+fIS9yd7ojaksi2fdKOxGEzStV4VCueTDyoNHU/QQ1xTUglXvXbwvpQWbN4UUfoZHm1 -MxSXaTHqvUjLFK+UZIjijE5s009aMf1cr5R8SslwVMeLKlRTOwuhrmqZKTFhy8Q/lbhQF1VZVUbL -zLipp5WrhCPbQzq3O+3cMkeh3M6GLuXbIadmQ5dFOZ2svezsZ0dKpi5LGa1DXsTXSDbuK8pXVKKu -9OMfrZWU0r9K43F2ojyt933SISYRt6Z9WNnbjuIVjrS1uOylpbK705UqGndyZdzJ3aedBLkWktge -HTc72xZP0UCojM48KUTM00kuKp5jbMiT3NBmNjxPiaItOx9FjpSU3hesozohzd9iiXTiafi2RsIk -yZ1Exa9I4kP6EZa7CUkv+JnJH8cYnFYp3h4VqV2krVUcHFWjyjxFWYKx8iVYliBrs7IEGVEOVrBc -FJEa+XhDFOFGQTvI2SzPHjmcffFsyqQ9imcMkmi/f+m+hiW6r+H0I7eEErS/+RErjd+/yzfM6TBK -/KF+hBNSLyOxv11V6sukCZk0b0NDXJFQP/MIZEeRTGb6EFLFR9qG9CQkEZHUNFE/ZjtylkiQqXUN -PSRJWkjmYkP8FGsc/yLN06nq2YNI4SXKFXY510uy53J8kxNyw9OI2JzxlIvHKU49ksaxP2OJY44O -tmOHyxglPD7Hucqi9CN03+EseBq375C00tSVmfsR1l1ETHsOZ5O277BRlsZ9CTsJkfYdVj/DGp2o -xBNxiop4KXIkq+hLDGFpqFyhaWj6WX20SIZb9EIs4n6eiBTyohRpkBdTzCErrExoLB+TkSXoN2Sh -yKoKURBlalJb9jmTZ5xZWriRc2B5ltznUqWkKmgqr2VHrbxTS3LvhuV0sqpTpYmTSw== - - - 
I0qwKP5Mlbippt6rO6Jutk/3Hi3tTv9aVFWc06J1JqfS6HTrtBSfKdGc+KjxU4UdL8SfpqU6/2As -vneqfKuNr9qPqStVUE181VUZr2olXFw83ldJkTI+1RqHG2dVaDYkLlShKOMOlW1cVVaTamTR6iWb -DZlT/DYl96wzkYqhkAyJVMxizUqCLpXWIsyNW3ut/n3ijc4ZijFtRhJraURb+JC87viOhpt120fO -MEQhiH4gBhLTq0JJRWh8STBhIgeZ6YTOO65Aq/qIW5FIMTSCX0MhHqRedgNvoACBA1yr5Qotqarg -ep2vQJqY4j9EU4FMrQROWC7hIuGyCpcLTRSRERIqKQm2JzLTkYzMZoVHRjzPHZ1ieJyVkDYlFFmF -RpXTdMKPTC25iPxNkFHhjFkT/oURnrhf39SOLr6GfLx61B85Sckci1BXXfSzmtWmKMFipYJkj/E+ -l06C5sGZTEEjElb84ZxHQgyTYjM0ecERUkSUT/GV2IWqZXbnaUgVm1XQQ9Og0e416KxoPfHDmz2T -Ul4xaeox/KLpQyguzhKlFNE8TCSk9DGKhNQkrmd7CkcLwxThVGn2EnSQa3YWR8hE1EdJe5A0Ng2x -Ti+WeFVeiBfkiSyqtUkZ+YogY+MXcUwM+deZBLKvw1gnb1DJwrWDNmyMy+AazRES4ZC5VDxhE2qI -qvaij7bhuGznwbF9Z3cuHnkv0sYzIqfQRFi2G67RwyIxl4Ujl3bN9zgdGXzNIPeK7RKvzKL5Eg+S -3weDfAlSgjjjl1gfNtj6vln6mblUQuWXwd/BFrkWqxFNJtS3ikV5Fxm/Gy+PISeeWyLGj47Dk4L+ -WR+DpfJr9kemoYLS8YuoL2NQSZ6N8cQ4hCqXWk2XsXykwbSoiwTTIiYiRl6S0Kqkq5nJQex42UxV -38Yx38jiEjizo1h9zZ7EnNJRlTjqhJ5584LVcR2PzCyEcfZj2keKnAllzo3o+0TEns9sJVnhsriU -hNSsZiZ5a0ZSMwqtlppC1ChquWv2SqyHqJk2Wslmb5yULZ7PbogizayTiG6CGqKrOYVba27huCql -NQ/holif0zyPbqPTx5az5xUSNaPNSo+JEcWYHrPLjp8vh5ov9Z/QVpXDWBVmJIoI5XlTQrVKEXw1 -xhWmq0uSAzEobCHoCpWpPFQsMgwWBotUbCmFqdV8saLbFFyMc9hLCSzaRgwkYjGUwpCsxapaYEVJ -+eFUmhBFoUX1ogZCDSuqcBo7MkFBhFSBakZaq3BocxrRWRRyNF50QmTqKxULpE8WaGYmeMamBI+D -hxJIXj3CmB4P4mIQi78g7kNdXbgrHoaqKszlEua/hPn5Mbz2CvKbiiTh9fkf1NVI03bxiVgtojQx -0uyj5pGDhB/TI2Lk347p4jlE7DNduFImKD7NhmKkC+cQm7SkTbZ5cr4UoaZhEzYznmogKodVKCIF -GQcZTlE5yEyQCTIjl2KFoclrGgV1qkQNbg+SS5C8to3I0CxFi8bH12W+mn9e1snxQBEkOe+PLFFw -TUiiOGFXOKf64TV5fWMz5KYJB0l4KGqi11OJkJPjQb4ir8QhL9q/od4PLnpGyVNHduqUo43MRNMo -9seYsYasoaznTPCyjjx6rI5UmnWn/Bh2NeqjFor4MmqQcVVBCmpHlKgI8U1Rt1+hsCVj56aR8yIV -+VJsmOD8RbFy5VKzRIScFgxi3A5F85wYivYLQ0LkLJqIdCNfaUUconBEuiLpRkaj5NfMZkguV+0x -+0K+g0KtEFpFRy60aY3M8vmk/TR7fqwOKZkLZ0E6V80MwCM6GShA4ADNhA5NUJjxBIWZCTMOMwuc -Sgw1KGrBFeJvSY9NvZ9zHEWCtm4rGj1c05qIbNsWZh3HOG6gT+jpWxvMTUXE/FFbR/Zyl9rGEvLp 
-s0bILLSjal3oULEgmk1eqWQ1dxdTs4maT4XDcI+abzgGy6uZiNrLdE0w92CQdjXD1j1HoI2lTy0i -/CWfxEok3aimjFGthKJSMumt2DDc0mmCRLg0unSlR82lU2IufRJrTd9ik4eIBb0+Q9OET02RpKPw -mdM+wZ/fa5CHdEHuDj2ng9wVZYjYHjMDBQg8IDgk90SrDdIpLROm6zDm+zyZV0cPx3nJh/tFGymN -tNSiX6XWhrxElKl5iJMQvzQK0bgSRRTCouuecUJCjD/NEIn/BBnFVUYEr2pCjC6HBu0OzaUTpF+X -8hssR/kVrCg/JDjdhrPgZnYvJ/lmJiciTxBpnauTLIgiL+1mSSiieOpT+bQ+11gLUvtX+aRG7iIi -YiJfK3fNBNdjZKbISZPwSCBZHjX/XyufIGMcU74iuw9e5DTlYBqN6hNMs4SVnKYU4iO/SCpMcIo0 -9vcxNhISETTTiiN8xoRIFULsSxRfPBNonER1xK/XgoxCEYnaRcS5ISg/H2bdGaVWmtqnKsNH1p+J -g8mu9AlDysjMhGh1j3amtSvOPNpRMMrFiJOGbHSJBXln9CTwdkjoQyJejbSzaO01XC35IkmTwwmT -NPdv881ao0mNMQ46yijPpsjChsegqlpQ1boFO1G6u4+LwXl0NpKP4GItduQN+mOkm04raNKKVgSn -fcOzGm8yHrUrmTyP2l7orLGCVa6oxqt+SbNCMmR8o8m+TVGmilJTJTVFqZDi1MhUESsa9CFrnS9o -nmv5iDhFVGszU4u4F1K/LAeljUnjFVovwZIoRskSs8oV2+2RDYv4nSnTQ8jBCm2EZNGpjIJDcgXF -M5IUl1Tz4nK1uaFwT93I5YR3rR96NaGSyT7arMhQJIRoPmHN22VjF2DckhXEcjj1xaKI+g9Zn1Iw -+FZHSBTsOqkfwfMb61FdIyul2r4yar6Pv+erdbSa2aU6+1wjGyQ50kROtEbYs/LiiiWitR66H0pl -GMQ1iLSew7U1axCDVnaG31aTyLkYRMrZsZ0RSocVlYpSK1rRaUhFS6wohfq1C39G8axhKleM6C2s -IrmzJUEiRZ5GykRfneKC7Cdk5z2p7YlSpLkQEjHau0j35itjhBIsG40hZRR0soITHZ1FdJGs4hTx -Q5JRztdJ1BmeMSx/GcZZLsqV1lq5td48Xsej1ru0HHnnSivrBmUdixwckoNeg1g1r6IcPN+OlSDS -/DlVSoNCIomLziJajUdNvTsXa4hDIlIiFR75RaQ44431jCNl10i7tIShVsUjIlRZ66vMeIqn3cjF -SPZ7kp7MqVKiwncpsrosX25OE9wtnmeizBBRvGj+EB3ioVvNUbJc8+LGcJiyVaUZQjgNFE53y1iC -Io1gkNElUtrisJRUxODJMWRk6VER3KLkOE7WehBNM0GUTjAcxaCpGZrxOJvN47NO7agiWJZgf8fY -b+YrutiRfZ544niie9IiwZmkKH20/mGpkY2i0IYdt4/i8Vqh2sr9Vq47wgnFwxHHiXDy4uyOLF5l -/EwyyzptsPM6FZtORU2pYtNvKhEckiVSkYZF70RFak/FxYrhc0gjcTxVIWv14TjUiKLNq4X0XCR9 -/lcj05E4TU1qjnLCroa82mg9tcGhvaakMTGdCGrJQY4XKzMOIemScRC1KmpaEvSJmvZlTJVKfdCt -aMzSXaRSMUpplU6kJaW4qX2MEPUR1UdJY7EHTcWmno6CpjPxKQ2FTEkeJD1Vbbh953Q4cYmzVzlX -Mra01nWWcBhBQp8TNNJq1UoaSbs9o0kt2HGZpkVa3kKfcxRXfIlDGR+1pbXaTDFTqdS0csFGkCM1 -smu9Wp122mmcsEUTlmgnJaLMaHcGOdGP1o1lNP7Ryi/6qFyC+whtMm3AhdtJJ5tubleXZzJt2HN2 
-pUE7TbnSRlK4LE/3dMmolFKWc0dPtkxYCha/MjFiZWmHsnqdkvLaastryMrWcJyJ3kTiWDy5ftyP -OLTEBE1Q25jriEUWhXJGK5QzKhzKyTq4CuVkRE3kDDnRcqlcVCZI4TCGGBWacWu2ucmKriSietMe -OkrimEjmICq6r1PJeTqznFnWrefHkFQQzfgsTQ/zRenjLbMLT6scHBk3KqVqLXu85b+lqBSsyJBS -NRJi0TMhUm2q1KJMcS7KlBSnw+m44LTCIzrHoF8MCglnCyEJJGvMoMmy7HGiSlLMg0maTV2TFSmZ -S0r9IYdTjtJBDkKiENOieJP+1vwjJsvKT+6HTqWJQR2WRFxa44u7zstvjX1ROZOoipBvG701yAm5 -fJMoWlCcEcHlZI1byaRY9Dhk0TGXqgkiTV32R6Exvpl2pvE3itBRFKLDZ1XRGOLP1C9pLXwS+txU -oykpQ5wYk2Z6lESgR8Ciim/kq6ER1Qy9QZsXZTOdotb8mtpLFimRiwy/0YR8gkivYzf2GCvpvutW -mldf/G/Wl7O1C3Plxi037sZlTEutYo3IoKxU+sRIeEHOKTVVwzmFFJasy0ZppaOP4mRmZzdtO9PZ -SiKplUSOb9Tvo+z7GjGdiGsvl+L4aPXa6RBN2BKtNI32n3YpWbHm8ZVSdGK2c1RNFl1lueiil5lZ -9GVE36oLA0dytmZitIc3oG/HbaAAgQOhxlJhtc8vVBSBThbaDGnqEn8iOEeuW87VvghGpXV/hiTU -4wuSIa11UVUT2PlJNUQamjVKT+6JcJOTn7wzGQptIyufWtWYOnSqOUHebRZjLqamWermIzGPeoYq -u4eCEJF6/rJP59RPqDf/6/g2LyEKIeuEmAyF81BXn4aQHrGNPm/lVAXPccUsaDM6UW3cf0TWbMJC -qypZdVSninaOhbzHkme1qRFjE/Umsn2qMtV5nJR1bWRzBrWhqFTyCMWTGDoCAADDEtDAIAwGA4Ih -IcHoaH0UgA7rciiaieFwUAZmoiSEigkAEhKAHAAACGxS1qMXfPAMALfnWVojcQZASXVZPILW7UTo -n29Jmu71Ib6ABkBou4+oHjYONACEmi/HvkIUUb1sW7GTRcigJBhLNRsozfWtOAMw90Qxk8CHjfhh -ogPxXtEAUCEJvGyjBBoAFaIH7VYDkHlff8I5CPwws8WegQ3x8dMA3OT3aVwff4FlGDvaAkbgop3Q -RXQh8jzSAFBtxW8rkPUkYBVXKcFw1w+scQMlYtYEGEoDsJpdVoRw/3GvGgA6DXEvXex1cwNO1JX3 -4xKvQIzRVAVeYtBXHHcRmJEmCTZqANy6LQDUJ/KBmDvDpHGOQrC6P7CxG5e5EjidtkndEOjHGs+S -fd6Aww/333QiATDWWjTjCnhHVtXv44fZ4UsDPI72N+vy0NQAIJysqRziy4+9QRBHf2oAMMwZse9t -XXtkmapzVhoAw7psCc40ABLkZgayBdPGWSTaSAPwp0q+uAVQWSIoYQPQraHoJS0cunGqsCedMpkB -AiFqCTehZPVcik2lAaDl76cEpQHAtYOuVf9NN+Xm+pA8myvaGzB9OMHeZddHAKiMdfgynGbq1gAE -UHcBSWHb1b30GgAXymi4+roNc64Pi9EDTNtNHamQswFAQ3zCVVePkCcbgLFGIfhtQA== - - - CUvtQuOm/O1JtoaWHbaDUhMbgDN+kerkClxosgHwSABk4IrQZuVTCX5SlDHdACCPb9vsSTEdcAOA -bNSaP1MqXUnjMRY7KeyPJY82AL8krgzGP7lMK9Ot7Ys2k7gK3zYAot4MWyUxoTMGcrIicmMSbwNw -pnUKWQGYNVz3QjsQmZ34m/4+x+mclQFQROSEllG0dsEF4NxbAGZorv6kU6IUSLc0KQVAiWpu5dYR 
-GuY5CYAqsUMCIGoueuQ5EbC7LFGAXPwBcFAM2aCZyUBm2ACQGxal9bbq1gLAYUKPfpO6Qwz4mNZJ -JQHgRxogwKsRfDi4AeBZWtcqbVErdV0CgES8vbaV9/CglADg5KbHF0yEQ9ECAMDChQ8B73Op+/+p -yV8fRutdhLv/D/7/eoXVzbzyf67lKt3bmrWDvXqHxaCC33D7H4CzSQ0WX3il/+HNYbL131GT/4uH -pR54ZqkG/P8Qhsd6wwjwUt7+E03fss9UM0RJXP8rMQkaaLnWN07R0v+gvkl5/pUJTjKoU4CoyCkR -Sv+ROorkvpaiUpnfkMaoyScXXfmkZXgq/X8/PEo/5Wrp1s/5XwRwM/m/irJQ8f8bEkMeJLY8H4zA -fxCQv6gqRY42vH9X50jGtEsysyDZcMplzdSKfM3+TaDS2vAtZEcnR9c/orUFOrAwuP5HMCh267+Q -vX+Ub2H6Sv1LuHegrKkfnfpP+s/9oO59l6idctr41oL+f01mQSKg/+/Btf/8M92Isa7+bCpBQGKl -V/4jjDcO7IUyd/+SAJ7GS67Af2m2YqpI/K/ie7iy0Cb8V3UH6tqLuwBA5yAc/ibFc01v5cW/958R -G4Pe/jOKBt9wu38adu/kijN0Wdbk/idxenNyKi7bbf81BNanG/+48FrS/ug3SegNjUIn+6dEISna -gf1v3D9F2+jnVM1b/0PPdd3HLoWnkrX1RyHLlrwL91gltPoDA1Ow+iuRC171/4lIQkzV/9oJ5hoT -AfhsJzRKjdwJ2Bgipr/vVO4KI+5H/1Mg8ob+LyuJff7TwhqfbZT57Zno/PGjps4a3TVd15p/B/IY -/HuwKqw8AJ/5F7A21CrK8q+L3wbhjAWeMZR/gpeJEvWxEu/ylEX4e44n8KyykBN8/JdpTI//B1CL -CdMg3MlDHZBE46+XjOi6KcKv+K+tLxwqbSvRJOLfqagj/H6I+YGbrwx/XxEy162aCeG/YqrmCSZr -rAN/ZfAgt+hdedCsBP/9VdwUJ9I4Gez7i1jfH4JvN3CdXPlw9v7HX9bCLqgc7x+i6ZUwqEYKYsra -/fQv61dXvZAC00f3t01sCbV1bz2ARO4HoNu7fm+rjy4Jv/1PbWx90e7o6dn2U2sCe1FipshgsrXf -fjCQw85n3fPv8H1xSGHPjnw10trD+wghpP1bvasPG5xXIzhpvwWA1dH4nqH8yYGmKj3L3mb/HIrs -SLJ/gdfrUdL5AWxif06FUMN4G1AEsL+ZzTJSQCYg7/p/zjsrAitJt/4prMTeJ1hZM9ZbdrL+gNvk -Jx4RbZU92upfwoL9MJ+MFh2b6lc1BxIxNQN3LQV2XkDjSWklab4ViEHKQNtyKoOnnH5/KEMcUCiN -j7gd0//hpESCtnXK7o7SD6JAlijNhxJtuhVUmh/9Zy2o4F/9uJoW/Z0ApUWlor/Y3Ikihn7ybRB6 -4wpG/gBxBvoLEWgD1OwpA67V538MOK+TQKWleH7I2a1jedQWRYLOzzcCyIFnHeabHzfiSuOcRsCa -n7/uAxDJB3AJr4cH9GPNT/DZBqwncN3DB+oFPHcCYm0gyZqfy5MncNCARLHmh2O0kkWGsA+Olvya -f99wsbKnGREeYeFuxYYJy6d8zX+pW044WnOOy7gu626G2TMisIijQjIDMTb/VRS7iSx72T0fTBNH -q1B11gTScLpcXdfWFLdrJSksYdf8fHBpJ9jdSoc5U8jCV3xnZH3X/MK/PU9RBVQhTEeOdohxmmv+ -H3/VUKBenTU/6+9QCG+hCAiL3fx873bC1vxXdjh2OTeGWFYWVcpY8w8LOcOYBjbBK7sl/CQQ1fwP -PlzQCcQEV+hfNNUZlwL2rdb8B1AU3wyEFk3rFbDm39SOBRyPIaoLZ9EoArTutRy35hfzjK6hhG7Z 
-he6ZqqMwGKeJ1vyuGUwkEabyhDYngjW/lJmxnJCfujXzM6u7KNJ4Q3+I+XlRgBXFVGJ2+UOqd98E -jDR+CeKKFz93+ese1T7Wxo+wUXnbELPE0i6/hdkhNbxE3JYGu/E6qYiialwX1vHy80lgHXHl8ZRZ -/pj5ThG2bJxhLH+4a5H7LtEjC4ddLP82mZk7UiLlzroeZflDHteCJ3l6n9L0/gD1OPJT1rJCe9SL -ka1n3k3FCFl+EfVedhBGRPdZ/hlpbtqBOlORVf5X5w+c125nWaYof9P6xk8Emw44i45Imsmfd+Pf -lmcvOWQSkh//0T11fRVpwDTNAsTZiBYMHjMyINbj3ZdFNyGzKFXS+yH/L3a1WRbwrXCKl+NxJi9B -Uho41GXILymxG2DiKy+YzLBjyB8nvscyH599/MCzqmEzJSyRZmBmulclR0Qyg4aX2PgliFBA8PzI -5hzjHyDd8VT0fjabFv+3ZpHOSShGRVcUf2T8xZ7tWUAj8fPK/sqLgCgOCP7wI2t+y/fLzT78BYMH -cu+qw8H0+fDv45GJ8or68Jve2Wdj5D/8kkg1mSbl8l7nDO3Dr5M60Qlw0eeHv6blCAKf+s5m3efz -E0QGlfL1h/9cAd/0UwU0P/xcN+fxUT/8bE+MrKYHWX1av+yHP5zt73grB2kQfy390i4oh9AcC+6z -RRC/2ZMyRZIXQiF+z6Jsu5vCrkfBqhC/yQP4pSVBxEIdstCF+G3W0w8muV9TKcTvE5vYDfxCs1QM -8RPSFvRawGAiOvyIU2OxBs080okf6nZOYgx/6r+ZcjgDBTNHLoY/67UFb+/dIGaP4a8c4waVhjlQ -hSM/3cA+V+BkGrXH8EO0T7oeD16DKLkgbl9xU3LWmB/DfyfQ0T4M/6v2lnow/LOBMLQqTB4w/E2I -ToyubOllg2BlozWG33nB7R41hplJK4vht7mUEMtSdIkUw+9rc8euhU6OjuCbXiG0Y/iXl0iNALzF -ne8NbhA9xum6wZHnRZEQSzRWJ6G5GP5IcE8o5U+lUDwy/Dz7+JqEdqk8yfB7FbueRsghIpddfCBt -fVP2JCPJvfu1t3NJwx+N3CAOE2wZ3/fTe3EcmoafhX8xWLaNY8sa/ol60BWl4n5rPoGlF/putjNI -SK7h5+t4DmXgcZaVBEWboeF/LTxRoiBM4jT8WWvkVqIQpLh3iYYfFsa0d3Bozhr+l/zAI1rW8IOu -Vl07kHbaN6iLMWWzWcPvExFVKhWbqMeQEzGvDb+SASiwCy+xSMx9Mxt+L5v3o6c/3eQ2V0pt+OdY -6mwkirf4X3kwZ+frg3o8vjLJCbzioZ1LNfxAgJL+Te4Rpsduwz/HdxtEwRlz3oY/XIIvdQ2SxgkG -P6F3Nsp5RG2Y7d60MBt+8nuQCIoQM9bwmyH3oLMwsvsu68jCT24juG1OMMLSut0ZszXYcj9gtuHL -teZKLCqSpJYRwgi/favCpvIcDmnwJ5h4NUyVygj+WnnRXnZKg4eCwK95aVitPUZdQiX/+6PbbAR7 -17fk3O+3pCjeit8jDHLCfT/SgNTrzwShNrrL92kVCR5n0kmPgrj3ERXFCJnb+1UanzW1MXxJ7/Pw -HGax7yTvv6ugMRcKUTdswPsnQQHKOYBBbIT4mUlImvJ2H50pWJgkohHuuv8MLbMgSbDCtNYMZF7C -OJfQuUuL7RLruT+BaPb+jJxWud9BeI0S/n/BuD/hGs1G87o2K2RdDO675STZCDBWmHWl3n6vlS10 -6eEct5/xV8mfH+NCPdr+DWw9U8tmwAoU8WtfcYVLsWDa4yLBaj++41jtGamaHcV5TfuBP54R0/4H -riXR7dgzwmQSRX6Ag6Vl6+yrFoTgAL9pCGUfs/8tCSG6Fo+yYQTKfgK42+8JCz2ndn/sc9i5dFb6 
-nwCL/TtzTcEN+86EgpjJ4YxfWNSr3ThgtuIlozsj9vVXZAWTYq9wI5ik5PVvun/KHUKw4vUv000G -JlnElskn6PosnT0TuAeH/Le+axJbjC2wqqxFZ3eGMGpuNT1EKrDWrP8EYTY0OuzICrgl6cGrbNng -s6svVfWyHfN6EjWy+nJ7o0ri+V3iLFWf6Z+/QdsWXxCjoPo1O7swsUhg5rYv9f2meA1uuaQAXUd9 -vleAw91eOzLab9Q/jIeJ6pYTvEZYCfVzj5VtvjTTQyz8nr7ekXunnJcoUUA5fTJdS+WEPo9UbJq+ -8cgYCwUuz7mAhl2blUpzDsU/xPWv9N34gWKl73LvC4m/9tWEsyZ9ngXOKqNyComvbyL92TOABhan -qUDALjL6rRWqDupLxafjXor+fmCruWfkmgiiz2XkwNDfMVK2M9Pi0JAXQh/UeGgRwqA/REpwoI90 -ca/APrP+OeGff3Lg1sy1Rd8+H5336bF+AOX2fDhwsp89nxJbAwqwo6D4dzw/G4DnhbeBa+f/oK97 -LnBb/uh8exH2QjyuwXLk/EB3Mfg4X+qPwi6CkiXS65tfu4/A8lxG9DDp1+ZXWk+ENp+kNR4xSCM6 -KH+r1XwQuhGY7fC6Q+VPR2wkmu8PkXuhh9XMJ3MBwMx84pSVckOakPnnoFNjD/P7T2MmY9+KBIr5 -l3+8su+bX/6RKlGcj43AunyjLDQxfcCDA03a8imNpxkOVal6mXScCA9ZfuZNo6aKIF8I+HQrHxnl -LwjRCVL5sTwHZoTiTAEyKf8mgJYHlP8KKc5iFBqN5BEn/6NHBOcUm5f8H27IYuUGlzEm+b9pScYc -KzawYQJuR35bE7hj0B7qEsSCG3QKinxGyxlN5DceJji2+JOzLQr55EsPBbxnVPSOExSQ/w2QX6hp -GNo7DZRPcrgTuMfn3j4twjyuCu7442hPBFiS1kNcjj9MtmVJa01IlxChiXn2CGJpJ/jWmotM439D -ONy+dYqf5P2r5tTBFLH8V75s0nm2YHxuVbvkGrrdUoUG6wwXH8Y1XKDD4psvHqvnKX6Z6AvHcf2u -CGJxb3aOPV8jOU988HyTViddfU3+Pe5jGjvxXStURxoaJXh7mGbTOZp2o3d14svqUdzDSnm668RH -OF2ptun8TPTED8AgzDuAoQzj/InPxfCiBR9I7xOfr8RFJIoKOZz8E1+GIVNm5r+YuMjQR7hvge/k -2Y6STJ/4MqKQt4eAVEmWHYxPfKPbeflKe277w574IyNpFIW72X7id3x3rxJHtjqA7P8k5TXLyl+E -T/wH2xAh5be83t/idIw+8b2fpHPQNincPvHRJ7gRxJnJ/RumBPqHMqOAmGUIYnPT2ImY96D4mcxb -LVd64r+FXCFWF/z6ib/Z5eRTGV8VeKvnvP1kkVZdXkcgwW5gUQbJ6y6IT/yrnOnQVA== - - - pH4QV/ITvzb/3JFJw/m03ePgd3HlBeVlD4Lp2WFWJoyoU6j65ImJUDByfo2P5U7dmpeg+BHDqojh -i84tLugR4REgPqRhAih+02q3nyXLHEa7DBlCH+Ei1P8Uin+/zMFPBBIkqVB8KckMH0ALWvkBxb8q -RSXkYU0BApN7pjEkaPrE93FDm1hZ6mQXYqtY8RM/oscjBU4nEEWw4b0nTCrMtCTsE5+gcBDsJ9mI -v/zPEx+gJnUL7yqhw0nk8Z8Rxm1H/BPfz34yPSAGVU5kJcgWF3+h3uMTPzqqvNZlRaZ0UfiJ32Lx -TsoYpXWFT/xnRB5xQJZM9zMtMxThiZ86DL1jU36XL+wLoYjOWXX8/hNpbdffMRrIbcHdNCN+aBzM -N5ogyQfIDeITJbiFLH2g/xIM1sPv4Rc/MqxmK8ThB+zFEU4oCfmGo+FfrxbGtfA6TUPut/3CR0UJ 
-wrQf2iFYbIVvfDfxsFl6oesm/M9sKyIRPh3PmP/IOV3brR38OAkPkj5Kv2XwCTIk5IjJQgqAfgo+ -C+5koPRQMB0I/hJ7BrMxDM102gU+FbQQFlSUbCf1gAps3+nnjQG+05YI61/mmSYS9t9LwjDdaGcn -nJiqoaG/hyj8laTKL9j1e17TzY9MCID4PR+6lLrN7DA7LfyrEFj2yhj7nmDT9fL6PoXSP0gN9lZo -s6vvf8jH6Qg1xXVD9Q0Oipvv90PWKaPkWvO997MV5P5RWTTfwzAulba8rrNLvFYFczo2nzJZNt+3 -Xl2XXI8333MiCedI1eq+8z2R4ZohIcQQrxbTiHM8p9q0ANRbB+/ne4e5aIi5mlme7xNVztOiMcAp -IiImaJCwRTrfFy/6uHxanUWK5Xu3R6o5MmrlIv+c1qIoY19fexbQRRro7W35nocOXOWi8r2zANvy -C92y6ynfq/t8Rjz18TdGqXxPyT4aimHhHLKOUcNO69DYMAfyhv0L5ftdwYXRGkfd1/XEbxrR8r0/ -TmyF5fL9FGC6jgjme5X8IkF7/LCJ+V6RCJprvSDM910R7bvKazj7YekCkWXDTr3HCslEDWvx8Q0S -Yb73nl/2FKs/Yvs4udaZONiufXjc9e5xtrvJe4n8w4l6d9Wc7yVstb+B2xY5ZFMn9OqrmoMiQYpT -VcD38xjOS7iO53vibseCt/yFLYBu8X2+/1nuee72/Qu4Vxaa791AE/gc1Sn4Nd/flxcsRchlHN6X -4UgiCtEwnoro3rf5XrvFvdMvR/XBs1SIx6MH6qtUUxQOCmvfkO/lwdOfEvCd7zdMdP0R7vpLz/f/ -dTEYnfB8H1xx7QwCbbAHJBUOIOcNM5wxSHx4P98PmlMYnFxSyvP9DN/j2oVf9p7v9RPT+BQQ7Cie -71mwIq1tRvO9kFgfENROgJLayKODLNK+DfkDlHub7yM19EERKvjj63yva1LiJlYw5oiwqQnJBGHv -+d6HooRHNBDR53vp7JdtstDmJtj5Hm0UdE/9eRWsQbpzgakzgdPuScV7zzWYSj2bQ3uPGraJIakN -a0CqILd6D0BT8xWq95quXNRTKr67apaPDL2v3PvVmNf7oEAqdo89+RH0/qMttleGSy2RmDzv5eP6 -Dx8q4sq9lEwPxZq2x9Dq37+L9+I979Oqli4VuZF5l77WeX8Q0leWZrTvZwzi8UA4xOeF+p339n8x -w0mpuPlm77xH/jVhyqWfuMcD4Zy8an6V2zByii9wKRUsCtiepQXxUJ73BjJUJHRWT1DihXKd4jeD -8c97mVj66DTK9GTaFO777gk5Cns4OOtiTZmxINU59XnvuM8VS08yuZJlMet0bJyf/nXZG6NxGJpm -DLEpp9eK4gGad0zq6CFK9cQtDVSAb9R7knu0uy3IGMJi+7yH37qBmLvMRdn4vB8gID+KV/8bTdZA -A56QdKgqSqlaUQug99z5aYLP/BPi0aSuTmCmzKXTYQx69yVToqXne+Vm3Z9qkClMy0zvzIkYjd6/ -qvWOkxoMGShyHkO3FNL7YlcVWOCwFX55PVV6L4s0hcrPiV9tqO649N4lqS3p/So/s9cC/+j9i/Zu -pvYjem+p3BghavPCXa6fQlHMczMmPW0GxPfqCYl5GEHVAw9aaN0bBXIC0kTvpWblYgY3xnel+evo -IVMhjOzjGvQkHwvJFNHK33y65NtYjThB9B7LXRErWJHti95XUe7FxP5tTfmBYqYWZYjejxeJMnq/ -XFQwS4xC0ntDK6X3xYGBI/I2OEEXwo3WyIG46LHuCa0tC0zpPd+j/NIS2MTaYB5NKyPjxjZLTkiU -3rvbC+FMe4EE3EFe6X2VXidV8NErrwbvq0xYKRfGAnh/z1Y6TO/HRBdVcY14mt5Lt0T8LLb8pPPi 
-waBsMJBYCvl52QuSfP7TdFZQ3iww288vOwsMmDS9h8UuxxwLec4hqD4jhpWz0icOlNc9sYh0Yrlk -Oe/r5ZSa9czcgICWZ/LeMxdL6Pw5IH1jJzYpQUbKMpu8Vx6aXLHuu2yCTKHJe6eBDOHnAgmWaKwY -yIVpwMiSVMGJ/fmPn4TMdF84gVQEgLzUfOkIs7z7C/mwPmKm+gh3Xz/H1a+5Hm8F6Oxe0/Jsm7qR -8FHYriuJzdphPEK3xDJJ9V1NNGYypIw9mnTU0PEwu29S50sNkCvs39XzhX12wNl3fzVCtPtm1kP7 -7D6AKgBQ0e63OkRMohLoKqJ4zyLRYRW3xxOkYy2fTruvLEVGBZS0e4uYtN10sUopcuufrlKe8u/D -Z2+W7w62bd9IX3PvrMDK5ICga6Yw7OjQYDLa2p2+k7LMDZj2UMixdUXSTMkVcxUHUkmeexUIfK7q -imo65JJAAGuUnH3FVlsLCz7luX+29yfzQ4MvPfdTAAZg1j33TaKz4AF0mCrSol7UACV6NbyO/J57 -m6mBmdu8ovPYjvPcq6ypagYAI472bh7zUEpBee53mViYdZSEPqA25Okijp6Wn7wjMX7d57kXC3Ga -esbOSXr5ez7UYlrxnXvbmqSr65oRlF+xSPGz+6Bgr2ld6OvcG//CXZ/ERBVRIGSPPAiFTILFCBwN -M3jRiPu+kA+MsNkJct88bS9MAm1SgnHfBuz5zJ+5801H3sO9kvQ9N59cgRwG91WuUcML6xFnTOq3 -R+PgdUqEkd5e51/jC91uX5QK3p4nw8btqjPk9lr56Q0bIYiEbftNqzxjsxYNm+yGb7TZnepjO0vV -DsEPBlHZPu6yrc3IigFzkcH2uvLVES+uvaQaxHBrT9JBYLb26mQByz05qS5pq31tiDwXSgGXXJDa -Y94Wyjjv7PJu2hvgXsgQt00RKmmvfWysPHtsBKPAWLYmaWJyPADtF5QTACrAAc2d/buBBHJ1KNnZ -9xEhsedlMbHNPj9gmM1+0QITZ7vX7L+iQ6u/yAMrIx+52osGiNmvE4YMZe5nlv0Vg0cxh28FhoWl -UIWyj87GQeDIf8wJ/SN7xQg4+Ywha797zcf+OHZ9syXysqLi+rE8hc+xouiZyEFwr/diYrNh/5bS -LGE/20yyeEWHONkS7MG4y6qEL0EA7FU0vpssqbTz3NcH6Xcj2r2e1jhtBde/1xsrG+Drv7ZoU2Zs -Lr7eKndCClJDn7GssOV4weRUWhxR2Oy7vpqv3WVdbzN3kg1YhyDN9fIPWFtnP8pAUX/BDXH9snhd -2C+nc7c+97CyHIqjmWz9y8o6p6IwTalQP/kTy/HX14haD+jZ8Wmpxftn/bgKfi5/+4GzrAetsDTV -VVXTsf65tE9dsK4qWVqpPl6HrOKerx5brEq0atXHKlXV6ocyexSwsHrWLCUQFTJqXIdVz0QbVUB/ -Ad/EO3481dNlXhQIa0mP7ecWvyRik0UalGGgqH46qrGrGGJ7UOhTXzc2aVi+7qEce25grqm/EKhF -9+0OS/1W2bBb+fcAajxSz06kvldYsALYyjipMbWM+gMn1BD1by1NB/UL8aLOwIqr/vQRtAwJEPPB -5xelHkfo7XERI/8U90WoVEEgVFz6J9ErcfpKG6vCxGz6f3M6NcfRQ9PDPdJU6UHl4pqx5daZqvTb -/bt7vvTVaqjZFRwbpD96ZQ0OrvQDHYRTerq9jInzKuRA6Uulywyw7bVylafNqCqBV6plx1yizLEd -Q4vuw/yQXsaBkyMboXvtDjLkjt4AACdRuACwvNFbYk5BjlPwNKMH7auyw+BQigp5SNlFPxTQeDEt -00uJUr5R0XcqNkDqXTLoXKLfRwvHv5j2HQC5kRC9EzDAS+6EHHoKTewiv8iMEobenfoxrciDPFFg 
-0Ak9xc/rBjf5ne/M7OOXB33Uk/UZUajTGyvjxqjSPgP9jiARGX8wHaC38IFAqag2pMzKCKscU0Od -dL9mxZH6w/vsPCmkGz6/ZKrHEZo9f9tqdNFljEn0fFlK6eULL9xBnqcMMN6da2p/7tinICbZxeby -sMNOKAZupbawnZ/XndtP23kuq7RXaWwe1pKt8w2lFEhlUtZTcmhJ560/ljLLiLL8e2lkmqwXZQbp -vA09sUUXdyVHOv+7Ks4k1AxH8qXn+91GlpfhUpEmUkwXhYwxafXma/mtpAcATsBOcZ7FvGg3+rAk -cR6QHvT6igc4j/yLqXG4OHfzN9ouKhp41I+cZE4kM6YWJaNV6MJ2HwD3bH7/auW5EcZe85P/dLJx -IkHFlaya760WLDDNL3B4ftNCgjtpQ/PrdnKW6BqWVQHPOvPU7ZPsNsfMfzR6BL2wQplfuyAxP3F7 -zusf80PlsM4PsxVMi/koo+T9HXvp8tVJniUdwkHnFa/CCObv77Hswy50Ef8W7/vyC0DKiGEwPXkQ -+iQvX5LrVbY1Z9VXD+ryCuWGNAFjIC4uXJ5lKToXCD2vsBqCLf+ucVFjYblg1dPPU0Os/0HpiQKK -RN4QlGtZ2175pZwZFPd4n/1KrfwOir8Gbtm9/8Yqj5q2RbazKh8kglH5Kh2d4CsqNOWPGM26cJG+ -yZhI+VHMT9QdpphGlBe8V/kYPnitP3l1Z9kd22KnPANkdvKYLa6hj5u8ZTqveP7Y8FUmf55vsjwr -Lv92jEt+yM6xIm6itQU3TMljbELT7E/vhJJ8M78VFs+KHDq+uI4geSDcwiWO/JxA9jq1IDHTQah6 -kXfREt7KMOTPNpEvn5kZO+TPmbhwBz9gf2hc4ZJEcriYk2KE4bog71iX4gZ8c7w+CUI/fmLQmEr8 -+PjRYAV9CEB61RpCWkOPl3fCDzGHYA1St1qa+A/NNPEQFPT3Hk+ceKqUaEcu45cttQFGYYXGd+L4 -rSqhE93RIuzGH+QkB0GjOCAbr33sW2brJaXGqxCNHTwCS6hWBo0/Qft3opXgaEDjl/FBs8A1Opmg -4jG+mbFrvFziWwAt51UZxqOxYV88z93ZWvfFQ38MeiW++PCEdDWZA6sRXkDiJ/6V6Twt/sDpLrSC -ABbPXzwk1NDMvj5YX8WTZcQ+2YZ2BrS1U/wpMPiFKIOvsuwy0OxG3jYG8V8LWCgnxA== - - - ZuLzH3OzeLG8TPwaufo3qYJvfoxdTokfRhbIs/2E7ssekPjj3+1XXRJixI9HSkdX3pK/D/GHq7ck -N9WSNoiPyVpz9TXx/vDoAEhetIc/mrdvSRwSE9wOD38WW6LJ4SOnftvwO5JyPRVgafj1NXs6ekw0 -jP1UuN3NI3BASeP9Ahgeq1XDRTjU/YS5iUBFrBEsMydWygSmK/z4X+s/13aVwj/fv6q0X9wittgG -qtlnkKiZXDkp4eG5sxAlYXKVuAi/GqyWu4MX+EtLQXhighftVmU8cHwyk8kBTXor4vElEJ6HYiNt -9pWG9TcPKzuHpS4vPpJmv/b+BeE9OgnnluTu7yY/CL8YZOf4fC95OCF8Vp/K1zcnPc5+hPCVjWyq -DPBfHiVCePG/vucnLt8iTritBEUI/3Gtg1AMappsr3FfvTzh7GOLgBB+g880foUlHvrtYgeaHdMK -ZJgNwm+nunJ2FPHVILzt3KrptQ273Jor2M7fsn5m0bgH4UNEbre76l/tmud4nnIuqPdlgbYevNfL -vSai4+AX9VQrcjws0eC3OtYkMa/jTSRQKsaBzWr41NPMVBRZv+BnYBvlHei5+4IHgASVG6luX/Co -qn/Bo4wtH3zBa28Q15L2gt/Sjp45c7m3k1s86Iqo03mawxCKXXm763h4wWen7Ie2yLwnRo3qSFeI 
-xgBx6jGxbgeowh1MY3cSTw3tglfnRdR9SS54h4LC68s0Qr6LwitqAp8wMocL/kvypQu+3rEDbkpe -8BJFvyQls9lTz3/HiZmyOLYdg3oi2rDTKfayFzyg9JTQPdAgZHzBv/fVh1+7Cwy+lBXFubUJkofB -d3Iq+oHP4y14/4J/tM0MZEoN7SlLfMGrFm/G/K1APEB9v+BtAY7v5EDksw0GViU8k+YF/yGXX8U9 -L/jAf7wSHWVcUo5fIg/z5E11oy6gveYrbvGqO291fF1aZemCX33IN2h+60tgn7l0dFsXPJBDhSYm -ueDlWmcCESNVuQs+FNWVIRUGuDsfu+DdagtCQeKCl50prXZCsgVPg/89PMPg64YucgFKCz7nm1i2 -4N1CONsnMNlrCx5VeGOjO5j0QnrU8nonwSRrNdyCr9uPliuSvyfO9LECb8GHVzPs3YIHhc6qNVMK -MtvdqEkB5ZhJnIq0prnbgrckT9DKL7fgl+8i6LoF3xp7zlLyGC54L7OpAXZyr5NQOuTaHBpZdcGz -OzwNSl/GBQ+a5MGSMcT6MJiCj5CYlOBJ6LDGZpXsziB4ZnUFLrLxZeSr+kZefnLR5h/YDcMpf/4t -pv+6kU4VjsmLBi6H4DFTdQGshPf6lrUXIYQbfg+IQGvLP2bUMHP3y+jOja57E6VFhceEUXjwxZAO -o8t4/h4ToyqF1OH3xeihAge6UxFQSxnsFTgZvIBHOnCfQMFZa2zmwOuaO4Fb4sbIuCuLK3CwV+8S -KqRA3631juwJjrHV6lcUTuTgb/sTnLfPiSSjLxtDyuhJ+OIqGXBbRhdAqG0mBkcJp0lFcASwC9KW -cMzdWfoZ+5oIjBJOWxUZVe/X0hlukOYlq/RoReCNKVxrHEa75e41DM5kCSeVICoJx1jcYYSDvStN -WhzHOP23Mn81uSg3ELx507wQuYsI4aStP+IBScdSPTXn/CaEYwSsuLm+u2eFwGeQcpqXB/gdVAiH -CK4bssAj121qCEdoMBMDSVU4gDUbCoGClJlKhTMkgE3hgCUnUDjo44RO9rsrjJNaRibHeJjY30p3 -zjzhjErMr4vC0Sv6ldyqUnvqztn0rk6pNe0l+g94pyfQ168PTqfCSHW/Dw4Rgrr/2TLiICBkYzlo -fRiGykgwlcfyjuI1Ryvx1wScxFHE28rL2sG3IXCQ18taQ/bH1ACJgrI7Fc67itVKS/lTGt8/gDsz -fUaBqEMVDqkWuSR0rDHyVDiOM42IZWXM0ulQ4cR7N74HZh4zsoBKztsBPXngmJGS28NmdHEJiZti -6K+mMSPMZBUsF1SOIZzEriCYzbTwgReCl7YWXY0TcKRthUMVTBHOILkdmoqbIgDIK4QDZ6tFlYLs -srx5WXP5PXj47hRG1d7DDehjZLpcXHxkrW+4T0yvareb7RWEA4DRT+Fg1ujwEWpzZOYyKy8fV3le -Z5QgtStFHWaDv3Y4CVRA1hp1Rq/T/oz/BGyHuxl1Lxml9reG08G6ZYsRohuFuBWtyg82m5gz4ibc -jACY+TkBsbHf+Gk48fH3JodvRuKowME1HLALmE4ZMxqqmwZSb0aUa3QjZVhVl+3+5R+v4bS54bf4 -vfpiKjyj0QD/Bc4osTUcVZng9fwtLGCOJkd8MKP/Mk8NxxW0ymsGOmTgil0YwmJweisOu16JKCAq -+2Z06weV3Q7Xm5EG511dBW04nNM5ytTr3UMxznW3yCqvx6mr9Td4Ds7Iw+3dH04yf132CTtYO/KM -QLb3k25Z9Y/WcH68SPVAIXEgQORFKuHmDZ7/VFc4NvThbnprYn9o4VUZDU85vQplm6W4hHwYTNQJ -DpRV8ynwhdG+TK/G36ioemBm+ot8IqMdf3JIoFEAZJz47uiM5VUMO0xkZAzHGzwff004Ib8Rhklp 
-/+UTJjg+UkJJH1GxAJPR2yHm1w5CeXGymIwAJ1jsP2DpmIzOb6W5e+FXT6C7ZHQGiKiM3sUHldbj -kTJS1NwuZih5Gt7g4KBUjbYcCkt93CllFDd14HbSElqSMvqkqAm2Fsfy2eBcUwtENFWjDc6KJxir -O7PBAau1VxCsyFBG7AHBRQkOjqfB+U7BqGub40mgR+NC9rkAjdeubb+kBgfM1az7F1sOgVBG+Ald -mceWREMbCtSoQ8v4GuEEAxrxk9p7hBMHEdE2rEssI3iqJ6w7FRYjHAw1WmQypLRjGe0LSsaXgDU4 -Z3kMxzLiQa7XJaZoqvsV4WwhrzJhRvoGpWmWl8pZODuNANTMlN48ACutLRzILqWdkF6fw4xAJPsE -OID6pX0so8nbqmSEbTwzg0k4BFfIuko2MUfCgTxjQshxDyF2kXBOb8mBzvE57kEkHH1u5dV7iAPp -IuFgTk48ceEQ4llKnHpSoJ+GXDhxdONywwkAmtS8Ib9rRgb11rtj8z9SQDBiRqwHFk0SAjGw1GZY -TL9wypQRtBe4ijW1BwoCyowZ7WBhuqLGHuGYkedy5JzTEUGnFLBBsyPdF5azXgnHV4J2IDFaHMHY -Q1hEXThO0CKVZbIPhQvn2L3r4HCgMWdRXeVwnq1WYMeM292MKJdMDw5EQRSUMsK5sMhw4OBVqZxB -82Q4o5S034JU4MlwRpuEZHQ4vsca0AZgoJXDgarAwUMcG/NRmTjKJ6Y4dDoUbwnuK3wLck0p2iWD -j1scIwBxMg54cKRtHCxYjU07TohHGac1ApzDA827XqMBkHMQ22QtNjIRwKcm58QrR2iOcggW7Qjf -RsVa3sJXE7JyOtujNH7b0I1G1Vz15cT6Sx5zgHQWGzQHBiXSEgAdM0rEOWCe7sQRHK2N/EQrEGTR -cyZ9PzITgejn/Jrrb27QEVgux37oFFzsiK4N/ElHLmt81APGV+V5vNTR/A2OJ5s6VTpfySgxc3MG -bJWq6MXRetrTz2HvHQAsMJVwwYk6H0JAYGeWP1WGOsYHQ1EHd8dzBPBA1xFOSG9TUxybOcNbKnDp -TNZIk1qdJHwyZB3sr6ZbBzaTcIUcYioeLw0ofUThZAIT6kwrC/5rsnNHAGbPAu5xYVnaAaH7KGKu -QFlAeuXMSPY5aDKBO44lSq/LrW9ZTP9CB0t38qV3WG938PGICnnHhI76/ds7Gld6rZgg5d9LpSZI -dCThDYAHoXEYZAXP9cAJRgJ0KCIpL7YlSAQ9gUUGpI+lndqlDE1IalGjC2nVcVJGwOcOQsCKJ8yX -BCc9hMaDLmFz64iOHs/JMNqBkceYVh0oD5Y9aHmALN9e544JfwZg8xi2G8MYkWpZ0VtfkZ7ct6TB -I1mYgJ7vYOjJKSRfY9Sz91mfJ8fb6FnRk0gbiS27qPjnAvbMem6Lk/J6GICrynqkFE7bDbwz8Qnl -C/VIg+5yKH+kICB0SmwPaY25zT9PiKQbxMsmYBlJTYokmeoqxfJ70CTBM6SdT4IPiaAosSeJORzR -YzUALD5D0sHoU1IPM48EcJH01XXZV0m7vEApwJI02ZG2pbQkeulFiqGPwKvzYvpkBQCVM5gUOaBs -Xh9bLhxQmdQ8wHfEfbB/vseSHPRPYqb3sYnRbadwrqMm4ew4B5OxFIz7TJV/b4VyC690afpMGsvd -vj0ojWXSBANNMceA0dcn/1q5bocsgV+fsg+iTjXMv1JpYxLkK6wxK+pFmDT05sq1H5jQ9O8lUZiN -l0JEBgSh6TMtfupyY0Hppk/uTexIsFjZXpKLmBspULgLnYrok2oN7SVZFk+d+EYhkYSb4SwUx07b -9HFN/sU4Ru646fO/VSN+JXh/PPSS0EEKlssSdGhGRhNO0mIN0YdZc7KbW0Dlm2kBKfdhmDCKUDyi 
-jzc7jPyCiqD6PVIqtVS6FCRoNqDgLOk+Mp8YWpKYaVJuIHtDUYVylvQykBt3IYckXtz5JO3XQoe0 -2huXK0tHaucM9rmPws4HXJH3pfiPF86SMMjrVgWtZXvn87UkDVqtlpjtfExstabfa5Uilj9Lws+I -7Z4cVl8SnM4HT0CJoQ8mY2umDxCMjZ7a57wDDwkHGIJJ3/jNARe66lMTV6oAgTzrqlh9lCIo/PUx -LTepTPofJ0JN4j4P9NM3vHcjcZ9sd9Iam6gy75mkQfCDUX4e0QMpaNIU95FZt1CCJs09Mn8UO9Ck -NQuspbSr0s19hMyoaCVhAbaAc59o+FMFo2dMmfssj5+YGWf8+5k0zQDK0bnPhBVzH1iKEWpln0l7 -sin0WpCkJ+QSwxLiP+sIT25F0wcCaO8/R15yUJ+d/AiSdFgppdzn5t04Vgnb+EwiOI8uA/PRyT6T -jAoFHv090j7Rl1Qb+HKTNV0mqiyTvq+/7FqOJxZtQMsk4byyN1bvrGZBkfbJndI+SWg80z6qvH69 -E79KcvNQ09cln/aBMJbRu8OetECxTCogLLKrBuhG2kdg+oiTxAo3ifaZeW+l7MLfYXpCTUIcYzEL -fAK1LQVD7U7Ab+Am1hUTtZ3OdJ0ZyDD40ULruAU/EA5+xH6gC+jBz1GYArrmsSq1gd4Gfiz2Lgcf -LacM/Ay2Vq4CP28cPnsB8VAGfsYdtgwXEndNIfCT6M55jQJHgAJ+Eg1dFFnrn7Dg50d/1p6/kH4U -LfXRzWoO6zQqhQ75oyyNk+w0rCZfEAE1seZjEzE2ibkglH85XTtGTcAPmTiQym4gAcCPNnak2bs+ -GcPp6/t5wA+MGjygxj/23+cp1O2jOLX0EZt0+cNJ19n09+VlJLX6+8iF4yZyfbKM1COJUKkmyOq4 -GJINNNFhIEtXuj66LNg4p/G3iEFbtjCHe/eBBNd0pCbFVMi682v8UZP6ngsUzJbR6Q== - - - luq7j3dW19jWz7PNaSOJ+ZRp0B47sfwAZ1GTTpe7ZniyAkRQk77mnDBo99lBulZmfr5tEVCT/Jnp -CEEGgB6D8L/UJLXIqPRzJ0rSrjs1lN9GRvaR5rRvFO4+mBeFGBVACPCD6M1YMuJaONPlGtvzFATw -46ExmPipLwq3qoCWRQn54QuLOGlmdIPOzMxnRpxU4hX3uNFvq+IAYTp18+Ic4sGM/DjzLmHwAclN -nJR7WtpG6mP38o1WF2YU1E5J+fi5r1IhtBZgFeHxI+FUsVwjxBrykyMg4vGDZeyDfwAsYXZf+jXa -QFFkjfUNTvpr+nRIdldihu+4+uTHFR77r4LYXZJMwxIRg5STCoHPLNs4iAgQToLOz3TFgQ5hO8cP -biXJNpgCQDZ+HNNKlmdriPzbUSSeaRhflq43FFtyyOUTsg85MH6SWI2s86WNQ6SXOCnl2GCFaT8D -seyakY3SbDoJP+lnY0BXxl86h+EmV3vUOefMeGqzr8tmksrqCj+t8XPte4jiJI1T30ZmRg5Ajemf -UY3jRyjVtm8jDHn8BEjDz0t9/DC0lCCtqsLt+I8fJLe6vloBOuny5IoO8oOki+24z2DIz6rXKI52 -WpoJESE/tjk7k0Eq9VjbBYgs+B5+Vt8+Xo7fuS45aRtNejdLZ1kbOvwYsg9HHVggnTE9CPv4v6zg -CduBNA4/Sf4sf1IBn1vIT9jBr9hOav7ZrCBPok/Zg7R+zL5a9NkPIrTmDe9HRheXiaBUnJ8yEx7i -zzFxjbgC6VkhEaz+JeWxBApK12qoi7JOm0X3/fBFZqFD6Su7isf3I9liuqDVTV8ElNSCLRsjWSbn -+/n52eNPNB+WwCgoXRT2Krws0tQpe0f2T3zSCSsoCVvZ5QbaVlBaBrtWZBWUPGw7rKMGLiNHyJ+k 
-cHsxH0imhAvv0x5R8vqHXQGlRL+B18lPivSt68WPtv5V8EmgxiPGo+krg09qFL7yGLYXGhW4J21D -k5mepayqe5Jx4Oc+Kjq9gKYyP+pSRPek4bMBxdMxbJk8Rj+qMkFmdt73Sam8sJcw/w1nzH3SOIN0 -x/Ga5y/sin7EyhB2AqvVQdHck3gTwpxpU5YZc+aHF80CxyXBMj9qtq2n3i8N5UlMWYUzQYwqd1Jb -y0OngawefizA8QNuoMHf007UVyzkTbeksoCMgBt9+EkvxCxBemzzww8zrUB+Tn/bAJh2LMeC/Eim -YO/AnkQN+TmFDMlgk5B4xM6dpBgEfKRk3DIgPxDK6YSmsr8s5KfWYfl9ph0SuiV30p2Rtp/56WVR -2/jvwuNBpZkfQxtgPDIAGoTMKE9KACD7EEOEvHERsJ9k3aEQ8rP9sBceuRFFcaQqmTvJ3RP03sad -NLZ9mgNo2YQrID8b/Siw0fFG5wAeWB3o1ODt6RiOiYP8VDOVFUswUoT8lL8a1rrVUXPeTIL8DF5j -mTYYvT9+xP21wMhYPYvHD69hp+0O+W1yq8HD8hnk539AFtpSsRU+3UlsboLkXUMO+cGh6IMMW+uK -3eNns4SNlxkZOeD++JFXtplMotxJ+1qSQTi3PX7aO7Dus/D4Ab4ChYEHu8adhOtowz48q09A7n38 -kC40/yXdSQfhZVsYes4gPzqEp9wQq8v8a7qT2HuawvnSKh4/ITGBWKbPdz1+8ND26bHF1p10/8Vu -VU2Ed36D7iQw4otoFgAMUIBvd9I/nbHSHz/aeu18fndSYqXUX0sRwPpCjjqJylnINupcfl3gFn6u -ulqvIDbxkJg66U2vyDunjcxyEvqAbt9HTRKEk0p54GFEw2VyNTfJCkZWLMwxqPZxvQDhpP0gR+T7 -pDco/PSiu0itc/LshZ+TRILHRUxS+HEOSivJ8INNqgM/TZPvOfz8rcAAtTd6+PBzw6tGNBmSJeKt -k6AdalVuNLh3fQ8/SQ6Wx5aYxmXg8BOcvoGabnJdDocfgNA0NQmSU9M66elTJ3eAxE82sZt/0WJR -10msUKjWyYEtzHWSABoPOMyx9ToJMnC5taj+JhE/V07d9ft4plLix8Ruia6TOCp24Enrq5LiafZs -wsgPzNz7R7cU108F30mlBJUBkA2886X4TjprsjO9ihxTv5OQNERZGyZ+ZnzOncXET4LXwQ1tz55V -tTDipwJGjVHVcl8hfr4M08eKikURP1NJa7tCQvyoZafZiB8nj/TgLHeYoIv4Ia+D4FAPZ2g+FPFD -GM1R5LBWrh7xk6UtzVF5QJ1QJ4EabXR/IDmpk1CMm7Kjw5KtAcQPpP+Fr4OmaDppd6TzdhOzn04y -EBxDpv1oQdgSP/YM1NFUMKtHdOIHxNsiPz/8a37Km7588LKpPTFAVpE6GvM8ySwK2nLiOGDzE+Dh -yJeOxnFnzo9wvsMj+h4/zpOaZItfO6r1KGr979djHAHsedLpvd8mgsM676RpZ/KV5ptgeJ7N7cnq -JL2gvt2j3wKgEAh+wFWeF78YhmrVSXKZTiaxCg6CnyKshHnqJOR5RB74OhnEkiAFP29T0elq6KaT -KP5FhqxH+ROmkygcFqh0t7PppJVe2a86XOHRW5EJcUsuqJv5iimp0GRIPHzfkQE/2doF16GwiZdM -m8nnFC2RSsOlAT8/0hy8dviHbWS0CiqBAuCn77EVpSJ04qfg7UjuevEdKLjT39xXwfjRpvTfJViW -QHX+ToJCrLYtgbukufxfYMZP56JpWcRlqxqQd9JBGuoaHzLZ7eLn1h7YhJZ3kswU8YYuf6J3ElPz -yMQ7dnq64sd59vxDFlf84HidYAsBJuzED8gQanKSd8VPBQ7YVbSejq/4cZNT7Cz5PvlJnoM63cU9 
-pjoFb4J6mTL5CcS8yXotbjRa23nSa390KtiS04ee5MAuKfGITxgpxicVPyz0ukZcpvzAu68tBTSd -zwIcPYki+AZ/XAvUlDPKz2aZtYi0ol5PP/Skq7cPao+WBB/oSbzIZm9PHT8T2nfSSisnHuXH6Eav -dn5CGRJxph/qc/SYUjW/fh6SDO7C/RjsSsWFP/4sff/h8gdsUX9Mcn/0xKjvhQstzAoU3z9up4I3 -mpR6gqN+Mt+S7Fqi/aUUCf2hT4Dop1N1gABNQJo1aVwYkFqTqEVzQD71Kn8p7L/QsPxU6iO6DHC9 -9nSury4Qnhp2oxkIbQXQ+BsIHDukr8HvLpvgDASxidSBGAxlsjAwV2IDh1jn/OuiPRzhlaIgBRF6 -eJcBS5MkknzpMSzLtL9C3cRSVB0AxLHkuEAMt9WHDPIRVAL/1H/+aEe6LAGenOoHOlMcJGC6FhQH -CYSMdXUQe270uvMg08AjriBqSbemU4ZyLOWWUlo6JENHG7Q096tINP3WkejjoHtMSkuwTC1J3Q2M -9oMa8nnoDIPQwnpbqsRbCsaYfSNwieMyDmsl5AGc9uQSXns0Q3ZCqfR1aksUitYl0JHB+267bJea -mDzxu/Svy+XfweN8oSqhhWhJG0DGhTjTYLhTL8ScT1kGQ94IMxbGEHWtU4l+6QUt+cz+pcukploG -TIK2XmTbT1DJDWUKSmeJcOhTZOIth6RcpiXqkLwQxmOHqUoNePEOUrKK4rMQrbTsMFWMcq3CWjrC -wMCrO3+OZ4c6TAVUJUk/wIqILVY/vJZWw9C6IWoME7wCYvKaNZIQw2QMTIPOPWyQZm45NK1Itv9d -pTbxLDSdjUDyNwWPU71/HFBRr2aMcOiOEFvx98E0ZM7IQdkvKcFhHvIFDA4FycBiZcohWbzsO8b0 -cTCbO2QJGBK/rYeYMlThXrC1yD2EV0cUuw8B/ZriAKDeqzLECCJlJpNrEcdUBh6m0lYxgN9Lmv1/ -Php+MPFSS6IBpUrDUL9oRNx0j2gNRiLdu97GJ5F6Q8n1XCYBJ81HmImE4eBvNVE8C6J4TkTOsaVP -PpFEDUVp+Ub/o2hae7H5BC6RMGeFrZsbI0AimpmIg6rI9qYnHEUTuFKCntHIzCuiEjgoFmFseY9V -L03F7652aaJNPbChtYhywzb9FsUjLh7QRcejRlRSXqRjXyTzKGdRfieCkWoT7+8NIz9KGaJbjJyd -VBuwie35BcrT0QrGU5UAtVGxkk2fa8gdImfEG/ItpE0tNM+NS6WLtWna6+Dw2qblXEmW6aaCaJtq -tOgH/J+3Olg7GKmHAe28RiH8nuh/Y28Tj4kFCZiCA68e623C+5khzOeA04nLidfI1IiB53qiRK9R -Or+O5lM1chnxvdUlqct5E2mHEWQwzIzz0jYZ23d7JtX5hLbpbIi17r9Wisdqk0BgHnGOK40q2m93 -353rrjZNBvaeu/zwEm1at6ctwma3lGhTzcyZJuVQQxw0uuKM0prC7QrjQSMHb/NUHqKPg5CCRisg -TIjWsQtZwLErFkkLok20C1Ss9XXIok10CAsk40x5grtuQaMOD2gW0ZGIQKMGeYFeVJvOzVRmqi78 -ZpsY4bCf3snZpleguGWN0mKiqi1uioEO4Tk3mQDAO2pu+k8cU6EbaUYPMYE3aQTJIz5C6U10csmM -fvXKN5WYZ8LVhHQyZX2hI8dBrl2DU1aB2F52lF0hid0d0WQJGE48irbPiGCcQvbMgViPfvJ4lZOQ -0/UsOYW0ngd+FKNyyhjm49Qf7eYW6/43mzycTVfvzMQbZJybdkFQPpvyY2ZO5V/xb444lhgg2VHV -Qk+ob0H0Zk6WuVCpOuXh71LmJPwhS/jva3/UU+vXEDIz/pG1dSvEJui3+UfE+tCGD9gGIpUGW0Pk 
-vaLs5eYfqSmm7XXKJFYB/SMUGTVpf85k/KN+56Yea5GCyj9Sj65104B/9PVAiD8inRIde50Dsas7 -ID/7mfKjHMoxHFHuj4CAkm7YXnbFBCToMZTRosPu8YKWP+uaV2bmlKcfYYRRRAO7Yn+U7KIIaU4V -zP5oQKh3mGp/ZA9AGULDiBumPzHRdzlhd5DAs4Fko/0R3HJUJSDl027+0VgNpAjdo498EwOxgVSS -RwwHUYn6BtKdYR2nL6Q0AuaDm1+DKSV5/RgBybIsqw0kUHZ1Ii3M/kRAaj0ll2xOz2Dfr3xTKvQC -knTZ0GolsVKO9qPO5rTAZJMVV2+IUoxdcwoI7a9aEPS05kQZOIhv/zP7WHPS4PNmk/YJIAFJwmlC -q1IbBSSEh8hINg3cL54C0jQFSedk5M6SBJ1TZNPo7vrGwQ8iHEA6J3GNDp6j4v2ezony6BfvAyVd -MpD2ZUXIqiBxLqStrAMUFSTvJ7rgZYCi+pwucpn1ZQRoyzAUJL5KzU6/PjG8lwAyQbLrSUKyF2KC -JIHCMD655QsyfE5g8SMSJl0NcM9puV6hgFDVcZB2Z7+EdIwMilg6UV61sIRYOvnLvytf0m6qpVMC -5AvvMwj5cSHRIDikjpJYQtLQ6VjBTjAyGtnSKYMjVXw6AeT8rYp6JeMLqZoloixmEhGzgToxzkzb -oHmEPajTV0TvJCP3pYqwjCEAdfIUJNLl/fRH86BOBzkGArKETKc2l05za39qBuiTXg== - - - OkWQGIqkQG5CqvQzyqhEP7yw5KXTDBlDjXJbEUxIMHhpkQaOjKjMNa9f6RQNCVJJKUs8grQmpKpS -bqZm+4C+WiYk6PITlVk8iVY6qea3SjX+Uy8HCa923xheStel3waJ8YaVThIaLvUqQG+Tcac8dxNA -KJLDSkKy5SS0vRLoPgktnY5hq74VHWMhIRUEivOrT0XycSMh2aQpk6lkSUeY7cRDZrk1oK/dBimt -ySEgtHQCEmst/YCvBNAsnZIcB2u1geP0QFQlMgcJcd0zIgY5hoMEiIlKciOOWtDifcwgrxyk0H/p -kewzjiqrIVKQ0FzavdLpx70Q3KUUisVBOi86hXsVQOT4StwNEhqCNsTB0JTJ0fG4yLfwruW2nQwJ -B9zsnscWFp0IujGzJJIxdfVnF50wMJCswTWCLDo5Ao/nvpD5mQgSN3VQxEUnsOhlZdThNEEaPWDp -NCARJeiDG6IFsUHSSevvKo7rdbJwgyTbWbh4hy5Uj9OszsvUbZBsMEEV3Mnri/SBC1Rso4NLtxjr -tKGmR0LdGzcSUl4A8RaS93OJNiSInwJL1+kynh5W0tYeFMjkiTeLIr2Wmu7UIiEg9gC4Tur6MmdL -KXgk+3Ukg6SjeMVgJMGQvz88KUSKFXuSYi4m0EKvCXkCYo+V9T/KSkJ6ymotyRBHIUi+JFuDpsSY -hIm1B/FMogp/eCJXTzUgFbsmnDRfJ80AnKQnQSI+oJ/0hZTCOHAdKUcZjk8UxwIRRml1lFhDdO8d -9KlZkEID6o4CKf33+Ar1iTj+AzP2qZPODg53SnvYlxCikhEDLMq6KWoamauf4qKUxPuJdMmTkZpp -h80UAj5KfjH8fN5Pws3JDVnemHU/4SqASZ4uIB7vJwGCdkD6I0JXyS6fYV2mg5P/XaVWvZWlPNSy -RV0lMMgGTrPwdpVU/H2NeiDRVaKQKHWrl6Vrr1L1VBVjysHaOUJdV8BgsUhE81b+3Lon/SAlqOqO -nq1SrwRXeD9YOhcysFPCOznKp8U8XJmN7z4a0k0lm9AE4RVP75eg3awQM5YAA4pY4CWF45CMpYwb -1W2zlJmel1mA8kb0hW9I3f5eLCVTVqDnh7UcuFhS2jj6LHYBSqXBMOMXPxeghuGnRC6ZFIC+qy2W 
-DBfUAGN3AckRFkuhxchcQy7qRLFULeepuAB8KZaMRVQWS2C5LQ1QK8lRUu69kR2gLgAzzYVr9w++ -YqE9igLLTP5NG40GS6EvBEveNzgrUAvTgUYQ+YyoN1I4Ms89yhriwEp/2ajE7ppKQqUdfckypADq -QX6PD1B0vJfwnS5WQgmjPeTLqcqPGwMlSadfp8Wv5K/ELJrOTgIoJ3XNic9CIYx/JWDFkxK4a5WF -v9JBL79lMOn4r+RVD0n0fqW2L3oQwDgAZb/mk5CDDJcJQC2kYmSDrdJjGzFYjzHWSXJThmyaI5vp -Y7KKpl8JacPblnmippm0BEgIpS2JcPN0VwLNEv/diKxcJS5C9NgCCIeluySK+kq+5GbZT/ju1YlK -5mQ0DpQy7cv64jR5vAxcCUiQzMy3T8+DlmrIR9NvYFBvszI7YfF33lclDjtXR3m1Kl3ScZBixiCX -EX5aQbTHt588Izkopi3e6dyqhAkBNfShXUWr0rTjpI5GEMa3zvZTYnHXnxaGES2STSWhUUQft2cX -eP90ptc2lfpG6yB1K0uoqZQA4SduEjxcCEnGwJnO0SHMEtwTynFVqTyC/kZIMV9Vil846NwgkLb9 -ZOKig3CTt+MGU0x/QgK5KOqpUgmYpIMcQ/AwVap/pVqSP1FMq2VZyfCV0q0E17x17hkJXvQvBGDJ -mPVxsYol1gHPAgNq6yFU5SzxgH1DLC0t5JjkupZURJ3igcLxcW8QabEHKCK8JBePXDK+glq2BTWA -iFIFCnxsdNolUHv5O4yX4NNVU/ZSYLhbqL7EvnQp6i9pduKyDUz9YNI7rgJtJHC4k8rLL0NMm8/n -UlVMP+IR9zLq4+UxPeOkel/qE2oAkz125BZp9IcqPDC2sOcKFUck2FVyhSCSIgsVObjGFrAMNRAd -qWeOlsdrQynHKUSLTI1QTPmQokrsHVRkipPgsErNyPSWMq9iMi7Yqxf2MzJB9lh2q+0u/DAyDaYB -TO1lChgIJhoLNQ6nPBZFpgpvMCp0dHdERSZfHw0MiYPoPgwDQTOJefkZpnvu6NEIOTMyWcdl1LsR -+fFEtJHtLoRAomzngSVgY+Qjk4mSZSRhQpXb4wGUYUNTYoZqc4LpEASgBup3ZGK3d+kiRDkyxQv2 -DHDGDLULOKOi9LouoscUWaT0Sohz4d1NN/6m5ssw1OTaBUrYunEIQTlVKLSrQP0pLPMf7OwhtqIx -kccni9FAbYKH/y44vJKem0yBA5MKwA6bmTwCmaEqqNf27Z9B7IbnWGY1bo8p23IhhGyl7DHVLYQ5 -6NtVtiAHujH2jc8wSQl9QyqlDrKSKD985EaEJvU87TFdkjU1jUyy1bB1lC6hMVPghHupgIUairNj -MyBPx+PCyPS2cY2ZtGMAq49MFmcSzVKhmf2rvKoBNuSaUbIcR+nBecdnb+o9EWRSutOiZYpEg4AH -KdnnDXXPXCxwLbPCgUeZ7mil8TRi93VDWZhVt7kW7OzvCVEmNquD3en5ADtnSx/MxkzwytMB6jAi -lWPgHJZOBj2EpWYCZE+PAmU5Jp3EnTcUFvVTR4sIJ/+kTB1q46LFS1QNWAGPZbNYO8y3BbkWMMix -hd5Qf800C/Jt5bVNCFP/ucEtJtK2H4x2GqlaOgC2b6jFxVcalryenrpSpjzpOEIfs8oiHtkAaK81 -JiltTDUdJk5fEp+Fv7GOc4C7yWc4a6jBMlefVCzP5hMAJ0L2GU8CR5X+mDdO0ImCrh4YU/5REn2B -EOCxJf+VZPo2gfqcPLyRJM8xbP2y/PI6LNB2Q6RBTjzA5M64VdqZXaphNUky0cWnoUh4NR9WQDAN -JdbOcedC+R5ipcYdiNpgMRmaiZhQCiZbXgoePnV82gHmMyfI97uh6tqQPM8Kg0p1Q71Y5qU/V36w 
-gMZMWcLEmFcn+x4wHGqovy5PoyXOJBOGhadMgMdts931fOINtUzGXPUHnEZe+j0LmEfUA1SCOmXy -Peab802x5w01FColhkwmBi2BdjLOXl9DCT2wa361k2dhFXCE6ohPTWMKR/5DCtQajDbfa6Ds/h8y -2TsiC6JF0FmyE5dpSi8iBTbKtIdMihpdPGTiuodM3LaFnteQiU/mj9oLLxNLKZ4MVZDZqqHmo637 -P2TCHEfUCRGZ+m3W7ogXSjp4TRig+a3GfE0mxzo/zUwQQw0bbdwCq6F3PYCZhnqUnajuNu0HYsJ+ -Q8nru1oqjm0zkHwT1cmIP6ljM8ikIVIEl4JMG45b/MeZVAaZtqbl9akkMkHujtBPYyBAEplcLHwE -WEzRNM1vRKbwhRyhsWVHKsxQJniV6lHZZTG6ejrpDQWfLRTnULDjzZPp4sG8TC1mpgHO2psJ4EcY -4ZkAcbp0GeA3aeYI027QTJqyPJkYTtNLnNlSEwBH5Gqi8RTK/tb0ELuqSlEzYRAEWRqYkpqYU0q9 -n1yX20RG+SK43NSBioizdFGR1omDvigsFzCTWsOoHJ1v9JuIwIQWnIB9vMkI2G5exv89o3rH1aYY -xQiAgLXxJt/n4eHGCUd1zsms6SF26Qa2Wi+dIrQ4iiiqU9uu0/DBcFVodoqht9NwDY14pwwBVcE0 -RYKleXiw/mdEanFCKshTl3JIfS9n+CTNE9EsJKMnAaVSlJAJk+CXJfNgx6SC1FYfpY/nfn2c9dRi -CyApocq9xCtQ3ka9ejLxVwZ1uv+Qa6ReGyWVQ7bWSIXWeHoRE+gr0RPn4hlVW5pvwSJlFl93qjuL -VFk4J0Qkdy/Gs7tkMwgI3aMnE5beSIm8P7RPrW2S68k+n5z6ZT3VrRbpE1pP7EWn5+20qJOaVuuJ -hOCfo2WcjtSnKAqG8gqQIU+QkRqWpl3X6fQE/V6OVNnOo9sYvOdIkf9JS2OwtISkjmeES61K2RD3 -dAFaI67lRwD3RDemW9rbr2TuKU3fsVIuVAuKe1rc+JIesnGAe4LGkCg7gavhnq5UgBfFlVW9DPcE -nvDjwEFcYIWkHmblnKIGu1UhKQlkrcEn08ODaEmF/urdUPAJgdmI6v0jT2W0B5/0Zn7xESd0DFhA -fGD1dcFKCgig/NLvHqpPWVh2vfeJbrk4zU+Soo59NGDeavlIpYg1zsZD8FMxghRgAfXaL6URg6dU -ObX0OlAB8H5kRmFsgor6nEinF5Q/RlNbWIql5aHjlmXkNMDBQa1vLRWVlQjxUwm2lgp3TuIL31Js -lhF5qVBwewzFWg6lo/xYFGWlMxmKHt8jS4YpWfxpPjvRw4mq4fr8MTV8PLCOiwmLMplIojNTl1Wu -i3mmMH9u3v9NlTGjyiflk9o0JV9JVV9N8ZEnIIBNBUA5u/a0KejEsEl3+QskoTn6KDEb7w5AatLG -WTznSGEXSVEGUiCN+8CQ0to7XJECDiz5OfWGxjRspaSglBnOQShSeP5RnuEUXTZoPzwF+PZpT98i -dGXyqVJZzARLnMvZlXpJCMV8s5Q5emZM1m86+S2lrEbB508ZTKVa8u1qAlOeupFUTIngZyKmoMLy -GLCyd4xb1sDSVFrinOm/piTWkMLpcGrjUWxqosLb9GVZOWYcHyuqWZ5C+256Uu/O7p26tUq9wpLz -lCx8anfJoTDkpyLwNVkWpAohqMsBqo2yq8UFGVNBVQGFmxMqLbYBFvHOPxK/fVwRgupb9Dv+f+Gc -CtODNp0Fw3BR+fSvrMqYRPlFJfik+EHpsunuQLiw8ShLh4Fv4DIEYFSShxYRQAdf+GG9YVRcqYju -PLmgJQ1GVR1gwUeV1jkxKtxo3XGr1WJUKsrghGl1FTDlHhUjRqWmD5cXggfk/K+TH0i2OoBjVE7D 
-ZG7G3HxjVFXZ5zxSAKq/e0Egb7ICCFYYlbMXTVgFSCrdYEdxE4yKob/jT6zSeVY0tow5K94QkoPN -1bFHE4DZJ8/AqA7JXmvfeQnkcPfy9jsGo2okH96xsedX8wSxJckkGMKonCI39GJwqzyUTiWEK5dA -nxzQTyEBGYkjmeKBUR38xYpRQbU/GdVRwn+R22RaOOPNqBZNaVQvIzV/NRJVAYvhVdVFDG4B2NOo -kCL59dDnxgcXGtXdNqM6AoVkFKS8E8/NqBJWNfNiMyE8gjUAn6SnubujqD3PqMD3ndCoMHGlRoVz -LBUh/gDPeaAN4hdQgmSjYsBbq4QlHpYnAFTySNNN4EihYydP/6BWeMkflZqs328wLiqil/iaB5bf -pIsxP6oCd2DAAGGb1o/quXRE4FRIS7maZVi/TDxViAwRlagumW5VnvTXPyqMP01eO/RC2HpUuRZN -6euBAX/BbKlHZWIkdGD4oHKP6vp+E2lKOtVNAg7cGhVJPSr88HDQso/Wrt3lQLc9Kg== - - - 8iILPx2iPKqA9czQuZVNUjHpSIH7OSg4EpHDXYChRNwhj2pjsD+MjNx2shy88mVgkGxT8P1QWeKC -LB4oaGKnEZW635fK+AjV4CXLA1d6aK30qCA5NPgVaFGtlR/w1mEBeskhThkrMTK98tVfDgrlRGDJ -vdIeFdCwalGBJJTCrTTYGXw9KgimOQMp8XTSo/prUJXuB4KTV/ao6rwOXRoNxUmPitfh46B2r6B7 -VOjjklXxqPzlmkZZelRd/HILvUGK0CL5UBLRFnCGgPiFyR6V10+QDw+iYCEwN8+D4/LLFitV8NdL -elThefRFKksjmHlXj0pjAbuyYNxW9Kiq6slRRkF1GL/drEdVupQ21fWEFBoxJAGk5QpJjwqB4Wcd -/ubWw0GoCVimR+VNg7D9U0olSo2c76ZHAPJWZT0qBFGJpdzco2J5pKixBNGIrUcFsy7MHICwSyQT -9Vr5yrdgReGDncl7VGBPDFANJNw4AH6K+EN7jYNo2MfTOi7iELdePapndE4OoYqukU6lQa7XC+Bd -UfjvUeExWDJgZL9LOv0QY1z/EcWMKkTlTBJCGqEQEp2gUiHXSPSupT5L4VElIXdLWo4zV+aQkTuI -iUfVPEFXym4mfPEYj8o5b4PYUekQVX9BjOYSY0dViT7hf8BtRwUyMna0clRjhcwPMh1KIQelz4VK -gkpeqEB1dFRNWjUSbTLnOSoSZODU0eXfX48QRxUrR2oO51ZFDkxWACTRU9JpHJWdrYbG56gI7iOD -ggTGvolOA7Y5qkOLcrYCoZOKiBE7JL5XjkRllLOb7cHyP+t8jsqOunCPclR1FAVIGeOoepNMASEs -IHFUCCDTwY6wlwiOaiHmwrLLpENrn6Pa6fENmhzVja+KINMNgHrTLZCjOkJ2XmmO6n261ht9Neao -WrtU4qhgrYZOOSBrt5O95vaSr00Aq/D0RvUJ6Uxlr7tRaU29cr70zX7p5Djwhx1qNTJZLLLedaN6 -52NVMoZmEVe8Ubltp3Fd00mRH+7Dlmoxk4CVEzeqY0w22JgsZfAbFTRPp2jeIc9vVBVX25JmW8P7 -RnWn5CNtFN3iqDoajOSlrCQFIRYq0diJJhZP3+Oo2jFG4R318DgqhPxem2IZiOCodqeutSAOvRVH -Fbpos8xi+TQVA1XgqPxLaW5UMJdjG5Ur/rqfXXZGssA+VeM1gZOcqvyhnkmTVFwUnec3s1Hl2CHV -vFcWFIQ34PXvZLZRkUxfYf2y4YmUjUqYn/zmmCiivDB26ctiEt0rUN1I9bRZXE+uAaKkwFFp6n8c -U4qtjTLhmH5MHNWLS8QRVFkJR+WdlrcbFabt5KLp/EZ1TBGJNkFK8UZlc0QEWPaqyx3YqGBtBkoA 
-1PGpCJhFPgFUlIo1pdBG5Q7smO7Iy+EACZdqytRG9TbLeJ+HqVH1Q+ayltYyh51GNWGEQtjoS6MC -wgiNsaD7utj61PpNoyopwMFQTdZ41Y1oVGEGxBrVdECYrRDYtYRGlfEBRKNa/7SB41cEIMPONF+6 -9zRnEMacUUH46Urd4GRNuX7WUxF5ioZs4/7RqKxQr0EYHYP0nrXFXY2qFVUTGMac5sjDlmrW8lRv -WR+8aquEJxUb4/eXs963Q3dQozpLukijAq3Qz6hMSgjdCVVn+BVLkPNc8Hi8zVddS9HZ8u6oDO4o -pp5CNvn3+2c6KXiEe4J/fQVfRoUVn9EcyJwho3r8Opfw2JG8V5cQyo1xUMuQURl1Ao50ux0Z1SRq -nDed0W5uV0YVXpZdBOaKzyb8a/obzzIqo4oJu4xch2BVGRU+ToN+8qJNFg5BiZFRQUz3xyT+l1DL -qJC61IZ2cZtlcDKqDwXNajfjAplg4qfXp24hWYVGZNyvyqiuUy25+BHIqLg8FGZUTpBJGtW5O2y6 -XqNqsZUol/MlolG5MzLT6l/wSBoVzgHqOcsxo0oLWFEfVd2PEcgqp2ZUIGMf8W5CqvZy+2dU9DWc -q4rzp3pLqnK831AN3jW5T40KzsMls8jiwJ641VKjwohTny3ZQ4/TCUpl5i+1NKo/RErtlnBG1blS -nDGjSl9gigFbQT+qAaI8uB25xW56fJU9owKC0RCeBaSMygecZOiAdElGddoPrIvBcs4NHAYnf7EI -sTbS94Cst4wqw6JM9q+aBpFpy6gI+gRAuVS22YXgGRXIgJ8UepYE7cHqGZV/2dkSSU6z4HZGRV4D -F7xJ45och4plnmmid4RkupFEp36dlpVRwepdx8ALBELzk7cXRn2+d5dRrWn7GwFv6SuLUf0Bms5X -oLl5JxR9RSNGhfcGry1TjOp+OYqtHog7rfT0LVLuLZzMvbL1YlQuAyKawCp+33BjcKaLx4NG0kpS -I/djVH/bIzLo3Hwu4LemdjzwoDVGxRIEue0vnAaPS+spa/fHVYxK2wyz6GNU3VYfEsLkmQ8Lw9Xf -bGItqy0RowIRw+4zSH5mwaj4ayzbe6V+b24PVGKa1XMsw6hAe2u202ISss/gdW7POqe2Z41gmJSw -nhZ8sXyqxv2il1Yqwbl+gXs0c7GzhFGFoNomv/K0FxXg9wDyg7PLMr+opBY9lK1dE8v7RFDUupFy -QEWkiiLgi8oN67qxjjGFNi8qxdKXl2cvKiBM7ws4RKJsLyqTgQpWmsuBUTHZnTKdiBNwL+aUiYFR -Ac4V52vu0t1sni+af/OsC7dSBVfxtB4+IgEai5TKxVQdWduoLIwdeiqQBW67kMTIvEtOIsRUsuAZ -wy/AYVRt+vWDDp8Al8KozrDOKDoYVZOW8x9raBeMapgcp8FuKruzwqgw1ndy5rogEEaFW2RepWBU -gZuCUg7b576o+jUYMFU+vaJfL6rF0tVc9OWroohMcQlS5RcVFNpIN+yF44L+ouLi5GF/GCAxJc53 -YEyH1O5wgVHpH49r0nnvQE9tnepn1yDG5JuK4WrudUHAXg7VoP8MRmWsiJhD0j2MUkIYFdimAsIQ -Au0bVYsqTGBUdS6jdEkZLfFXs/ulXWBUabZe5Dge42o/gaGPjh5G5V/+gqbrXvRcHIXOtiMTRtVK -HMbXbUiM6qNQo3iljHiDKoKhHm7gRuJlt8WoaPwSymaM6vCfFKnK8NwBxqjAvtsw+BajchT/dhFk -FiuDyxiVjrCGxajs+ivQ3BJDktxtRtVMJ/y9zrBFrJtRdRcTLTanZcafZlRIQKaiZg5smvb2CBit -yasUBWU0qpjtHYXzdmNqn0yjGpbPYxHusRhcVeIajQr9CoRyeQcdlbQr8mzYGOvi1uekUcHYz7ih 
-ua1eAjSqOD4WT7WXChrV+mQCMAQ7kE1NH+HkNKoo+OEvukZ1JdxHTA6TjtaoLpbqx0TN25CZ8hqV -lPS9qnWtUWHxqYdCVPpSXBzcIon/0XOoVqcwwX3ANaojmawjNSrSGvOfr5Q1KrI3SH4UMYHqEKJR -mVn5EGhUUASU3nwVdhqVlpg/Huo0gcsJySkBhmlUnGp/wwH+pkjZsjUq122Y13Mu0mFSeRJgIPjR -S/arUaF1PiQpBpWZEjika6OScZXVW2Fip43qs4lWa8EDVXBoqUC+ocE4aKOStbrUG6CN2m1UHe7h -lhYB6RqVr3hnH2tUysM9qsfm6undCuMjwEf4gxo7uxewUeHdlIbSc3FvVEqVoqbVkpge8LlQHFUJ -kJAfgcoMBSqrI4gusUnogxXU/jiO6iyFVItwVOWMl2kH9vEO/OnYjwny/m9dk47u4Pyr2aWQATUU -R4Ug1OJX6trD/XWvytG5BNq3LbSu+ovzEjOCKFU/RyUf1QKAvSqRjspxz5c/QWYrtng+RFOEwHtA -ooZUACnrHisL1kMqeIxIVVoZIRYmFxU0tr6tuMTanEhFj+ovRcC2ZomeVKrbqidpfStc6snFdqLy -9516o1q8k13pHnZh7TD2smyAe465jkj1M5mF3mUilZXSg2X4HUSq0NipyUwEaOWGWPwQJ+aoeeNR -MGnBdgJ03qTiD9VqP0MYIBGqQaQK+dNeSH1EsbyRSibi9jpIUy0lUiXJbeFvQKRaI2Eu5rQnIlJd -qdeKUc3MhWspfhVzpChpNVI1BLTK3+BQwJfRSMWGxLkuWXfGzB+pXrWCukc0mZwBxH4LeVDZqRuH -xzzI/mxQtueR6mAbqls6q7mIQkZFIfX5jlQ+2zieEAL7F2A0Ur1Dw5SpTCNVxdYnGzMQhjlSw2Qj -VY8XrjT/yHfb20h1NvF/2wW4XXCRjFSMFCO2dr4xQmF2Yw//l2U8IeNIdRH/3qFU1JHqaALkWcKM -ckjJF4t4SzlKnVSC7HiyIUE/deSkch311CfvnJR1oR9+nVSU5lQhOlpNf8F9/Ul1dmQYXAJayWBe -7ifVDZ2GSPqZAHxShXQpou7gkCh55tPsSXWpZPNix/mDiC21KVPzoiOfJxUBUGXwmil6wsAnFeVL -/FpbZdLKPv+kcuwVgM7HpmSfVJZZRdSi4Teq7p9UNmRDlrc/qdqIMlgd4/eTaleuqkq0oRqwnqhA -PakKYBCuWZJnwWw/qayPp81Z655U1Hp9zgMQKU8qoLbuc5YJmnAjEP6kksdq6EydtXYI/UnF5vFV -si/dLWcQn1QzKh/v+6RqI2pjjTPglnruSfXUJOUp0G/xPakqwb7bsnS4/KS6vE8igez3pAqnFTjd -80nVXOzrSyNFTWoflEpPfGoX0+KVKECpTNKSPU55bq9BqerGDDVr+tYRStVIYPEYFCbWsFCqypFL -5lc1y1AqbJLztCuL8RplR6nUWU45VdVso3SPUtkCEAHXN2kdSjWhCiM77ZEp0IBSHeN0PZYdB3fT -oVTSp/BVrRVSwdZLtmmoyVvHp6BUzRi3qyeUBkGpvvMo3FEq1Ue1YxLxkjBqUSrrZWnBnhBXg2uI -UhX+Q8SF5Ird5/WZHqJUebXbOhktlh0nSuVSZKbWej2Bo1TwaCUklMF3oFRKFWdIT2UWNjmZu5b/ -t3d3msywUqpeE4UWDGd9uyMFo/pm8Y99gqMqZXsbvMmwHC0hpQr69voppXqh3OPNCOlVKdXxlA+W -PPYrpcKYAQ6lVOfd52ANXQytO+jsM1XZn7tHKZUVrPbwEFa6RSSlkoCZc/hDGRRLk1Jl97mNfz2H -WdspkIiUascZVvq4q0ap4PDvU18oNg3tolQZotqE6EEbR6nSD9BKAcfUolR0JHeY2OjKRqmW/FXy 
-AP6jN6NUZUq3uc62lKqP2zDdM0i4SalAng3XGSlRqqLfTMwXYSdKBfv4c7xYShVvwO2cFqXCWoTH -dCtB6WvW/pOvWJTqJlMxjk0nfZQqaXeT6W7uLKXSjMdL6ZNS4d5W3vqpNV+9o1R1Get9iVKVUUN5 -agTMlJ9UFEtcoswn1T2HVgJb9Uz0e1JFihCLpSK1KOOTKgCU2qPc+ps9qbAm8K9ilIwAGOpcGTth -LPdAonszq3tIpKbeBflguu+kuhuSkIRsnVQQqcbYyeTb0MRJ5anR45YnFfMlkAl8ag== - - - WTypWHfn2rfu1hORT6rR/XKRi26bqjg+qfhybzh2t5U9qS4uQ08+oAkX60mVtwNUN5o6qa4e4Q71 -MWOb3cToN/JMk6ofO2Rpxkpl/OfqbgRFGFB5Wqm0eJqcsVI1nrjcmYCqSuUzjcZYpFLtoWNH0qX3 -8tngGu81qVSQLFhC/yL4pmkVVKoogZeUijrWCQI7ygxLtSMYaNOw/3LrEYHTMF/AcSxtlswRCQ9+ -3//Hz2ml6u+fCEOALCtVtM+bcKEplpUqnwEMJgCN6eCWcLiVysdMioFVxfAc0p+j0twx8IE/YW5V -f3ZQPNLD0WwXKSsVBX3ismoNqYiVyirIMI2uUiHX7g32MESaFK1UIRFkkVfQ7YfJyi5j3Uplm1H6 -f3IoG6CHvVIx8mEN9s/dKxUJpNiNbBpyrpWKJXVLh2KJqns1k8srVeF5ApszqGU3ljYC90i2dtj0 -7SuVyRXhStK+XKn0FjCIN/X0lSqAdhxosUIsZJRXKl7Wi2ZmeKWqNPHRIYTrABZXKgewEiM3UGiL -75Uq0L6TM3MGosjtlYpxNdOgTxdrBwO8/o5rf+4Sr/pXKi3hbhKfK9VeqeYebOohUjLelSpQz6zk -7TOqfeRKpWYzHFV9peL7+lFPaM2MB99XquahUWMJcJ0S3uJKFaePXYGQcgSwVBi1pYH47KKxVDEO -Acbm01rmYKnY5kerIRlgqYI0FZflhyMRS/XwdMN2bUwKg6XCKsOBbYItwysVvNnP6JXq5eFRpAkN -u5c0xQh/JMi8LYMrFUVcfF9cqRzf5ywA81+ppLBNzhVvgEg3St347Uq1QcEPqhB0vBm84Avo2/i+ -UjFLWb01QwRXqtzzM7Zx1r5zpaqCkKqAPOr6SpXa45GqhpTNgz2D35WK+jdCTDJsIkJKHms+qVgq -8rKFaUXOlepnoOzKv2/IrF2pbONHGMP5XqkAQKlSH+iJbX5hzf447wtdqWCsyPgUS9VtpxqflyvV -xQYXmKrWcJgq9N020cm+MD4hTEWzb8Vjdkc3iViZMNXBksb0OmGqsrUiWpEYd2ikQCNhqih8vsVc -XKWYSllB/wapLqbKZAE2dBE7dzHVykUh9CqWtoupyKcG5BBoYirYUzQPFVP5PUG9usepAotMNePe -rAoqMcl2sx+5NvW4k6JJbEIDJaYCqEMexFT3DZcwuR6Qvi4nEljCqQ/0rgtoUZ3rj6kIlen2aNBM -ZWU7gDJkvUYqrI8ofsdUfdJS6s8qpqq47jcTT4mpxh9Q/BXia4uphqQrVLbOYarqHoDnZyC2OozD -VP2KjM8afDNMNc40An1zEpPYaMlV/v81s7swVa/me6Ri74YzpEtIlJKyAAmYCtzqZfqg6WVLhLpR -hh9MJSG5XEw/zsSNUDBVpgOJKg1aDDIMpprUQNSiKPYC/lV1QMFUO8NR7zmlHpiKTuwaaawcpkpu -qGcwKu51xgIjTDUaxk0/TKWCS5D+IxN7dIsqwT7nmoEuwnOYCrjWx/3CVGxGGhyeV2KvYao/n/XB -RhKGQhXFVDue6tSjRd1cxXTrf9TKlAKE1gSENItV2UD335xtMVH6mbmQKJlK7ep0+AGSqYZtWOyQ 
-qWaxdzMEcI4dXj0ylcbUphvT5KrRVraJlSJTgfJuoQruEjOZKq3R8ZpkKt1gwUC0Ll8p9EeXIbgk -U51x9YvCI1srlOTfKeQazUiCsSyTqcoAbMNkKoRarXU+mQycvzMlj/5qICNTuXR0rBWdV4vqC/RE -8UgdMlVk7jfWg0wVN8mBQFjh+4CTkRR2h2Sq5ememHYJzSNl6gB6FdlM9MhUDkLBW5q+cYyaTDXH -7hB2iEbXPYE5WQSNH5lqV9xLM2T0/slUHUjKh9M/uItvDt/gD3J9C7EIYUpMprINCNw697qWmltl -+uuFJjpGZaqnYuRpq12XAFemcm1CyAFA9i9TeVzoK98nmaoDjCtbR6YCYY8Gdi/baPCSqa76EXHT -Lx6OTQBjKh94/2D6RzOmUklk0RzAoRDQhXkVi4SKqY4uPnMQ3N7YsFHM1O8XN0fFVOwDyO6Uz3t4 -QWhBQWiQYipy2jNiCaeRbSPlQ8zaixbjw2xiqnx9CqLJVFlTTij54ARpej5bkKmSjnzrw3uQZCrD -Rhr1H7A5MlVDbohnW4fjRscUmnMU5mSqlgHWdFXRCyGB0pJ5c2SqVhvHE8hU2tanqIhMhRU68owZ -xitT0duc4R4yFT6sRjGZFWZWqbN9mao9nOgHpS0sM1WMnuqjGvnOO6UQQmLNVHzEmdUeiKaZiqNL -3FmmYts1BEGZChVBw9z4QNZMVQNyy5CUS7lkMXJXgc1UH1F5lTPSqJqyIVJ8TgkzlRcIZQ+URL5d -hMxUO05kohI9ZyrSRFrEjvVSzlQbGkRRID4tctSZys1bjVI2U3MzVef8Eb1xFQJmKj99wbF3iM2J -ezMV/N7PEhDI95qparUjYh6lwkwVpXadhmaqpCzPQSzp8EIY6eeiZ6byM9rUWi9XFuVnpmLQC3YW -y1SXm5rMBglXZao0n8zeq8DJadiSypGpuKp1CXtiTabiXqZKggLk6f+cGLEql2x75ehuVHx8BsdU -GqtnrfOuLuJ8ZYEnPL5kqrmjhkiig1RjMhWaqps0DjKdZKp8mmheEUr+UaZa3tAF92Go2JepkDCp -ZLZlgV2ZqnRaKeY1D7ikZSqIrwxcnBqzwZtnmepQjhEgk2X3mESZinBVdZfZeZnqAoqyhcf0kjhY -pgItUa/jekDYm2pWKVsElKlEswXlUaaCHF9I0vox05iKwLLclS91zTHVBnlWwDWDSZjKALQBTLSh -epiKTZoM5TH6UUOGoDUZphoNUip9voWpMO131FKipnLLtcJFUJAMZABZ/yg11RFzlgV85yn3d62m -kgzaoUo1VaEuMvPWNFUEdid8BpYaws5QU8kScxly4SyUUFMZSwrH1DiylF56mgok+Ti0D/kV0ByS -MY9k0GG6JpZGPCfZkHTDhvDo75g/u+ASOwuvqdpdeNnBL5trqlZKG6htBZ1fUWwqjfa3Ry5/baqX -CDCgVDgWGzYV3t6UKs2+BGwqWHFyS0VCzqa6hn6U7iBi9k2wCBxfPsOa6uySK8Rw1NdUz7jpKT4C -l8G77HqN65NrqrtSmKlA2vv+0qZavaZ6oQ7y+jHeV+hUj/xWLi7hTN46MwlCp8L+qL6RUt5Lp0oq -C8vCmGk0qRIxrP/ddKouD8yVQ33Fuf1kCJ0K4M9bKVxSJrAWneodhRg3IXwCXa4b4GfwM/RqODPe -rjKkUz0SLUbZAUQZ53KqwMYb9S05ld5HmxsY8p1bTU6FGoU1LFjyM1xf5VT0wW9YPIsEif3NyuZU -Qz4upqUfnar7nmPndbtvGRvvMCs6VXlb2NnClzrVEFEw56zyR6c1fiHsdj9U3ZTyJlenKhxY3Om4 -n8peNnAm9/Wpvk/Zq4o+1Q5ViN8zwPL2butT0c+qjg3sU82bj+qV/D4VrlHK5K9Q4eIDAIDHr0+V 
-6vaCwKl4oyug6v15odenQrcZg/pb5VN1jlrJjyXFpxKc8gTMAJ9qtdglID7+S3yfSkUu4wo0TF5R -lSCmg3ZSNz19qn8MUikpR1wzfapryStFsja7JL7lq6VP9a9C2ti0vBWbJdWG+30qyN7judNPRdqV -3xApqn6qeiwZzOIHmauIUWPlp9ou3JLU+p0KpRZ4lhb9VEbP0lbQZX9PgSXNa1/WjrhbFOM3vER5 -Nx+W8o6HgvdTwanK4sxDOYsUP1W0nfiUDKPpkZbAUZKScdLtk7EL8FYGM8Lyrg+A36CFXnnhkfKt -7VNValslixfuNi8pg4k9XCa9T2UEOeZk9wn6VGtqRFfV5UigqsKxfySsiD0CVTeKjFnNlwUMdXgH -qoDcGLMTDkZ+okBVM9YD5b6gCvAfKEBJtlpN4SqoyvKG6dpoKvF2CaraA+HKKo2+B/mIoIqKzHS0 -aOk1I4oVEFSlqKOwfU+iZcOk7FU3hBYSMC7TrBZDlHkiraMSIJJnG+bXh/AiJajqqehawc5WxsBq -pYKqH96wIrz/OWhZypuZoKquig/oKkcpVcIQeFl9DzTniHWXKm7dUiOs3ajTthZUFURsB1VgI7KE -Knz0DNRlSBWFqi/oTK3s54hNfF8Rqt7eDH1WOe1B1Qdxl21dTDI2qMoLp8IP2IYxqMIlv64u07q8 -BlX2Eua8J+kgSOoLqlgaTRYBSGILqvT8izov/lFLwMUuDQ8zi3rulUOiBFUVy0TcvbryvuQzFiyD -Pw+ml3BBlWF7QZescxspAu+npX7egvDLuDCzdid0L1+KFvOCuEsHzs4KqnLRXhunQRVwvPU74xYx -qMrlbfl8FK5BlTsBchy3zBa8DaqeMIxjpCnMQRXainl2rUm6RRrsZXyB9R9UVb9ukJHq0+DUfYaO -jPYlYjXMksLCCz8jQtXncM/9O5TkCFVXD2HW4g4uQoIsVFVhrieABG7CsxGNE63MepF7ps8wFegO -w9Ads64fFfkmXgQMVRBCbx6qrGXJKogqy3M0rZwno3CIW74ekxfjU7JFDkCuTDZJv/uOfhBVdcy1 -/JHhvxFVwwccUkGWhAxR5XY3f0M9KLsRVWCfOqCKuJQDUdVpGkI/vmseZYkqbp2/gkdE1Q+LVJFV -iKXsPVSBtuM6RYV+HaqwoCJuKCFe5S/WJh9pFZuHqo7kDC5YejTLGeUQZx4t72130NmKOlSBLyfo -6BDeFS4S7G+Cq7SF6RdnBZ3A9oeqKhtTWTMTD7kp6I03TAJO1M4/VJ0fQXGKEVVF+rWtDJ1/uhyk -Zwscoiqnp2ylP7mMAYV7jYtgpAnJHMdEVC3KdZJ8i2G08i6iiqyocoZKUgwjqhbOJ4Xg+DSIKnc7 -ZqMqdvi/DsT1sS5Fosq/nx73HEnerbMTFSlRdTkux4KLKrsEM0//oU/JdTGe2+xFVUVR6jlaHtEw -Z4sqEVWM+trQW1RpMx+kbb0UCllUQQM8KqoQ4f6UqML6hqxSnFLL5KyXM0FUWc8PZYqo4q3dRQvm -S7iIqqX6A0yhiCqMQS04EFVzikIayUMgqv6F+puNiCq7Ubt8WY4nAWxVYacR0J5IVhzqa3Hi0dU4 -UXWvc6jy/y5+yTih98ooBvUMXkRVMD895gOias/+iDZXszNymD9TYJHnWyuVlWW9IIXve4ouR2rb -FbYsEFXv4K46Po4z1V8Zogon5hYA8itEFSG7btBB8XSyAeuJ43awa2gJspq5VxVgYuxJ68SpmKyp -X8nEf19MROOJqrrqcDloI/gjEFVDPuFm6VD1DbmD+e4EtCTKklmPluZfH6rKSy6PGhF6SDdLSFhP -CwPCbL0pouq+Rq14gMQIiKplr4urDhIr+1AjqraRH4eYwBWaywjXbQ0wDdLHK0SkqakOTH+WC4Tx 
-UVoEFLbFJ6iNQ0yFqDLKji/tx0FElS2biwoA/z4hqqzZlVF+l8N1/2f4lXqwEVXpAA== - - - 0mvHWO43UfUkv19tLnggmo6xn5KWqHo6usSalkQVOOJS+ueogkQVydTyFBPIiFteklR9gnsoNlqB -47MuNqgI1S6BJ1JSxaVnrCKZBkqq0hhljLMlVVW98nCE9qyOJFUex2y2kMTxLKma2b+B9FJSha/H -+aFQWZIq9W4jlFFny0aq2uHb3ISRqgQTCd/LJSYZ76EjzsrPTmNJMJEq2VIJgI1/8QgY0kHD54Al -IJ8EkSqjfwRbGnRUy5bTpr0Hf/Q244iY0AmP9mEEqVKiWvbDvwBeUXK/kCrIH9/zI5I81QBT2CA+ -10cVcDYf0m6z/9L6Znv5ZBhOVr1m2QYsyYaV9lEFl0LjkS1jj6rR+/z/ngr6qx6dslMZ3YkXmzej -chf1VfyouhIoiIreIQcA28pHODyqvoNMaaEfVWwCfSOPqonL2ACpghyL0BkHLIJU2fps6xw/+bAP -kCrCzHtO4A1Rg+ACnALgmbVWHwDCAcAetXVP/1X8JDALloyAVCnauhvEibmQ2WhKn+xNbQ2pMucX -eM5q/mConZZqgbL1zyDBkp6zqY8qqD9w7XVWtrSEYvukPiNf9tJUGzjNHcJ4TT1SLdpywm7iqJqv -kqlyG1WN023dYZLC1aonfwioOkg4Ca9Gm6lGVd03dLE0sEiB+WfCg8vASR9DlR1fWaOqoqyAa+TS -bVR5xXxfjpCOi/QPtFGF2ybE8Aw8NnRUwReln4zWK/O44l1V5fbxvAGOi5+jKrSIrUu1ekuSG21U -IaEVF+bnRpXdKxdOvBEG0vK36D2Nql6JdzPeIdeJpXzhQNwJ3Y4iaSyAdTOqYEVI4RoDWNUCdydP -3w3WnVH1kd+BQKppuw+J1t1bJjKqSt7oQvGp16UlqnqTAnK+QpvimHdQ8tIvqy8eIUXD0xtiThg6 -bsh4a4/1v6JI/Ao5zMSi+eYq2StRBeF2arb8RJX+y5qaRFFVvwHG+QyVpxuGPJw6YWVGFT76o9VG -E7I+dBYaRINRdU69psuoImk4hymzTUZUBQVRTrGB3KuDmFWLKhy5q38dSFtUZcCzKdcfcUx6PqMK -MolQn2nKwcCo+t8Rsc7/PJIUgU+p4P7TqMKBwfPq8GACKSpY55hHMPMEpGvKr1TG/9/siQnCwCfP -NKpe+WLfUQgeNqoiULMT9ZHURlWAXwFkHAbaFIZqVNmIHtUKM3sRWApKwX0aVYP3ZritJ2h5VftA -sKhSyj0XVV+0e3iWLOOHid0U7R2QoWD5aZDYJoxRBWH0MN7ASxPw/0v/zL6v52hCLWci65wqVII8 -/VUuskyC2kDLwPMTXFEXQBdnVAEWBjiAPkS+EOmIMaLC0lWVUXV7YHOySKjOM8syKziA/YpR9THU -hcWsNKq6PM2gG1X8G8Sc3qlwDLOjymooQoKoxbqdylG17a9RdfagAwEO/ZSSDSHx7vrwwnXGJb9m -BmWOqk3qGAX0yrdBjio4McgNnVGajyZ4d40bVYf/b6fSaIQMPtyoAnGE1YB0VF01ibYvCXiXFvBA -ibL8jipgmLsUBo2DcFSZTEA1XHdUEUhj5w5I1bkTEyGFVAGjv5RvNjvvWYko16sKrI8qpEBkHcWi -PjmscwcilGfXgnQhRlW9h2wRG7PhVmaNqsPU1nIoyKQbVUf6iC0KRhUEpB3K6vdCFMcEe4yqegNh -sFtu5TKqenO0YaWltw4FjSq+acEcacSz2qi63Z6MkzOealQREpWEw5YoYqVGBUOjyhT15OwONUWb -RhUaxs9a2ZaX3LhRBYcU9JIOX53KRpU5xvqRlkiTA7ZRBbJsNvF+flZ7pabkN6rAbV1RcX/0Ufhx 
-Y0KX/GDYqMKCRVNODTiqVN3Tw4lNmaQmaDqeRYovgvGZFbEwhkqRKrO6ohT5B75VbWKjqlwkQNNF -UE2jSpE6xsJEfWLYMgZco6q18Wgl9K24G1X4bSPOog75/QOjiy1V94dIoqP36vAdQn6zbqlKhnV9 -XKrSjC4cVYAsUIUqMzJhezDqAGihmnzuAqC5zy5YKexx7PjSpBPKsNLRjlO+fq97shlbJBhszoFE -zJpP5VUckvGphBYKQs63lvfxIjEpaNlT9c7nMsRvMIej6EsWZQXsqWzk3AP37am69BPnG5+Mu/WK -UOX+msrPqQslMRDBI0chkFrYI1SheskWvA+E/dZrEBgQVB1tIFBwBr10ixCUihA0/UdCWWQJVVD2 -+DAeEqpQ8F9/hDgQqnymMJV2gb7BwvzEEsKEKmT/qlga5kKMUPVjIcuogTtPPsxjDUKV7diXorHk -FaGqu0LHNGB9/11oPiNU9RK0DQLFwGmJzEsCCVXlPLFExsyvjFDV+RO5oX9Hn1AlPKML6lhIQKgy -c5CYfEUQiwT7z27/hKr+fPOpnV1hA4RXQhXAtLeagNFfiAhVQg/AuFC6hCro7jMUHQ2q2kJ5sip0 -RHjICFVrMOPdmppoQlXlamgTDdvyFCBUWadK0qDW5kvLQbaYTagqJwENtKBva+jwxaf3hLW+TtXT -qz2/QS97fx8fjd8zZ2GvtmaG4rIXzlISC7Oj4RHgMOooMEVmJusygzi1w38Pv+8wWKyAllowCIyU -XKK89c60xp3su3rroi+NH8y4r8VxTXXYV4xPbYa6ohKflUW/p5ewYNf6HyHKcvanRmnBh/mQFysr -jzopIL2MfjyFF22N4ICImgqGgW7Ul6tgwnf1pbzlYJomkfVDi9V9bG/b+ApqUImY+YPQ829KojB4 -U9wRV0mY6EO+xMe5YJnu4A5h/FQJtleNdpvZvlhJOtMRmA18/uaSv8hVRk3qNoKBNJJUwfdPrH2Q -MgnUMY6Orq4WCLg9go6aV1mL2ItTgRhONC3kjL/LSicXxvPON5GKLZJVddR2iDhIq4ht8BD8MyQl -sUuw7EAfcX7n3ylxUZX0UGQfxZwvOnIdrcWyaB4G476Go29+P3KKafrLxEslhT9eOGgT+P9W93y7 -yEYspfNsdeWk7BSd7yUSArmclcRvfmpNfHRyTRKYZYrAPQDQx6rMQe6u1gGptxqKDrsdzoS4KH+I -/P1FPay/issilVXTgEQaJWkOZx+zC54fo+CMR6tAN3vH8ih6md1WVZprSe26uzwWb5HnqS2wSKme -2R4NAMuIvXSLQkIYgNY3QKeRhjhGaK8HZ5QHcOdSs8CU2A0apIQexBAkymIC83rQRSumqQy8hH06 -YCxDevgoHZHOOikvuEkI5q0PYTrzv8AmcrQwMBN1xJPLnj71POi6mRMHJ58ZwD39/9YKQeUTZ9TJ -wjTGK7LujhU2WI/Q0VuIm6Yugo+ROQLl5/+Od4FPoBlGRxFSCYSMAz4vNfacbRW3s489JXM3OVIX -kllLKMvJ7xGtULlg+Fyo6TkISiT0NzSOF8n4BKYCQBlYirYxObsbqkwOxLTNekWEmq389sdywhAN -feAkxECotoq/sPNi1n7JuZjUtMH7EzVbCaIHyAdydWbd/nWv+SVfgNiiCV9T7fmSwmGA7lFyjew/ -sgfmShTp4DLsxdzPcZgDl2xQBpi9vKpjYIphGKGrMos0EVWD2yuTaQtTiNpF6Q3Fv1IBLn54Szdt -+89McVCpOluY7+PVfdnQQUbrZgm5jVHIA4eXbGYuEjpbfe31ESMy7RGaLo6iHjDTeAPiVEcrC0al -s1Yu0T0Oe9VDf/G2dBs95FhXLCR1XRv8LNsqJV0diXnCncCjxC+gRkxpY5AftuJ+wLjw8rXqPzwV 
-bOd3aODq+zPDxYleA5gNe14ZRNgxBxhTrpKVsFAUXZwXDriUsz3I13EfGDGeZpNiDBRcju5RcTk3 -3Qk+60FVHQ8xFABgE+DwLgWTXqC/Ovo3m47dq6ggJZGkhWIx6BY9LDnHlChQBU0kxs1qF1g5fMt0 -AlqZu+8XvctQMi90ZLoekWyi9JgJaebsC1YRTJ+v0INUE/6F+wj/GtSptU50prDwaq9Ik6xzsrVn -aLkMdxvsClme51Jl36m6DTluGoXwy8D02ne1OK8VnIPoEH3ObWkYRsvBVk0RdF1h/E5/eMLx9Lht -d8z0f23CA9oz6QdJAs/Dz1r/BEUR8NNZRwMnjmMT4mFZsgv1tX3vte//46m3noFkIqPG2GOMCxar -RS2onMDes4vcV+q450iZNS5D4FtJqrnSZWvd6wf/FLKSwZq7GwacRsiJDnRVQP40WTskP6qDodbW -SyQzlWcu6ho/ZkYeBEehgCPfEyLLJoUzagR2XXIHsu41h8CAZ38mkkeHxUugjGfZzRAGxlsOdcdn -eGL90gPDCVbU0IJ9wdR8ZHBaNJP42JbiV3s6UAi1HRFOpvYaXL5wQ3xz/s5xdAHAcawQAuhsneEb -vzaFSYlTHvbc2sC9y9OJs5fDp80QEMwFf0lJeM48ebI8DfvVLabUM1w+NZXeb0RSSgmeeyxQayF2 -BXr2Aa5+onSF4YXaIpwy3B+Aarxfo29+xaDZda4WVJcKg7s/PX0jwUCdMHvftOzyvSoxouCiP1u/ -PsNGqtYHhDmvyW9DokzOkTcvMrxw4Ed+fug/hcC+iZdB0nr+VoaBwcnnxgTAVy+wH3pgvUlc6ZbW -Z20yRZCK44nOfgxXiZFwLz6nzJo0AyAsIBq7AwK5/ShYnlETFT+/3ruCmjyeAuKIyBITOPsIxfqy -xfXvzluW4fRCqAX6Evd0W/aQXwwAp7RHVMnwWyG7OJRywTTsilTwzrSVWlV+dic43cNl4RiSPcNy -UbkN6olBQC9HxHpYRhFHU2JMsxmIfi8ZUciuepReW7qLdxIIqpKB74Uj76sJMoMCoJvooI4siMUG -W4lwkbRt5FhU5IUNqnsnQjUKiglyl1SoLltZUFZnHykCxGKELlJeS0wp5sHUApig9aqLcLoSAndh -CJcGDi6Ya9Jt2Lr8pimoHeKcge2mC81Yhux2DhX6oXzMAonB2agga+w+EStCvO8n8I56Al4tvTPE -LChkGiP6p7dYBTkv235cN6rgwuhFjQtAukzdhB+M6WnAn2N0i6DskAggMkLMEMFd+QiNWutImNXH -/8H9wdVCu+42E5s3d99h9WPn3g2JCdXUCD0T6nE9pZYxLQFeNs1RTYpSMhYY7PHfaAzA6JEFARWw -9ut53r+cMVS8EgYuBoEDtP/F8sApoIhcMIAq8RWZbtmSPtMzFWwWrD+hW4715iRJ+vELKJmHag1Y -v7DRqkU0STbU1QlV5zwvrZq0CkufuQgRgIPYQYpaguaULLpJibo0Q5QskGKpnQJBdhjGgSw8+8Eq -qVzSWGvvaxOEUtZCrjNpYx8cwaGXHm6uu5OJTKU0myG+yz2U5BfQDFtGJqkw01NPvI/hsTtClxdm -nrFX/6PcPOPtzwP/1hwRITx6RgUhbG8mGpc/EUt/fXHr2HbJbQp0YBC/QaZLxvUJZ40pe/2K48I2 -NBcPnzsz4zwZLihw1HSa+zSK5bLJVPyN6sCU69kkFI6QBGwTLUnvKSUxmFbWhV7Wgw== - - - RExgcdWnNN+nsbCG28LHlErDxGalynJOca1Flwnhr8foWtdppi+5x9u13riUCFt/QorDcSWyRM7x -2+WofzxYhnn580yiQvRFiHge8rhYq7wxymNBfMjhHJPBzV1Dv5KTJOFQN22gRXHqJ4ykEawCmdNh 
-2jgQOwcSK+WOwuP7FC4QfV21WsK5FfZNtUZ57byL8CgDoLn9T3ZZZjy/wotUs8WRSQzP9rL1YY0y -OgQbJMOYMSSbXe+W6OHgWS/rGag9H5AtnBp2qYCPqnZ1sowBOC34z8ItC9pfA4IB1htCTWOnxfO8 -v9CEYxjb40E7I31DNwjUMBKQsZUeVtA8bRNyFZz6pJ3MxDpLdp3qIX/fknFKaVDVvCEIAkSCi0Lh -OLl8DnFcYnykCV5TPSYe2rkfYYaTQzktRUYp9/8iLXNAzy/aAngXHPqHl+sIH3LKMNeeGHdh3XLE -Ut5InlL6s0tAgxEn/8kfDeteo5SaobHHOOBf8BCqDmtNoDTFLJ4yAbd4VgYgbTT4Z0JAYdu4rERv -aR/TVUCVSg6eDLh6Gtx7c+pUwg+smGWCNautqI0vOkYeg3gBdAQBnjfjQJG69llN0A/eeJ4wHmIS -SGTmAhy0WQexU2x7Z4QXzE2X+znrgeUZ7ifD3Qz1Ugo40g6qNKTChQRwy9X37pHfG/5A8NGrPzdu -lzws1DERb0awUOjF6xYzGRsAU/9rebEPIHPcAFbQVqEgZ4xfaD5WPyUTIe2yJ9MDo8v1W+9Rgtgw -BVStzcJF5NZ2Rcj/yM9jgs3RMd2MhVVdHmsZwpU4LOokFnzSuQRBkGOE4pg1zb/saKtfxRcVpIOT -9JJfpK1HN3ZbbP9JDZzJ3rhg6s3KfbHJTAAZFx2ZtK004jbQ+9BAhjuGGEm/sksbL/Vr3KQwYoDW -ceFLXEw3PlSMv42CAykfeK87K5IG3Lf5vyNGqhfbCoIdkHPGCsAhMubwVXlH9cdF9AmLd7TzlAEw -cRwOn2caAZ9+++nGSUtWPyqumo2R7XtTl857vIACmt5YGA6wAQz/K/TELCKFVNtqQYMBgwF7ATMe -bWY8g7qL29aJDhfq+KwKg8hRbMGwOjQTeG5nu9BpheE9BPmsIRjUxjZeJ43YHHgJjszQl5fa5YW2 -XyMWooaw624kZrNxcGopRwJHnV6TOfYREc+hbGYabEe+pIPxoAkJRwiHAkM4OE+2MIqHPyrdjwc+ -xm5mouewY807Qfx8Dg+2R3HwtGQUmRpDmZkhJzIfst4nYSHFwolaI1RmQSQEekIIDqnDufNFg7Z6 -a5iHBTMhVMkk6+6FsG1fQboIWUV988n3b4InU4nXsIaRD+Ym9mKWKSyCQy9w8ydmKOVkQkVbJ1Fh -+zYVbiIzvAWpMgeGpKIi8JTZjYiRKWwGa/FyQli0DHsRi3URumCELiKqqDnGHzRxlhKTCNJUFx7K -WEPEb0xBcTafhBfMTeA38paghUOTh6DtYRwXoIEiAHaXWLDEFJSYxBSMiXVi0wdv3rYQmoOWAKzD -CIm+M5sY3kJwWqUfx8KohRgXVjLEIuIh08zwEg6SEw6TDXkrjfJu3JMbDSZDWVFYFDQ5FwUlLpL1 -I7rwMqKwRxQkCOKgkISzKu93wtVAak4JFE0SCifvBykCJ0KS9JnAUIhjiFJwgxYPS9w+xOwhQrhZ -L2TCPOpSpMDXUwkMQ4lOsaOQkDNcr4tiZb7qKyphImo8ODAohSDDKbJNRbIocCNyTCic1OpKVMO2 -N4bn7WqG1U4JTi0pzLiHEEjQJw3lEFWsmt8jUYWhZSo2hlpDKELosgmWgialEcORZlPxhyMNBdkQ -RLt6XZJyJS9e831TOy98pmEu3Ix+ys/j2s06rs4fyggiqeYMh+9Nc4YZZpiy7Kn6fFMJMss+d6Pt -F6kfoQnDL5PcmJHQj5SKxH5NtxCCTHjmTym05+ENwZdQb/gIfuVREzOXd5voyCqbRY7nocs8XpmH -13O3E0vEwx4JLdSzEMR883yhftziwpxuFR58tSILsV+kIWsltl7q8EvjH2kluBP1IsJswi4THjoz 
-pGWuqf+O5PV5mKBkwcxGMZGQiCBjYUFJCiYQ62U2BW/Y2uyRh7Dlmx8iHj+oEg/vJ3oWMwI5oV+R -f54/VEItd7zz12lTrZovvPDC2+aWLXsbDechNKYS9o5mRppP5qAC+YfLP6QPc08lSM0gypLnDQ2d -z2VYHlI7pUkCg2r520/kH9Lf7kzQI3XdVTaeCO9mTlIRSZhBPmGac8mNRzvxeWerlHl4x45QXbhH -aLi8yV+oPVvmYc6H+afUz+lHvWrL/O/MvG9FlWkZOjc7YcT/FRwY85B5rQlJHfPLbrwxv+xO18rU -ZDSP8G/a/Uinz/eGuad7+37E+GM6dqLaEGb/1444+mjlmZD84dYKJxtuOKeSVxTkYbEg2+OiP7P/ -4xNamfnVCWd04bEKHy7vWJxVpfKH9m74wUmD/6SLCEGTjv+k64L/pBupu6nEt+Yc/6UqgyKkO8za -cPuxLliiZTTIqIUzoWLVq1WRCPEgE4ZrCQ/qhFcdLjwEyjUPgdKFb/qgSrQyHsPXN9rAaUo+FI0w -XswYWgNlNh7TigaVw+aVJ79WTBQRLBYb85h99nijqsTnCw3ziVr/pgtRieIObFCH3xpYWhwj/9t9 -wZdyY8wQ/kDFQ7gEKtyMMKqI5mFQCEJKFkRS1EkPOYog0erDrgrDKgw9IajwYpTmQcUiSHHm4SHw -6oNJr+GxvhPy8FBjLnIUOKKylviEfwzJRAnhEyiRoCCjmBAugW0bIjycqkUixEO06qidFSRaKIqh -SDH08Kkh7qPpw8ucSRGdcDJQQRFYybAWi0OFZXeuggJPxzDESUciHIf7l34l1nH8qky6nytLeeZ9 -habMw6vSc4YG0bzjoO/M+KF0JTRneBye8CfUExNrVFPJ/JzhqebTiHAlLofEJY8pzxUObkX+uRN5 -mBtE/jksIq6tSkILkyCeNPzXZahC4dPSiuUxXrBk5mD53/rhk1YWAy1JDJRkzcsFWqRXhGKF8FMS -Xn8Cw7rQ+bAiZUIjBG5ueSSWSz1R+dCevLVadzNd2ATxrXnFp66rST7x0BiLO3LQIWSYuASlaahE -e3uu0QYAgxZwwBAAAALAYGAweBr5AxSACF8mFmYMBggSCgQYQmChI3EHAMgByAIAANCyUaEw/Lo2 -emKVHKlLzWIjTQg+uWtsVChwuglowdiCHAoWAhfTTojEJnChBTB+MgDHtwKflo+NCnkqIdt/jwSP -0bBRIe1h1HLaRgVjnSf58/qNJlICF3wDWKEBVMiUmMAFKybWzY9wNtyocHMpkPgsfRkbriFwoUze -8ryXF3TBxIVokFyptE4aykaFum631+fGSJvARZewU10+FK3eAOszVQjhjQp/8pTnPhG4gJxHIV7y -ongCPoGLq3M3GFblxDXDRaEznZUJakqO5GsCF+beOx5aZWfZjQpF0zMxT68teaq8B7jJHgpczPxQ -ozlJDlOAEhW6vT0keEvUM68+KTEcs4f8SlQo1u5dFyJXCgpcYEnHoUkrVzQqcPETEx8CqXtSFrj4 -nFaoC5VnUV9QwX3D9fQGBkBhDFzgZuZkInaRYSJGOgpcMGRQrwK1ftqU8xQKtfGT+KrQzENQPoRk -/XRZjXowc02T3SIXuODEwimJNnAx8UbKOs8e7KgDAxfflktaPn5DNgVd3iIzqFhX0ik0cMF1fVFw -2Cl1fU29c7UvcNExO4wGLVmJp2MKXU+wKFHLvRujW6vAxVix6ZDHyKFlAbpe0c+tNFGfybG4t32B -C0fQH+K9g0gLt5h8rBQO9EgPKTBAAlL2OI9VBi7KfJGHrZIO07K2k/wmBqWoR+mI4SvstUDePcXJ -f4J1bIf6wMU4H2RUeGPrHjVSiIqbOej+Y2Tp9EeA0/BMyNzqEvEHLpAlL/VOWt8jWmwdCR+4mHKJ 
-0f1s4P1Ilxy44Lo3Y6QgAmh93jlwMfR04U8TSHYJ+721UXA8vGrcgw9cdC227xdEA39U4W/Ysvav -UQY7cJEZ5kzUnwcuIJj0vM8GZAcuhIMiW+evnQh+By4EqNZJUgcuFCVFMvUQc38BxBHvu0IEF4qx -8FywMGaNl5QEFwr5uZxKg5E3wYW4YX8eq7KD/hRVVHCBnZ3LdITz6ALcM+NQ0FUHRnBEGEclOsUr -u+CivAX7hRgh+fBmbfbD4HMkpQsuiobEtWPXHpDrAQsu0BG3thsIDGALLmbt9hAvRQ5fjb5et+Di -TQcFuqAgFfo1Qpp2fh+DgkBwMCHOWUGjpQsu2MRYTgUXfT6Z4KKW1RMhUYILXR1aT/VNdQ+BOhgB -ChbCyGl0g+jpCC4EYCXEkpmtaJFZ7e2AhSmCi2+fjVlnHwT3L9TVqsMOwUWJ+Qm8lAguZlxuq+hx -kLbPDiS4gBeK3ENS20jOD8OSSHABWfvKm/4xcFNwUXibl08TG5O9/CxGbU/+FxONwO+UOpmBrIIL -Pfja/mUdHQ4/MYi4Kq2xKsHFZ9cFjahFXOvLFMOy8QRl4/rQllJQXhu+SoZvgsw9jKOfQHDxhb1K -QB642LqWmymzHHz5sRBt52M+nTHAI0CCAxclCVWwB9uBC8lkOyO7AVKlpOJ0AkEVFyhVQrULwUVd -+SPm+Gn8wIU4Vmti5tVLB6NXMyesmZY2AZp1ypAHLhbk5hKIdgwWI/9HLiekEGgkRQcuMH4pu+Di -BCcKfJ7V0lR+WZ48eBQxOgzOxquBk/YDHrj4IR6PRaWt0+pvNHkTKHY93gQXhUhiSRhpwgQXa62A -HFssR53gIqOShMbFCNUEF8zeJ6cggKO1Ct5LcAEjaHuSnK73xTYwlq8J916bQEtSvL9ppHw9VYTn -rniA4KLysDaMJJF7Ro/gCMQ6FjYEFz4QBu29CTiWF/ZJjppgmUTvPQIJP288jJrwMBPkvFoct6zY -/OMDY/znJHopoyboNkkv601mtHE9PQkuSmqBfA5O9gq2IQDBxUrMs+w5VJa4g8WTGjUhRCNQuE6p -7NYHTEbNACli1ATbwzduYQApjwMXVtc3t5Yt39/kuzpwcfNcQiGodUsfUKsu9uaBC+XNF5wzaTRU -Q5SkHHlSIRk6Z9DxecRHmgMXWncLWWUITgG0I0wNXEhFIiYYvPL7wIVJhpX/8giP5f+EYoefxAe9 -HLsWHcRyxiZOq4c3liBA88EDF9AiuzeCLx02iB41ITfi7LJa1hWsWItLmAbbR+OK3KvcVVoKamXU -hFZ3boBa41gU5p6Bi3YlN0l4YY3RCW8ocFFHpsPDbGqjyPrBoiY41RSaRKmxaARwCgMXLaWkJaTM -I45dckVNiMuQd0zLyQKYqAnCUy55RzdwIcSxaoiU22aBi44AKeJNoKxLClx09FmLLHCxZV7sVVb8 -E95nSNQE16u3AsQxERnT7n7njQKfStQEL/AzA4IKXGQj+buhec6W8t117biPWSmiRA== - - - 1IQipvSjNqT3m6QCQ80p0G/754vYgoia4HyDfBL/tRBXyP/54vyswMUF5JK49cyg7IXrfrpb63n0 -4czDNSQww8pHh04GqCVqwqLkbVdRTxs3asK/UzaG7WPEYk0wtgCHj5ogqlpohxnnCEmSHP8W1ekM -aN0vIpv/FjcdgieUeCJKSgAmeiOZ3YOq8G+xcQ9GgKdRlBF+rhRNE3wj9LOM8m+xpdd2NgynXFXT -hKVjR/xIPqCIrX/WvwVHNC+8NE24uDLgT1vi9Rk4tcPxfc+wv2n9b5EK5NPXjv+IAfb1M9QuO1cG -wIXX+7+jOES7O7IboAnlBwH0qy+aaFaVNXzqzoT4xbSfIjwSjLG4ABdm2ZV/pAxaA0R9oAxJiLPF 
-ovWr/aVhBFyk9KMGNx56jQ9XjoCLEQXcV13Jqsy9ZR0T0BPe9COzxT1pior1BVzYo+/AG+1aEPtJ -wEU+nLLJOMEsiQBJRsNn27RZwMUGgfd/vi5zgItBL9idQQBCfxJEc9/NCnAxDZnbVbHuouKACyAf -rIPXHoRDp/HygItPWrdZYN+S2AEX4UKHLgYoZHgCF0IW9emAYL8qE04LmAQu+H5UmTxvTkh+ejgy -iCMFLuIyf0mefgIuJaQCF4zT+9qlIIwAm1ALXNjySWw5VXuBcFQ/l0DptFB+Q80/C1yYQxyUGubx -71jPJcQc9aPVDwLemy5eCjrwz+WwLx4DLrTQGKMkpnzRAy4CnM4W43MF4ZT5XAJtuoObrut/rvx/ -LuFuGwvXxD7L7OYSXADCP/Bg6Eig4AacAhfjbSdSUIGLVWaN/4Xug9tcy9YO3yVvEwduLsHE2j8G -SSDiKMG6PP11PKYtcCFTNnU/cDEen+P8p6+NPXBxtXw31eiL7B+4CAM328WBCzH0cBiCrCEcpm9p -QXDBPcQed0Vw8SK20d4nzyXUVV/AtUOMjeQDF0ej5lrQuO1/DmTBcwneEBPASAMX72G6vKRxu7uK -5xKWWVl0fhr+uYF/G7joD8IzX7wbkf1cgktnB5iQ7DYqAIsMIOXXSBLuuQT6QeHJP5egyVEbSjbX -rwlctCpKD04Y+0649w9ZAhfA3xbKgaKTdUhsmb8Iiio6AhdQBr1B/AwwlgXwewMuKnt4+e3GI6bx -asAF0RVC69r7Sgt7LkFQMPy6LneqZMFLFFb4XALW5E14gKu6bcBFiyotMmTwTS4hzyV0GndbdVMW -G3BxVFlMw9Y8LBD7eE2HkcUCTA/mUc0lFNcLwXKqWhIkNanybhRam0tg/FWq6gS2qVri64N9+tvm -Euh1raxjEgekAi6qCbnWXxuneWOxaFjHVR+lVmdOxJcIL4wLuMjAg2ptzRHrXIKNjVPYyiTmKhoc -I+CiUAqYD5FMEnAx8ROWU26xnnMJKF89m3OJhx0BF0F/SBa8JFDpNOBCAjM4blk8oNz83iilMiFw -IWzEdvcF/wg3zKDOJTj9ljr0MwUXcDGMzh6W0fHAZlQhYGpLwYUCLjAyo1JNtUS6N/lr180lFFeD -dB1ABBl2KZweB1ysXOFYjbeTAdzmOT3girLx3iHgQiWFUr51BVKrWfwLMq1ckxN9og1ArdsCbFQL -uGCt8u4BF9KlBC7cl6jcZrx3gQudt0GWbA+gJcR3vswcZ4GWsMDRgTJ9CtrXekUiuIhqx1VLoiXo -AVFA6tE/UL/dWnv27iG4+NhxYhq0Bu+B4OKgo66MoxWWglPRk+rARXFMGAqRkhmXbLyi+t25/+TP -OI/Gx0ERKFrCJZgF8kxxIwoc6aVXprpAM3ChWYZ8JdJUQ0U/L1pCz85PgO+8SUgdbEqxP4Eu+NGF -az9DtIQhT1sy/+ct+bXkM3BRiP9UAOwraRnREuipZu2BgYtQzN4W1aYspYGLUzl7WDQro23gYmpE -b7V8FBYp81cMxVMIvyxKkH8poSNZBDbXg08ULYHmGlOgKQYscOFwnRliI6xV6fRf0YSqqpFD7+VK -8VbgWT4mEtfb4iAFAy5qUQEXB+q55GqCAS6OlLSz7CbgYpepDptaQ8Tl0zeKkwtwFIohzwb4IcBF -zplHR3uuxPlu8G7YABd0yICAiwNvx0/EB1wgovCGWBpyDaWFHaMlsL6K/nSBxd0J+INqiuXcPeUC -vCU8u6PK4hIQUY/ftOWN8goPxZCKt3he7lC+iMMcBC42R227onOD82gJP9Yf0J+BTentrMLLPU9J -atqkyCLefRSRyjT1N1oC18+9b7kcQ527S0YKbzh1AheTl8I+B3vJec5GS/BVf3lXGrlWlyYAKVZH 
-S0Bn2IPzlG7XhBMf4EJBw+UYrIjFNVQEnXpW+9SSisvSA1wsv0jXXBVSGhXg4twHUVwhqGtrvZNN -IX79KpqY/CgnOePC4C7rxi/b9B7UaAk9Uf5LqDNNTfPREvJLJiPI2IjgpcqN4I2W4KEtWIljzI8d -LaEcWMLjrUay/f2o56Ml5N4VYNHKz6KaGy3h7SMFjJbQPk0j3+OUd7kHg4Ip4Xj5TA9V1/KtR0v4 -eBhKsMctMW9CRQBcvNf8YohJKMAALuhUjWljWWUoSkGiwyUJsgTMDuAJ4J+YJgPgQu7jNDGFbV/4 -KfMQRPth25PqTKXS/xa1XFNIYvW6EhDrVrU4MB+IaEep7WwlXIAGkbOA41gJ/i7IlCqEXt/RM8b8 -t8CkBAIlz9Lrx0qoFYDEwIEj/8ZKcLnR72d02ftYCbfc+tkkKxERy7mRKMZKKKf+y83E0Tr+LU5D -5aT1pkpIfeqO+2CxfwsPJ4UM1/Wbs6L1t3htAd7jwwCFEzpKGCv2iZXAl27pt7POJlb+FjJH2q87 -k3Gf8POg4fkPGzVr0acFNvQ+ceoD7EP8XBZXcRY+7gp+2qzSf4tzT+nMKPBgWQuVQDgZeTV/5kRO -6ALr4uSl7BplfT3+TOSUsExGwTsaGUNgb7l8/O6sPwAuJgg3GsTFLPw+yCnBW4HQtsZ/i6SR8DAt -0EC+ubgO9jK/vjGnhCS0enmih6/O4VRPnRJ044YaCpNRjFxGhc5xpJdPVQJcVInSj9iOOLZQpXPL -C3DBru4U3l9V5JZZgAsB43U5X1woYks0wMWMSSPDL0jP/qVD5pSA/m8M9NlFfeqq8HJKSDLjxC0D -K7yBnBIiz5cn0uTE33TklJAr19+LJ8AFX4K49+TZwznbbcA5QudsY5PRzROFUsIn/qNDCbiQD1VZ -UfmyVFcX4MLkmTsB990twEX2ISaLxFxSAS5Qo/NkznKyFzrRABcyOU3kIQsCXAxf3x7B/1vE7xYG -zWiOkPpcgrDOmhwo+H+LGvyx9jtB4N+Cm6Iayd4MmeysrU+VQfeZ8W8xN1rYW3S08HOc+bcIvwRN -LAnhsn7/gvO0LKCSkE1lBBFOkF34twjaJwkUAc1FsvkS8G8Bg1SlNjFkuuDfIlTpSm/R/WSIyh/w -wv23qE0ouletfQyEli839PrfAiTQQFzD3AJjVd31YP1vsVxc0BkJqCyoQsxIMKHndc7YN5tXkGF5 -Fwnm8uRDKxH0Cu3sN/xb6EhpY901oP4tAC6RsNh/IWp5JDP5dYZ/Zk2IBA79ngnv6UmDZf8W8uFU -Zp+dTSc+i8/CnST3PyHBn6F1PpzCv8bYthBHhn+LYyT136LP1TdJ82oVhAsYkBAt2Q6VRKSwDYWq -z1l9ZuqFAHDx7RA8HgU5NS2YOmQ7++7oFgZwQSU9PCp0Fd7vGZvLzJRR1ogL094crX/CRXFPna7b -4mhPpt3Zs0S8Gc0hAReSTAhZJlg0Gh4h62iH3hv/kCpAJt0RRKkVCtqMRm+xIxzNL+pIYr+v6+El -azh/0Xh3UxXB8NBFARdfofsbJvIHXOgF4eS7FTlKvZugBFwYmvQUCo+Ai9OPHOrtrz8OpwDSkJRx -CQRcsHowfGPD0H/+b39ra51rFH3bhFv4IuAiIBJ8YNMPR1LMRCP4orHRhmhZR2SYM5kmBgDgApGJ -3wuktcbwI2WEftVrBOVnKKcZZIRgkQXAKD5GcBEJTjommxlFyeJlo7K2mW3eJ8MM4EKlrnwcIT8b -bAAXS/LhnfS8tdRQDKNsqNAKwAWjuRWUnhV1QbMIA4/haSR9ZX0iJHWwvY0G6H/TwQLARSGrpYcS -s/mD2wIgQf8WhxLgb1HuNVxjVtUIZum3mK3aTds/+S2ifrQxtehBxgKdw8VvEci3d6Xi/BbZGUxc 
-tazKqfsW4u/nlMgE5N/pWhNWJNu3aD5jqES0mgKf9i2AhOX5y4xYJ2L7FoeoniLphHXfosYL2mXB -rQeWACXTpa1oRVbR2lTvW5ilbup3aj7Jckgn4eN9C0gfgnZqRCDP7ynOfYsKwPkUvQFE6KmEBSAk -EJZuEt7oNbhPum+h/iz4b5WaRpAyeimdIKd1VES3oHTG0Npuio/2LY5U1bfwSPzSt6jlOU+lqnjb -ByRNKjgEW30CMmTcbHQPDslsWpuRezUgrnIIxzsIOoKDml/Gdr4oaiuqedQQIv7Tw2mIGkIUv7gk -f7cwQe+SoJGwtnVN6luwCO/z6EuKHKxv8YbI/pWsYoj3vE0x5V3RliHkV7sFXk5g3q+mYX2L9iue -DrrVYqEkEPP5FvYHcjCgNJa6lMhPBExqKJ+0LRpbT5dkxtKZyAhvvsVWSvwaIaqJ5oUg3twg7PSu -4edblGs+t2Nm1IRxvkUEGE9iY8i8BCLfgnKtlPWoiKkqBLQeWGgz/SM0TzoTt5QUmRZro83EId8C -Mo1Ap29Rm+9fhB2GoLjCWe5bfvyCK/QtmhX7Z7UaKSKCvkWPXBJ/+mjfVsfYZ43jpG+RlUkQsInI -P0nfQvUaVUoHNG9iLcVLsn8pHY+7v41Nx3JM32LZBYM5NKnoW1ScqBJRUH/jYzvaINSPqND6wfHg -s4z5Fmg7lq/vbrD6ZBCaU6dDbUPzxVZxEwMG7s/WlfBLFmk2pMwT687vFJuP1XkFIVqtsB4x0tBa -piBwsIbgyZgYu3X+HUrf4u7FMSzd+udaj77FXjZIFEHm6VsoEZGFQ49v/nNVxwBXp9RWrPoWhz5F -AKp0IScOBPQfP/2D4Qsuw8tSNBBCryNexmDNseQnKwPEm67HbQ9AhJmawTCekL5FC424DB7xgGDR -NHC7otWZWJYPYhxaPOxbANPVEP8LDiamHd8JUzRxKHdBunyjSMu+RSeBH7LufVZyuAAMu8tTkV2S -MKnsddm3QN8wO8JEI6X1LVgJAw6sCJX5Li7rW5T71r21DWq3pXCaoERYzhVu34rbHgj8ZgPiiJXS -4H9MpURgnHihZMxjN7A2Y0v4fO8snVQp+xa42lmTIo8rwPmBy5qQq1kZxhtQR6nqjtu3CFrxA63S -cb49VENJxxT4gW+A0SqzxSSrKX4LdZngUdb5LT7IV5dUs5MInP/jz97Az3QnPHYLV4iVfgt+YdIS -Mq0O1gc0j9Mv8bdAJ18oX348VCO1fBK7wR0/rPP6HnXcKtzHrKQDxXhzkPAiKznViw== - - - Fn3TvACNYS8bgvVvEYglOK6u5v23KIoYfugegBjpTnyQESsDXL1cBDEmSPobJJEKH/BgFYpJ5Opc -YhRhdxCa3Fl+HlwhIOvfwstgPqJb9vhI90OpSWbQrVQNSaCCuafQJGHlDPtb5EMKaweWKUQheBOw -RwNsu7/FRhTCXVpVJ3voR8ytkq11Os5AY7Oyido6+lt4myXwNb0AvExqRSscFVTNt1Fio5VZekDA -pE588H80zCkIFXbAH73wt1i2AgAUlKvROokiVyZBSa7jp+RrSYkIGol9DfB5EDUxyKkQhtM8rw99 -Pg9i8m2fm+LIW47lwefB/mkOCajzK1rg86Do/3z9o0oihf4Wft2zXvMpN56/RT2TzmSCog7TeH0o -Yw9BSzPDST+pzrXG8d9vMTtGzM83YtZz0841vb31R+O7PQWuzMFcZZ8Hto6TYPGELBz/gyfHZZOM -OdFGGH8L8VMHw3LOgZM+D9gozt02JcvH34JRY1Xqk+1EWUDxIZFRqECfB+WvsenCAMCbrraxv8n7 -ba+qv8V6nbe/gwDVvsn+O+3zYJmx695WYKgBcH+L80exc1tFTJoyKTwnor9gMABgAZ+mfpPo3yLT 
-NBOoVvJjeR5C/VtU6qQ6lx3b42gVMqQ1XLMvuVC5UcuDnJy7WrlkRN8dcS0PuL3+LVwPz7I9H8zC -vwUwpqjPthq4pM+1PEDUk0amOFoeqLeMGWqi4qYocKT/FuOb5yZwvf8WYt9Euon0BhT9t3idv/0J -Z3mgD/VsGC7vKHVXof236OWwQi/x8d/iBRzxcHUYiANwcf3jWKZg/wqju4HF2mWxjKammywPchvI -K//fIumQWbOcSmIZ6YYsDxpDnukbgl0WczYpqn+LP+05vNvsIepuZsYTS42JdbM8YL+P5AMTO/u3 -mAuEZaNkswocszwQhYID6uGNNHP+FqV2Bmhp+y06vz/pn3RlWx7Lg03EzyjEog1yR2YEy4PzS2su -4x+A5xcDf5u/hb63/57TM3/Q39+CxS3jjbH2R3Hwe/4Z5ttvagrLA2GVfhYFL9Q9cQw40wn5YKgo -DqP+TOl3fydbazv6r5tmI+W63d1pjGdBM2XA8oAOodW9idJ+uwDuAx2ovHMhbc/YAY5Qv7Q5NkpW -rp/3Z+bWEeZLXlae9ir2b02u/7dA5gR8759YeeCaJcuYcbAOXf7S/i2ArCQA6Cj0ls8HrTxY94ir -X3NBcKytPIjye9iNLDdckeff4lifdTsH7lGmAYgr5G/8W2ykxbBjy4X+Lfi7mFQFg1RRSbDygLgg -iHfyrRICtRNQ3vxbhCzdBq9iBBIELWIrD1LDz+dT+7fgZCQpPZiw9WB/i0kcVjlr97foP1HoOVoY -WOq7P3+LeM08TIp2WZUHgrASagpmJlnLTUnP32JhXxO295QxUV6RabBg1nNQdQGLEQ+7GyZQYDDA -wFz8LcAOYKnzyygHxudbEHkk1FuwZBLegglgptgtZiuYfG4h8oLpjFvkaDDd2wIp0NujbQG9Hmy0 -tnBJW/gBZwtwsoUyWUJB1mIzCPvFa8H6GizdUSVdC8u6FgpGmJIAZSWsFIyeMNamBTmFKVEtHJBa -xP3TQmDTotDSQpmkxWOjxUBP2E3TQ50w3C6RExZlFn0T5nsWozOID9KE5XMWwSjMvFlgVbM4ZWYR -DrNQaMJsXRZCLIumozAUTQhFYSGXEAprMBZLIwsXKKwlZIFnwbrHYlCPhQpxLFI0FqBfLGpMGJkV -i4uEoSYWFu4tDBya0XSwtsPiMKx6IwQtTlJhsRcwDwKLEz5YALZgodfAQidg0Xx/BRmFcfkVJisM -6Ss6o7CBrxg0YX29AkhqzisO7Sn0yVW8IkzBxLviwyQYQe5rwo5uRd3UDegK1pJ1ucInBcM6rvCZ -MDBfVURhx5DLq7BvWCs66K3wHreChLYif3xLfK1wb4XBViuKV61YV9hnWkEztMK1wnI6K8iYFS+g -gQPKCsUV9pMVo+n0WJEV70eEyRUrYCXfRrHihJ/AD1eYRoCHld8EVhxXWJWvIvIK8wavAhFXv+Lb -I2U3zEXhwuqt4njFN6xbBRC3Cvrkm0+rOJQkvunOHs9xhSlZBezvbQFYRcwV7aGk+fam1lMxl6rI -PXsLThXupAp53MQ73frCQRik3fXWBargj3rhzQjjxlMBFSJHhZ2ZChxdKmRUKpoRhi6p+CSkwpSj -olbCBkYF74kKoIcKtkKFsBhUKAMqkhIm9VPkXoQ5+RS21VOMhqeowE4hHmpv8suxDC7I4LrJX7U3 -w4LKjgIbQG8KhDYFAaN6nDCq7WMTprKkMCYthQUz1JYp7K7NfjUFJqmmMLsTBn8lp7C9mkJFg4Vt -fgpzDDepaoqKgAr7IFEkVmeVcArbmViYL8plYegCX1Zh1ycFh8dng8327I8XpoVimEwJ047k7zU1 -DIN3w1ibw9K8wwoZPuxZQMxxhRhtT8R25ojREX5JDI5LjE5NAecmFg0QBopZlxRzDnCBmpisZLEr 
-EjXFoi1mnqYAu9jMf7GTQIzJGRmTvZ80Y9I0BRiN1RLwWvH8drHL3lh8vLFM6RvbSKnYZ9w44WDu -dCxI6o7pjfOYrwMoZNj2bmyWpjBnkJFsvMqqh+zhJzLrGEt7IXsJIRlfLskwQhK3dZfMe81kUKYp -ej3gZAY1xeTyZOEYlCUfnO5nnVayPzWFC8TkcxeHs1QWJ5VZ01YZdlvZSk3h/MqQzoqpZNmxXOdK -Grd9KYCUwOot0YEcLlN8Uxm46N94YY4pvH8ZK0xhoxU+x9GtiZOLmB0ymGIYhr0wMvuCKaQsM8Fu -Yc3sUfg3mALKZyYOpFlyRs1S0ZqVNDbzVraZrXWzT/tmkDDFl+GsCaaojzPjwJx5pit0ttuqM1nM -zsbEO9NTPJPjzjMo17NrwWeRwBRDPHw1xwjCFNQtIkHzswmmqOHUZxqYQhM+k9pdMEUX7BkSpvCe -Z5zcXITxDNE7W4LDwGAKlZTxLPERt3cmfIJDUuZOCGFFeZh1CFPcpDzt7EjPzl4K7wwHxTMWB7E5 -5fbBFIGeZ1oDBIM96/EKKXzmWeaFKQ7UZ1WVe/JgAFOWhimW2WckUytyiClOznJ9dpah0hym2CYy -ELVEU30dZ3YpZOtSLIvPji0FFw2fSQNqs+qzIJaiNT+zWSlCUCneoxSj8Ekx1qTAsaRYGUkxoZFi -iEiBE0ZIUX5ZbvePwvP2RzGWqEdRyJ9xY0fxV1pmHAV3VBsFEo3CARnF3UVHgPxZhCa/KB5/lmuL -AmH3lhO3oggjRfHeRLHfZ68kivlIRMHwswdEwWVhOWLAHYoV4C87FC51KO7YUCyModDAz7yFwgC1 -UDTvMyILhdVscltY7Ago8BQ+TRwsKBJ+pkdQSBEoPfeI4fkzPhAoiBzOzJ+VAxQnOAVo/a+btf6E -bIFW9hP44yda2ife0Se2KNAO+sSYQOvxCRigbXzi0BD/4iw+8UnPmMQn7gk09BOACLTQKvGAlrkT -feqBnvDkAhKFyxN835lyPKEXnkg40Kx8J9SA5sydSAc0VTuhMuzEG9DGY50Y2XEfA9pdnagLaCCn -E+WiEyGeE9hmTtxVTkz/7A85MYb/LDJOoP7ZNsQJ8J8ZPZzAHdBEgxPRfhNvehM31k0sAu0obkLN -NoEJtAn62IRKoJkUgNatAFrJCdzXRO2ueZfog8rTEJd783OduPaRsNbETKA5spqQCZocNZHMQVPR -NAFiQms80sQXC406ogl/DQ37mSjzoR3rTIzUQ0vbTJiuzET4oVlcJoBTJiJcMqFIyER1QztzTFBh -TDi/mAA2MSHWYUKmMBEHRLMWTNwCJuglc8L5JU7JH4wbGhoXGquEZigOmpEbYa7hS9CWoOGePgfN -C+JLbEhCg8LboL14+0vQFJxAs3wJ7qt4qQOgOZyj4ksExH74OIFG4Ussl7F/OXkvcfrPeTsGESd8 -iasEWs9LeN4l4mUE2o3a0atLABNoEa9ZlzhrLiEQWC6BZAi0THY0gcaHuQRQmksMW1yi4C0h9GyJ -Q7XE44lAy+cuBz20RNR/5qZ+pmafPXvQEmN85i9LDI19pmb0ffUza1hC21dioStR9p/B1kq8/xko -VkKSVUJ1/sAJVokLsko0AFrlBNBGrBI2738vQAMSQGOySrB0Mp4EaJIXaLtVwkYDJRr6eQUaynoB -2okBtBeuEur8/yZdJQZUJRTMS4UmkEIAza/gxHY5+lIJNgjQMKYCzSqVAE3QPhSnUdB+NK2g7Qm3 -BW398OWOCGh0qYRbiakE3+9lZJFIQMZX7s9Y6s/UxqkEUeEs9OfP5KcSWIAWiUsFcVdOJW4KaG9T -LgFNnkrYfhIHaGQBWunwBmgaqgTxIHgqYe1LwJxXDTQ/WNC0BVWC+lSi36gEsNNAm0JAc3YDDbsF 
-7fSU8PigQZoSFoXGWynRzjOZ8zV4G41La9uh9Rkl6ohoKqLEbqIZhBLiVTTRhPeb/qIV5e5K0WhI -PQleHM2zk1B6NHOcRHwP0vQRNHW7jLSSix/Ji3MPmQT0J22PjppvSKUhXBKOLI29kqi7tAFTEsPn -zhU9Xk6Y3CLxZtpOSYJZ05RFEvs3TRQkIdBpdh6JiKeZcCTw+rTwjMRNNlBD4s+U3EWitlDDUZH4 -KdA9SyRAR20LkWCZ1OwcEuOlpmFIKJyaPSGxZg8SPKgGK0gUSrXDQGIsqVpfIGFPgETeqon8EaKx -mg4/4jkfQV2j86r3iJmd8CurpXrEN/MI56qF4RHQslpbd8S51XjsCGtXg1BHdP2rzZ+OGIm1iOcI -KEn3VI6IN2s+4whAWqsHR9xqjdQb4aetgXEj6t7aBNyI4biWnI2AQde21wjus+kIGotpS0x2jTGN -wAqvzaERXL2mdEYM24PKjGDxDg3XNV5lBAQN6gZwHfXoUMf20fuacWFzECMwiO0cjOBIsQmDEXMZ -m+4XIcqOTSzBItr+7Q7V/esisE22Ji5i8XARFmOLaPVZhFZnEVWxiHN4RaysbEsrQtusCKfJ1qoi -GKEiVs8UsZHI9pgi2EcRnh1bH4qAsp+I17GtdSKmIVvCJgJnso1jImiVzdYSMfeyOSkRqjObnSQi -/MDZhAUJ4tl+3YgYDrRlFxFgom3ZIoKRniISEcSmbdwQMU5qixoiUKvtRYigsLVJBBHj12b/Q0jI -Nm8fIhttk+0hsLYtIQ/x+yuvezOc8bDbunQIdL0tXDnE/dvg4BBOhBtK9aO5A4rG7eOGWCM3bmO5 -VVVza5rPzTRwdIPC6LbZpxtyG+JfrFvEDdEJuzlo7aa00d24+24rNryR/fEGBcybFtDbmRtCn3qD -aNkbxA2BuHtbfOLbZ7T5NrCwvrmDnNwQe1C865uWK6AbQsMNMaHzbbX4FrJl+DZUyg2xBZWi1lNT -3RtHuTcLhG9WNwRNkJrtkpS+LbshhO2bRFk3BJPfJtF+O8O3IDz/NyIcAedqBO7NDQ== - - - ITVwDm6IXCM4lV7BEaXBbXsPLlAj3KEnnNnHwoG5ISoMZ5EaTgI3BKMFmi/0tZE0oBl19VfOmIZQ -dYYY+XBfyhDqYgjTh0uCIWA6XJkX4ggXwqjDZZ6FgJwh57xCILu7qiqEiymEMEMh1DohnpgQXLi7 -W0oIaA33QUJQOpy+CLHZIURbEOI3P4gtfbjvg2DLgzCIB8EAOggLnGA2d3czpicB2X24NJPnIGCO -DmLXEHfVh2uqIc5bH45KB/ENQQfxciY/HCY08T7cVg4CMPHDMfweApCDEBbiptavHETwiZd3AUOW -SRlxqzkIXitxS3niBq2MEDoI1ikuebLiiXuNpzi464tJB/EMVJyrpqaZn4OYYJyvgXziiA6iTE8c -uBKnhhKn6p24n+uJo+wjp4OQTtzD7p+DmFHiLnQQrEyjdBCKxS6sthm/cLGyBpFciXNyBgFL9fQs -BjGpxI0YhF0liIRe2ShxyAcCJkEXxKF0LogedReKOOq4IMDq9JsijrQZcXwgjHgLQpvlT4krkZ5e -AG8KEbgggp04E2OKU+3ynbqKRLONi5NEYIJnKqqcxn3IoLVX3ZmKG5H8OByoIEeDQ06Li9z038GD -tCRng0sOCTe5cS4I2U+OEKScShOVaw96eAxyRyiuC4JMlpMAmGRbzqG+QLscKgRB5A/EC4LVTeiw -fS+Ix1KOas0c7QvitvnMXIVoDns1p7ppc7ztzS2/IDyQyBdEJWa9IJzvDh/Pq3VOI706B4O+gmvb -rXMXXhCj7/FknJavwu+z49cLAiaxLwi2zZxRVbJ1bT4XFf7cIVO1x3iMc/8XhAch0e0s9DsQ4gJd 
-hMm+OMX+CHTCAhgE74BuRZQJdFbyBTpYbkEgzReBga5sQcQoBk/z54ikgycpbAUh9n7uxvRBP4dn -ifNzNQOR66gesiZB4IoggLsCQUwaHD93gCCCIJvuc6WCICAXiLmBILpmUmxoEel9LmPCcdl+zfGD -IHoAdKLTbPY5n8VXhXYYCCblOBCeJWggVl8gICBZGULnLJ3qWoF4bD4854x4BUL8BoxzjItzQfs4 -eZ1zsgLB4loFQogw5+JU52gqEHC8c7EL8pznqKeM4XPcBwian9PrgNAzoPPLgAgGnZsCAip0ERAQ -h4cOvABhJzqwn4BLYHSBOMBfji7g/+GDdE39h97aP3iNy6vkH8qZ0t3ehrDh0gXpD+HLdD76A4ab -rkN/uHY6evzB5k/HfT80RN2r/TAjdSnWD2hN3R79wKM6teaHZdUpkR901OoEyA/BV6fDD2hBMPxQ -wQzVC1xEnUD44VB8H9q5DzfVPoy+ujPsgwPrAwcWuY+mxK+OED6QtKz5sC5g+TCPfFjzGh/GiPiw -5Ks7wgceKBI+eJaYP5ZR+OC18MEOxgk5ePnreijPPXD19iCr9qCBdc7sYfCvzj/sgYEk7CFwcz2I -AQfWw4DFtrodVA8AlKbhzoqwVl3plYcrFUIPnnPa8zDJefhN8xBGNA+qLw+VYnmYw5OHyciDqsdD -NVsd4PFwfnU448GeKhUPLAp/5UM85DudM4aHkpQJBWAD1iEZeICQfJLu4BGIa68ZQqk/ss132Kt3 -IEAkG3sqoKyLzA7xHBy5A7+PH4wJ7hDeUCfrdvhDR+7xKDGtg7UOdOiQ2WHZYCM7XEvssAJ2uOJd -h8mtg1rWoWpZxwFXhzmnSe+pDq+an+fjKXUoS7llXXtQh2Yxul/WMU4HkLy8dDh8nC8CTDpwQp12 -dCA2p/WexFJYdzLQodoD22Cfw9zOcyBY5+CDkwIIFjOWV4fmED/mgOKEddyXelNAB3WnLwfJ0AJW -bF8EPA4Zs04hKQctn5nGKIexJofIrFMkh5SHdZ7IAVdYFy11PA4B3zgwzDhoZp3cxQHdrHtRcSDF -OmGJw0aIQ2us4xwOSxgORoHPqwoX/4RDhVc3y4MDW2JvVXCQMHBQOgGHx/6GjfyGiukb8DbwDY1X -B7ve8OnVMc8b7I2U5ggpUPFBe14B0LthtUBjXWg3JIt1srrBLbrh4svcEIc/yA3UEDcs5HnW87fh -pt0GoG0Dg2yDVpJenWe2x+ZSLbWhdta1pA3WBNqQr3XqZoN63zqhAYKh63r8QuJ1tHwNBLxTbFjC -ycKGQ6zjAhs+V+yQRgDMYxfguZ7s7rCGBmbHvTVUc3azWsNIaNdj1oBHcntYA3XVzulqmF47GatB -W7bzp2oI2nYiqAZalxoO7HZ3gyvWb3f04jbc3TQNFVA7qIE1U3oaGGvnxGmYT92pAUgquyuRMYSc -YTIaiHjnNGnQ1bwzmTSErHeSku+dNaQBhI7E3jjo6j9+V8pouPm7nKJh1yAaTAK8jqEBoMCLQGh4 -T/DwgQbn4KH+GdoAoT7D0Nh2ymbPEOY7Hc+QJTxROwMCrb2LzoAkvH/kDExTneZvhhkJ72wzTOOa -gTd4szQDR4PnAc4MQ+92nUIHPw7e2cxgKeFhBJzwaCW8ncuZYasJT+7MMD3h0fbB61SD8DJK4Ymj -8IQIJcfwRkuGB54Z9j02kN0phscjtEqH964zA9Mk8Xi5It2WSO6KeNJiBujEe4IZOFc8zPjiaQcY -wW/7zfDKIOS952UQqWrkCVf68lrySlE/eQYe9O5ReVG8DPCutmN5x2hQYpe33mUoaGIe+MR1r9nM -C3wUC+93nffklthlYNuHD41MOGnMM7miR5F89JaW0osiM71lvAy3O8VMK3kZNEU9XS9DrFNPuZcB 
-iNVrTVgPt1rPoigvg5rrORGE7LFco94LXgZb2EMqAFOyrn7EZY+UgvbOsFJ7Rbxfr9luz7zLQH8S -9y6OzrW5V9plCFn3XPK7p9xlALjQe4PrRHzRe4HQ0DC+J9JlgOv3UjfgkzGDT4MqfEA8fDsvFF9O -dlSa4fGZapHvUScfPuHIlU8MMJ+ENJ+wLgNaOd+0y8AjZx9rEKCC1bB6vnaXAe6g77PLwCkYffJT -hgTwIcsw8HxqToI0J4bDnF/Kj729YVTOb0ep4N199kEp0D4KD2bA9QF4RjP+bsoAj8vwMVoG5StD -R/vAVhlu0j72pgy2jc0bUYaxnQy1R5PBXsmQ3yMZGGkfCsq018gwK9rXkfwhyxZ+3btCCu7sBKJL -7P1jcH8/Bu59DCLwYyg902wWMRyDPmBjgP2MAZ0xhhLtQy+GV8YP0a2Ki3E3aHEVwyuKIU20zzvk -u7TvNRLTPsohBkrtc/0wELrHoBY3DJNlGCLjwqCqfZrCMFLCsCoIwzcOhilq3zJEo9pnR97aBxdg -QKLA8Fz7bgHDfPRlBTDwBGC4wr/wfr/wNb8Q0e4LAtxn6gu69Hz5ggjg0ooIX8CYPsm9oCv2wqiJ -bR4vvGF6geLto9F5oaQwdkV5QXv7vHhhEMELZ96FaeEuBHh2Qbp9zuuCTmPVBWFZpgu50mcMXSgg -IUaTK2/f3rdQIyV5coG7FD0uWFj6qOKCLODE+iJGzRakBFw4jG+h9G6B0txCad0WBm/fuS2M3b7i -tAWgt2+rsgXmeQFksAUc18IdC8L/aiHc1QK61IICTguzN2HWRizBmOtob4kWLkALPN1ZELtZuCiz -ACAyC7NjFl7OgBSzLNgelAXcAXCyo86wPSBEWCwoOHslNtKwcDil4/WP4vH2rXwIFg4zvfB2+7j/ -K0ALAVzB1l6BvNs35BWs7QpC6QpUbh+TK1Ro+wYAHsx9GUq0tg+6rSDmWqFu+6C0wtf2kbOCCJMV -vIoVcAVWCJrts/IqnMZVYKJVMOargtWqQt9UgQJRBUPbl7tTARZ9VibPn+2DoqWly8a1fcOyfeay -2c5IpgJj+35jKrDtHTu2jw7NKcQq60e/WaZCcZRBXUseU6FyYPv2YzXAVCIoXe5sHzq2cnLxte/I -NHaC6qDBDeraN+5xxZ2R54dQTEy+ZfsSUNKxfeRiRmAqgO4nrnTt8z4JEOu7tfbF9EuFBJcKIDJr -VlJIS4Wr2leahr4AMPpUUe0LDlKxKgrWvrWrfWrUvmM8MZYKxzAEWn3E1CUJ6Foq5An7pcIfwbSy -DlMB1rSvQndqH4lX+5ha+27gVPsw5NCofQ2mAkhuTyq8xBFQknhU4I0+BTa+osK19gVDBXsWKpyi -2ncKFb6WUIESU/saiMtkMFk9XaFCQADY+k/t0xa4HF79tO/ACxVmTKjwBqh9M6mH24fNtE8uWcM9 -QoUICgECEypIDUaokHxYP6HCCr5Q4X/S2KmOBjMh7TuFCmzQK5rjNixjVg1CjvahhExvtVDhlMHQ -vpfHgsvVWiKFCgqpJSooRoCsT4YKyO2BIkX7vAaZsDRUeAbta4wqr8BDBezPnwZ9xQ4VMuShwkhx -Wp/mWD8FWX4Ky9G+o3kKENgTZGmfK3UKA11bUzoFsuAU2NcUDJ0pVBRTwPJSaNI+7CyFHVUKkqEU -kpgUWCyPFDrUPgJDCt+kyONdSEFxtS/xUTgHaiTWUr45Cm5WjYJbGEbhi0Vh+kQh6zVHQLUvox1r -3xAjCoOIxbWHAuFys0LhSYRCmkEBuyAolLWPDyhM/CcIoX/CLP4J9vyEYrUPWn3CRjshU+2LxSfM -KHyCRvAJtd900rkYa98fJ9QK/lqs9HJ2QlJ1gsClaTicGV5swsBxAvnaBwsnFFXyhGK+CWPt+81N 
-2F5tAiVsgoY1oey1D7iacLB9nNMEi6YJEoZpAsnShOdApbsRqPwS2p5MqOYxYVMxocAwgcmBCWt9 -CSPbdxovYf8kEugS/N8SyLV9n7cEbtsnVkuoMUuohiVcpSuhjJVAQZVQhdzHg0o4X0qQo6WEmUYJ -IkIJ656EVctJiNIk2MEktF5JmHaSMN4GKfc1IoUiCSjECnjMAvMLz9KMBJ2KBNwhEoSU+xSGBC0w -uu/6IIHvBRKm577zR1AW0UcwkD0CsvEIeu0IbCEd4U2OQED3ATiC9zaCfNsIlrdG6EgjEMSu8EhG -QM99WmKEU2hTBeIvh+7jYvE+6XcRWDQMZZyqxXcfhBdBq6q6kWbOjHJxhZgXIecgGZE92YYXYTg+ -FXneRZiodhHaNK1Svd2gB7CSJLmLcIb3xW4RULwvZFmEr/qpkXI7argijOJ9g0WT90FXhIUqgnCd -VATbCOkk3qfSqQjykyrCQt63zBSBFb5lDUWQ0YlgHhPhKFHkfS8RJQJ5xCZmTyLcPSKwoA9bfkOE -nSBC+30IZvIQ9ukQYHAIMvS2KnxD0Mz7DhzCD/Y3hIa3qsn7AAs4BPrzvlHlT5VDDlHeR+Mz77Ml -DsGXWax01OV9t9E4BPy8T8ghLNsQmPI+svcUYjxNeJ9HERFJQ/Dv3ZfrjoYw38/0O7wv1HefoKyR -hvBIEI/8cvfxRBmaaQj3eO8LlioqZO/rhFVWWe8bUvY+81QNwZ3tXGRtDaGCyTl23fukGgLS3ldu -FOy9D7eGMJ7D97nc+zbDGvQagm2pWUOg/Gb7a7uGMLCGgKUZwupSPURKDAFnFwJEFg== - - - wpIKYY6gECYxIWh8n/EIgYAhhLIPgkbyQfibzz7LOQgINQiQMAj6fJ9hQUB8358nCCz0JAa+jxxB -uGx7AWh/IIRsIMAtEGKSQJjegDBJQACUAKEBgPB7/yCC+wOXtz8Y56+1FNt+UPg+WvrBz/dB8gMv -vo8l8INGE3ol3j4oXR+sKJvLY+R8sPF9/8kHZPJ9lnww8X1e4gMd8JMAH1y8ewC5PbBd9oDXXA+y -qQdcpQcygh70K/Dbii8EzoM58Gt4eQDFeRjq8qBGyQOM48HfiQc88ONTeOAEPNBR8BO+A7x7B1d3 -BzHLHWzH7WAGfsu0A5fKDsBgBzDkOtB/rANJ8FOoDvJPB+NeOhgHfnd0MK7RAdqEDkTgZ73nQPOb -YJdzAFDgJ/zzfUa/pn+yP+fQHJR+OWCelYPtKgcr8HsmB6sNORDdjgMvHQeliHFwheIgAMQBqfzh -oLBwsAj4LRwcLLvAgYm/gTTfoLd6g0l4g0PZDRhBN2gCP/y4wRn4Ib4N7AQ/qLZBqLQNwtUGkoKf -ftEGWiZga2gDHGYDkscGBoYNlr4GytI1uNcarIs1qMhqIHxUgxupwXOKBwb+NJAoy4yZvCDep8EL -fxq0qN0lO6AW/GbK4EcfqMEN7uapCj8NWAa/+Piq4DdUZwh+J4AasB0JEswvQQ2GPw0GwQz8Jiy9 -sTtQg5HiXLwViwt+L2Hw0y34gUEN9OE3+FlWqMHDcfAjQQ0kPoOfwFKa0oEaxH4amHDwy/XlEeGH -bBo7+MEBNWhuJzT+pwF/GwGRjZn6I2ctDeTB70gazN9oQBr8JtFAPaEBRoAG7D0DpeBn7gzwlzMo -cDMogh88zWC3MgOhYAZV8LtxGfi4HnjOPWVg9mSQX8kAy8jAeZDBpRBkAOUxuILH4I2FgmMPRsjg -Fw1O8CvBjcEC3hjUK0EI/DoJx+DQ/8Yg0Bd+ExR+irPHv/AbNgabW+EXrMnuyBqDYwyK4bezMVDt -afhdcvgZs2Y0/Aa2MdjKfuGk8cbgzfCbBcwzRpoLOByDUturVw+LG4NSxY+WxcekiR/3xsB6FcXv 
-9mXQit+MEAPBMWCL38J//IZzYzDZG4PIURCOgSiRBRRSBn/6UT1+1MUAv4rBCSYG447ftsRg8Sek -gqoMBxjsQQwau8PkhhYj/8PgV/X4wSLhMh8GflvuvMb6YXB3XKI+fgNNpFXolXdH6V4m3nePn0WR -CjKK/GggBvXfGG3k1wtiABdmxo1RkjhaUkd/wYchBuQkYmDEz48qYjANddI1YnArYoBDxECRR34q -BMmPS8lvGpNfOoeSH7au+yb5GZcfYvAZEQNuixho0D8DzLvZMWKQAUiAAZfff8F55LdzzyJ3hvmR -/CyQRwyA7tJM8yL/XyAu+SU9DCCYahE0+fEeKXHlBdyHNAxqnfxENDvKzxOT8ru+L/BSNEyh4rrf -i2gwsCIYIAkQGEi3NOX3OGBAQOV3kfILGeXnnsCA2VMOEBgEzE1i9CZTkUS4AgMjo0fsc7VivSAE -fwFm2AwH13yBf+1iWJQfeUGTdy8Y9tPM4b3ANF+l/E6scVCpVX6X7gWQY9wL6vb59oIFWH6bEreV -nz2Vo/ID5QVG8IKnlN/y47eLPQIkSGAXuKcLCPRc4K1cwFjHBZGUn1+44M63gCC6BfbXFrDFFkSV -n7IWVCTWAgblR1wtKHJaMEr5raIFjAtmQq8zcdTemwnzLIAXY2bBWlDu6UOphCzoYywQk4sFkfJz -hwVxPaphAb8YFhhbWADpwAJF5Wf6CnBCx8GUn6IrIH8rKEAgG3sKRPnlo4JYcrwKeDLMKtipKoCY -UAU6xlRQSfk9HhXwQGpIBZ7VNXWkAm0lFVQ4SoedFTBIgY2bAtVlCpBcCirlB08p2AVXUuADn6Qg -JYEUYMhvFHSTyg/D0APy/35LmoY7F1hS7wTrgoKuBRSs8hOsmd/CJ6CfDFKi/XndDKBAmScQ1XcC -LNYJeuZHmhOcxAnUcDhBk/mdbgJP1CYdMbEJlKAmyD4TkHAmAzK/F1yrWGfNSjDSDyb4rZcgEZdA -OZQmhLbImF9AEtzl9CmBXJESiHJQglwn9G598TC/oSSo1dcHSXA4nDOD4jdJghK/GUQCx4MEFf4I -pHoEE3YEV40jWDC/XxsBE42AYGQE0C8CH1sEWK0I8qdV7jdkqu+JSGJ+RYXgEMWCCDy8dQQEPQQ0 -kEPQTUwkFMoC8yNLX69dIbhffu2EgI1W9mNFCOIBC6BifdH8H7BWEHxIFQRxCAJcDAS9ufxgCAQr -CAgc/g9UX35rf4DRfkAgP0D57QN26QOQ5AMpl5+AD7zdHmAxE7LSA96cB+LJA9RePFBbfih4YJ13 -wACA5MoW+JAirwOZrA4YNR1IER0YKr9158B5ZQ4wK7+lHGB4CSHIgV0uDsw+HHg1OJDRb0Bv+Tm9 -AWHdQMXyA4kbMLMNyEEbwMaxgWz5mX0NPEKUhCOTaEkNzJsGMEoakCcaEDRpEmIu024GlDIDynEZ -KKYMLCgZWLn8HmSAt/ykOAbWWX46jAHPEwMRPAw4QPFh3Ylu+fXgBU7qVcGAPxLjWwQCDMCN4QZ+ -gWWaxIVkuZ4WoFAX4Mt0gbpQq1wgUHABessPyC3ghS0g3tMCGpef7rPAl8sCExwLXAsLlPkKQM8V -SFAr8BpW4GvmR+d6+eVTgdeoAE57CkCuKaBcfm6WAm7Z8rcKGDg5Eykg7/PyS4U/5icjBSwkKRB2 -d/AwP2PL74m/Lj8Eo7nlFyspoGRuCe2Jgprc5XeSFKDXvjvL6jCMTKIAl1CA7PLj0i8/rrB6BQBA -AXYDuvwS/E/gPXPzszGy/AlgOL9G9RMYP51++WFViSa/riVw009ADv0JELg9Zus/gVoBFKDW8UNO -FlQBBcIIFDCPCaocvw9QgATVVPhPwDSjJPB3rbnOEqiMP4F4PwGQuf0JBPcToPATEL5PgAD8HrzX 
-WCLq2I4NOy35bX4C1Eh+M9x+Ap3+BDjQT0CfngC+TiA7Mfet1rXk1+Un/aHt6ztXKWAfL80L61Ew -yeBvB7oTiefFCej1HweZYaBHJKgoToBPPX1UI/b/otjHQ0yewNBOcQIFPZctwTrEuVSXASXQSayh -CdTCJmEZjglYGPaVBr81vS+BxxHFa3uZ6y1oLQGk9e/IuY6VADgUHc/HDx8lECOiB21cY+voSgf/ -d1KTQOXA/mec1P/Z4p1JAlUeb2oXYbpSRQLTJEHJeW0Eof8FCdT+N1RWFbVG8gggdhnxRVUA0x1k -sNdIIMJHkMJ2gJ4RqLjaxFpm/70IDIaUOLkIQIqCSV2LQH9bWThuEeCtgXJC6cA3UsFXmt38o3d5 -Ft77LYZc+5sABQKfAlAHeZ2wl4MbAp/2JO1C4M2gjnJz3D+iuywhABnooqNtE8YMkOMgECczQYC/ -zNkUCGROg+MDUjqAQB19QELYJ0WNyRgnK7TJTy3adcbQRup4kyVdEi5Vav6cC9c8oA4rzAD3D3pr -ft49oPteCkBYHq4Dl06oBgCC8u24b5Q1DCY0D9DmoH+6hUpPA2gaRFqTiP29pkwLe3fAKJ/GopgW -dU1dkh1QTUtG0pQ5pODUAXhpQPuA2EFbz3bUQAecPHxH5nKAQl+P8XDF6EQEyzpLxwGjRMIggzfs -UP5xf7U/o1+y0QBPtXBuAHOw9Zu1wqfagFX7pfgpPaRXrwLJqn3DBmjCo26wAdGH4pfM5Geo912+ -qwG6iABFR16lcKvgNIBvFR7grS6nwmJI0YD4P2Ktpa4QfSz+gO8W1R/dkDMDeuqvMsCHuiBZC3Ta -aLS6RecDMXe5rYbpdMjUMQbUFC0eQAwYXpKPRmVp4eZ9Ws/0djBgKLxgXO4C0tD1SMEAZYQxPxi8 -lF0Sv4CaV2hclsddGvzlL7WM1XkBWRd4fb5wMZe6gPJV/NDnjRZ+64oJFwB4EpB5GR0jGraApnhU -TVJQcO9ZQEgHIpPYQU6DGAsoec+BoHqE68PQKwBIqrQCDvMjOssItiog25lOBcOSqACi4zbCAl+Z -vohLPJvLFqQAvRNglw4MBYjL/wE/TAGC9AkYRL4/dcyGsEjZhE6Ato2ahQ6vQIp23MMOoW5uWBMw -7yRAZYFUUxIuwpmxCRPA8HomYAIYJb8o8IyBl1gVvhKgdY54zs13NXwlTgIuVeFnILRvkJ6iwqjc -3jQCnF0A7TA8AvLlI7cUKu8I4Poup4uxPK2mK7+MgOYaO0sK2RjGOGykCCjo9yOnkuKMAiKAV304 -2EV+xQsBHMsyyya9pZCIh1vL8ivx4Zte0lsludtBgOcJwZsmBhsE7PQRCBCfPDVu90ANNLllP8BB -dm3q1A8A1yUMUoZ+r2gfH4A4TQWnFUvLClGwQmOGSbkoMTL23V2WvJEUbFURix6g1QfZb38HGJMS -qcbmnpkdM19oOlsHIAZXEI29sSHIcNzDNgfIDg+9XTww1WL8LoHrtYYDwOnwwggHYCYpRuhXM37J -gXcx/QHept0bOQ7uSywZ+qnni3qO/509/TO8BhgRJBvmBhR5M9MAbUkA0mhGszM3by4OpfIvygDj -REAWAzDJdV/+6+diwQAHgK9P2ZHMsl88ywsgzF6SdohlUxOxI2w+FAbhNH8Q0x+9QEHzJzH0bjlZ -DelUHya4N88C7NM/QtFtJ23FdqMzAAs/wzTdZBJLWQfWkDavABAPvVERH8yv4DQfAfJ3tbj8PHBs -P7kyU4BmWjoQBJ5EfyiAiUK4dAJYA4ig+V1T+HgVYgIwhAUCZFxGto0vFiVAGRvtExctPwKsVQFa -JZ1oEYDXRbgeObfC44YAUrw34UbCz74WySEIEHvhuxynAVkW1OwDCB+kR69c5H8d+ROTB7BnWuAJ 
-oRDNWYtMB9CUq0MzxZeBaVG0drWRUG0gsQGwhubo1g5lKFgLNIAvf8vxmv47HgOoFHXGuXsiQZOq -qoB8AUwcdxzfbRm1ADTPb87KlEbsWMoKQGI7hhpF6+tc0PoogASQD3rknA7T54KWJgB3np9rxVQe -BRIJgAxzQyryJsaHYK1mAfjDM2ZV3D/dbwDKYIkIvblUMIt7v6LX6yMBAAmc0sIqZkDFC1fx5fXM -tl131tOpSAArzWjo1VaclMZCRQLg/Opiic8zaDDW4SoSxhfbsVjnIhIAhhBpKLHFqrqhaDIkgMZU -86lZpbu9iATATDofqlo9qjC/qxVEAmCIktQwZ3yMUpSFBDDy+BgShwdhnFYazL/lcaCkhgSAZB94 -ytunIcGm7TINCSBb35nIwgZ8CUuUQAKobWt+htRN7s5HAHZzEAbjBTDGZbuTITfPtFNEMz9u7QgD -TR4BCEvETHYPaHwEsCTgAhJ3CChaHWsouDdXnzz+hQNqMh9LkkCeBFcrC30EQPTQ2L2MVeQEjwA6 -TNhm88JkcVn+EcBCQcijItoJaawJU+O9dOEjgL7TXG/SPAKo08bRA40H02s9ArDxbw== - - - pJk4srX2YZ9begQwbqZYhNsjtj5rUdkj+pCIs/Lj9BFlRe//zAAVFA6Rd1RX33VoZyvs+LUqt4z1 -EcAq4S45i5P/vbshA/6W0zid0lG+4OwjgJbVvZCRBTxozFzMXe2S5UcA43NbOZPmTP4fAUBP1sjF -rxqsyiMBBl1o0026HAGM9DluJYcACHeg37/D9/VpOwLo3c+OkFH2IxwBxHc/R43D2yrjjQDoKYLb -T5FsByFniRFA4/IDNDPpwB4jgDJQHIGh0IyUsjYZoD6AFVdfrlEKaCPkMtEcRgCJN9xcAnTScJl2 -LAII0Bk5QfY/T1V2ZJhQ0N7OjDcPyst8/6xQiwAG+YpEMCJXTpw4Wp7+5/pTEb4IYJEMn9LTfXCX -XQSArONqiB5VY+vGD12H55LGyssigMWdWqaWlYLgdhEA5QEtEdqM2y4RxAkxgG18wK/eYnKzHUJB -BIAXyS0QGQEwsjSBTUu9wlwy/1uJ4T/vCnFCcBOIQi00W7FaihkBcKn9mwgsbxqyYmimuUYo7gp9 -HILjKDICqLlYfJR7c1JBZDnBP8ERQOId/mCHwxSiPWNrNzOZBF5G9hHA0E0Qr4U0xPpHAFud87iE -g8qYmiNIs5QNMC0JfYCP1W4sAP6vUrS8EpJIFRKAPZJEio8A4DYcS/EfH3biuqj3oZ0wuPERgB9L -zvyVpdiw/X0EUOue7FCDLndEhH0EME8Jy88w7xRxV7A+AMM74V46Q8bVVNQ9Ov0pNx2AL1oQoX6C -fMpV0wEI94mRCmsAiNlBDUB2TYsOpU4DwCNQcQMNgL+CrKQbNADHSPiPRixsHEzIpiQND4cF3xEA -Gc1bUbRkrLYjQofOTIv60gCwhhjNbI3NazUAZaH1RG0tM4OpBuDEHj25o/tRqhqAM5c7s07GPlH2 -EKgB4AVyGleJrQZgIAVw5RnTtjnDZ0QNwKe6zss1chx0nxgf7WhBDcCnJP457ej5NmgAyA8IwaiJ -B0tiUak2c4Gd5ha4H/TJ4ZXQc0jZDutcS7SnlrbeWOYZAGYqak/AC1RmGr/jWtJQ4+b5uyaEUAJa -0HgYG3ANCgf41PbYtRVZ8DMYmZKUKUlpNL4ICtNDCGEBZgGnAZeYx7lXdSTmFdPJmhG/m9qcrVIs -NhSj2IrmiuXTpvahaRE0Iom04LBcBxZklvEqjfzW66tvrl9NJ/sQF6kYjK1OYljCtJG4II5IjiPO -Js2YjbkQrjKpmyWzGd3manbjYnXWNfOpN1pTWamI4U1Q1V/Wq1gz67E65sQWFx5DghNDTrQcj55F 
-NpdYCMl+SlSCSB+nEkOff+/9+ef+3u4t+/XSa0YrdR22z9lvdfypitBI9NL1S1Khx9D/tw2aWL1s -1aeNOrlFqcyr36wZlQl2perMxsTYJxsrETf/WfPvP9Oe9LRqpBaeE6yFLdfppdOJ/q+V6L92Qdan -6Fw9Fa2p5G1J38qHas/8MqXf7c823Efb/7GaHtNo52M/telnKV77v2KKnkVktXqwZDducmpjn/xE -jcUfUvmHes4YI+nQtNOx/hk1TXxSmpHp7+lf02j3U+/75fadl/6l5ApFp9SK380CXO1zj/fhh7Eq -y3zTj6xP2CupcVDVXaypZU50F8Mx19+hkhLvT8zKUtHVyZJIzUTUdG/pp7ByCVIulCD9v9KhcnnW -3fWu43rXPsjNMSJfq+JafPGud/1Xt5yR/x2ppVnbKaczLXmW8iK2Jvt7KoshUz1XF/OOTze7GdmT -Ivb39GuFMg2bXhlHnC4yUvJOF5nGxLD2+REjQp0LdTcJkVQmxQXxjBE5sSk5PWRkWCw9Ga83LRr1 -p2L/VSoFw6/NiMeRiPnrodB+0gwNizJL1VdVDnNht9xq1ZQv0ikvhtWYu+2+vDSF6W1dqops10+s -7MKXStJdfrflk/vdl7dieofF9NqnN1g6vaN+m6ia4e1NsKxRWJeNdBj35f0f++tOXLbK/ql7QdxU -2xF2UMecCfvzkiuLWL012UokJ5opViZfWJqI6T3bd/Zyw+WTW21jFqTp5jfmNp0yMSH6FN0goSB6 -ybT6O4TGAVIRJrRDj3dCKxKGTBowYFDACM8YqTCeOAxNmCGDpWE8BgwYLFiFOhuhpMEuJ5CLakfD -V6IRmxqWklZUoAdvpkSoHOMIUt0zLvhfYJA4tMqyhbZCq54Wh6jCmqhySEoc6Ox/oouIxGiqZF6s -wFIgmSOXAzssZ4I3DwezXKB8t4rcsNs1m6MsXIOEoyN1IuRUBIdpQSpqVUI1umyphJZJytCeQgKp -j6BIzQKhwChFYBtIjyXcqqbCVS3EiAPdQfKBFkh8Qfq4/od3Xp5PT87niOBPZBiUWkmECrbEkBKh -KC0n0P0C9mAHGDBYQFFLJWZKQaJAs/DKPA2/hPtUC1Q7XKISqHMPGDAo4JWPQyMQQAENGDBYoKAm -GGyWUFrBLlAwr4gCcxRIgAyQB+QF9MDAAQU9MEAgAQWrAQEKZhCBAAoqgcEECSiYgQAKZgAAPXBA -AxFIAMEAN0X0IUIiFNy2QEPKoFTqNZr/frlSWRBxpF7prKN6ROs/yih1LLGf88qRkXYzgq0Qac6K -xu2kk4t1Reu+xShmt4TMxgx3ImNM7o7sbgYnI2k1ASI9UDDxEokwqYaoEunBRIk0Jowy5FKICnZI -JoxKIYJBmhpjzEehq9VDeMJEmBrOwmyPIIobJgqmiziRoDhkYQtRrilXPyXWTkvF51EURhJGjZIU -N1Yorn4JJ86LxXFNJ6LRA4kGmaiKG9hgo8rJHW0PouKBIdqokRb1QKibIB03Irh1CocoWdVIuKM1 -MQL9HoyEN9oeRA2rUWxDtXVPoRoT6sH3Gk+FdEamajoMUg4ydhCpTVEPOlIVOkGiETpCAwkCYMCg -gCiq2YToAcsMQS6GLYvojrkVVnNPMYMVaGgG2j2qUN6kwmIVi3khfcSCC4/PI9zl8MuEsifUSr4F -UZxYwBQhKopeEQ5LiBKS/64JU5SEo7NRcMoT7M3EhGxUY/hINfg1qlid0idU6y6aQMLaP1SBRBiX -NpBIbWpUEmGzqZja1CUaYhYOJEQ1gR7DSesMnFFgcUHFKqoSDh/y4fOFiFBrKWHAgMGC98VLqKiG -8ooSFaEibcV36XwKhxaFeohCG4stioqCvxhqzZcFpimoJBucpFFAAZMXCFBIFAqiKI7DODjjehSA 
-BVs0IHoUCAgSCAQQOGIRA1EHACACQACACAQAAMYXrNgZL1nmbHqGK40KGJ3HlcCe56r4+8FebtTA -lxlAgm7jm0Ei5kHzwRxnRP4+qiQTY++JphLNTs/T4C7eXfhw6Imk65KOWtx6gjCQ25Fhl0qRpLsg -v/IEEpviShwjxsPehuIg/TrQ+rQlEYivSDUZPAYE5nJ9ATVnUDYV56twz4KguIpsCThDajuNMS6J -YKuvKEbYhL1xmVbWn48BIQjsVJYJwvM+8rG3H6I7OpvCj2iVgLTgrS0so6iRKXkEQOdRo0Q/wipd -EAz3ytqf9/mHRYjSaVBDMqroBFXvuYCcOAOh2EB1bPLqRRtTTBMJjCQ1SZeGcse7UGrFJ/6ij/nU -iBxDDb7+BOZGT5WswdJ90zC8ymA/moDokwiOtgbS3meIMc8YJDFIRYCom/HupfrpunwjMmOfA1MS -yXY3W3/X2kNu24x29MEdJvFt4bTG8q7plyj14YnYQkz8uM6m/ljm9mV6cG5MVleEPEv2EXVbhXZx -QrHOLKiHjKjYDRyErt7cla6EGtXW4MQQp+YpcZc8NIdG9xsKIFVV0fnLGj2mEJjqgRlsn43Iewdz -WpvPuye7JNdQgxrd49eMh5z5NktN1sLp/I9HR4iUvJ0Sd42N+wS8u+jW0Tiky6Jyn2B8tBUVQvBK -knADHVD1nImtg1b2AFsghaOVMctcqlD+joX0vmJL0RaaeLPo6rabkitHYRbZwmUEkz0EXBcRv+q3 -1LohxKXoKvxdrQ2uEiwy/A12iubJA/d9JbdEGkzDohUBdeVzHzB7XH6T3YKbgabdNCHSoPFVnmIm -TtQBMlqznoWPHb174u7P2qp4Bh+GnHQ1YLeixpikAv7xetFKoFIby/lmwy17/OI1w4Z1w727qNQV -WnNv+XbehxOnBO6r1SQy8P9Uo2Db+j+kaQIP4IYeVt3KPNztxJ2MYlUd3J2l1CmckLLKhgdSPUA0 -cDLs/NOmuovuqNXB3pvXuxflcDzuGu/o6zfJ2bqvdbhsL+TyIljMzWIyvQfbU0BQ2YNCCExmhgl5 -3TjzoAwU7LHMaRKKgucEa+zQJxWNa+M6guDKy8pINyVQFBkcyO8mespPcPyDRjtvUwxzqsHxEviK -6O6L18AeCwpuo2eCVW8YVkLmPODx1rg4eQP/g1VJJgpmUjc9hxQBjGS0omoeWMuD1lX9EYIiE9Q+ -dqDwlgdmHSIlt4FNXYdWI/AaMRmKhqA+WwkKTTO/s+s4x/TKorHvTGKGdgrZ0PXI9ioqfOKi0Uhh -4Hgkaq7X5GnpTfJmYefMpW62EQ3IQvCjxfQVEYGOfWXLsp1ZPBf7dWaynpWJBBNHTxgC4p/Kia2q -vZ8DMczfWEaA48dgpE+FH5wsuAs1LlGrR5sFlced3lOfK9GRTDuGbMnLavguKE/Tr6oRXY3DiNdz -gS4xyMOB/VzM6M7oyQdm4t1JUPfDxRUaaX4wBi5+sR/4ursxqFmO0DvjkXW62mVuMSSBk70Hkya5 -AcPQ3emPpzHsUXMML+Crewum4K+E9FWtGlXcfUW9q+netcPMsBvwKhWBx+ozrU7YIRV4iZ9HAxtM -pmtdeDvLsAwtbJOwGYENTfTLe4Xwr4zbtp+l4Wyddl4CEJJCAGMRcqeux8MrH5MVAwc5mHWSxz5w -GmZSrDXqU41hbrkOECbDAsaVO7iSXvZPqh+xof5F8EbsGawH+xmNzYpkccGXHvNQb54T6O3EZYuR -VaiSgwU797HdK5XAVAv1+CNGrYcgOEHf2VO00e0NIHEq5wiQabrq+rUdFRCLA9MhY59NFupMlvmM -3RzNTEkm13jopGQYtD7chz5FXveshpdN1zi1Hm1yCdVH1XFmaL0hyLRKAC5YqimurE1Q2DftrSVr 
-IOmvNL78s3lEIhigbtwStcLMCCqIBfOZ3474QPcQanUkIGjCMvuiLnobly0SLFsObjgWPEyCV4ul -L3U8w0H0PSPvQyiewtYCoM+VMYqqOw5VfPA4kWgER8t55sMhbwbHUIGZOA2Lqva9dwNrQHHvBSth -uCmwXBixY2a8ejdqoIr6OPmcTAIu8dTtouYlHi6YoaUjSIeyTGePQZ5p2DHQkh5ttQRd0F9UD05e -7f1GQPTVCh4Rm0sI5RwXyrxl1d3lJ74LwFCg9dLxdS4VLB2KwCdSb1uUZj+qC19AVUl1yIx8VAUo -IAqw6XolhwxP7QOiCDbREVGG0aXjbYNqxyiciqZEhRIXcRE/z4NJs2CcBYbrNWV6Cw== - - - QRLAzB4fnm/JNP6lkUXEBoBuWD5yHquVD2FYRGk0iktx0ijkHZp2aeK3vJL2nzgqeAoqttOP0Zue -0hdyjPZVdqq1O0rbIjdRAe+vBumE4z9N+UnhnvtZFNSRBFjFH7ghfAav9PmTYRW0AMDkJgPnQBGF -3bfVXbty9AZ3cIPDwA+f5EAZdAvYSCFYHJnDQYQ3IBDAJL/egvgrNWAd+AgK4gQaHQnVM+c+ASaZ -uuoCo80zVTQgL3sRlhKwFYmbs24kdPx7hu+6OmxP/5Fg1MLYsYiGu9D4eyOCVFzQWry+smSSD8SR -aD32kUrSUHaQ7Iz74Wgcg5M8rXDXB7f6AgYR34jZex1UecZG2LN+MK9ugsNrHzVFCL0r8zwoor48 -7V/lwdS1s0s85t107tfjGSmztEkxbFgIu3ZqmTeEAPQcEMFuZzOAuSNM0nWA2yTL/iKTvlNt/HxO -BG7Kh40E5uFzp0ZfdtX4EdYpYP+T081QMWjGyfSJZz54ecyVAz8D0oIowfWUnmbvqgwnTWpNFIDH -Jkl7OsWAbII3RL8F4oypMRAfL7yNe5zRisy6yTWl+9zOQJXRZs98FAoWrSWUpov27jgb/xxQMK/T -rd4Svq8OVgP/GaNu4tteSvikRsUkbDsFS3RSSkwK561iF5ttSj3tHkYOYCMiHa6sC5DOkNJZJV1j -YTIQAR1xwiTngsNmKBvfc49DuND8BLKFQIaa2KprsrOoN9INqvEWYPl4Bl3cB2+aMGgqOp99HxXA -c6CAES7yZQ7LDY5fDkIcRITmnp950Rh6VEkimcU6eqx36rnUw4VwQ6TljaWAkhkTnUV67rRlzsWa -zWLxVupWe6Rb7eyEOww+NSecpQZTl1EbHDw5E01CKbvwfVJR/uP8TS+5y0wNf9NtzMujn5ln0B4k -mFDFH1cPbfAQmZGhTKkAbAWmqNytCNIJLWgMt+81zbsFOxQhTFbNSde3B5HZ5nlAe4tRMRs4jq40 -BXci5RDGyzIT8ZG66uq3mKGihSdNIR4jWomzBeFMlxLX5YVJZUVkumpcFelJfnxplmiAs4JvlboI -7jgcWpURWdHv6p64w312iTRkj9qFCdCOLsfj54SO5esyeo+8CJRLGpZLuVYP1dpn39UoXbzPaX+p -BKon4JHmf1I7b3Twbq6lUl6MaFOlnm8Gs16JwUEKbMXYExkXkCroPkjqoyBYauPdu+rFB5nzk2kb -fgX9PMXYDMgVMGJyCZ+aA/svqABqQSnBdjoZRBau0zLE4zK4ZMhw4mMQUXNk8ADtRddezK9lXmud -OlIc5De/luCqwtDpK05mRv5GFDF1b9x+Yg7cnIab/BlC74PZBYiBYEM3g/jUZwbUEMx8a/Kw4Esp -5Mcq7oiI4PvcakjmAYFPC4AwvCZKIikuS2FIlbEOGXCxHRg5TObKhbB0WCH4KypbWhx7EZOUh5nZ -4SCjgBplI1yWTd+EIs0k0TQIIqkuBB0I4Vz7DoDgZPcdmBzA18V1aFYVq0hARHpLsD5tcDBQzC1/ 
-fATgajHH4L/FaFS0pRJ3QLW6RG/DL5Wyu7UWh7cat2avZ/Cgg2E5DJh5LtUlErh+QO1WNsbpnqsl -DZ4fwQOb9ByVRgz7BJkKS+dkHLov68aAihxzjJx1AToijjlDiQnOMluABlTrWqTlqcLR5HQUFglL -/34SrJvaHGVAo7XWIqSxcYL2QRE6ZVyxhRZAzXmDwzEsc0KPJf6RfZiDc4nEgP9UwmUjIW/jviSh -i249qwAAn+oh/fQqS+xEYbY6n79eSiTA/OgWuApd/gYOpj2qPFSvrzO6Dg24G2w8kjOegwqCqIzb -MIlvFeJ3HJHhl3esKrSN6JKFxOP7V3BzSE5xZ/cmFX68EHA32JONd0ktLZkO7bPrLqAv15L5jfFg -zRynmzBZKa3uLjiB6z+gmjsvLRR/Zx66QcRua0y6eK+iJ5ZE5xKY2WsDy3XxTDdWnOVqSePictPA -W6nhmQ/4X/MbpxiT0SunJdSbCaLgw2O9gfFEmX5eawxsKnll7VBWbXuagW2eGzCwLCOTgkkAqYzK -xhBsmev6tTHe46SoHLP61zzmMIFlUPSX2f3B33GbKJmMDQUmSl3iYEuND80f9KZ+mg0vmxRVKdcn -sR10doR0MG2qCwEq1iTo251i/iT+2HOCXB3lr1SUFrNhSzHSDuHyrOpwEb4e9nQ0j1dvnmTYApGH -E5zKHKzyrmOhjSn4oEkqqPvb3/i4XLhP5cS6+Zi/ZhrvVHjAFSjz+e9NhkNx4mV0yBHMaPzh3naL -ruDwzjfj3oxcYTHUmBLXjuHUk2tuk67trlpOf5pgPlvv4WDRf/7IivDaa/O+DckiU8mAwWB+MLsO -VPbx9f5cykEz9tN06BD4xkeldANT+GPcyXN4RWcOu5AzOo5pUJfiKhepxbsWH0PwE7AmaDK6r0aq -NI6YldWiGPIfuvr8EUg0rwI7MHU88/rSg81gk7IqAGUPAu98hb9J5HOWJd4Y7oQ1KHWFZmRLDeIA -u9wXukYDNidMoyswQG6bgNK6XJsOrZNCSGccXWLrb0rGAJiU2WPWMRnAukdaYvmmF/ulm4xPhAno -9jYYAE1CB0w8HrL7h8VpYQla2UDOi4D80hSQsT2wrxeJ/138eCaA9H5BTl/DtHhkzgF/QuR9w0kE -30tCLlnzkmLqNfySNUpCEMQHqUERCDj3U5aHmnPlpdAhI7ieYLmIx7mMQdmGVGiD5i93lAQcoRh+ -mnzNfXgeTYkRsAbNqK6g0V0c7RSSaht3koCeMSBGmlzdzBshPIbaL1Mh3u8770qMjshWyAQPBZep -WcxyEGB/gzViI2e38Lyx+7vDgOHTCLNCLx6YiCNpoR8vJDtKFO2DAvJ8n24inyjiTmqIs2HgXh/u -upObfLJv4zaMMJGQQD7VjvBw5Io+fL+HmBaxW7cAjcgzZtG+1GV1oR+0MidHDUVpMEH1QWiQTCwE -EmbkSjBstZjBcJpss5+7PDWSaeMfBWbo3YXQRqjNex9eGSVjiQLNHwxKDzYuoxd4gSN/QgfwdqkV -i2Q8amuH81+3Pj7v/kHWJu2C4HirLsO1gVyLRe0w/LnOcDtLYkAgtkZvOY1V+UAK3Eo4DxpH9OZP -4YCyrH+Gh0DHNK+s60fKit/CueK4Myp6mKBgaXogxS3J42Z4M8msaQMMHUwgWB7ZKDd7kCTmFaNK -KLKhFy6mFMjQcUcSZa+qMIe2OkjVHvsdD1MxdHLenBG6nK+Mfg2n7rdzSW1+EMfUvPvL96SmB2q8 -/DJ7Pvrw4qygbiMhDmO310CL+LOmjMJtLNyb4jeInH2h9xFxaUCHdD7fgsLVnKyZ1DZEUNwgwIqZ -3y8qMIyu1jjPAfp6nDXC6Yo7eWUoPT/5Ap9X5kReVr6xhAO3XGqxrLRsBsBjFeVqtEi88HTly22I 
-K2+a+FzQmEyDywg4Jz0KnCFf9DeDrq6zQUbnhL+mbh7Paz044SjuwkHheNDF4lK43Jcko88C/RIb -ejEPhiGWXLoyIyOZij/SpANETNbZRsXywX8yUV5XxxPJhunrYF0EatoYxeEqD1TNMB0w9CT2A64Y -5t72/fSD0YS5VXOM0s1mucJJpqyQPjd7mgRzb6zOJpU9yVsoCPXtOezxsQRX+yEt2r/gHtPG6yHk -4IqSbI0YJfcEkHvYynRXHRfoTZpar7CUQRqy06QbCNILG/KLajtmDuPKLEPdsZDwHfYSRhcximHz -sWCLM+tX12V6zvs43GYBV3BeVsUSJBGM9dD79Ojy4INLry6nSmMirl5oiaOBdskyeIVW0W0/1b4M -CJytWjsalVlya/RfrpS8nTxAXs8hc/V6NBazVY7YJ2yMHb8XIMjYqKWPwBHkpWeeMH2MZxfc+VTd -8EEw8X1M3EY22oOpzFerZSQC5Fk8AYlPNRwaJYJsohxYgrHotYalkqX6b6t+52zBTwxuLghjE7qB -j3f/Af1/rID3r3vcVbpjQ2gcQsri9o6HrlioZFXogmO6Z0Dai3fkcx1bScAVUqCYYd/VE/7xMBv4 -Xyq2wsJD4LmU5MX/VKUR2o+e7nlL+NKqOkUuE1UN/fHeEuR5fvhN+Avxm3CZHcHR0N11VrAE13/m -vKLxdwWR38h9MMwZTjjRPwllCrgjThMoo4W9x/AU9f/NQNm+VzNTz8jdgF0oI/jzb/737FocwYFg -WZ8E23oU7EtQ3tITF2J+tGIwVXm7wyyjBRYpf7BrH8KWNRI2VU3YF8WFHoU1Ji48OXHh4VhhriQ4 -9t5yAw2Qab8zcaFQC2M3aMQXJgk7PIYB4luwoGF9JgRIoEOx5Vt2jWH6YpgRYtijuDgOEv4Pw6wy -w3AwNnGRHjkMo4YTF26KFkTR8w2QgrB0ktHHNhj2I12YWOClKNj2YAqKi/yJC1yzDEN/ZxQXrENm -GNhqmPOZYa5hGHkJzkmifDCd4iLhWJ1q7GFY1emrC6s9GEYYFvUuw76ihnVfnrZumISuNUzKwTUM -A9ka5pJ7EAz9r2FeJ6tjYaatuEi8W+poldFP41f4ihFp8RoWNVArSq67hgW1AxtmbDjserFhaQbD -YQsoFhdfzr7NMvXtXouLBEbamfbCbIyuhYnuxySE32CFsRQPNt33Li7S1Ha1sBPGxZiwx7feicm4 -kMkXBsU+9MLQ6P4o3z6NizwtjJ5xoeU/KfLCIHdCpGMrhm1MQMSw7TbDct0ZloqEAs8wyqG+jAsC -aNC4mOJ8AztDaNhxxgVzkQ0Dc2gYiAe6aVwg8KJh9qUm41I5ETRMLdowBzZuw+g+NewidGsu9Y23 -5LbMhkrY5Hr0cljo7jBDIxdd8we1H2YBBrGgDzE1MGIOD4lFrhIDPxMzeDyxp6IYsIc7xb5exbaM -NXC/iQ9crXIxsIIL8Ypp2xhromtcILGMlWxc3H3GoKLGQi021lU3VqMgw7HzmWOUApriPOIzdmse -q6Q8dqzPY+dC4ik2oxqTeePCjT8Wae9hIEMKQsayg5o60yGP6Tku/BrZLHesuo9kX4eSHTs8BJCs -2zXZVaaTZemTXTOU7TgubvNRBmWPWCggU4bauCCLyvbNKlNqXJj6vbZxYcsiNy5igbIex8UpaBnk -olXPMhxn2XWzrNusZV3fslajy+aq8rKm5ZdtCW7yLIdn2d0znFYzHBfI8sd1K5nbRWfmsj/MqDPN -LDku0lXNaoHBa0ZQUorjgp3NNBU3i5p6syyDsy3pkptO5QxNz5kC09l/42KDr7Mt3JnHgmdT2lee -Fen0jM3cs1W2levmPjPu+5mM48K0oOXclkDD1XFRj8tRUmcsOgUpr0bik4MW8Pu4XM5xQQq0jAPi 
-uCgDaGjjgjj+7PX+xoU5/PvMhflMQIYBxwV6+D4rX/qZz9BNVSJULokzPcYWJNPPsnuWcbhnIbZ8 -xr77rL/Lv7Hc942LJP6M3aARATSJjKcCzbfqNS70BE1CCGubgO6PpXExV9BYJE2IZQ== - - - XGTvDxQ0UJh/04yLgoEiI6F/gVajQEviBE3tHDQPJOMCxSdbJbRkImZcaFulERoREWLMYIRpXJjV -WBG7QUOEJgnvIbQ3EmIBiUEb0+bsvZE+Yo2LlEFrjmkMmpTGRf6H6UaSg9fF1b8MGjV1sBGhgeoK -zT5AQ3N1KCqfoV1laCsEVRbzeH+2iwwtBcRYFQytuvTkQvJ8hijohvb2C+22MLSXysILjW0XmoBu -GlOY0IA2LpYntFUTmq9BgwwDwNBkxO/8MTT4CbkpQ4s7hVbpKjRT4yIVuounYjVVBaNaXZBAL0PD -Mw+Nq0U0g32iYaqigW9cUOpF2zqjaTguvBktmhsXt4hGsxRtXPyvaTDaqmDeT42L/7A0GtRqNGfj -IieNBj0YDeWKZutEI7OIhgQlMxfeuCAeZS7SPyuB+hgX0b7nxgW7ifbOEdECzCVLmVuGIHPMxoV3 -2vOqp9DScUACmhTYMjQPuuAODW5cZCRebu2vhleGdreNiythMTS2Vvc3LlAyNDYZTY63cVErMbRX -jYsuxzK0Ldm4CLnGxY6hmdR+Ci5RlZF5d84Y2isKzUE1LoSd0Lo8aEgVNBpn44IoZqBVFA1CBU2V -PGhojQv92PqE9gUKTSeycWGyQ+7uWSk0u6JCY+AgKVZoNBWaIRenoJScZPsrNNVoaH/GRcd0txjg -c4ZWFHOFRqMyLvz5yO/epjypqSyLCg0Q4yKWrNBsYoaGlHHBeGg/CV09NNqGfWinI/ih2dWGdkbG -XIxxocyDcWEwBsmy3vxsMAmt3AgNKF1c4OfpborQ3i0ukq/QEhfkqA/x4mK50NozYC20cHGhb3Fh -jmShvbhCG2XAQju7uIj9tKQHgou3XlyYrjU01WxowP+hoYWLi0W069rQJquF5mZDi/qH9uVItPzF -RYmiWa+mYNSiJW0ymg7GRWujdWtHc7sfjWlGpCHLRNLE16RBeZQGvLjgstJaMC6irrW0Wgv8pTEx -Lm7INHAYF600zZVtWlfktK9rp3Xb06L8p/U2Qq07olYrjVr24qL1SI20LLUNxsWc+zQ1ufvUoDeq -cfqpBipWjV1YzXOcajWo5mrsbq8mhIKwtiWMtTtBZa2m4FiDxoU1YXesdbqsmTEuIj9rVk3UGpKM -C7JsLbbdmjzjwk3iWkbjoq655pW69uW7a1+Y15YCX4uF/NrsQwHb+RVskkzY0BoXDCA1jYv5r3V1 -sWl4Y3vPuFiAbLUm2QQsZUusLZs6MptCxoVhm43Kdjbm6oyLHoXMvSNpXAx/tioA7Wz/Z1zomNps -gJZxYZHZCAuN2a4YF7HNVhdKmlDUqbNF97NpZFxYhzaqIW3AZtowD7VxLVWbM2RtnGpAKYPYhuZm -m8LWtmO8eF0e44IYui3aeJsF9G2RB27AM9wMvuL2n3ExHreooNwcgepjdGXiG3NDN1HGhSnTDS+q -buK8bp5+dsNWcDc23m6exruBMy5YA2+tjItUvHUyyhuZOm/bTG+7vt6mA/eWJfi2Jfk2OtK3LLdv -6xgX9y7R7S5aFqHab+jO9jeu/f9GhAcxLmpkEgAnQvvDuMjM9zeh/Imv+83Ok/0GJwHGBTEUZL8U -OX57IX77cv2Wv7goh8/fwPZvoosLlxLgVv+LC44GXO4tcHD+gYPAuCCh4OoYF3E2d0GQMAEO/84B -6eBQFBdMQ7hOiouYCRcEVDhuXbhtmOGy8IbbxsN9QyBuQnFxoohTZRJ3I8WFDH51uSb4GYB3gVLc 
-V8WFe1dcwE1xl3biQDo8cQtBAb1L/BNnGj174gyLi2QnroISp6y46EYnzjr3LS6a7WWKk+bo4mIn -YR7ksxMH7aa4PnIvLh5zcYG/4mymuNN+xVWY4kJaXIxrcHGRuVuf4nTXZKY4/IuL0munOIkqx7hg -CDBXXCdZt7jCty0unf2cx1oceH1xFjnGFVqFH9A46K3NMa5boHG28IujcY8nnmiOZYLazKJKNA5q -br/0UKD9HpBxKh7jzIx4gqogIVtA3wU9yQC9uKAa4xAtOHgNSVlc0BvjbIsL/wRdXHwvbrXFhVvz -yOKC+imJlouALS5a6Lsv7llchFyYPnZbYC9ukLdwiRosLkon3OKC9C4uRvoSnu/CeXFBgNef1ixu -VWtxxuYlKeNiCBu9OCsJKEtJl6ExxgUY40rPMy4JNo5YOM4PBOa1WEGOHwdOA7iCtloa9/uSXCgu -Sni0m8JbByjnYUW5JU45t1c5AwKWu2FcDFoua1xOwqyXezaYs/niImld8Q4UXMtbvKNl/Jnj81tc -gbstLhpss7gw5XLwFRe1yfEAUglckeUcc+qcwO7OLWueM4s9b2d7PDdAJ2UAnfo/Bxrln9OlFypi -7/8c3AC6VEbkuYQQzgnHkxXzcOjISnQCOD05n/Seq+fuPncCdNEJkhJo9ZFt0Xl0xKLLgi06zV10 -U/eiu3CAsKlER3uKCqKbVFwwEt07R3RYEZ2d2eYjm+LC6TgN0amKixYvNUNxwZAt2dxkaUF09KUh -F8rYOdPERTBFx6TUSYryfE4uvNHlu4U2KI/iIjIBKS6mKtN6J/k5A2H6Ki7GqoGf+w4pLuxWcbFj -8p6jxT23naHzus+5Allxoa2tz0nAP/ewuBgc6IoaPIfQiafryNAp7Vu0J6JLqaywzqK7vUYn7qOT -qUc6qlA6e8VFytJtiZiObDXdkeKCp5vTScKn07JQR3YcdZJ+qcP2qTMfVQfTWJ0WXZ0HxUW+Yd2J -zDpt1bqo7K1b9bnuTlDJ4sqxurcUF2ASP53rJGIUFzrT0J4LRNcNeAsHUbtWE5BITXERjcnP57ri -BZzpCwdScbHbSrJtAYlCCUmQrlODrhOJE4sLQm9xEb51KRdIa13MlHv86FnaJxYXw7+Cbr51jaPr -wkx3K5pAdTKKTde9S2ZfeKAvI1JOxUXPhDN/5ed1SryFmXhQXHCFmbhgV3VhEheAC01I5UUS/DrG -3eJOriIumqQa4qKr3x1BXCS06HU4r9cZaSJ6ndLEFJChrTof4qL8W4LNX1kFceH+cHG3h4uJDhf1 -n3iKMHjfZ3JdZ0aJTeWSVSf4cFEnrZ1qYFchetbhAsCuyxwuGruuSyFUz3K4kEDV6wK7vS6h7joE -I1jyXafEzPdwIaqzw0VqHi7s5st9ua7z4eKWOOidknpkig5kYjHBhd73cJEv16FjKrj+hwsuxnUT -Dzd7uFjmhwtZ5rrpKY3rXsdcJoDdD+IiBsKuWgGLROyimVdjB+3gsOMhEqYXf7hg++xKCW5/tBPJ -a4faaTdrF3SxHdvaThIz5Yrkt1N+uFODuLCOO+SHC46Wu0LERcbnriQccXH7OERPd7QD4+uOaN/i -Vg+SxEUsmyxxIRvc9SYuoEnvMjGgyPYunXX58Ix6+84d2O8c/L8LDoFnoriIYgSPTXHhNHg5ios6 -yE57ZDYO2pY0QiKt8CAUF+UMT3s8vK5FvNAFbbmwPvBgnXgWcMWbeKxNvHziIgNEvG/igjw8E5gh -Xo0GcT5xcaSIh6G4KCeeXwmK1+rEW3NPXDBPvIYmLgKKtyQknjY2iddFirclLo6J4uHHc1q80bTF -U8FHgNpqtXG6Fo8IHk9cKDfG22Jvwo678STe8T4XkIcmIk8Fg4NsR5KLF72VN4ji4tqgLQ8+20d/ 
-eWV6yDzsth1bNE8y8fJZm0fgdkjJea8UF8naefWk4vfdnrewBb04Q9GzQDgVF3E5OcWFmHZetT49 -q4vUe1GpHmy5eqIoLmwemqixJy6CW48yceHc9fJLXBQT2NOi2Pt6sjf5ZuKCz9mbLtCdMM+3nuyJ -C89cexF+c9szVAXuwUZyT4SEdO/ZT3sWiotkykHfcT908NVLVmV7L0Z5TcW+B0pxwf+9qCL4RBQX -zpYRvoCroR7hwwUN35Li4hrxeWXx3b7GN4U+vtFHvrAR5bsKUhUhZT5luPkMuPMt0J2Avpck+tQk -fS+KC8VNX0Y9cdGP+r4Bq+/0Wl+UQUMTF7VQDSo4IfWCATa0r0hF+2yhfwvFrAf2/2tK+2BMN/1/ -i21/i/3wb/EBpn0IjpIUIvpbrGVvhIvJhFFzUrZ/Cz8pbt/bGP8tYjyNqCnt69D/0z5BEoraF5Xb -gqt9vXpGLPXAAETMB2uf7W8R8oZ/i/YZI0Kqfa7b2nfqta+NUdi+bEgfGnoBEqIY7tOX4KxEMn3y -v0Uf/xYXwl8R1fPt0/5bNEbGBBlvX02pSIrF0ucC4KI7iEeocd++q4koy+fSB4pLdX9T2X6Vf/us -vX2WyWBQCZh0aOdNKOBCtSfy8KX3fdl4LRAh+/ckDbiQT4N8H0F6Zv+uJl2ljfz2BWG9wwIXdytH -b18euAhvn+/2EZLg4ua2b2KRuX01276PgS+4aBnoFmravrKCiw9oUrSn2fZVgos2ep3aPjjDB+jz -ve2b1fZpwjEgzfYBjjNEqWqo/YJECAAEwNGzJTlDgDGyfUDcANBUtQfStH2RxgrJWmyf2umoBH4j -lFkA22dpXXhXeWLwyqeEr7aPm6Rn+14ZYMngQv+Wng22r3WKoqzP/toX0TtrXxDYA84QUY1mNcgV -LMzBRbL2pTE9uVBq9CGz9rkR396gdzME17WvrscYa1/Xat/LZTeEi57z7VOYtR8vJTy4OOY1uEDf -MLigtMHFanZwMeaDix1qn/1kqfb50tqHu2vfq8/aJzutVO2DMdGZtMLRZ8k1enAhvfalXRBa+z7X -CeFiZX6KE//g4lrVV7faB5IiYp2f2ofyHVxY2hjVPjTU6kKuo/bpyA8uJiBhMQQBTQN3DcgEvR9A -uNht5h9c9DS4sLnY0MFFYxn/PvRpH/Hgwt7zly1A0L9L6E/SPg2OHGQQCET7+k5IkIxizMHFxgfJ -ZpOlWpHI4OJIU/yQ9oFwScMXXIRoXxtQ4FBLcEGXjLCRYYCCC1BHBXKZvbTv0SexfoKLf2B/mvZ1 -CQEKLqpShWpfOl05u1WysODirbYKfZgIa59DjOsgK8/tite+9jxkfx0YXGhrX1K8ngUXgH4pVqoH -ka59qX0oI9Icu3eI7bu5175MJm1BsX0Yz/bhyplXP4W29Dj1/a0B1/YpDnZu22fd3L67QuUYpMGF -sNzXwgGESSTh6fFqmx2b+wwYXKSFvsHF9F+qXepz0tyHX0/3CQcXwg3oPsCDC/0OLkra/AYXLH8g -3ce5AvszuLhMRYMLDei+tiYUssFF31A1YrqPOfI+FXJwIfW5QMWFBhcXEHifhDq4WCmtOt9Rg4uj -I/k6BXfSzVs6PmeHtShAxE/PzTm4AC0kfv9NrTHedysNLjrG/Vpyzn5ged9/J8/7RDo0G1zoLAYX -ZJ3lfW6vwQV7DC7mCy74eACCkzTvgxAGF4BfHffZbHBhysPgwnKv71osA0F/gwuE3ocxuGjp0OBi -bq7/vE/2Mrhg9L6Wow7mfXIFF/6l90XWFt+Zjtq8L2dIggul9+W9zvtK5jUbfVe8Dw== - - - xZ9rCC4YVXhfRWCCC0BCeCfeRwu8r6dV8SC4eOS7L7ZcBw9cqOD7um1F9b2PqyWgxt53dO59K1SB 
-iyxuPsMjcMFipvN/jO9b3/uuo7vG95HK91mH7QNNSonR8n0tfJ9QrjkXuEj3wfahogYuLH2+Z7LA -BeedmGI76lH0Bi4Yij1wgfp8n3cj/HmfBi7+fOBi9H3uMuTyoVOSBsEFrQMXKU1fSgOn8zdwsZUe -uBj/+B6ir498H2/1fbJeS8Da5vuqXvV9Ufk+doGfzup8NRBpnj3weyC4KG6CizwEv5ZpeliEWmlI -VnBxohZcXBD8JDXG4IfBwB0SBD8ACsjgYnLBxVwo+Hmo4AJeEvyMeLtMcLGwZBwFFx/h/YsDv0y6 -4IIbPrtYwQWRe1mCCynwIwa9mQguxNpJcKFq7oGfdQl+v1Lwe+UyCil0iOBCH2HF204quIiByl3H -ZE5wge16mZrHJqOCC/0TXGgACvVi0uD3NBBc2Ceegx8m2mH51jb4bY1xwa9iBBc8JgmMkpADF9Rl -4CJN8HuPG5EUm2ZQWRc0+N3awW/V4BeOaIcD8eCnTQtcZFwj/HQGLvqAgx8UdeDibFoEF0v/WzwD -4EJH+EXzdjPhB505/29hMQ/gwiCXEtWGgSPCr5AFuMAf/EjAhT37zmzwg5ogBT/fmRuDX2HABUd8 -ARdzIW4SuMCybDRvgYv7huMkiwc/gGPBzwEMXEAvcAHUTAM/J0HgIsvFAhdbkeHX6sIv3PFGhl// -pkMI7gs/aUqK4CKNUIKLd8w2/M4RXAy5w++tD79rMMPhV+XARez0uV9b4GIafjWNUABCUhG1/x7b -e0/gYrf4VSkjkCl+jwEX8hVwAVPxm86T1OIX0knfgIt/XfwiaEWQn1YFLrgELq6xhwMu7HeRsLEY -fPycwEUT/Pf44Q24IC+ZSCovObst3BlwsSQvwrfoClwEBd0fv6+EdHDd33s0/Pit9657+ddJo9r/ -kgjyA2ayVxmi5D6Pmfr+6+M3FPLqGyM/Sv4smHd9b2IwiXRosJ4ZcEE86xUEXPg24OLvCFwIU5Kf -A1vyO9zkB4yTnyG5yW8t478lP48pFbjgEbiQYcDF5o0oaQfyBFyQSC53WxK6LXiSX52hmVy2yEt+ -RT7UzheY/GwLoTqCJ7+UgZ5b0Q736QAXJspPVqX8uKn87GTiixIIGg/ggkX+UflhA1zwlV+6yo9K -/29RONOW8nspTXnBGu77JoEOPnwuNLf8R5NuFeUWDu+/hcICcLFL9WZ/nvLLzl9cgAuBfmUGABfa -BrjYUan8kKBPeuUrv3jikIALZjDlARcTLb9yp2NZfkJNiK789h9wAffF8AIusqPMIZhUfjEBgAuL -gAZWfnuEkPIDqaVk+W8xp0utc6j89PIZD2gDuNDlyi9qlMqvuf8WekyfzRdM+c3bFq6i3n+LUoMI -4AIvfX4D3Rsf4OJtmFKGnAnxgElflR+IS+E94AJHBC7Syq+E4y4S+OtRlwdcqGlH81MxT76A4fI1 -84Orlc7lUrxNAlzQSojqV1Lmx3Jb3JL/b3G1v8WM/RZ130hDpZogpd/i4/MGAB78FtpZ8nDfQsnR -Y34Lcub0xfBbZDwY+bpkqSTzQpD5BWwLdpLYtxiXVN/iS9+Co2NXGPNrLRkHO8wvQbukSWffYvts -afM1tuhbqL786PMt3PItlodhfmC+ha6+53eXf/kRFkDf17fYUFiD7HD5efoW2atv4Wno/rVvUYCn -lZ8HqG8R0+gxiD+sb9HE8ntnS2Rcsm/hpzvR5Yf1Laxv3yJsyy/MRuHF5fe8b6F0pslptiWcjKL2 -LXjLJEzlJWNabf2SXn7wvsW4/DqOhYYV+Vp+KvsWJim/Re7ot2A24FdohwyXH6y3xY4o536L1LKC -kfO3wLi/xZgTk/CGx4cJhERT/y1IDsAFcvlJof8tVj6AC/nya/tv8bFDosRQU//B/Gzl3+Jw48ww 
-4svPsb9F3ngS2hjOJMz/LdZ6mN+d/TK/9m/R5/4WXy11zO/wtxDt8iuNHWv8LdwAXn5cs9/lF+tv -kQiJCzS88h38W1gajruJ4eXX+mF+xYW6NvN/CyIu9PITCYALrSacn1p02P++DOycXxWRJWB+UV3W -yQ90W+QHuFAfwAUdzr7EfwvC+7cIj1/tb2HC30KuTE07foD9LUJie/v9W+wBRRPQqOV4zr8q/lsg -FsAFPqP336KDHAAXM5a2Bi2rveNtwFp5Jj/836Jc8nPJ/FvwX9/0t3hXLsPF5GfE5Lhl4NynrJ4+ -tR404Q+dZfhh5Vc7v7sepx/v8JOPT3EI/sWZyS0Dimnk7QPtmFuGxdKoXUZFWdGxQL9NMoYKLO+2 -EJR/8L4IVUlNWpj+LXg1Ll5k7n0F4c1fdH91/xboPf2Qyr+F2pzKQOpNlLs+PejM6oT8Wwivk3aA -T4IBXSflv334t4AHAxTKGQdyymLH32JC+1VE2t+CPKEMZWLs50hR7YiGMfwtzt/q54u/xd8xcSYd -7bTjjeq5hnZSUJVXNH8IG2Qf6HS24szfInSC2ExPauRPDgqU4cpVIF5VYwFPGQ8X+egZ6XTR6VHb -QnrHu7wYoch+Qf8WudZJjvxbNC4yeKhUYxgnCvY23CbP1c6/hZq0ioMMDinFrtxYIMOavDKofVUE -qTRYdUxEwVFTFmv49SjdvwVTpijiFPpyQgtLgBovLiNYBg//Fj4OpgjtpzTXeiuTnMFR5LTwkHDB -JIq/hamMQTnY46Xkb7HKgieWAJkujYuUgqdEM4XK36KtGjm5II1IR7kxc2df+1uUrHzyYTkpfn+L -ux7zkXrOJKFhejL6f6jQBWBX+DJ8V/X14G5BGRaubjGYDjBGITBFuPi3GCTdbcdL9OYFiqOY+reI -0u2XFCYkIsm+Q/r9gUujBKAjCfSHqWCX6/QYsqaWL+bfQka53ftsV/hNqXcFo3+L5IuTN8llgWRs -lfZvwRwt5f0tApAze8SM/KEJJeeSXvP8WwDKplS+c0qQFfdv0V3JWjuNxC/VeSViEnaePWGGMInH -zL8FTC2popT2R/rf4nbDkJ9oIxa1ABOPGobdeogbA5fUxAxta3tx5uDNIh+43f5+F3rHTwIM98Ln -vwXFEsGtqKtOYfCrJDBChv8WxA23UAqUUKIPeiJpE2aCSfJWahvBIMBF0vL9Aw+0l6ekXBDgAgT5 -p7nGinnB5CEgZg59SYCitw8pXDFgJlGACyeup68XDO7gbJs34oyjfBKgJNdfdWaAi60Shy7YsNLA -Xlvq4sUGuOACMxVIReMhTq28GuCCc+r/UApwsVi4GDKpdySPDjB+4YOkmXyAC+NMLOc19QFhFTC0 -J/2PiszCJP3cepMBBgfWaGhzj489GGBovHF7Zs1sTX02qJ4sVt6kCnAxuGlpvBlMIsSwA1xESao7 -n0W9MW7JsTJl7fiSlDLV0Jqi+IALuAiaJtnCfJLy1W2xqgKTNrxe3xQ3YJRuE497aV37GZFB+LeO -WdsEXMjELxWkf1QrgoCLbTwoPywE4CGggIvE4GFMK/o83wUFvGHihG8XcKGprnq49IPyS3M6NmIy -BFxsDehhp5GKXZ+zARfOe2RDeaxY3gdcJM0KgAlkT7Vx+ynVl/mAiaZNaCZwwRvyPlvmcripBC60 -HEkYqdTovdAQbF2TdWzADj22SkpQQ3AXlpMefNlAVnTETQMfgcJWeE9c9sm3rnQs4EwE0V7gwofB -CjqRogWz0kBzSbBnIOt8vVAGJi74hHg00TsoUQMXJIe6098vhGXKXdrABQr6IrZnRyZy9RwLiQkD -F67WQjKCi+4t9qXZpV0Qn4/gYrnxaiz6eZHnwt9glnd/BBfwniuE6KUBRDwuCq4tCi70Ah9IdNJK 
-wUgruAjVSIWmNeBdC179VetNDZFUcIHtnJc6si2aggtbKMmaQCXIAr2LWRMPkd6eruf4QRJcUBmt -Xl7ukzVxtQs0kZ6mNTY9M1IfwUWxsBFma6rpDalYhl0o7gpZeqhTk1qFV0mI6yC4UJKGHp/STWYi -uChP7AO/AHjjBpmFIbjY5Oa5391kZg1ZUYrgIvHDzdg1+bUMrCMILgwP2h1oZNFS1dKFulln0u92 -j9F2f66nLoILWX4XJnON6cH8Ft3ShVyyN9RdKlKlPRNgBOIV20EHUybClQCg/HAxqMt7Kjud0dIF -8+otBQQXzMPmKoQdc3TszPIILh7caCxTYN0SOX4ILqbr5tbdt7p0oQlXPPrC75WswB4aog0FF0tp -E98P6UhOfU7+ds8JLib1pqEikyW4FqJXP05wQaGO1GURnJC8LGEquChuSbjX9OuEFqmtiq/tsfZ8 -0yq42C0wVeEBR8FFJssCHVLwKbhIXh1G6gwKZyKYSxfo2QNFw0ZRrnXBxc1w3bX3jOvBQgElXrrg -Kjo3pIHOCOG18QcjBpcuQFeNv1OLoHPl6sQVMoHd7iJSBy64mDb4HU4B6IoTPrVLF1p6ESvCPX27 -KigvuBCOl8UImoT5vfp7wQXZ9xpKSq+aAMTibhc46I/VAxYXpT2CbMCVklxsCttWF1YaVzotuDAJ -GpY17jCAE46pN9KT0oILdSoQsaWt3adVW3ef+4QFF/3jUNXT+3pfUXHfa0xM99KFjNfiAq1ZjxLM -A+aP/tIF6zNPxaMa8FcRPUXfLl1wQKLpclsGc/ejuZcuVFNOhwT/in3YYcEFISZzrYVCeZC/mF26 -EOsQpq+5g4R9sbngQnNFJg9Nl9wPruRYUT7cGh7v4rzIpQtdKQI4SGGbEQugX7rQPMJvCcUNNAqS -V/7tp8zShRq9WPcjCXzS0gUVNluvKgsuVERyu7XxYPfzFlwMOgzgu5Li5tpXIVONwQXYNF2RHFIV -G1wkcNdhYIsGFwNQaOpZwZRvuhUVLV1w5lFrhcUBLGRYDS5iXKN3qn7pv1xoCNU64JCWLjiIG6lN -LoaQYKY8PdhWANPa4AI2BcFx9TIv9QbZ4GJn5RNii3XylKmUBhdyGDhaQmLCOZYDmK68KFWw0gX3 -vgtVtQYX1OJ0ufa9sPii0oW+IFeAlsfpFfIY2ZetfV/nkJJPl/cPLg5Zz4byDgJrjZcukFirXXzS -WMK7yW3UUVUsBKcLgQ04zB+CF3sLHlzgskmNNCavKBkcXMTyEhSUCZLIK/7cu1ldutBkGYWFGxqo -UW9qZePgYkVuIK/p17h56YJbwKililZoF4+Di+a+eOAA2JOTNVfoVLRI7jk4TewvMbgI/SzLZXZe -PZ0p8HDpQsGfgIQ+NFv4Cy4GogTAdKFDLrNIztngIt64QR2j6QIz5VPlrlH8R2JUxz3DF6K1hKYL -IoBGiVMMewtp8SBncXDRBPDrh3gWUGI1P9B0YercQflMrHBwobHDEdFKo1pNnClbuw4upvZJN6h+ -k/X7QEaU58x0quI7HFw0Sjb5r6FlkIVhkWsjMYXSnwvQjC0yV98nCb+szyPinwu1zg== - - - GLPANX3AZN3m1J59cGF8gM6F3MvWMZ806MGF08ASj4yhzuk59WEFg5NMJ1Rl6zumc0Er5DPCxAAq -OJQ/BxfaQueRsWw7Ohes3YzPaJEsyrGODJ0LcuExwqz3shvuBhfLHg4tjeBPqhtcrOluQwYD1p4O -N7iIy1YE+LAOMOhc0H4iH5BokfQLghpcAMojUkA/U0HfwQVsGkeApyL45EsGUq8SvVjOBactbvgJ -FHl1dhxcWAaHVR1VLWfoOei+l3PBnqEJlTpNYAadMhfGhYMLVf4pDE9UweLgQomMtPFe4bVmLOdC 
-dWqG+ROiaUukC+W+2NqffyJFyI/KtEyFvXe+2GkhXMB6YCLnHoQLSBAeYXOKyoxoECBc4LzrP7NT -p8sWARs3PMhi2zlK85VsbbyR6eRMEx5czJ0yCl5BJiulpFWwckSnw4OLX3QFFa4NOgcXJYoIsS9F -DNeRVXMuOGtklMXhXlipO7igqiUpiZr28n6nJPaIb/NDDAsrSQTgBhf9psb6G7hkFNGiwcV4SaPh -Q5Cx6kPAnAts0Qnyar48N5ZhMKjKdRKgQucCkRMWGHNlp3Pe46k4uKDQgx65FsrIuNC50Ak6SrzB -R578AObgopJA2MUFDi7UdVdoAbA4uCgk7o70iIj8BMjVDS6iT2U0Ibe+jAv7uw9xfmhwkV02qBtQ -8GIriXplLSX59YfOBRH/4xzqSOQNLGtwEeP/37H9iDBJAt1MDWzoFWqAxz/L0oXW7Oe2WPTHxS1G -bIeucVOhEToX+uVZgMy6gv01bZy8JF4QanCRVH37OB1blMxXbXCh2Qqm3Ga8CyT8J7xz5A0ulmLh -jH+0RckGF+tLeLeyhoZ12uACk3slvZjFI5jBGlxgCC4Q+nyDC4XDBx7u5lxwXFBnth7/OmfwEypO -S16QchDSOLvY4GIphbrMwtLK46opPUAo0ExMbNTiIpFqlB2pXKaLWwAbU5uGpQ6CgzkXcp+1UzKy -4Pl074yic5xDQpbQZO5OU1M+54I7iCeuG2Ho5lxYuGNSpb9tcFaUgguljwGdsY3T1w9VcBGD1KqC -7wqXq3BL2IK8MfDLo5tzQUAjgeOggos1nAwFZvui/y84OBVcKJFnQrjP9LYF5YXgYjc2EvNhXZU/ -C3/Ohe4GdgAFmUBBSeZcaOJElODUQHkSXFCB2YVLbh1/ujwp//FPCtxVIY05nfaF8lZWJ7hY3ZMm -wkZksiFVnk62M5I5F/5J0nWM6869QWDiw2bJR3BBeT8jMmDeuI8ZPb4prU9bL6EFMt0Q9DN+I4kN -mmFRuRirL0C3nnwIrAioEVwsORe0CzoAaFSCC5URgTI8ZmGblNLt1hszwQUuXxQa+vg8KcQKRoQm -OCF3fcK6Hl9YqkmCC+26pn/7AWGKSSP4zvLzvUM5CS5i1TntBl3whx4MVblQqdg/1gMe1UlbFFwM -limQPkbGUjCSggsCSwWkl6LM/4iFTAUXxFSJD/lWmsPXLVg/MGp5ewUX8DUexMPaO6aCCw0e1YU4 -s3QKcGltC2hSwiKhGr+6Wkq1CjMWXd+B0FIx6EMq3m/x3dqCU8HAtaCOEWiK73ZrCzb3FCqFBFxw -cfcw71exWobbggtObKLoxoSLWA/7HzxkRRdcjNbzDQpKghU+XwEsuEieJsJNX0QjF7AFfjXCNrqf -sr4NpWPoM+oFF6EYvMo2U89kZMHFqIyaXAUZqyV1Roi1gXH+7P0FFyTc/Sy54MIk4gfYpRuG8QmE -eFQL4Y3Q1a+sMQswf6YV8CSltqXgon7SWL1qpzA2m5lHzT0gB4OL8L4aEbBSTjdaWGy6Yi3Ru9yT -aBoyGylY9gmDi+RNrCxPB6TkTUY1tqcYXBCW/SWX+LqcjQvE5vtcxErmCHsiprqCweAis1ODfMi7 -ZdWGM17TXebmZ/MKGfoi2DGDd73jMhZjE0aVV4wjVToMLtLIk5Ku2dxpKcAbGXXbBORYhpfDGFxM -UdlrAI8A0jbINnFv/NTxkcIr1L8tcMonG8Tp5i4eM7gAPso7I4bMm+q/ip0YXBiZG+mrFusQ7LXn -wsMDGrzADC7oLJAj7wfdQ+VxKBYKCdUKH3jBQWv6MP2MsrWc0hhcTDwTzVWSrIbjHMswQ+EYcFg0 -FUTr1b34GVyAw2FXOjgMLsJAaiX+dgsusMN+PEn5Qjp6BzOKwqO8q3SFcuCCM9T2r1BP3CHCHyVt 
-+hXKL9t98UcvDrKLl7bggsIWkKRX34CGJ76Ce67PKfBdCDYLLjASHBseaNgx9showYXvShtCTRqE -vWTD3jwRpwsu3q8FZ7TnK8q679euYKYFD4Hhv3FdgSveAV7hc9vI0RUpN8EKuPwFFxw+JGFwwTAy -UxptqfGqRzS4OJSB1nsq65K+0eZcgWItal9K17CJvp5coUjB6DBIygxfG1yY9Uj1Fkw3JJ7Wa24K -ETxCFTLNj9bgIrEyBlygP4HQYtWLo1JIl4MLvcK1mXlucCFizvYw/QMVOfUf/oTBBSTavML60RsH -IVFjYFW3WToDgcEF6/ZG8xAlxl+zuA5AAyvBh7FAD0gPIPTRFlysBv2XfVrwQ5aAZljAeWJacDFn -IkQvZan6BRd5pjw4ASmFNtUdl8HFxExhUa1Ioa6SyeBi4EdwgNIoOl4F4mia5BrIPAhPqeA5UXZ5 -3qm7jaD/tF2Di5UWvbBK1WhfATlwFfTOPLOlpKS82OBiU8QEbr6hqSkFXIWySZZEiaQIK2g6GlwQ -9+sR+ZbQ4CpYb2o5ssBV0L1or7BL7AtXwUqm3/01uBDNAkQSshx25lNrcBE/yfv+V+Qut9RtOKsD -5wy2h3AV2q2hPDOSz8M0g4sN7Y3dUD/JSQMzg4tBU765x4swz4HBhekVxOfpJu2GVtyHVdh+kqho -LxTasmohTwlXgXMrvi022iG8jXVsxSQlE+EqdMCHZ8KaGFX+cBVMkCJkNFpbNjAIGh2owQU2RYjk -rmyqsN7fBhcUWevSoGG/YsQaAPJ1gws8yukH1/d9O0ve0cMzHuAqfJnaLF200FLZ16vBRUGw8G9h -214VS/+3CizVEThU5tujQ2K2ouE6rTS42B13hZ3X8z8Zw75xpPdCwEsQ+jZQyMrYDyPRFakRDY6R -MQlncEFkadW7/EpmVvWqkXiobxWqT2GGBsz6HMYwuHBgIZcdKWLw4TO4UIHCINbxp9Vx95uNwQWJ -9JGV2RBq9TerUEymCCyG1sZdsX1MpxYbXDB53oH7JlwJeRL/P6s2fCeKVeg/Ykh/ljQaXFgPf9hi -U/LyHlivtnAZEF06yMUq8ATLpVhSrAL6HYOHY3CRRRxFinHuBRIYXCTWsjghi8GFvHlhEf3cN97r -qmA42AmX2Og09HKaZ9CEaIzDGVzEqSW833uxmVS54MJmkhASseBCkaf7f4tKoZZEpt9VIeLjKaUU -hZ3bVaF7KneByU9GKgK64KLbmhMgrX6IskELPpVVYQt7EU8Q+KD2gouQ0jhqppe3vp3jrbfegouo -yxqlSTNt3cJUgRBJKkwLTFzTowrzwBJiFMkQzIrNjWYjWtWXMoIAyymPKmwH36DgSYUDpBdcjMuP -xtuXkYHlt8F93fneowoar2c+NYiG0KQs4Gye8ng6IGSfwQU8jnZ9ROb6eAwuZk5TLuj3eIuI+cHF -5ZpIvZN6wcUxoClEQ16x2ShsKqzuVFjFBTs+ChtTYeJZQWqA0iPZReABHGS0VIDF0pZPcJQKwB97 -D7ix9D0H4jp5BheywZJB0d7CcEDxlz+vp96RCo3IWF5WeD6ekA0Dg4uQ5ZpFyq8Rehk4EUcqNMkw -SF1aWcTZbh6uStsZXEDMHo6do45UoBVIAg9ey5BdcCGsaX4KE7D9IhdcjHxOhAmZ4qKyIxU8krr2 -O90DlAjbLbiASV45bioTNgk46UaOc2KElQMV2SPBxa1iEP5/YUqitQQX4t9qCxWTM5mmIxXau1NR -kjBbbk9S0CrN1vFIhQXP1/5SWPNNoP9Eut2RCuMqEIf71dQjuJCZp+LImZKvHalgXwXUKUvAS3Yy -I7go8dLzoni9b0sbZ3fgYt1HBc5zawg/59nC+vLPalRooTZizh5pdT5wkVZixUrEn5EhYeDABYvj 
-gjWODQRcZnz5gYtTEAuD+Y91heReNcYDF6ZsmuXOpd5CMf/H7Eu51X7goocxLsKBHpvwNSpgYCdF -cLFRdETmXXJUo0J30R95QwG5VaNCGQJJCP/lD1MHLgie+pQpW93KV3vgYmEsBRqgkr9PU281KvRA -wTl8Q4hzHLhgo9GRW98boNLtgnTgIqWMNAoBgG/KPXCxNAgpjnGxBcLBuOEk7QX2Q4y0jOu3EB+4 -UOVnwbvJxGUD/qlRwWpOom/tQkgZuFAlWNUhEZICFxGOJDjkqEaFtMgXrPnF13TVS9uiRoWywpx4 -HiSzf0wtl8y/6emHXgKBC3PBKOaMuz/ggmyW2qUkdirualS4hrVvjMb5lHJHbcDFS209OOC7BwMu -1LdruyX1np6EAQzABz42EAc3USAeEfHNADwAD8AD8AA8AA/AA/CIOtAP8gf4AX6As5x0J91Jd9Kd -dB1Dt4gtYovYIoB/4B/4B/6BB6Ojo6Ojo6Ojo6Ojo0vYj6MoAAAAAAAABIczXznBOKiYEyiFSnTy -0Vv4HPv517/XIGHZCFnNlH4VT37S3yH4vKrjU/2mjDwm+/W4aAvVKAgXk5MPfwLiRzy5aWZJfDy2 -1zIukQqU1whIl0GighGCgjH5KU5+iud+1W+vmql9Hjl9Xj3u4yTFBI0YHiwhKr8tA1YK4sVLDJUR -E/0msaOFjhmYGCevIVqs+IApuXHyskHCevE6kYA8ITddATOxwAIO4LGCksQMmCBYqNhQie1As+KD -CpYdYE5eRh/XDT9ACB0EwEEDhoiqh0rsRkw144Va+ewsOp4/jvSiQ7xg8UlJGRFPgyWC8e+XPt+R -QhLbc7fTVkS8Dk7gAZiUSbSaKn/egkWaOX1QRH3s32kxpEVQxKJ22IXQsQWvJvrMctUUi7ZIhYaA -IUnBaZL9bgEGFEAAHTCCaMFSxAuWFS2TCG7XjhvF78vn55L0qKSNklZLyGexEtUwUcGQepV/N8Gt -RzVfey0jJYQAO2LAIGnlYInpYBFp0TKheHDSq5Zk9h5B0Hr6aDFZ0SrRIGHtsCJCos+pN1XFrMlV -Y1Ci1U3DfF0HzAoRNGiGmCHjwwqVFjETi35JLJoC4n+IoSKFarQjxQUjhoJRssKhEkvZc5OK0l53 -i2SfprhZrmjYhklrRKdTmD4mfR3LY9j9lt7ThcMsI5+kr0P02cS/YU5/yr+r5Jc3R9nbUq6qgvTb -CFHBaJ1cRB4Vjz6CzyI5/aJfVw2PWpWHSskMkVYLV6nFq/RC8qRs2X9XGyVVeC2C2dGr0oChXKxG -KJ48JK9bdVyCV18t69GL6bWrjmdUIRonLRmUSMWDp/R2in+/mDwpnSYZeW6ojLyE+g== - - - GiGlGiIlHCQnGyGnFVAfctcW7HCUnFGFRHbZxJdpTHxMCJ9ZhUb+3aXbIhctyWiMk5YRMFKkgPgY -I6sXsBPJbofwN8hdPewZatGUkF6EixYfLSUxqZDJJ0+xCsWoQq58JvnkP1rE/Ejx8gAeNZaAIYMj -ZKWC5FHpbdGKyh4XYs+XkmgEn228Ti1OP0t/u1wWZJJ5+OUheHLVFK/WyM+P6LSLFgmHScslxKN4 -bhVRj6Lj3TxvUVy1zuckXf5cR0krRvQxyemTfEa54x/0RPC6hxYyLabQDOonwgVLD5YQmRMIttcj -Pd6rZ8ppvVrG9psnQRScrliFaFSgFpEHds8elLzHT+Szy7hSJD2+gkWKEaJa+XdW3LZouEXDfjl6 -zFJFJCrB7SuvYXismllX/ZrcNaSeK0JSNVhGXqSIwPwdptMxKtANldaNlNaKFemEt1lAO8t+VbBE -RKhggeE6tYh8Ex8vwWuVu/ak+FFVvSTlj2vdMQ1L5CLyU5hAMTyG4XEJTkFqiZJZEryS+LcLyeNC 
-8sScfhpUqOXnbxG8x9Bzln5J4qBXatVcBG/QC53lqVVFqPmX4y16rRoOraZKZlU+ugwKZALiW7yt -wukcNV+wu8sw5JZLbmp6VdTLumb3NbspvN3i2VdxS3+aiD7vWCEx8fix2RWp3xI8TuFr06uaYlZV -xzGcVmH6V3DaitUU3y7Z7dY9/+qZl+LHbfWzHNFpGyzSDCiPIXlgeu3C6RO8ruQ1RKdXRp4dLSU9 -VEpgQr9Jf6/olwSvoTbtz9EUr6mZfeHwCWh35TJKSB/x2COeW+TPTXeMwmUaV0kGBTLpb5E7htUu -y35B6/mjZW+Oq5hFzS2Jf4fgs+gsPWNISk/Wy3rKkA49VD2XeHKWkafE10vvKmJRkquCVhQfR7nj -6q9LwWzMhmNI/4rUKWbXqFYlmaPOZaTUNMHqyUVXqEBAtGiZYdKiYYlgUh+WLfNmOYffy2W6GIbS -sic9lJuuWJFWqEywWv6c5E6GORl61DKknrFbHtHpFcyuYPY1v6PU9MsR5jaX23STTMlxiD0/KQlK -zf8k9xEk8eQwqZHJ6P/dlU9LEU/eQvJhN5zy5ysfPeXPXXbbQupfwFQjuo2CV50MV3EbYsOruCWx -qi568bYRtWYIT6N4dJeQP6LPMRtGwSwKZk/wipeh6FVjen2SXdKrsmb3JL9P7PpBz50cZ697tUwX -QZjT3i2bPa43yRv0dvEbrWjqXe+P20UvVsssIY8KqE+BEq2EPP+q2uVok+BHNW/x488xtJ4jt3yC -yy39vcLfpfXEQy6lt2nEWKgYJsHlFk++0tsrPB1Cuyp4HbUoyU1bc5uLnccMXTYc0+kQ3T65q06G -+UnmqGlqVVebtt6U5aOjfHaUD0+y2ylX9Utw1KYqXKeV0Of0sqm5Rcns645FchoFs6iX9ZzkanZf -hLBMtIyS3ZYNp1CBXlCg1B2DXtVEvyraNfHxEX1ezWzJj6/kdqSe/Bii2lTVOv6Kjly29bYj8DtC -w7D5LannyGV5NbVJ0VTLMPi1HkeLoR2CnnOkvc3NNjbYpeI2H71PWrpuXGXjo3YdoaVqRU3quYNe -H3ojOU0DO6Xw2bXXI7/OsunRuv5lmX+g3XX+KNKdhm5Q6KPokueSmvqkuJMh7W03yOGe5pPixyRD -aBk6y5KajtI0hKY0+OHiOIOh7Hk2+MHdtpPhByXxrzutqIuGUXHLm2JOgnxa9igZUk0Se8ZuuUW7 -pNUcqaVvjjXY0Z7GZh3PObroN8SOPaV4f9v9ZX0Jklg0lJ4md23VcuyuRyrKgtsTm+5kqI/hR03h -r5NDDxdBj1mSVnSkmiPV9JRi3XH41+UiGHdaX4q3+MneJnPZX4ofMszBzifFkFmSUDTVqiT3fKLX -rzo+xW2Pkj1K4uO3m+Fuhiq5HammaT1RLOoxw1SLvvh3ym7351ji4ym4/aDjCB1dsCpCuyExy2pR -0Tnq5GeC1xfSByW7p3cVoWVJRUlrKnLXMXoWnWRpNUNwGeXDv4g8JXutelcRWqLglaS3U7H7SU/X -LY/cVDW/qbj90TKEmn8pntpUZL9rcezNMeWqLT/uQhVa+XcWDX/WUwWrITl9eleRvm4xfVQwm2rT -TzniH+dmnHfb4s67P0/1siL5PYLbI7YMQs87/Gywc7dsBEFBbjYnp3NyNvkI9qQnOscSWp5aFQ+9 -mNPYrBNy3b0c6887vexIPfUQrLuu9roQvP7VdN22dNNKcMyb6C2OPVnGWafmuJrjUE6n5HDgzlOz -bM0ynhR9MfzHkAfBNsvYDmfuuLjr0E72m+jHPHlR9Izkq2koZ4N2OGmH83Laq2U1t53SdPW2oXO8 -O60HPbvj7g/kSRLNOrG33WGHe9qnDD9nmYvf3GlulrlaNnudzGn51/lkuIve7W0hkwSR4wg9QyxL 
-g6INfj0JjlLT1bb/KN7fF3fdu2n5GN5i+HLbyV1JqemLIO5xs9YRqScKZlNxW4efmnVODgi9ZSHv -+oJZ0Dm22SbWspjb3m6TQQ60li0efaSOPWSoh9znJEdsqo8hvGVw1qE57VOKLHhtxSzKVX0y9JQi -7W1stqHBbdSqoRT9lCMMdlOs6peiDXY6KdYimIrfmBDIBQqlet0Qan5M07SmpxV90fIphj9ruoJd -1cueWlWknqLURL3sJzX3Uow9Tv68mxT/tNRFzy/FEFqOUhMPPZ4M/REUmSHMR1/pb5KcXsHs6lVN -LCpaz5C9XtUxzJZLdnv1sj341R1He927ceZmc3Y69kh6zNMfxV4Mf5L0RzH3OljLShAQbwAnuAEM -IM04M6fhHod3XA56e/jlIDh7Hux1J2djbkBabis5m3fb4o2jPY8fx7WTjSAgJYdzjye44XQgILHX -kcqSD8P7+/RQLDecTYcTnAHoYHY0viz1EMw/D+a2c7NxO9ndeWgnWzsPhK65OMrcpn/fm2lsJytB -QEYQFCMKFCQKFCyHI2+c3W2eEQSR4d5xe9fdXXduOONmI3+dzG3o5oRKblHw+59mLn4up2OCgKQd -Dg5+OgjWXmd7XA52KrZNpSr/eXPXtdsWc9wegnUI9iL4jyEvhjb4rZzNu2n097Hb1nKb7HX315XM -0sWuMEykF6bRb44up6VZx+W2XQxF5PgZw5BJhs6SF0M164QbkHCDoj/HU6t+zPEvRR30PKUoUk9d -BFkOCMtBUXcayBxDaClaU5LLfkwS77ZY66AbFO3GscdQBkFQu8pgrXLQc7nOy3X+09zHUaSmIXe9 -smm7HEtuC0JPUXqGzBHlsiYZJsEwKE31UfygJqpdPSaZi58NdjPIzZ9Xh6EdhvXnwVoHBz+PSXpM -8gY9++vgLYO3TCWzLNoluao+gqZWRbUpyBz1MbRD8JOapncVqejtdXXH0V7XapoJAgKeQAF3nx6S -KIcDb5pHHPsw1L+O7jZzsyFBNqumzd32ah10c4LtbPpRPK1pil35UDw7HVXTVk0jOZxMhxOrprWa -5mrZ3HUrp6NyOieHk2ZcpsMJjg463KeJgu/zxqUdDv19J6fjoQDpUICYnUzVtHKzWbUM7jqVw1E3 -nJTDCUFA1q2Lve/sdFYtE6mqzHltJytRoDBBQNgsOzecEwTk3HDQzYbutvvr4qwDdzhth5NyNnXX -7SA4b5y5OZFCZRLh+94saW97s0zldNROR+Y4tdNBMw7cbbPX/aRZOk+PGP6nCVLV+/vyD1y3zfa4 -/eNobqM9z80y+/t+87TBkOxwQBAUrNYxoSdoFFnyC7NjUFrqpHiHoNx17MalnQ4OfiY1LaGovGVp -h2N2OGjGocNP1Tqs1ulJUeY0mMs8pvg5R58URScpOkl+BGuw409T9L78ONJaB++4WMtiLnO3zO24 -X0VPdp3NOLCnfdCSpL5PKbuLIS6CcfixXxdiV3wUY4/jxU/Enk343EXP9fepGUf2uP80465TMw7c -ZTkJ5mJYf6CraSpnw3Y68cbFHCd7ndxx9ufd32eD3n+aeinOYSd/XW+Wu/jhHkd73vx9+Rju5Sh/ -XQiCQuVw2ixjswzdbF7Oi7tPzbRMBx3Izcb+PHjLdtBbwS0rhkUo6iHJ/OvkrYNyUKQdkJTb6h/X -f13+fbdY2qN5drLvBIimw4k0004OJ+WA2J1ngoCUICCfDifEDcgHgsLMsn9lPWfqatoNgiJV3cMy -3jpX49BM23Q4EW4267atWQZznKtxrca9XdduXNnJPhAQM+P8qepu3fyBoBP1xdHuPJTT8XQ48elw -Iu1w2CxLOx2562aOg7OM5WzobZO1rO48NeOQ7DkKjuNugznNzbJysxk3mxEEhap18BH0y5HVslbL 
-/rMMrSmpdU1uq4egvGlzx92g12qdtLMJrSxPovpoekz0BsN7JGPPu0FQD0XZ42BOIhYt1Ahe76Ro -e16rZSGHY3Y4ewj6Yjhv2l+S+yjC3VZyQMTNCXID8nIbql1jTmu5jkk/04Q8LthVrakffnOnvd2W -m2cMimeHg3+d3XH0ltXddoMeiV1N7Wp/XdlBEXJTkfvWxZHuulbLbhHMSzL+QDkMyU6n7bSSev7l -yIvhPoaz18HdpmqcNOOIIChMDsgdencIphxOvGl018VdB2/byumUm42ZcWKOy0HQ9jpY67BZJ+1w -1Izznyb9eWln427ZLYq3SMLclmact9vsL3y1rdW0+gNlrjs7mogCZAQBOTsdmONgjlszzi6GLzgO -nWYOfrDWcTsgccahu00HPXnTdNBTqSn+ee/GuZzXbpzb0VpOFp44UYKAoBxOeOJEd+LEu3EgsSyh -aKg8P6JZd9+IAsXseaZV/cUQ5WzKzSbNMjTLWG1rte7saCAISGh9d3OlQXHNspDDGbOOynEsp81i -WGoav7IpeY9zW5xtaG6rPy8HQQ9JulkWokCBZpr9hW4nq7ftD8XSmY5QFeY42dveLUs7G8952mDI -blr9gXoI6iHYhyDeceYGhdnZeFS0T9H5616wq5LbsTkWoWaabcQOCpbL/BN9ue8eydec++WZj2XM -cWxno3I2tfj5eFnZocXlL0s99EhmCSpJD0mmWHVEinPGiTltZO/dbWO1Tg12/1mi2jYPwxv03i2L -Py0GSYxFCdZ/nikdUauph6DsbarWSbXO+3W4GMZa9otfC15Z8Fta1b8URWsZatH9JGMRLLXO6WVT -bDtCU54kXW2DvQ7+PDr88PCLOw6UniJ4rYvhqnHMDkiqdfLxC50l6CxdToO7DTa/pzR1te3cgLRZ -59U0uePqz1M5nLWzycEP/z48BN9NgzUt5WzaLIs5rt02VtPWTqf+OhI5frWNBEFhbjasppUgIHs4 -/uKYf6G8cWtHA1GgCFGcsD8w1ca6KJJU9UXTfxj64LeDoEcUSxQn1M5GB78368wcR3tevHHqhuMN -YADgiRMoh2NyOtkAdNB00EHtdPpPxDvPI5J457Udztrp3OD3l+XcdauW0V5nfx7oNA== - - - USWabjogChBxw+nNFP7Ct/NYr/unaU6SvEm6XEZyQMjOBidHUqqCTnMkhlXmmbWm9abRWwZnnFfL -WE0zOZzwBIpY0/Qw1MOx7jqY01qtE3NZzGXspoEbkLbr7lBcO5xYy/gw7MXQQ4o4+Nnh93Zb/XUj -cwyD3b8cZU6jP67kpqd3hTtu7Gxwkwylq5ttaKdDf50ffqnTFKmnfor7Sd7hF0JNE4r2IEhzmt1p -urfl3baD306SaIeDi2FpTT0mmYfgu2W4+LHg9jdJU9zuZolaVZV8HqHhvxzrjwOdYsoNw+i03HHw -pqlYVGR+a4/zy3Blt2GcQiE0bIfgymnut5Xk+6dM2awTc5sIPVtue2rbH0XbLWs5TcSqI/h9g97n -HGFyS+PvKnTcWtFe/FZtc5ehyK7/aLpmnX0MX3E8Ms/b62BOOzkbd9s8ZSlrm9vJVA4H5rZSmvri -SHfdmmVpp+NqWsxxtdeBJ3QQQU6knc4IAjKCoECZc1BIytrWZhrK4bDbNnte7YH2N66aFlrXVm3L -GxdnGZxlMreRICfWrDN7Hdvh4B/YZtrJ2ZQbEBEExcnhpJ0OCIKiM4ABcCdOrJkmb52aaaj2dcHx -CDV/UuxHURfDNcvODofuuhwE+xAkleercWq2wV1If6HJydyNc7mvhyRv0PuUYz+CtMfNHmd/Xatp -MfiR0HRUkvzH8V9HMsnPGN7e1mYdc7M5OR2Uwzk7HXbj4o77T5IXPxzk6o8rO5wOBMTMMnXjQhCQ 
-2es8I/mPYmpFQ2VJfx3scTXohdByH8M7/O7P+5Ti611RK2qHn/t1eCnaYlhyOK/X8eTYg+CHFHl0 -zE/xw556KbbbtmbZmnXiTvPH8ISaKNTsQVDtdMjN5hbDvhzbLbs/7jOGMdlV8fFD5ymLHvtt+giC -zvEnwxz0/DI8ud8Vfc1CuzoZ7qUoQssQSrIZxz/FElte0W0Uq4bW1aOmMciJVjYPxzXruFtHBz38 -4+6vu0MQ9jgZ7HJS9JwmT4otvt0i5Lvg9ogMPaHHj58NdvtJilzWFsUZ/EaqqnrfXQxlLqO9Lva8 -2OvwUVQ7mZtpM8fd3ycqzdz73ixTOxy101mzTrkBWTUO7XFyx5kbTjeAAZAgKEipy3a0d9tM6XqD -4Nxx8ralnI3J4YAgIHAoxmBIbkB6EQSVZNxx52ZzbjbmZmNuQEIq63qg2enIn/dyW5plZ6dzdjbr -lsWeR3vguel0KFDg4VhaV78cbY+jO07mulbTZjCsv4/mOHjTXjaOh+O7dW8Hpp2MBNmsmnaD4Ox1 -JTZ12e9TauIeZ3MbzW3tpqXb1nJcmnH+UlyhZZNp5l53d1s/ivgH0h44bjZmlqHaBn9f/XWkFWXR -76hVW44rOx2SwxE5nJHD2ctyzTow14kZ9Sj3XWJX0JrSYFeLoMppdAj242h/HSk1USract08DFct -AzmbMOP8KzuD4KplMU/v2vOTPiex550cRc7m24CInE3baXO31Zx2cxu9aa6WxZ9Xh5/rbWjGGann -E3oOkWCLRUUmGUrLD1q2XIflOnG31Z8ne9sHFUfuV0akw4g8rznmyfDdOjTY/WjJlyBLZkHpCVJT -3iRZLnM5TfY6mNtmj4M1TsxxQOu5qmlPevYnCVJRj1n6aEnC16963slwxKaiFUXBbUhFb/HDyfD1 -uvjzaBDERdA/R5bMnui7SF1vUbRHUc00ldNps87K2cSbloehLor6OLqblnY45AYF7HG9CLYdTqtp -dxjiH1hyOONmk2Zaq3Elh/NuGg56ILMMjWO7cR/IJhuADiSHk2phj4mGGxB2y+BNo72O9rq00xFB -QEjOxtWyVstEL/y7bx2CMqe5mqZmWatpqaalWcZuW6+iIjouUlNdHGkPZDfuQ4Fi3Gxgr2PVdz6S -q3kmse5/qp5Tnb2v3bJyg8L+PJ8c2Y3zr+hKnk+rW38gudmUnM64AZG5jQfBOvxyMgSlJy+C8Zap -nY3a6cggWGbZBwICojhBozL1IAPTuu2Y2+aO08MwD8Ha6/IQPDkgNvktccMFS67nr6O/jtU6txjG -IEiLIdxx9xiu6rk3x1frqJxNu2l6SbpwmxZHEAREHj8JGFEEyl/azbFHRx4lZfGLQe9PzRK7kpwN -DHKvWh6hKv11OiniIshumQx2KtbVPW90gi69DYNbE/lVnWardWSP48fxL0+Us4lhnSpQRBAyqBRp -PXsS3EnQY4okvO6nput1Ri9qg9/8baUWZfnssDlGrexflnkYwpvWumMiXMiQeEA3Keqk6JtkT44e -0xyt616WL7j9gEE5xfAtfnopzl9Xi+AcgnQYopzNr54yJ1EIbfMjSX9fLYJ4SeJhKGvbyuGcG5AQ -u/KmaYfgy20oh9Nq2qtl/SiWVtRDiie39c3S1TISBMT1wLk835AMOZ0ULZPsOS+C9qadHI4IAkJu -QFAtq0Gy5GSsp9kwERmpqatlbdZZO520k6WdjrnZqFnnb927PNUs88fx/r6Z43owdLeN5GxIDgh/ -lisg0B2CbdZZs067aS+32SAYStOcLGUQRL0xT5rw1rkdbe107DC0QU8PwbnbVq7D0m/SG9MfCHfd -2enAnvdynMrhlBuQU+vQoneLn+gsWau6g1+bdU4OR9yAgChQhChOeFDTBL/3KO7juFLXXxRnTUs3 
-ICgHBOWA0CDHsuUX/PByBKnnHX40CKraVnY4HwiKWgxzk4Q9brSqL3kGnaYoRfmSDEFAOhAULri1 -CHmZ3DgFqzZCUjBcKdCK7qbYl2L9fRwIit09XbhU/WjaodeSYRb87mLIiyLufS2Hw4uezAjEiyIJ -LV9uC0LNXQzvz4M3TdycgPl2ECxUvOw8pa9nQH1sfkvrGULLGuRw0hvRZ5Ga/qa4guTxAVuV0DOo -LO+vk7ut1TonefUBc1Lif1CwG4LXoVXty3InSTwU2W1DuQ4PMiqpFzaxaczHH6knDXar1lGzjrlB -8WnRFCpTb6I5KYJSNB/FOgRt74szTeVw0g6n9MKyKKZaRoPf/Hm6OPLiuIsiiwikjyT9ebPX1Z93 -h+FNnjJ5jhrXbTYjIRDK51N7ncxl7tZptQzeNjTrnFkGgqDIybCJGzRUcAxvm5tla6czbjYhChTl -ZqNmmQx+6badWecvy9rz1g7nzbI146xblmodt9v0s5TBzv46mdv0UcTB7/a8HQxZTZu/kC9NksNx -t63eOLvzQijKj2LdcTG3xaG3wnOcNF2uw0kyzTJ229QsG1GgSDsc+ONq8ZNBDmSWqDS1vQ7dgKxZ -B+64d9vSzubtNrfb3I77z/MXR7jDeTsdWdNsz7O9Dg+/WgRNLpNDLx9D+/PcbTs7GcnZjJzNPY4q -x5kZx8SyJXbuKUldBGevUzXN9brcFGN4nY8hyjVtsEgsTKS+FGdwg7vM5Tppl5nsFuXjx94XWs8V -fheZ6fv7Zm6DtaztcGiPK72t3HGoVh2x6/8s5W5rNU68ZTS4reY1xc9B6qniuVNyO3SSN8jxo7d6 -U5WdlgHxH9TsyzBFqI/x8DwJ4iDnj9+JRUEoKWLNEg9ugl1YLYfgtV6Sb8e5nBZ3G+xxcdjF9Lon -RxbMyvj6PoKxp7lbBndbDXo8SpJi1/W60Gqe2rUGvXbLZK+rPy/uNrjTePSUxXDlNN4k4a6Lu07u -OHfTRLCscp8siqgXDqEpzHXfhtNtNh9nk3Jbn6Z1GLJaR8SqeznOX6d2OiCKE+QGJO1wPKTYimPe -LHNRdLPMBAEpNxtW23RxhDmO3TSRs+FQnIA3LeVwyg3IDYK6GIJQ8z9NdstIDoj8cSHxSzrRl+Na -LWszzsxtctf1pVmH4oYChctxfDjOG6duQF6tA2uZLoKl9+XT9exkr9fNIKhq2apl7ra1WvY5S58c -7/CLv44nx/r7VC1LOSBt1pk9bu44tsNBOZtWy+avqz+P1bJzAxJvm+51fhjyIChz25p1YI+jQe/l -trPDyUUxF8nZ+9JO5+x0PBAUJAeE9jheJO3P60nxP80U/JJWVZSifimmGUgNbi2ZRb2t7Gl+KX7O -caSWI/W7wtsmVkUzTk6Cq9flR5HVOp5y5EMQB7+Xy1itA3dazJZL8Jv2uDvsQihJErMrtLtiwyxX -lcGNN0O/HGuw+6SjSN3CMP0yPY5a0VsE7bAryWmRm9ZLcAWvKfi84sOzXLU3w90M6bDbTVEvw5XL -YE8rtWpJbpvctegk9xF8uc5OfqpXnUGOJbsnel1yWVDL7uhZl6Laab9Kql6W9jg79E5vq3JfFNt6 -ylH+OrbbXo+zRZDNtFbT6M/TRzHcdDo6nAg5m9jr1qzToTgRiyEIdlPwy4fjyeF8J3Q4OyA5SlRK -+N8Gv/nz4E17NW3tdNaMc3I266bR4NdmnbbT0b8P77yVwxlBUIwgKEjO5t22j2m+23ZyOPXn3V/X -i+ENfuymmZ1N/Xkst1217dttPCmCzrIfR/r7WE07O50OxYm380gqm38g/nk8CO7fx4Pg7XVnh/OB -oJhB8IOyuEh+TJOEovwo0txWc5pnFEer+jnPeNvarCNzW+xxa9ahve5jkrnX/R9Yc5sIcoLcgJic 
-jbkBOTkbV8t+kSyd52tVR1w2VJLvto2bzbtt9Qe22fZmmx1+oNQssSkeguVmU4ffq65HqUp3nJtx -2mxjfx4+grj43eM3g50ddip7DpPjEFp+TBGEij869uYISs2Su74e15skSQx7RLDuttnjbtDzT7LE -pvsIxlw2OsVUSqLSMeRVT2h45a526PnlqI9gDXaq2DWl5+tdRWa3xI5bcStKSdNa+uRHotM1XKiS -nPacYSgVUbBaclVV7ILUkz9J19NQcRuj6ZKa+iJ4d1kvfqKTXLUqC7/3o2iC2yGzXH/evqYhGe7X -c0fH0Wq2YPcGv9ctv4hCo9XNxZH2Ov8cUe+KatXSqn7Os/Y8nyxzUdx00CHkcGgR7M1x1Tgtt5FW -FXSatNeZIJtxA1JyNu7WIaWrHo43+IFQcwfDmeNaTVM7HXfbXm5jtQzlbFgOB/c+N8vYTiflcErO -xtxs2k4H/75X29Ysw8EvD7/V63rKkv66nRRFKKpyWxGK0l/3MUlSeuKgJ3cbP4p7KMbbNnOcvG2y -pu1hCG8b3XG31+WgJ3dcmnFebqM/sNU2fxR/cry9Lt40u9tQqoqC66i19ZQl6Dw9JTl/3tnhpBnH -3TI46/Qcl3dd/Xl+KdbexmaclANSf54vknXXicxxpZ4ic9zD0P6+eNvSLDM5nHvzTCkaArugcpS5 -Tc04vTnGbttjomuHM3fb/XUlFB2lKP1xLpfJH5ePoF+O8JbtZagS6mM2XJLPM1gnE7zuS3H+OhKr -hs6yH0HQSbJg1yW/pDUVqeh/ln4pkkzRA3IqvR0jVWLZcZKb/pymHnr31+kjaHJZXgxZ7grj5y89 -boLToZP0SXAPOROdZoEijdoUVa8xQlAzYikYqhLNxwMyyzr04o9TCXn+M6VBL5SWJg== - - - NUwSuyr0jFLPJvhdf17JZU2v+2od1eyufDyvuz7FrWhFRerJm2PMaTSjYvlq60FRmAzDKH1UePgW -q4ZQsydFXgz9kky17B7DX0X/k+zJUM02dRju49hmmcnZuNqmjyIINT8m+Zej7HG4CLriV4Sif1n6 -4zh33LtpaoeTdjhqh5NuNmqWjRsQNsvcTGOz7NW0muNiTWuzrNU0V9NkbgOdp0+SNeh9TPInx9BZ -fsqy/jp/FD2k+HLZ7HGnND2l6Q5+K4eTgoC4nU7teeNmg2aduNt6crS/r82yNuu4mgZvW7xpbYdj -f179fWyHk3/eSV1DJypCU9PK+iQpex7LbaiWkRwQNePonvcZRxJ6ks7SM4K86PWhx4egDoZqxim5 -awu/v1yWdJo5+MWapmqZqmWxtsHcJjLJDyn+ZumTI6pNS2tqg2GrZboI5qCngx8vhroIhtRT5aoi -tLTBbtU2J6F9iRozRPC6JbcyHz4lr1OtGkLND2rmJKiSXxdQiOS+Ve6KatWU25rYNWSS+cfl30bj -lYqxar3il6SWWS6LUlFY7L7kt7SmtdeJUBO1pqS0hM0uqlVRbeqKWZfMltxUP0UXJCwE6LihImVK -8fMYHX/KEYSaH7Rs0fHsebspnvA3zacPeduUeppQ8zfJGvRCrCpq29rjYEB9Ct+jYNhPy94UPycp -Us0SHoftfZ6uqTh+2XMYPoe564cMeRLcR/A3SV0U0S1bMSqFzpPtgKwZyLp1dJKEPS8EQUFyNjgY -+uM4Ok0Uq6bY1FOK/Rj+5Qhvm/199weqHQ7KAbFBcCdJeNtMEBQhCIqSw7nBENa4WNt6UKw5juVw -Vg7n5GxKzmb2upGa7iQJd91pVT8lWUpPl8t+TPIWv5broNnGBr/663YR/JSk7XnztrlZhnI2HooT -Zmejap3Z4+zPi7cN1rJYy1bOps0676bNXrdqWtrpyBxHc5wOhiDzDJ2nhyTfbkuzzOx0Uk1zN03u 
-Nhz0PGOYWtGQ2CWJ3RA27T3O7XDQDsjIZVWu24Nf3nGx1vnHURe/O/zWTQs5ID0Z+qOIf57ddbjH -4R63j+F/mroYwltmf50oTVNti2JVUCmGyHAfv7fruDx0AnL8gNW2q4ZpRL0KkZ8C1JPY8ucsZZCL -MY14oJyU4DjLTV0v23pbDxniHmd7G/5tLPn1oOo+iq13DXlZk9g9kV3XmoJG8f68XRTnjhuxqMvH -X+F1k5tuvWuJPe8SzM/QR4qUCPxQBEm+q2SXNcOjND2t6gg98/Bbtc1uiiU93oLfvxRF6WlSU5OK -glLzDj8a9HYRbGESpeD4HkXQmr7qWUSGVSz6OclaFNvv+1UV1bI9KXpGEFSGMJhFrakoPfWSZMMP -5XDkTgOZ4eplVfyfJ8tysxE3IGino2aZuQGpva4lwyb3HNKmoFKcO+7dNHnL3IxzdjYoeW7VNsg8 -8a4DkeOnHFFqunseiQLFmmVvpp0gIHko8uJIe98dhvXXzd3Wchscgv95wpvGi18qNT1kSH8b/XH6 -GIJOMxdBkorq4Edz28xp8qbV3lZSURz0WC0bQU7QXRdv25t12A5H3jafJHEQTDsdNtPgjYM37txw -ZK7Tw/Bjkrwo2iJYg19fjn9JvhnHzTgxl71ilsS2cfEzqWYMTrfSs0SKIRLkR88GuVz8fHLEwU8H -wZjbWq3zcprsbX054uHnl2SJXV2w26LjKv7e9brulqGdjV6OJheGu03+th8lXZxCPkReL78+gtEU -DZtgNYbTJXn9o2OI/abo80t2SyxqelcRq3pQ02OW/BiK0BK1pi+XPaGn7nEyp8FfR4Me/XFyt/Ej -+JMiqCRX7MqHoctlK9dJ0e8Jz3vKEYSWKXh10W4KXkWrubLfVl63blnGFILdN9x1ugiKUPM3RVFa -flJS1Ka5CLLoGPW+PEnCnPZy2V+GqlYVoShfjjTYfVbUxctlauF9DPPx20vQN0ka/GKvYzcN7rR+ -DHnx+5CgP36ruB3RbRK8cid0aOHxilIoNssiFP2UpIccR2m6i6LLcSVng4shPo66CJZK0Be/nRQ9 -5FhrnTfbqFrmUdf+PEsrWzJN3PNyrwONoYgkazBcty0EQSGiQGF7H911rZbpY7iL4m+WvlniYohm -nZGD4kfJFh2Hve2oFEkl2YcgP4Y3+H1M0/Y6mOuSwPBKRVsq+nLZvxRnjzs7HJTDMUFAVE4n5XDS -Dmekqif3pTsv5ra1k6WcDptpc+fZIUiDnx2CdPjFn4eH4Nxt6gaFq3XoboPFbUlNVy770xGlhk3l -OBrBX/TqL5M9bR9BfhRbLSs3IDDH5WL4kyKsZe6WsVonF0PSqvajKDJHVUqOTrEVsyZ77ZrhXBTr -sDv59xUpFIuHf2ESqeT0iS1bNcuqXRX9+qqJo6EK1khHiGoHy1Riz70Z3uPnq2dOjq/H6aQoKst/ -FElm6Qk/UDnypDiDXstpaMahQS8fw3wEP+bIg99pNU3umKSWfxTNSdFlzzFerRB7TrmqSTVHq/mz -JuuGU/7dBMMzGJ5cFmXHYzJsSkt/9HwS/M1RFcO3KLLbZpdkb5Ytuw3T656yXDeO/G0qGr5BQtKX -516WJ9hVzW8efnK3vVv2dpr9eTkIwtsmd5upRWFEfIsSiAW32wkdZKiMMIDHjhJ9L6kpSl2r3PZJ -TethmHY6aKcjf17LdToZrtrTQ4L159kdJ2cc3Otmr2u5bdUyPAxrrzs5m30kR+gpMk0bFEtOJwRB -YXI2dde9mlZuQHARVLHtynVJaXp/XwhyguSgyMkwNscnFfWI4C+CH3L8mKUuhjb4wZvGYtmWuoJE -cESKqfQMleIufu+mlRuQtMNpNe3ccFAOpyTXUXR/D8Xa6+Bto71v5rx322Kvq8VQL0v581Qtg7uN 
-/jra4/Dwsz/OpJohc5w/zoOOnzL0xc8fwZ78QCkJSs3fJPHwU7MO2uHMnleDH+1xaWfzctoMerkY -3uEnex0/gqi1TK0mzWefYQrFZFf2Nv4EZ8RWP05QRilqWk1Va7r4tguTR4WnUzA7jx+ejjVOYipK -ohhfd8Xuf447CX7U0zfLGfRij2uzDsxpu/jx4kdKTb8cbdCbv07+uhn0aNCrQ08XvxJavui1i5+H -wW4+hnkpupRAPri09OWYkx5JJWExO3LHLH/uomG9HN+u480SlKKhs0ypJSotXa4aIsM/irLcxnLb -KJb580y1KopN9TGUP+4ev9CKtmgaD8UUHLvmGYSiMrfZ3vYxRZNqfsgR/8B242KPO8Es7JZT7cqP -Yft5rz5/MZlKLYti1dJ5hshRZJY5CK6dzrtpctedWecOP1Bqzl4Xc5segv44fsjx9job9GSPW7ds -3ICcnQ4dii7HzZ7Xm+demrYosprGZh2UA4JyQGQu08GPJ0VU65bWtQY9+/P0EMzFz90y++v+ksTB -D3SaoxTlRZEXwxz85m6Dt47oJEkneVpPU3rm4HeD3/19tdehnM27aaI0zUcRH8GUvh+trB2C8LbV -XgdCTVTLklYV9rr4605vu5LhOvziToO5zAa5kCme3HXLvn9K8T9L0Zr+aElSzw9K5qJ3g539cR5y -1EWR5TSPevYpapejLIbspsHdhougBy1D6lmLnWgtYXIL48lP9lrFt2NE/Mhd22GHj96PiiT2uyK0 -u/Q2iU77qwmHXM+itynupliH3qhFWXNrkt+o19VFMe44Ovx6U8RDr9U4PyqG4DNpRUmq+Zvj7HV5 -CIJOUtWi/yie2BMlt0NmmfW2PCmOYhdVz/LH7WZIak3Wq8Lm9kW/pXflUdP1PlPT0E2zQ8/1riW1 -RLVoyk1Z9Mu6adLb+qpai6Fvlr056qVIh14ddjoZitjU1K6rGPbPcvY8fhxDZ4lqUxNa/iLoKckf -RT8q6klPewzp0OtNEgCrlAHUdn/rpC+TQ8ZE4ntN1uRN8jRJt0ghaVKna7KmbdKFxG2ZZhkALIUk -pUZUzLjYocI0DyCVQtJkyw7ghoocOGRG/LqGS8b13d5JHK8xImvbtved7/F912U9r/W8v225z/E+ -72k+72tdvnsa5/We5mOaj0k75/d9ADL8TtN4zdv3jlqXeZcKaes7Ldc5meM4L9s9zfPkrtN1z8e4 -9Xvfax7vaV4fgEmt47Ze1z0f73I/w/Nk39N0LROLoec3bfM8yFymBzBKIen8zm/ezm9+r2vbvm2Z -JmsS53l87/Nbt3nc5nOZJnPavnd7z2+ZZAAunOfxmidz++bjAbxInORBviBrkkXWAxilkDVe17qO -4zZe43R+4/p+8/iu9/lO6nx+9/QARmYMwHXjLp7ma5snc74mc8iEkDQzTjD8apT2AzAZwIoBlO47 -v+1a1+3d7l07vuM5z/e2vN/93dd9neu2Xtu6ze+7bt+ybuP2buM2Xde3667pu85xGfRd3zuNyz2f -07qMyz2P871ey31P9/ad2zLsuu9pW5f7vufpnq/7Xedz/t77Hadreb9xfqd5frfvHd9p3pb5Pqd3 -PJfz/rbpXZdzOrd1uc9zeud5msdl2rbx3KbtUt7ffH7jNr3vec3L/V33Ju4AVgygVO87X/eluqZl -u75vmb9rfOdzmedxmcfr++ZNZG3jeZ7reV7neq73vZ6X7Pzmcz7n8/zu+9ym5Vqn9Zqv9Zqv5VrP -dVrXe1u2a52Xa92+95uXbZ3P8XqXbV3Pa/nWb13v+Vy+9T3He3zf7VzOdTvX91y3+1zXdX3Xc13X -dVu3ed3GY9nmdVvXZbvndZnXXbzO63yPy/Wt17Td2z0v0/td23JN73Xf6zx98zXf67pO6329y/S+ 
-03d/83Jt2/Uu2/Z+77aM7zjd5zvd57su070u53uf67K+3/W+7/uu7/aO8zXN23V/13Xd36X+5vX8 -7m9el28al28a5217x3l7r++et3Fd1nn81mUd53me3vFe72+97++9v+2er3Gdj+Wd7mt713kb53G+ -7/F452/e3uldtnmb72le3vsdp/scl/vdxuN95/l9t/kdl/e9lncej3le32085vd633Fcvve83+19 -r2nZ3vG9lut6r+36xvd6t2293+k91/Wd5/GY12mblnPdzmVc73s+l29dx/ldvm08xmMdl2k932k9 -53Oez/le3vn85nUej/Wc5/N8z/Mdl/marne+znO+z3G6x3H93nEcx3Vc3nF7x3tex3eZz/GSjvM8 -jeO7jdM4v+v3beO0Lts7ffM2buMxX8s2zss1nuN0f+e1TOMyf/O8rvc3j9N4v8s6ft+9LfO3be88 -z9t3fcv7rt/3LvN5z8u8fdt3ffP1Xcv1zee5TN+8LdN5Xtu4zdO63NM339s9r+e13Nu8vfO7zdt7 -r/O9bfeyfve23fO7rOO0ves7r9u2rfP8vde4vNu1ndu2rdc1Xcu4Xdv7bfO2zcu2XeLl2tZzvr51 -Ouf7XN9veb/tW69tO891Ga91Xr7vvZZtXtZtHNdtm67rfqdrnq/5Oq/xe+dxfad1Ww== - - - pm265nu573se3/m93vc+52Wdpndb3vmelnk65+lb5vnelvsZHud7mu9zmqflnu/3nqZl+t7pnt5p -HadrHo/l277rnr/5G7/lnq9tPK7lu6ZrXe7tnsbl3q7tmrdrHI/r+u5lHq/72uZ3PtfxWKbrPq9r -na/pPs91usfxmu71Wq93Wqb5HY97vq77mubtXqZxua95Xu5rm6ftXu5rvbbxeMdvet9vO5dpm7bx -/MZjvt95G4/72uZzue5rHad7me5t2755+Zbv27bpXsbl+rZv3Lbz27bxWsdtObf1PddvPMbl267z -3K7l3M7tO7dtWbf1WtZ5e697O9/lus/l3bbx2sZ5m+b1Prd3/Mbr3M57mbd7m9b7n7lmOU+0qil+ -r4LlFSyT2Ba0rqqmxeDHu3CNriL3pUmVTHq+Nc8iVc3JEYkbMyhAgCJKQL8IhkV07YlpkVzfZalu -Wbpp7Pf1aqt64LlxqKb16cqj6hyOtDiSnGztPNWdf9ZW1bY+VV/7roKVCtFzkuvuZ1lqWfx9IJWd -QTD+vLwkc9PMyRLNMo+zYcMQN1HYCzsdTpRZ5n7ebpaqmWYBgVhEoJHbyuBHA3PtQCMjwus0KREP -LCI6TFivXfa4qIwSkSFgvCDVtMoo1EISoXz+kyyf2mZm2gcCYnY6qradmWaPZU6aJPcFmadPkvs4 -5qUpk+OJydRjxQpSnten+a/pDZUSHlzQiHj0k5AfkmGWJy+CBw0eLGZmQlhBzGixQ4uZkI8vk2PK -cXAYtp7nWdU6DOuvw0EO/7h9FFEt24ph1OvuZip3HElu4ygJmRFzvehZBbsnt83N8m/VEczaIwjD -aZLff+k4DUqEI4RFgwLFeBpXyRszKkz4wGOFiQhJp3E1zVNWDke442CPo0Vw5LZvx82haGbayOGs -3LaXZm+aI5clyXFphpvgQYMDSwxRASJ4YOIGjB0rJDJKWLEfv1lSJNS3mEap2JUZeVSgQLB7djtO -JhUyyW+qaSAIyAcCMo+irpq/m6aAPKd15cFP3jKSg6JDcQIOR5W+m2h6zbIQvF6iRYwBaGRS6HlU -lrXniZwNfp4sJ9VJttdOx+SuJ6GPymhUwvM0WKkaKhRMhk38XQkffICRTnmqruza5KOL9Leqln01 -vU107Gi+C4uAPrd5+mtrl6cMinyqflq3R1W462isqLQoMSnBcWuOVbQc0uMqpM/qrkdsy5tnLY4h 
-Pk+CYdw0ZxBst003T5Hr/qmKdrSSk7GkViilE2hlP2n6QdOPqspheJNjChfLhYlJv6ohO95iZVKR -Irl0uk/LT2rmpfiC3Q8VMjROTET2vUdVdetQbQs3HHLDabUt/kB8LM1ONm426IZjdx6KXUd03HXb -rhxX5fpJ13HAyNAwSWkRa+FQIXEpfVhMoBQ+60jBIoQasKAFH+DATAzGyusUPotily9J+vNYbls3 -bQ7Dtutcz4s/jwY91NvCYtj1ujtJphvHr+sKCmWi61DLruq6BLutWRaxbCyGaqf9KnrEChoeWMBo -7f6oTUdwOEXqMwM7xcBOQMiQmQl5xX5eBQrJqvfopnqHpC6Ssee53dZyG8nZ0KJIg2I+kp80Nbnw -X5Y5+M1fF9LnBZDhYgbJCEunSXo6puTLEEnBoEArp3+mdToBeVz3HILPJ3cFoWfsff+KxmG4clzK -caznmdvmht/Jnkd4Hf/AmtPmLpPDLgY9OQxjMGw57i5NF36r+PsJfuue92YZq2Wu1+2mqZpnH03R -DcjJXlugCB4ocAQQLFqpmE8Pg12741A+niP04AY7VrRACYEKMIOFDzAhNCoQLKftMazFsfU8Uz2/ -uFY5qoJguCZN1/t2NM3N8x7J2POAgMFiBQnJbpozJtESNV7weDHZoTIyYxKF1rXlOtfzXpyQuHje -o64pOV7N8aum+5KUvW4EAXE9T2bVinl+GfxOr0uS5y2gTyu3T/Fr8vFRNc3KawPs0IMmBoP1uguX -Sa5KctefVfP0POH3J35X9lx647fzbLKkxfE30RCK9qWJj+W44eDnmY+jCEVPcPsFuyK4nbLnuRxD -c/wDjBgurNbHTV3ASjvMtCjBgwYRNVwYgaMFDzFoZMi0zJTARHKco+WnVV+yHKNnUJrKH5huGtnp -sF4Hf5+6aayW5Z83OkuRmoLa1lTfpjtnwxBH01fv2dHUJ0mPac4iSJOiC7d3kJGZAUNjwnkR3K58 -cB9kSCpQxA4JBKHjRosIiYY/8JpDJqa1fzwn6ynRUbraYMhu2tnhfCAo0k1Tt23luNbrZg/UQXAP -wT89YfpdgyTEtes2Spb8uosViQcVkRYpkQsWCeXTi2A3VceoWdbHUR/Ht/twUkzdtcnHE+NzP0U/ -FCBkppWcTq+9Pzmbkv2+QdJiwRLBcDknxVTTQBCQGC0uMyEkb+edIChyrxPBaxqUKObvY0C+iH63 -HTd/XotT6AXkv+46N8f9FE0u2rrjGCewFiUioRhG0TINlJHWHbNqmMTPY3uN4uFPbruXI7+mLgj+ -rtt2HsnhuBv3cl4tjqXXpVEScqrpmhx7yLjcKBk50e6ukvgp4uU4h+GnbWOffy5NPkVN/D01x3L4 -kZ0N2dnAX8eaYxYss5nmbp0WIayT32Ny3d0sb5KUQ1AGPRVRP4SMFyo8j+23EjNS0HCpYkC/Sc/b -JNltUIAZR1dPH01VrvsiCpFYdydL2fPgjpvBz/U60yyzbPs3TVFZuvT4C1YJhvSP6DMM1wkF5Pm8 -rIsr9YOLFjGpFI1r1UMmZUZLCMoKhPLkKX/PVTZPUxifv5RGKznGQxDmNnsM61G0yXEWRVTLSPB7 -cuG+LHExLLVsCY7vsnTBb09Rn33lUORJcsXjCdHzEy2X5rl/Wx1u83d1ffoT0K+i4RQQP4OE9YIC -sZhAMf5GzbMLhjuqftI1D0caDNlNY7Vs1TRxsxE5HG+zGbPMFkcS27LmmVXTKDk+yfJ9mqD4jUmp -fnU1waqKUp9ixKN48JEeb+G1bpq7aY5g+QXFCRzh44cWMDF8Rr3sj5pw56kbZ59nynlohxNSyy4e -ffWuvDnSXyd/ndnh/C3LguG34ZwdTg0WasbqlJLbIpP0kGHsbWVnQ5rbBvTA4z/VEwRFKmZ7rMCM 
-WKHSxA4XD+ChxovIh0EvDkGSEEhPUVPszqhGNVBeKlSknRzRDifVsrwk/9ZtPa/lNJE5VmEazZxK -L6QQCZ/jpOhh2SV2+DHC864bJmKGiiaE6IGjxUQGJXoZfVSz/ILeh1VN/p5P1XXT8DFcwS1KfsPo -uCfHttM5+XMPQOAAKn2fQ1BVwz6wgPEh45LiVOoxEvKCtcpFUTW3PrRQgVmhTjMNWtWRy770m6TP -R/a7FkN8FEcsO3ueu3Uvx31Q06THUzz6aEXTjFNuUJRSdIgULz5SSFSYQrD6Da0mn5qne8bAAhLA -xI8hWjRdw+T1gSaQaMIHHQvw4UYRMWZcVCj7VHm2ZSES8uKEBEXHLfpF6XWTvAahZT2Gcfi13Tbi -7yL3fb0utJ5GyKz4EHHZSJVWcttPURgM+XR14XhOkj1aetr0E7uwP49x8vJhRYuPmBVSHMf43cVI -LPb5XTwO2+vU/P6pGX+cumkkZ1OLoAjPy2BIbkDGDciZdWhQrENRBkM7HOcPlD+QFkX+PD/qeXrX -kNxOzXUtiij6bbEKofC2DEhvgQKhZrj1OH9VU0omj+rStEq/it4i+KNoSE3vELxBkPY+7wSImmmm -Ne1H8O1s/tSM2THLj69ktg5DTQcU2QkQuzRnVin9NFEOx90yfRTjjpM/D6bXKx6d9joSiwbhUpLy -663ZZcnsSP2+iPwVkwiGigmNlhT8LD1rGsLf/4rmpdifpR1+q7d9+fC6SZKczdtxsFmG0TQpVUHo -OYfebo4f9UTNcA1yK1agDhTAhxJEwABL9JiR4hQKqWN9DNdO41HzNMezKPqnSWJXD3rG3rZmHBr0 -dHNEAe0lpI88gqAW/QFDkgElfkhADxs0Qlgmed2nqAx6rx0fAQYewEMNGikcfzGFcpS4eIAxeRn9 -KvlVN00vSxDL1qHYbhqMlkt0u0S/U3qcNcdq1mG3LAXqRNL/dAjaYQdCxZSQPoOFRIZJjEYJjOTv -YTvOI2aFhxUyKWKpGywhOFhGWpTERDM9it+Tv0fN72l2T0C7655LbaqS3ZGbmuJWpN89arpy2plx -VrcMo4UyueuVu37U0z5L/DxNciyy5yynjfT2DylSfIBRwTHSMkJFCxIvZF5OoRsdfaiIWQAQQaD0 -PgXspEMlJiNk9arlXATRLQM5G5UUaWblir+P/jxSeprQk8W2LLYloeknVetR9Nn2d2NPurbml+SO -TXK61KoleI31taqO81I06WuXT66i4z01ZdCbQ6/luBcqJrQY0iDIm6cdgmyWrZ2O2slAEE5fniE4 -zpNlKVVZnEQuUCAXJw9sblstywZw4ttwSHOtgkLJIzluQHZSTIEipV4XdJomvf45z9nrUqxOHyjA -ES/HrVqnN8UXUQ/EjEoSOVpMYIkfjsDxgk/P2yQ/bhuHIex1KTyuwt8tRr8Kb8+h96E4YaJpVX23 -XOd2OqP0LL0siW6r/PtHPdmMo+PFBANMBMEjBiWGNUr54Cs+vppdFP2mZteDommWzTApSRmZcNOU -Qc8GvRH+VrEq+UCJ8Wj5ht5KitQEDzdmXqnUHZ9ktRSvt3r+7hrjcyR64EhBEhLzcxWtUkvIF+Ht -UYv6aEmLoec84887Oxx7DFF8HbSmtgj25tijp6pl8dfNoEyl9nW7DdSiLH5tABgsKHDAEg/YAQeM -FmovQ5XTiAJMEEAmZIREuz24kFnAEDwQwAcOFSIvkT533bR+kiydlmmdTHQMalcXkc8iFaI5iWJM -JL0kzQ5I2dmEYtcUxx+0hNkwSohXCf0pIE+MaaSSY5XLUkI+jpOYC1fKRb8rIf7F9DHNbd+eK0JY -L0xMRHAcxAqVHmRQWrxSJZilR7A+STs1X57eFNP1KKro+ETPPeMoc1ztdXgI2mOIn6XJrnFUdTuO 
-JbsuIV/HichM6ZfxMtUYWanq2OOmK0JWLKP/NMN+m9pkWItf23H5uq6ex6fqTZay5/3mSXLd0Mrm -pdmfappxIshmL03RiopSk5SWvejpYiiDH16WpFjuU5UWxVsUU5RCPrSQuGQ4F8OW21Itmz/PxOdr -nJiYICCpGP7BQqIAHCoMQEPGB0usxogK5bPrJglyW35lXVDUS/NEv0ds+SW/eOi53ZZqHZHrfmIa -5HRuMdwhZaQBPWbsMHGp/Dw+ji23AUFDxgtE0IEWv/+puCLlCSIFiQ8yITJiJBOd3seRRHHiiBkw -VoyYvJ4Xd9xJbuMQQfUoWcV8epXbdBZNgBFAzIAEIfjAsOqOYUyfGCSsGSwiO7BYyfFiIvLp7XSM -cZ1uuJzg5ViLnsqOY/sN020a/MYNiOt1L0ZgM60VPYZ4KcLuOcSuUS778ulnsEy5GA== - - - pnZcRgsKTYpEgssyqtELShRqUbfLQjw4ETZmuEAl1B3zgDGJwBE8XCABR/TgAobkw/crinaa76Yw -K5LJxz8BeQjgIkWMFUkEn/30ZDtNBjvdFP92db3PT8seLiNJyEiRggRq0fJnVduOc71uxNOnbFtH -TZeRB0YsBSNENbMqvYipVKRGKnu2S5EDCUBCRsoKC8dTfp1mJVIJ9SN+bprnt+s+rfqiMpnsu920 -OgRLb7uaaR9VQ20rcttU02zSc+Ey8VA5yXFCMqLXMqVPDBjKNL8kIH8DTCihY4VlJjVKoSKxarkE -t7IYopnGdh49kq4HglY2Bb8l10XFsB2Gr/eZHe3MNlTjMh10eD2PpOdTMFxiVZ0UbTGsRbHlOlDb -hlq3ddeptwWl6SdFWfRcYlVW/ILQs+Rw6M97kSrlGGmh7LcKZllyCzPyqHz4Uat6WPUNxZPz8HRd -u07dtLwk77J8Pe4mxbfr5nBMNy4/0RGPTtMyhfS3yp5NsWuC25Utt3RcV88Se6oo8TBaoJE8JrHn -JzX3UeTJUSfJVMvcjns/rw4/PPRQripq1dskP6+awmnfbe9RxPFKNYCGCiJmVnKcsGqYrGheJ9Is -s12X48XFBwsW/4rOEGFFAAgfPsi4sIR69+vMbYNB8LXjJlkOuazMCGRDdaIRiVZpykrREDpuu00l -ZcIAE0m8KEGxQ0/klkVuOcSGe6C4hlDB0mIkBFdVldNHhUmsxPQJ+eQpOg7xcRiPm+i4JLulmH3p -tYzqpKLl3hRDaqmKW5nT76NFZIeUEJiPR9WymwRhUB+UT+9Z0T41fdRs0fKLKBTC8zNagmiYCR0z -fMCw0CgRoVmZUD47TKdRdnyq3xcnr5OO+y8rkxLRqEgqIg9JfmdyZDWtDsGPqrqf6H7diI6P8HnL -pvOyxE9zHseyw9GRIiUDBlCAipdKaF1J9vrF9Jv8N4lvx/ZZZeSf/LuOEpcLyEe97Sc9aRH0UbMm -R7TrOg7HtOsjnt9PUVdus+46Jcsktp09cNxwNB10qEdxZd9t1/0panpb0qqS2BbtZLD35aZpjyTp -fVtIpVZ9h9LU9jwdBD0k6TlN0Xn6JEl/H+l1R/gdBb+s+UXx6Ke5PSH9JiSR374o162eN4rlkzyP -HA6qZThJktoWNdP1SJaZdqepi5QVWO+38huW16I1zcnx9Tp/RV82PJLPLfolrSgrdlcyzJLjVNvO -npdmGfx5Z9YZORtPir6IQi0gz8uWRfo8N8vV89ZNK9Ht1x276rZGiEkGBXLldp+mLNepHBeLoa+e -KlalFzGWyG6/bBklv61c/9f25bgZBFN1jRIa3SMJfx7dgbtIpuTYT8/+JE9xe5PiPoYyH7/Fz010 -2QWkt4h6lU3PItjDTEsEkkAihctl4ucnuIXlNcue/zV9wY4OPR81YTyPo2ifkjEjvwcT2IxT6MXH 
-Seq4lKaupnlQ8wWMBcNxlwzLUJ1UjEKwmlbNs46mdCkaQAgePIjBDGhIUEBwm5LbFi3SixBUDpaQ -HCqxFySrEw6j7vcAPvhYOZ1SRv8Kl0pV1yA0HbUtb54kh5Oy5xYvWMh1V65DjyCenrqqelr2ROSj -jEajOJZRhXZYGdlxMuIi+k98m0XE8+k4ilWVDdck+GnTUuzy59mfZAx+6teVXhfS89Fch1xXJeRx -2XNfjnTXvRu3k6bsebDXrRz3el9MaYTi76h11cWx3HBKToftunTjTPBr8v8+qsbc1osiyUzHYpmk -qj1ZvhuHdjJPmobw+4dVVTTMMuJHfJqmRWIphUjw62FZEQyT4DgGwTPT/HUNte6IZXGSPLPsQ4Gi -ZNcLMOKI/51lMHThM0qGPSmaj+OvpifZBbGoCW5btPyq55H8hs2zimV1cXS5zeRsRBQn0k3r0XTU -uqS2vcewJkW363T01MsSH0WVy0ow6oMFNtLnJPgVta66cWWmsV33ft1+ligaLsHsh0330wSxa3+a -sffp5ulh29s8b9RM8brolUfte+LpU/Gbj+HsdW7HtRyXj6FehqP2hOGySX+zaLlHzRIP7+r9E03P -qFCrmj69b0hNQ2ran+QHHUdrmpvomGX0GJr4+smuq1rWpJ6mNSWxK2+Wb8fpZjmDYKyeY0D/Kn77 -s7xLsi5LXj1xpFD5AAUqEPtFIFct2WkcJKkZIioXsBMLV6nlBDLNrcp+keihAwYCwYixfnhRMeF3 -UaruZdlynAgCwrLrGygtH/ZlN85Jb8OIRCyen8Xjx3TbX1FPe0LgiB9CuHjx0vGQm6rotkW0m2I1 -1J76ObKe5vLkJ6MRTZKwO9ZJMSfHmyTVzutANi8Ixh9YbkB4URylaildR2wcH8U0y7oTJ042DoQK -mr0cX25rt03+Qpw0+ROlQ/H+vrbrRE7n3IDoYlh/YMt5cCi+IFiC3Zc9q1zWBj/WTftwKakRQ8Hw -OB89++tC6hlD+sSQQh92HTkdU9v4ta1H0t24NctcbuNN8wWM5aJkpDbNkPwCoYIlBmzFmuXRqtZj -CIOeumU2Kapq2jTLJZ5/RNf/sjQ3IOYGpNyAlBsQEezqKGt2NhoMU0CfmJ6DVNWTojUYgidOhCAn -YLy9wwoYUvzyqRmy36JWrUmR9bpTy8iM42nXFl6H3tcWx5Ucs2ZZN09aLNGNEzkck9LICB07dvZ9 -v2/Uqiv4Vb2viWV980S3zcw6Izn+AYaM196TWla0qn+K3uSIclw8ii+Pp0/V1123avpFx6+XJaXl -ToYpx63eB3+f63kqt33aNjXXpPcNtSz8eSNnE3I2p6Z51vUmRz0teTZV4fbKvkXvy6umSIb/NX3Z -swrSB6W/UXIbctWWTqtoN+SipHj9zK7eqqp6BqnnBzVFqkpyX5Lr3uGoZhk+lnQY4mEX0+chcjxK -z485zmEXi93vngkIogeLkZQUHa+E9heuUovUx8W3X3Irg9zadXho8fIDjBn5iaYckHODItY685bF -m9an6n2qIifLBqDDXpp7WaKczocChZllMwi+3/d+nUmO7RD00bOl67M4ptpGbjhnRyM5nW/DUbmO -N8v5A391Zc00i7ZbOw/Tcxc9h0qT9jo/RUtzLIuhToY1QlgIcJGCRSkEOslcBGOvg0FQHkuRk6GZ -po/jaGVHayta25P7jt6WV8+ZkZeOlxaPaYZQU5SiOTnGoEePoAx+9liimRaC415d2WyjvY8fSZcs -n+C4Xpodig2nA4oR66rgeNUy2PNCbvuv6k6KPTne4EeD32mGXU4kEz4nqSb8dabW2cnxc6Khda3F -0OW4UtvuJPl2HKptdmm2YMh64L6yNlmGG5DbJFH+XhfDfgx9cnS1Dc20tuNGbxuzcvGpq5cliV1V 
-suyjKY+ishiqHmduGazfV0YkUKqq6PhLyIfZcshl8fNUOU7kcGKSZO38541DLDti065ZPrUtynVF -61qXZkyONGZefMyw8Y5mHIa6aYZalk/RPUVtcmw7rYXPO1bQtD6i2iRp0UPJa0l/f9q0NslT08wO -B5bbqZnmT/OTpp90PTecVtPuUVQ1bc06+/h5TDEFsyb8PcLjqPhN1XEodltQIxomsZSPH9tr1uyW -WBT2OnPLQPX7qenbLMvNZiXHJ/odQscwOg6x7TyWYyczMw03T3brWo17zTOLE6kEv0vt+qdmiF3b -Tfus642WGLULvRMgqrbt5rm6dRM8k9oWxKogChDeRHOcoJho3MwyG/xIrDpSUxnS58aIa8UKxavq -XpIjeZ3C4yZ3tUMQD799DFex62FdsqP9LrxC9dpN1exkI0in3T47DEXvCut1z/vio/jy8yr9DlJT -fATzcmw7TtxwVI5DNQ3VtH4sVXZPPpLttqkdDrnZfCg2qdb1aFtmW5llenqilEIknv5PUbnTWo2D -ckB2k9RN8+283ixHLNuTo0cUfZK8RVHNshHFiRoE5zDMzRPEsny6pt1XalypdR8KkA4FCvb7chRd -N80GvZS7+uY4allYjofcNz6OpJaBYDa26yB1pcPQHsf9PPs01VHUBT/W81iOa820qp73s3xDL+24 -9vPu0hT5Q7FInprmOU8aKVNIPf8muYsi7HlvCMbkiPJ5l0gUel9YXq989hSkkF2WJseRmlZmGUl+ -Y2Ih/jvfpWmS4dhNl+Q2CW7fEBQ7nbLDeQFryaBW/7qa4pjkxj66ulzHctu32XAoUOSl6EHNvBxL -LvunaH+eJvg1zTHLyXTyEYVYdqUEMslwiFV1sxy1Tdy0UMvErGNyOCe8PpLfpHYFpehOlrZItp03 -h6NdquEmcztw5QOCKZFc9r2bKPx9LLeNGxAeTVNIKbKzjSAbErviIAnpsaISguv2OKrcxp1AYZen -SUk1p23KcSke3UeKCIuVycVJtOLnI/lNh6LLcbg52mT4r6nrtl8z7IrXE4uemfaBbPoWdlGy4oYl -LJb42apyH6brMadSS89NbcvPs8TTg154Hke8HO1RfD3v9TweVclOlulwwsw0z6memRZuNq7n4Wnb -s7OHpW91/jRPFSr1mFHDBJXqWXY/TTv8+FKkv272OvgDU62jRdJH09n7Vg7n3IC4Hed2nR2Ge8rS -KcvD8+ne3fEUt2/cvpILx85maptMlvM4qppWYlcWX0e9rY+ioNa9xVLcdLoOp6dnkJ3nKFqK4ZDr -ougaRdt6uq4gyIZh2nU0Sbrf94Zg77b6qvJpmpflTZJjh9OBoEg1DbSqb+jhqVmyab1tZzSt15Yl -S5YkT/etyutT/Ybc1QXBdyRtdK1LdCbFVgxNbtvRdNTCO0l6zHJHy/Tr2M9jue3jtqJXTtH0K9c/ -rGuXaKptZNbxNhtvs7FLEjfRdONucvzX9VdT1SyjYngEv7IY2qZIgB01VlIrkyyDWDYezdX7yCzj -QDaeDihcNz3y+/aJwmEY0vsrvUfZ+mjOY3Vez9iO8xTI9PFFI0/px/97jXG0jUPRk6q4SGYC0KHl -OJM932ESsrLpeSRVUHRPdZ91kV+6a38U0U9972hZCWKFzIuQWEmmT3b98vyet4bJMy5N/31V972q -a3wM2a2zbh33A2m0/Wle5JNmGWcZYWkRSWGNUiGbV/UiHK7P8cxjGhUamT6kku4x1bivujdpvt6X -bly44XwgnHTrRE62bTgreapEKRdJjEgJjAoVc8FUQKSXDBs+ikCCCVSItfpLKqcWar5F7ruTJNx1 -ZaaJ2UZq3Ll1K+fp5jlq2x6OcThWgUSxkZS/1ELFUGhmYOy6SN9JpBCLdQoB1X0ptld2LofgB4Ji 
-BLclnx70vnua2uYJk6kd86YTLBY7+T0jn/dhWFRcK5UoRPqETLv+53bv0X8dlm1V9WFYxfMimnbB -7/28OQzpUWRBD/W49PNiVQ2FQitY0OzIceMkhaWEWv0fk9vS6NnidI7HsU/HI9yezfQdTfpUUQ/8 -so4aerqK9mn6gqHqcbgpmm75fl/ahdXyPEkzJc/R3p/8T+3CM+reqHuj7UyeebraJA== - - - em4eB7JpQXBf19o8X1GEyRFGT/Y0a9ltEQPzMkIiMhqddF1O2bdE27E0O9D1QHsUbzTF3fjFcrFQ -AeMIJBAgAhGcoAhEMEIHTMACBVQgAxPggAdaQIMZoAAGMSAiiQO4YFFjBTq9JKp64TySHjRtNy7V -tBG/p4FCUmIynYig0LSYscMHIRIwAQ8s4YAPAJEACdDgB0AAAhGMQIELeCAJAhxAAhfgwAdEYAID -FOAAMlrQGPWh+FxN+n5SKv3wq6fqXJZwOeZu6yKdZtTYIQkETEAELJDBBEBwgg2YgAUlcEEMaOCD -H3hABTAwogBNDIHEEj8MUYQOHz5iUqhgSXEp6aGU/rnN9cy2spN9IBvX+/6VzU8URlPVK7bDiCMc -4IER4GAJTgCDGcqABTB44QhRiIIJaJCDCYSgBAmgQAZw7IDEDIyLEVaIiP/MLIyzLZ6ieIryrcu3 -bvqBsaq+ViuREBOZGDpuBEGADahgBV0gAxlygIQldAAGM2jBDWhgAhfUoIgCRCDFChuf0AqH8TYc -Wc9Lt23tttsk+XWNRbHl4VlGRmLMyEHEAijQBAdG8IEWyAAFNLhBDYYQhCpwQQtRqAIVagCEIDwA -BCaI0eMHFhkYJSYuIa3WikgMCR984MGGDl+ubRStz7NnW9Suh3qe5WWlhxA/dEAFJnhCFq7gBCpA -YQpSeEIMdvADJixgASOaWEAOIIqAcXGDhBoZiU42YsTw4QYP+63htJXRFR5NWCRXd43y8U92TfL4 -Ly4qPwSxAwGWIIAQSCRRRAMiwEMCFODiBw8nMTMsZMxwEYMGSUkKiauEFWKF7g99suoXqt23dt9s -oq5pvqxL5/toxdIBxBA/lFjiCAhA4McSTLy8kIHi8pJiBc0Jy8qptIqxYCUtkVDNu2ixRDx+jRYv -hCCCiBGwAAVNoMIUkMAEJyShCUnoAhi2oAY2qGEISUDCCmTwghbQ4AUvkEELFtAABvjAQw8vJSd2 -2qZeKJtpHI52OKpZprrnIWywSAKIHxfIQAaM4AQmAEEJSOCBEYrwhTGIgQxnMAMVrCAFLGjhCmIo -gxiuwAUt/KAIQlBCE5JwgxvYoAELaMCLFCtaHlCK71F6vn7fOoofeg4pkQiQxBEU0EAGiNAEJjTB -ClY4whOasAUweOELYxBDFK5AhSQ4AQlmOIMYxmAGMSzBCUlwQQxSUIIVlKACGLBAjRk2SlIrmNar -JM95ac6g6Hbf6337aaogEblABSxQgxvMQAtdyEIXxDAGHBBhCE2QQhPCIAYurIENaEACE5TAAhm8 -IAUuWMEIUHACCmRAAzt08IhpgYlJUXl9/pCPz8rvVE3/q9rydSB84ECBC1hAAhe4QAlRcMIWwiCG -JVQhCmlQwxnGQAYxJKEJSmiBDFgQhCEAQQY1wMECHmCBFS9owFSxkv73bgxiWxYR6KXvfbr26goj -8mKCAEjAYAYxcAIVqPAELGQhCli4whW6wIUlUAEKOwgCD5rQBCNYAQtUWEIUotCCGcwAiSUOYOPG -Dh47ePjg44eKl5iYyuXTt8imTXcdE/0yWswgIAIK2MEQeKCFL2jBDGpAgxW0oAUoSKEJVJhCE85g -hjBM4QpV0EEQfjADHejgBTXIARBHIGAFDBsuWMBQ0RLDGo1iJ9PJKvXygEz3TVMisoPFzAEIUMQL 
-ZPCCFsDABU6AghLKUIYx+AAIQKABDmpghCMUwQhIOIIHREACB0QAAgxwQAMOwMQBaMi4wULB+LvP -3XlnX5ssfRQlAfkhKRMLFiyCSCIJEsTgBUZ4whOkcIUqhIEMYsiCF77wAhzwIAETuEARBkjAD0UQ -oIeOHmLQvGgZUclXuBXHIX2fgAIoMYEKROAFMFDBGc4whje8oQ1ToMITevADHHShC1iAQhSaoAIW -qMABD2jixw4bLycmMSYlLi4Xq/f88OxpY1Xb1k7nDkORHadppViglEwgAgyAwhSYkAY2pCEKV6jC -FbRwhTWs4QxgCMMWfBAEHRQBCUF4AhSUMIMbyIACFIDAAg5gAB5w6Gix0tKyaoHiuTbN9ftSUdzf -d8RESmIIIFjgAhRgQQtZgIMc4hCGMYShCVFgAha2cIUraKEKOOABDYJAhB1MgQpOeEIUkmCCFYjA -ARNoogEOaOJGDBglJ9Qqx0Mti5dk/H1yGK7cBoNey+qkgxe0QApLOMIYvKCFN7ihDWIowxiugIUp -UIEKTaiCFaDwBCcggQY0cAEKTAACDGSAAk0wQAE+dOSIQUMDIzIS+/uTkJ+S4xJ9X8nyC8pExA0a -O7DBDLawhSxkwQpTUAMaykCGM5ChCU5IQhOYcAQe4GAGGbiAAzaQAQhUgAIQYKIAS9ygUQPlNULC -+7pEe/RcsUKh+B7T+qriOiWFKgARQZAgBB7QQhaq8AY4vGELXwADFKYgBSU0AQkwmAELToCCDpxg -BSJQAQxY0IEPbEAJJZCoQWNGCxYsWrBgQdKCkfpPvbIkuxb5+C5WSDJQgQUkIQlC6EIXspAGNJBh -DnOQAxnGMAYmKGEIQACCDZbQBCFoQQtV6IEQelCCFaBAAyAAgQEW4AAfQAgBE5OiZTqdep3llXKh -UvKySp2URAT4gYcKQqABIOhgBmlIQxqA8AMh3IAGMLDCFJrgAx/ogAQm8AAMYoCCH/TgBjrAQQ0q -UIEKJIGEEUL04IMPGjZOYCUlz0hk7y7930nTN8kXIqwebsAYQQg6oIMc2IALXchCGtKwBipQgQpP -kIITsrAFLEghClCAwQxoIIELaGAIIpDYYccOM1S4YImZ9K4sDkAHtdM51bQMk9iOFxQheOTowAYq -4IAmlkACiB4FOCKIHzVqiJRKH/j1uC1umrxZlty2NNMzaa5cN3feitOJxeMJpWmbZWnWSVmtRuCB -DFzhClQYgxjCQAYxeIEMYeiCDGLgggIoYcQRQ/TQww8eLi8tO9iIISMSIhIKqfbdZCRi1XbK53/p -uO+6cCjO42iqYwIEwUMBCTCACUzwASH8wAYYoMACmjAAEg1AwBIXkIACFsCAAnwABBUgAQk0UMQP -PUZQIhOUqAXJS0UE8qTpDII3SZrkOAS/cgja5KiXpImWXVytGylgmEgiCB/0wAZVoAIUhiCEHmQg -AxboAAYmgAQPO2zMwMCUhIy4VrHTyAXy9OyaqmnYba9mugTP8BfeJImXouvXLRABJiSwACUqEIEE -zGAGLaAABJpgABNGDKFDBksMdbIasbxQMyghLFRMQPLcep7PsjOt1klI5KcrLpL1J86iKDISuWBJ -QYASRPCABzPAQhaswIQmLIEDGbAADztm1HABw2KGxWVlRMaKFxwvaGRWUFSkkI/bMFGo1XvudH1H -EVdRUl7zkKEiBSLQQBB6YIMiCEEHONgBDU6QAhBYwAFMJIAAPjRAAUSIYAQXkAAFGLCEAYz4wQOP -GC5Y0MC4mLhaozz/zK+rz1f7za8pqZZZXqsfMmDkkNGiBjVogQ1gIAMIHMAAEmCAEkwQAIgjiuCh -gCaIiEADCiABCCggiB5+0HjBQmZFRaZERKUFGzmxRkKnX2VhjoO5TXXLMFJEJoAAJZZgBCCMwQta 
-UAMazICFKlTBB0HgQQpcQIIOdGACEoBAE0gEwcOOGDBk0MyIpFIiu27pOP2Bp/adEYVioEis2D21 -zphtxg6IyY7zFEUzrd021OvOnEwrWiwWXdMeSHI6HsjGBcUQvhe5rQgCwulwgtW4FdBPkyrBmEQm -pdAr1M+QqFKIqFb8vcJt1k2rbvmU0yejPxS/c0muXyfS60C8qPQoCUG1qm6SPWqiZjdVwzEuky+7 -NCqicvj137dasiHnideUl2lHDBVB6KCRsmkUD/9C+pTo92uOa/CrRbH1Oo+a7ujJdpyZZWWnE2rV -lA9P0t9z+aHh5hrxP2bQAJFjxr6meBmaYlUlpLfwWkfLWfzoUdRR9NO+PgvP4zlysrfrSO3qQmRF -st9aHWM0DOmzq/T3b+qv5QhOYXis8slnVqIU0ic3S1LsqoxALSaSHIojpyNyODQIhtIUxbOL9Lje -mq7STuPFC40Lykvkj3BY9eMine7nlvXJ/Tqe2RWEyzVOYi6mkK+irwiCWWcmwxCsxvTah1VPrbqY -mGRkREyk3VO3eUuGcJcl0l8i/aRFAt3050VdRDqOEtaMykST4P+yHvhFvc71+ycnlM6y8ymisPwU -KK/XyDOy3Q/NnrhIPWLEKMAIIEpWpJR/o3gbBupd/k6ya51l5ZJswS7ktiW+D8vzEpBPut9V6J6x -AsWHDhY5ZKSIUYmlhJhWRE4rXERUoLxGQr7/tnE5sqBnkl+T676QSjpZvhz3q6mobVVxnJJfkh7/ -19bsaK+fZISOHijadrtOzbT4A32VhcVy9cKyk6FbNpLlv31TMR1DGrmMQiI5fqLjEf2SaHdXTZbT -UPPrAvJ9qIgM0aJFReSH3nYuSVcMRbBLetmeDFUvS5Mi5UgZ2eHlxIdKCIoH51GyX08+NeUQrMew -BK8i+wxjhDXy8yL5TTdNJmX6V5XlNN4kVT4eF65Vywg0ot8n2GU5buU2kMvCCHG19Dw3yxj0RnO7 -MuJnWKKW1EgWvxZOj+x4q55zUuxRc2XLITsugt37RE3uIztbPpal9jW9rwl+cXO8S1FExyeiz0nH -39AbuekNWGoGq3SizyQ3LLLL+TniZ9mvKq+mN0nqZZmC45WPP3LTIbY8YlPX05T4gcOIHz9gn0/I -z8MwgfmIQfmhRYwOl5IWI6yRXbOiSMLlFSlSSDV1EiS9bOuuUXjcJJdZL5tqnFJOG+GjRoxJSa2W -LR9/aZ1mqIj0iEl54TLB9Lo2R5WQR8UppOLJVbL7fluelqz9hmmpZmCsk43X57nSaxmX6ZTbfat+ -4PRUtzAPLgNLBTEjxgd2UTXMsmdRu/oqepcir5o+i+roOOLrJ//HHkvcLElyq8pl2I+HgHY/XuVU -ZAkx9WCxgrXrqFseyS6flrhJxiGobppIVUs8nnXbVi1bgSK1OJFkPn4M6XPy6W3zPLdNBkwMEXJA -g1E8u1zHm+ZIz79wfEfX1QO/zeZOyyZ+2IGGJKUWy9P7klp2xK6rWk4hfU5AO+ll201j6XnKvlFE -ohjUCOWjk14WP8t3DONRZD3uJkMXLpQQKVaGoHHBcRI76fHUq55e1XXPIZfdyTL1vip+ruLBVT58 -aoZxs6RJUcTv/TS9yVElwz5WTmDEWC2gPgWzpFYtwSyqhlFGHhDM0uYIgl1UPceYQC5YpRH+/riq -n5o8VkpihLj+FQWxKQsJ9CK2YsE6nXhy/SzDTsfUOBVN66cJf15ujqcZLslvCglUI8RVil1eNVU1 -/MLnkR5HweqpNVtCOYknX+n2/7axCMYhiHJfkxvvUTIvw/0cS3KrsmMdKyU9rGCBIhL5AKOiABwx -fLSY4FghCWIFywsRlUiGXRDM0bL0urkIltRzBSnkAvKgXtZzjj4Z5mX40jIdoaNGCQ== - - - 
alW6ZQLMWFGAGi96tJgYseIlxqq0muH8HGFQJtVtf9gzls8pf96CZfrxkpJjxWTFJPJb1SO3O2hc -gIghY+QDIvn7GSWtF1IvwtMjHvyEJOpfd0TLP8vaYgha0ZJ6uvR5DOkn2ecTP/+oq7pxnpYd0W+T -/fbN8V/PnjXtVFxRfYBg4cIU0yj5dd0yCWbpEVQ5zcw6J/ntl6SI4gTMaSO3/IpdfwT3UtzP0S5J -vAxTpEQ8zMjU4tif6G+euijuJMmrKW2WtTmubJiHFS4mJRMthkDMuPhYIZEZfV723LJnE8zu5Qjb -9wwwQAGjOn+9jzXDQKhouYEygvLhVUSeT8uyX0eqZRhVySS7K9kl2fORHH8J/T60lCgBg8bk93hS -FEfKCQoIpIrbFSfRzEk0gwTGQ4oWGZWpP80TEokAOnioblvUoi2Zbfn3IWJUfGARmfEywZT8WOxg -IlASOnSwcn43RZeRZwbKSMwKRXMSFbHCBcZLhZdiTL9feX2SXRGLwuqVVbt8eoJYVcXvdZPEUTHG -CYzFyMvToqW5HdHpVJuueHYXrVQrt2+UPAHtMSaeh5RXDZFVDZMYic+3Hod2Gx2Cb8fRI/jHLYvH -aWAqHCshO1BgLiWQSXZnUCIeLSYiuf3dU4XUk3xwkxBP8ulH8Pt+IJpldwiaXFY3SR8t/dQM0esb -JKsF9IiRgB41RkajWy1XTKEXj3vY8pW/NExYMEhYMUhaMqoTz6qmuYXhIsmIepTdPuHzFz6r6DdV -vy2pzw8wUrywXKfbNvl5mJNohK9VsEQpViKSEB8i6lW9bqfo+3UwfI7J78tdT3QaRruq+aVJkf26 -l8c3ybGPmnboheizjBCUCpWoZJ9R9IubZWqOX3d9l2Fdgn2LmuYXxrP/ZjmHII2YlgUYEYSIVWNQ -JB9YuBTgRoocJ64W0R4DVnrZscd1mwBiB5aTKXbPOFBEbJzAbqDAcpzERvZaJbu7KYb0txA0LiG1 -HEJL3xxTrgq7YxO/jiGSqoFSQopjkv+zIgqxjD4zqRGJTreA9pI+18/yX1NPeo5kV8UILIWL1bpv -PjVHcMu651ifx6xIPWJaSv4/xuvU8tlJ9NoFxMecRK86DrEpCwr1A40Zn9hVAe00YqcXkP7i4yy5 -DbGoyD1rEmxhEpLEDhwn255BiWK8Uka0oFECxoofYk52tIjQsEqoek7BQn3clQ67FCSPECmsFSM+ -hIZLK9qX4vx1p9q1AAF8WAFjifg1DpSWDywoNCC+h5QYAWLIzLRSdSnSxFgjoR/UpqL1PLlqCmZN -rqqa4R890c7mJLQrsYPHbpY3Cf5u6sJj1x2rbHjkx1NIH9LsrnCVZJCwTEJ7DBIVjZMXTNf18yTB -cYnPu246L0WT0C8C+oDY9ISnaZCkcKC4WoScWlIi2KfP2fTlsWe0jOSAMbGhEgJDBNVS+v9WBblp -SW/fZKijI8mvwxhprXChYISkinDx0oQOFyl9Vu31DExVkt+UEc/EDhc+0LDMQHHBaJFSmEIvHt9b -VWdR9+NibzPBKouY6YgaK2qslKCYQL/8sqF3o+WI36NgtwSXV3p75ZOTYvZnUZOPB7b3PWqyWJle -sEoqnt0Vu6P1HMXrS6s0E+JK0XMQL1YkYSNGixbqVb+pmBXRZVS84qSY4qUaAflE1FBRAggUQMcK -CY1qJCOGSsmtDXo02NG4Tj9kWkwue8LbSNCkFBFT0uOktaNklaOkVYLbFFUKBiUQAQOOQCLEriwg -HcZKNGM1mil9VLErYtN8/ISgwSIJQtjBBRrggFjfszARsQGDouPFxAeMiY8UKS9IXig61pEipobL -S2y/Y1QmkX8v8fMTXw/p8RM+66qpAvJXrEqoWC29aSunWfjcItpxoMB4oFlpWZVW/Z0BJo5QsVqZ 
-1rQVrzKpz46YkxkqIrE+Pwl99LPMy5CFKRSjX5/k9DBbzSust0VyG8LXP1hipJgd+XEdKyIuoh+G -yyH6nALaXXrtaVMZmIukRJJRlUpuufWmrniF0W8ITotYVNU4Jpn9AdPC8uGDiCExgA0VM0RYMKT/ -ZeTDEEHNtEokue3BYgYJHjtiO30DxeXjheRFiGrFqvTilWKhIpHw+MhVI1CEEEr06EHkppFowZIA -HzSOkCGDRIwWB/Rgw4cVKVR3bYOlxAc0iEGOGJgZlwnHSkjL6Sfx4CogfgSn4S5z/TkElhhiCR8/ -Rvh7BaTDiJF8sMRSpD4vYqYVMJS/nkTcUHEAHnqkeK1gff1i8rBQkWa8UjBcqlRuuyB3umMaLik0 -JLAXJyEwRFoxqVGoht9TXPW5jRITkaqqKPk6RlA/WkRexFQqH/6F27ZZ4uboWdPcHE8xK0QKFBku -EgsWSEVrpJphEX7vgAIQUIAePV70jGJTFP9+4RrRiJ1MbApa0fwchcABwwIGMAImRRLZbZgRD8Nj -WF7H8JlGBSLx6D5ayoz8JVq4zJQ+MKBchadjOs2zqQv0KeKHjx0tWpT4+w4psB9SXjhWpZE6Dqmm -iD1N8MojBYoGHICAHDQrYFImDSxAiQT8oONHDMoLGGrGZTIZfU61zAOMFjuwaHFDZSQCRPzogcZl -xvRRkRLF9JpfUZoETUB9SsiD8tlToEIyp5DIXpPwdA8VkRspIiYkEImGP4AAJWSIiKBeNma/PWBI -ipgx40OLlxeUqOTj4VNT1KYtv6fksiy+neK3fZyogFCh0qJV2lGy8mElRoLVGy4oHWiCCRkkISM+ -PtLbLCPPyykU63FQ3O5sikMlJMXoQ0LHUkqiXLVlx6x7HsFsC59NPLzMCdTEjhVM2FDhcgqN8LfI -XquEeJJfN9GuDZmXHVqw4JECkwAPMhBwg+ZHi4iKlCjFk5/4OOueUzTcQ+YFxkmKitFvgR1mTGCI -H0jIoIERglrxOsEYcbXumYVIKgUe0ECNFhYaKC8lbrDwIXPi4mVyAfWxOoY9baTUl+ACDDgADz6k -eHIhVKgEQZOyA6X1Q0zJES9cdryYiF41BiGAwAYcEAEa2Ovl5AlixUoQMShHxKgYEaNC8ul1lGxB -wqpBCTzg4kSFJNS3nP6Y1cjFZYqJehWS56TfP6l5YwSFg2TlAmZKcQKl+HrrpnlW9Vc0Bj169FZI -HhWtEYxIV3HyUXb6Y44sJRALkdfJrmF4/DL6VT56yn+X7PKpTfERrEtRJtaCYaVQQH0KFAhGK/RC -FfKhZYQIGROZ0P5u2cppKtld4XMSvT7CRcsOMCQ+VqzwSJGiIqSl0m8aLV9SpAPciOGitRKhZYyG -XUqfFjBTj5YYES5ceLycrGwZBiXigAKWWCGyOgn1NK1SDZUQlZMo5uczrpKpjl9WpBYkLZMfZ8Ep -C6lfATu9nEKsGk6hErmYQCO7rQMlRuLJQS67ym0YlIhFTLVSAqlsOeXXY7ccw2cXMZXKyGPy0V1O -H5IfZzmFSDBLatXeNFmzvIOJC4aIj/HcMCI/pbddPnqKf3/SsQZKyASQCEIImhcfZFJoVCEXr1ON -kVUK1SgEs/pJ8pBiZUdKisg9u1iJYsBSNEpePWBOaJjAVLRIKRpu3bMPLGCOwAHjRQlsxSsqMAKk -YDmCxqX0rv16nmjYdc8l2CW5agtIZ+JGix1aSnhIsULEixmYUWgXQxevFBEsYFhGP8o9Uzz2jZJV -Dy0hPkhYNGKqFk7HYDeEDBUtQkRUcpx615dP7qJFqqECOyKHigT8mFES6k2021L6zKBCJHwNw+cX -PofwduuGW04h1b6H9HaNkBKNV4mlx1mtCipFT/n96uhjZgYFdPKg6Ig1g4ApaWLGzA8U2EuIP+lt 
-kGryprgS8rjuWsWer9YkqSJKbkcranLV2E7fJSjiyWOUvFpKoZCcTvFvkZxW2TLoRVVE/cqOQ/Ba -8u8sXKkYLRWJLZfoeEg9P6n5o+WPlio5XtE0DYZx97noWMWzl+S26BTZDsiHAkWHYpNmWT+G9ue5 -XAd/X2x+aU6ikNzOS/Lltpjj9jA86fP/ND+neXLZFM9OYtOrlhWhJ06KMdilKIFOdvtzjiQ4zPLn -I7gME+JTsArL6VKrmlg0xZP3J5mT4auGUXbahK9bNfxZ0XXTUHAbI/o/JylzHX70PugIQksSe0bJ -bZG7tj9vxjRScRLNkD4n+/2j526WLFoe4XOXvtNkqaMnq4ZV9jpkdltyW3LT+ON0Uizx+RooJ/k4 -hlSzJcS/YJVUfLvkhk/t6WFPz6u6jH6Vvweh5cllP6q6lyUOejS42WZpl2QJdkPs+UFJUlqOyK6O -VWlHiGqm9OlPceU6r7xm4sYLHSwssZwu4WeSnUbB7IuOQ3Q7VcegNmXBIvUwcflAgcVgkWA++euO -Q27Kp2MQMmhORKUYju84gdEQSRXRwiUJGTJFrFi5MYJq2e5Ln4+o8cKFNIIhgVqwTjFeKharEsrP -t2wZL8lePUVwOvWuoPQsuSvJLasI9TJMoBLd1klxN8eTX4cphVA8fEhem9rTFa8vf97iyV+2rKMl -im5rhKB6UHn1KHnB5pcnQVnkblQ8Gf0rJpGpjkV2W+XfW0R+SsgHtajoTXeVXFHyYoKHDpVRyFXD -Ijasbjipd03p6xT/Xvn1Ew/vr+2Zcarm+eqKkyRvmvooglK0FsfXC1eNE1GgQDPNLs+XvpfcM4x+ -dRF8O85zmikeX+X3TS/rbhtPkqNVPbktiBxD5ChCT94kVTadiuGY49oOJ0WonyH5LZ57hclzas++ -BPOwM7WpR0VB7eq66ZIeX8Usa2ZVc2uTYiyCKVoOyfM101YtI7XqKnZH6qly15J6/mZZf55Jr7do -OQW7JFZdybEqfl+0/EnPmyRVjpPJEeS2btbRQ071qiv6FbUqDoJ7OZ7kWTfN0tumZrg/yZBqwmY3 -NrsuWCUVK1JIXntQk2XLLfuew3EGxZXbouC1yrZt03TD7wU9vRw/6OmPocpNw2B25aYhNxzjbxEe -l2FS4tp9HzVTcktyVc9ZquT3HsO200KuOkQMFThQRlB+HgWvqDd93bGJJ0fNb0q387OE3fQOLSao -ejb595jS72IVmvEqkex0an5fep6qaRWslMnvCbEqTLdXSB8TP1fFbp+avUnmY4ii6Rd+h+B0y7+f -5DVpRf/0FLEqq579VZVFUDdL1Muq6DSM0g/T338ZulxHRSwlASF83BiJlei1SDVBaVmCVZIQX5Jf -2xxtVLyxQkLi9y79VuE06V1T9Rt6UxkrJD9YuBDRsklmYUQ9N4ATHnP8pOUtgvTn1WKoqyuOsrXJ -nl1Ial1Ivle2zqer64UkJ+NOgISbTm6mvxu7HthqGQ56PSmq9DuLESiFz0ntmmaZeOLE3H11SJIg -HBwMVfy9xar0YiUawW000zYdTryct4+jmnHYbJODHE3pwwJVkhmFUPx+R9FSLMcgEfG0ri2CIhZl -GfkwRFgzK9ELybOaYXLDCdE4CL7jTpy5TbSiIriN4u8vWKlU28IbR38ga55dM82XZQ== - - - LoYf1AzZ8ZRd/25Lg6K7dSsiEMrn10/zHkd/FFt0vEJ1Wtn2jqIst42czU2OP3r+KWp6Y8+q3ui5 -t+6ISaXH+kqub7l+WPhX1bbrWs+ryZFEv09rSoffyNmUnY77eSU3XTHySe57P1EVFEeOG9H3597r -l57TV6XzIZ//JBRi4fiork847r9vjqa1KP5pClpTviT509zNMbSiqdsO0TXM30c8fCu/W3bNomXQ 
-qvppmqptkkyH4jkGCqlyPebxXbsOWtUa/GrQmz8PR9OSTOsk2Z+mb5on123N9CdlYy8EOZ3UC3X1 -5U9VJ0cRq45Y1cSmuNi9eHuGCopprklvu5rllF5f+feYLcdfN2YdFOxeSk4+tV6ra/+6MajRihUK -tuset6XV1BXyzEAhOen5FNBfI0RFsucs56lbOJI9u/y/b5+6vany5lnj9Idu87Vs39MN4b/H9u+T -PTNO0wGFJgAdXM4bsa5/oiIIJ90+PHXt831L2J99ll/61KDxS1unEdvFY9P11TZm4y2971d4P9n3 -Cz0UKGxRPPH0MfwOsS+Prp9XlsUyBktXTMdOnE/2Z2HP+uZmOo+lG45p96Fbt44oKq6nV47k2nOi -OBjuYegpSVfjyk0HzbpbRFvvxNvb1JteJBfrkyLdn1uVSS2c0ZeIHz+kWJnh33sldMIRe+kogZn4 -Oh1+PXr6KPrHMIuyK1vXN4n1mnFpsUMOIxgg44cFkEhmnHVKtVVw/1Ln/3VvkpEqhcoFQyqd3Lbl -tpCzSbntd902FDkOxwzP3nf5IxS9tEKKsQhJ8cP0wsM3kYFK4QMkkoIvheg9qr9/0O356Z1O3y/r -vM62s3Dr1l11/YrfUGq64Nd1OOxYonD/M+/zm3vykErLRIbE5eWV0se7W66xyYJqXkbf3Y1NNz6K -4RQoUoqSKJSiLMexnQeLJDyarmii4im39tzevf2TRC0fFHvlEEm6rJHq9DH5Ne956ZosXdD7Ybdk -17hpotumfl69pvUL4/Yu2/17g2aPivao+FALhQrBab6G8Zzec/iWVfhmY1Gdg1r4h4rISwl0wnv3 -pGGYxELJUYLjADBFYCAlCAr4Lj7MqhXwiOWsVbUfMtun1/XLcAU73XYCZORkvImq3hgnT1ILs4yU -8xdvislPKXDWi3vlgqSS4wTTQ+2KkaIZIk/R2H2IiojMipSZ1Id1u3g7pqw3uuDIq2xJyVSfqVym -87n+cE2CCqllkal6TPdD+y/5TrlzCb5R/h8DgV4/iJXnJfS0STJm0Tk052q2oZuOq3HxF8KnK7e6 -TZPq3AX7JqiWHicykBC57ACPYHKRim9imXeYe69kT6zVV7BtcplIdviWzbR33791R3yfZOO4/v8k -MysYQLQE8QAeGZiBECsIAgaWkAUONKELLSIAAz/FEDzLDjeJDdODIsKlX1QS8rRckoU/0Vfbz+re -pJnDtUiy5QzaYXyIAcGBlwKgYIYBMGghgRn48MAOdgjBDmQUgIIZG6iBSgFC8GFxxMfFR8rkBcmU -8rp+ScLhd5JfiaPtiH1lEHxFkS1PlZXnnOSHTkKllpDKxcRyg0XTQwiLIFIvPjwxFbLnRfere1e1 -rp+itgf/wECkkjybZnrUsr5p7mXpszB+/7FOyk8ovwqNFYwiUip+OLFhRA8QKIEIDwXkKz9WkspL -DSBQUuzgQSItq+8wXvKLVLhgJaDRPJIj930geb7z3mppyTCiBYkK2JBAClQkwASsGgUw0fhAgvGh -v1bQpBXYj8U5anX7kXxHUY3NNDfLfM4/qRWWDA85GoCCJWigBAYcAQso+EIaCsADKJgsMYIRjgbw -LgrgluyQWS1UPUa2n7GU25JlvfBf2xK+J9F3asLi6tesFiYYTeQpmPBlNKBkiROwHOAEPkjwgwQQ -IQs5WIAEmAewINbDBPwUH6UVHr9rRZyv7p41Erk+9G6qdRFMh2R7DU2ZpeMWr+eQZyXTm+jIS3js -JjtehpjAyxAVOPlhAq0cCEDN/DA6qXFiweGLvFg9J2ELEs/6PWGSs7memKfuzNZo/KlVMiEXHkx6 -oMBKAUjA4gEtEAIFQAiiBUcwKcIDphdJxHYkoKSHCIhcKOGK4CBFMWhI5Rdx0dYjWeZFTi9ebX03 
-3nE/dEIDYwAOrIiACoRgARA6EAUvMMAIVyDADpwwgSVs4QJO+IJMEydg+TABkw8HyC5DhL+MmZOw -fMj6+r68l4BOq9xHwVE8YXoVM8KRAFQTL4BRgiMsoAheMIAQtlCDBEPgIQVCqIARsoAAHUABiRoo -wQcYIGHGB3gg04AVqGYsQatkVpzl5qncX9Gt/dp/FFy/Y/nW/VwKwUtajFoc0cLxAJIdIqDCACKA -QYEX7OhADZKAwRFueGAHsCA04MsA4bPw8FNysJ+UtUb9HhepP+VsTJ8rr7Yl2i7l/AoloorJ0dqx -xIsJqIBHCYCQggI0MGFiBCoUQIIL9AAKScyACSwsYIOQDQSgYiBBavExo2ROOwXLH5D9k+6edO80 -yrKq/OYjFMyMGSY+YOMDPThAD6bggzGwAQNJ+AIPEPgAhwZqwOIBLFjlWICd8mNN0aS/STmb2Hlk -16G4VF9VblFEEzw0AAMXFHhBDLpghhNkgQw+VDAEHmBgBCNw0IQUE2CBiQcK8DQSgLdIAlfZoYJO -2D/Gm0TwWf/f+CTT8Hjqo9hKRwJAPGDAxAEt+MEGTiiAEbbQgw2kAGMERfDBBUVoQghSMAAQoMAD -DIhAQwQ50DGCHcTIgAxEkuiAq8IDSop5TS0jkxUhL5QUD+JZeI/tE4VVe8SGTm6XHlBCbKDFAjmo -MYIh+EDBEAzQgygwsYMoHAAIVYAAErJghAuE0KIEB1Q9muhphIhLeJChlhAWeV2qneCEWSe7dtyz -5hMdJSJAwGKCBTuoIAkPOIIWeKAgCC4yQIMgXlCECyyhCz6kAAgtLPACFxmYwQ8vUIKPFBQhBAkQ -uCk9qC0ZbQjF9rw+vglH05IUCkXlhTWjowgW/EAEUvCCAnoAhQTkYAkloMIXflgBEFJMgAUxOlAD -lyZCkNqBAX4MAvgxmHBTfPD0krE3mU8uMey7JXuCo5Zt3/n6KTJ0hIAGE4gCGIKYgRMigAQs7KAM -bPjAFMrgAgM2qLEBGRCABkZYgA+ckCICK4CBQAtsiKAHKAcowU4jhA1b8SlxsTpZsZavO6IoWH5M -IaYYQsTowA1wsMAILkIABBgf6IERO5jCEkLAwo8XJOGGCHKggCFMQQJQEAMPFijhBQIwQAnRgRAP -F8hjLMAdpbj1ll6D0lEtP3EdzRi+6d/lEsQDgohBEnygwRKIqEESKqCELnCgCWNAAA+soEMEPGgx -gRXs8EANiFABEGgg8ILQjQbgMUS0KD1O1IzKi5xuz7I1SP/r16Z7k6llxg8MqGADS+BCEjd4gg4S -9MACQ3CCDr6whgj4wApEnAAINy4AAxwXmIGIER/AZ45oYTLUUcubs1j1rss1Ls/PfwICARPoIQIh -oNGAECRhAhmQ8JAAX+bHvnLDpKIH0YwPLQpmW3uQ3Tvy/URWFFO8lV9wJDvayYV3b3pxgAwUwAZF -iFGBFrh8NPGBI0ThCW14QwWkMAYjZmCEDBDBCS+wAhci0IMk9PhADE49mljxUMDKEBMArSACXq04 -PyYmPYpdu5T3opsPgVL5jzK91DjhUIKlhAeA2IEUFJCELdAIQQ9+oOAHTfwACjpIsIMWB6igRAkN -9OiAC5iowRBwdGAGIRhJrKiYMBaBJ62abX26JReOIEq+nj8FDx5W8IMEGGELOkjgAw9AgQsloIIX -ErCDJagwIQKZAnRgATYYwgFoQITWDgugU3SobigB43EAPCWH6pOgs+h8/S9UV3uORAwVNGJgUFpi -/FUMCAVAIAM28MEOFzABDCQWgKOJCrxgogI8yw2+ZKaPxdQnFFAGeTHoxFMmXSplENeZHRSbMMtq -81RB0utAls5TXtxwgUQTBPjACFRwBCO4YAlQgNEEB1oygPhRXIBQWPgkNCzJZGXFoKcXfgVHHkIj 
-k0RsH7XXfzymssn+odRLRg8ySUwAiRXoYAhlWIMChHCFHy4wgg8tIIIGlIAFImBABJYmQCByRAVQ -CIABmQSEoJSjiZnlx0uCw+xNRPRGy7Zm45uFy+77vDHlVSMaSOTowAs0kAQqLEAHT2g5AAhQkpCA -ShEPCOmxROzGECYXP0wvfKBmAKHH7GCyaEJSCypiMeeTR8ZbR4ZdGKvv54MymaGhgwEZUEIFOchA -ErBQBA2cYMLEB1g0wAM/cGAFOiQQgpIfS7xuFPHSYYB8JUfph3isZ1RzcWTVjxw5WQeygU2WxJM+ -+4hkcoFKMBbm5xtUapncPYp19fE70c8MM65DwfFQcFatIzecVOtekAw72zimL617PqYWy8TGDR98 -WMIBOAwwAZoglnDR4YOLHo4YiZFRGoEZnajgWy1xz9JDIrWuOtP7HFm/nX8XfkWyHVG2XGt5T71M -VFzkkFGACpRgCEo4QRGiMOMBJpARARK8HGEBFA0lPDE8+pEYfYWSr1JikEt98xWN6zU2zTaPuuxH -quF5kmzvKblUZF74gASNAkSABwQ8EEMJB6gQwgAjFRk2aUQUa1GJ0QMVQyPVVbOfynURitT6+Ce4 -teHWNs02f9+Yx/OJ409dsyTZounIZIJp0cLv/RKTEx0+fDitRuy4PkXzHNPRVD0k1QkV6/sSisIb -FByyk5VcdyTH4c4TN50x21AwTNHTZAT2gAcsIEZFCxcKioklQtP+GJokONJw7f+n+AaNYCohERae -RcJ/ULxb+yX6OVGQ68b0/f4kVIoXRoAABCEwAhEk0AMl/NgADFogsQAWRyxgxDKjTqGc/MlmpYRQ -VugrlXP+oPLfzj4t65+7d8t0zDZQ20YrlwoiChADxBI1CrCAF0YsgC+huVOw2R+9ss33/qzz8N77 -rVjIZMWJm8A1Z+WPDPOnmIKap6HgzKnqufWPR/SrRHrWyEgLGTI7IAFj8cN3mdym1P+KrVxmPCIu -cSl23h9xnb/PVMV0LluU+7oNB/VAEEx/1LflvlZEPzTvlix8sicQCRXP0xtdT2S3j9xwRBQoShQg -bdaZnOzMtpGjdSg22QmQj5PBY4nC+/+16TWO3RpVXfed5/g+w3MlVXve79rH7c+rzu3ImlsYh6Xb -hSAIJxvAiTPj+DSmx1QuT5t1d37kAqMGEAp4QEoNH0huBJFiofFxxfilEXrmQdD8whMEy5hMd9St -SVQGSVo085Oty/UNT5lEWxKdY5okZkYUgnK6NdrO6Trbdk/L957/+gfVurgN355XLsGynrazmfKu -nMc3vbp22sKjyX5gaJ5PeX7a9xQWq3fbzyynPL8I33FURbtvHdG71l9cXkxaIX+to57ogXTQTAut -qz2KHgoUIydrQ3I+VxlVeRgOKZ1CeX4S8mKZVDQrl9rXgqGHfVF13rfxv/s1rt+7nw== - - - 0/nY0VRNU7NOy202u+K5Xvd/CMZCafGiIoeOlxk9+pOr/pRMdv5Ck/vGNbZ70Im+PSaZ0rN+558Y -vmk2/jIt1LZx21xGRpBQggkUGRf+CPWTTv0fymc6Z1+aLFOvU8fwRALF0NCETiEw3b+uDcI/IHqH -w3LsaOBm8xqFRlYuj/6b5mqWph3DpA8opmKJeH9Fz1mGYyUlvYjFzjjrzrErnx0ofyIelunWjRyt -/UQZLFHOFnfijr6nu+/Z9/XAU+tCTsav7mi+PZBOuOnMn/g5VQ/Kwt+Yct7Y2crtq00V5M6rN5JZ -94F0OBQbU+votLVNdR5PtQNPuI7yRSYepLNyHJojeD7F9NuFmw4g2wmQcJPJIGmT6ZlxZEcLO9m4 -cZ+7LnGx9JsPnV7/qIXffwmSX2f7tK4EyzU0efKsP9H9xP6dPW3semIIknkoOGXWiZxNTlkfPnqU 
-QCPyE1OxpNPXTtsabfOXXtN2Hc0Q0Sn2Ialc50nZFX2D2ldX17k8308sM67sZCYhEE0I7H/hOBRB -bSvTSsV+30ZR1PvOT6zd+uOTSqBRfKKp99Xk+VnfOiTdzhM7HfXzUDo/ovEcXe3ylEWSJs09PWVY -JlOeu6SJq26IxnN05c9TL8v8PH8YFs2zbZ4cyKbUMloUc5EcqXHTfLOkiY4iS4axioI8/wvb4Deu -pMm/sMvzuVWXFc+VPGMTFdE53crtueqxHJPmvrKe1kXJdEsKhfKEdvrWY1lnW/cD3w98wbDUtvks -e8howYOOHrt8lzx/CNf/2H5F89twOgPQwTZFGpDgAkDY8OGp+bP7RC2rkuHR6+5qOotj+3kqj7/D -jh1//uNuTMJ1XGXBDWdDgaIDARmzzou2P20ch+V+siGXtsu1zDiyk6lbx3qh+4WgeM5Xl0OxqUv0 -Lk936zwdUKAZN4tkr7I4iZ54PiH9f2pdTaJ8+s6iSYslv7rxN67c53HhH3DoSIVMtxuPaNxnY5s8 -180TQbQPRUfcbCn3qdrHnQB5QTEWSdYD65EcwXFJnusSpVcYLdevC1ETrdWWXmEZdWVTdUGxNlH/ -jWtUHTtbC4p0idZmCoptOTzbb0y7j19bInDggNEic3IguOGoXAeK5VOui943P1NYJMNsYz/x/URZ -DHf0DMHxmc8Pi+EVLYfoOahta5LUUdQ00y4c96Bo/H3xWMIkOp9s2YXj1rHiSJ/rTKLrxtGel4ui -v66eOPbf9wXD/TRLPH7ManUCArluW8TDg942lds1YF5CNy+bqIvfTfx+JM9ZcvybJQ16H6dzcl09 -mmm2jSAg9XjWZgqHYx2KvvuS9v5uXxQWK4UFQ+kevUxdzqPHsS5PVyxZUFy/8E7V1K2T5nseSzgc -123jVRQkzyq+j4VI85l+5nqklGp5kXxiOh7F0D2fPr8Oy6Pdt9sZRltR60SNIzdO5TIYJzASkelO -1z5dTWv7gmLpeexI4qmq2neSUimF5eJheTZLO1XTsNxANqa2ueLIel8rx0tGoJjvv3LcFMcgCMjJ -dbW68jLdz/XqfWvXpRtHcjriZtOdQBGCgPCmWprx1O6r+p8/V1wsz2wrsy1H25QDw85GZpyurn/r -9ur6p+rHfWGxNN05jBSTmkTfT6THFEdfWjThT8RLFNU4EGQjh6O6dWUnc70vP8+P63pWFk9ZUzzF -b2SRTHobpyDJjuettv8re144RNN8+6rf9wp9UFSpmCz1E/WsrV6iNonqZ3oSKqnwvtw6O135lCXB -8EdNVy0zMw3durlE37AsO1t+niK/D2rbPz13kvSk6Y+euSia5BhFBOrPcyfJkJqqWre0rrD3jRvO -BwLymWufxlFwLLXODkXUicbYlUWJlBIC9ak6h2HM43n1Hv1EUbJ84vMqIU9LKRTDQrmwVPjK+q8b -+z0iWLZJcg5Dexx1s7TH8v1CGRzTzVs/EE9bPW11M71JU0/TuRx19bRAE0vsIINHye7xMjW9csyu -R67br21donR55qhKj+fqhSxIxiXqr2uKEUjHSIgLSRSCYdOuG/HDx40VMUQ2f59nr6KnOw4hfXT3 -teF5TVtbvl1zhcm0Ple1+3R13Vd1JMsf9qXFcW9fEb6D6hwExyEfT+zzl2y6d90bTW00pdGVRlN+ -dfNzpUVyh5kVIlq88FgpWfl91NuaHM7K85e4XvML367rq6qoXVUwGzJNNtNKDsd3XRcUq+WL8JeO -1TftwJKTjRsOr7I6ypIdbf3CPG1NuD6K5w/r9mgqet2Q67r0+0WJ6y5N3ER9V/blmybR1wP7VN3R -NCfLD8vKYPh+n46iJrpO4XjPrri6sqTpmqdIqQSS6xYcP7N92j0mGxfNMiq/e9edTRMFJVJJmWBR 
-FLHqipZFLtyz8QuO7xeyHnhyH662rge23IaTY46mffvqKpurbM6+LRjqaAp635ocaVH8WzfE95h4 -+pLbpmg5xuvy9+1lOWJZniRvEKzB0BbJt/Naex+6+fML33CE0XUKRf8QBKFnfppzGNLiCONy0YiQ -6Ci6IgLdMBk58feYUqhFjBUC8tQqSrrrENAnV9dPDIviGNS6+4m2G6dmW5ptsPeloFD9S7ef+Hrg -PZK9mvZruqOkjxQxMa8R04yn6Fy0uiD0VMlxie+XXvmjtn66xiH5hmNotvX1pcfxxKYpRh8W0qe1 -3ymmkBA1aLRIcenfWDW/J/vN8tlpjKxCcqySZ0madWyn40luHuqFcHmGYLgUvy673kvzJkeYl8uG -zMxHvkGwOxPikqFS4mKkVRL6Qa+bn+iurrGQyAPP7ifSYWgEC5QartOLnmfvI0E2bvdVoAFNnGAE -HzDlfQoUqcWqxJLZn/xmbjs3IDY5XuABDKDAARKgwv2V+9ruU9U3qHVDLTvC73UYouz6hxkudLBo -MaOtCH5ZSp8XVUkHCsyHCoyFKsSCFfqwawsVFJTW6691EBzHcjxGBFrx+KRVvUVx1bQPu6bsOi9N -XlVVvI7KbZGfXymFWkojkMqypFA/3LARYmL1LNuCpOUDjBQ5XlZIfH5GRYIphfAQHNHpExEoFNPx -aNKluatqCIZTtU2CZZfjaBEk2ThI94B0HmTbpfwmKYlglLx6vKTIqEym+U0RApMRKYF9Rij8BsHw -J357duXV1RTLora1xbFfXU8bj2SbDkX9RHN1xc2z5MI5SaqbBoNg3747G+Po+nljE46D5Nln15LQ -PzIaify+jxUxQ9h4YeMFheXnJDr2XRcFwT5+S0ik2B/SUfYey1ALp2r8peswKRNNmq4HpmicP9Ob -JHWTnD9uN8faJO3zPAmJPCiKkl8ZlekUy7dIyl1Hf96fpvxptnSdNlE4/FqkQj/IlBxBY4aJHjFw -sISwoEYrXZ9JcdSqpZbtTbL0qqE2bUEwBcXbjdFPhMlzVOMeN55FEe64GvxwUtxPUkX0u6BQuaqm -kPwhZqiooVKiYlUy+fXQy+KoaZ/nqu/3lcVRtATD/fiN1BO0pilaju33yp5fpJjgSAHDn6jM33/I -0USBwhuADt0JFB0KFHZZHmCIIoCwoaPVNrfTCZnlUKre49h2m7plbbeZkEIUQEASE1iCAL2J4hhx -bQCJHw/wQSOFqGfx5DCgHTa7qJrGgQtQsIQQRJxo2wcVMTIpFAqGQygad53J6ZScjQxL5QAiglj5 -9EDIsHjgAEUggEcMHCQwl27bJmmP4wqRVwoyAIEUsRCZ04cDTPCQAQL4gESMFa563s0RH0Ea7C5g -ACIwoAAFiHxGMSrTBYTwsQNLyYyXicWTu5t2k+IRO2p4AAMVOHk8MSKvJHTQEEECjDgADJYdJaoX -rtKKdovQIeMJSRCCAphAAGi+V0gfIWDILMFDhhI2WNAQccWIPC8Z9rDrjho18jpfS9Nf0ZD8Pvk9 -LqGRCd/vJSkTWwFBY0brY3rL1EZTjwurdF3FJPrhxUsElAACBgvLDEx1Y4VLDMmrhUUSGfEtj26S -MrWchNCwnLTEQkg5H6rrkRJK9Zs8tK6vLb+mbgjKJOlx37XrZDH0qCkLt1FGn1i/k2C4N0u301A0 -LOLh8xP1pCmKr79YlVagSq0Z/luWFcWPDNMYcYl49lQ+l4B0FiOrkI9fsusfZluMhJTcmLS2Jtal -Q3DduLGTjVn2hqKr/1e5r3KeC4K5Wabm2AbJa0ZMdYPEVfL7dEm6PHoIaUS6bddet1iRXLBMMCaR -qZb3VnXDzwO7o3vXxVBkv0d8HSXEt5A8Jb/en2Pa2axa5kFRc7MxOZ1241yOWzVNzTqslrncFnve 
-Z1VRMFyCgLCbNovhZ01ZN61iEpGAPKK2zUWRRMdhdu3Ca895puC2BbTzOIGN7PZJaUSybRQ9uxCB -4eb5fmAdijQovt6nm+bJp2fheI4XlBNEQAkeZlZE/n0Et7uK+nBrqufQDKt6Xi5H1R2/KGnFfHxl -y6AVbe20ixIXjhQSIFqkkKGyAtv1HVKw6DAZUcFtKD1v0HO3bQa9FiYiCTDCiH5NdajEJuBDjh1Y -TkJotzWzI3tdglcZKiQfmAAEiOjxg1TTRrRoiQAPNpiw0UKGyKrF9HvUMh9FV99nAAIOENE2iY59 -rIzQcJVEdrskw23HqVrnRwuYEEAgAbE/BHrbFTDVj5kXJGSwOILFCxErWiBARA87YFwOAMQPBDCx -hAwVMkkAoSMCDEACAw9YYgMRMMAEFIDEApL4ocZLi6rnY6h4aeIAB1ARUWGBSC5OSHjEtKCA/BXS -P+NK1aU4MvqsqFAs34Pa8/9dPWyaol+VfqsQcbmsTqDXHfk9MF1/5bmnZUt0fHIiobBUKCiSDxUw -sNAvumeaElcSPnAccWMGjBIRVB2XaJlP05Q88yZKcjoih0N2MjkM7bLMz1QOx7bzUkQiFc8HBcMm -2CXpbxdRT+LvnrdN+brnvn1aZjmNXkylE0+P0uspn34k9I/sucREWn1IHxWlia1CPr0obk3z+6vo -ToYvp6la1nKd23kf1qXBUAa/luPczuPR9BbFHkU96ip7n7nh6CVZgl2V/LJoOdbvofdtta0GQ5ee -g9o2JNOhmDbF8Ehe14CpVD46aX7xk9xP0qXjbNfhpfmqa50s4Q/UzdN10+q2xbxYQMxgYbrneBRP -tezq8xROp+x5VMv868Zmia+oH7d0eqpyWoS3Sf7cxoqIEDQuqNnNTTJVzy1eLBP8xh23j+INfrs4 -5mH4r2oJz+dRJOFvlX9HtSsqRVWMPELEpOxIGXnhcuzjpzw96Z4ZwEMOHCgjsbz+sGiIB08heUZ4 -PWXbNCknv8u2kD5AvKC8gPYQm37c1R7FnBRZSiAcLSqmuW7RcBM0VmBgiB9FqICB4UK5hHiYEwgG -BRqBBRwAAxOgwAA+8DADFGiACDhYAQ5YAAIJGIAIHDMrNFxIZl6pEpHfgAMYoQMazMBFysuMS7WA -HjEa0GPGjCmE0uMtIN+zngsgQBAPWIIAJiYUy4ObkP4ZWMoHzAkRMlbwkGLFpRQyCQ== - - - 9Ur08APG9Qr5PS0PPxPiSgKHjAf8wKMANFYk4EeNGCgiOFbIFMAIIW6wYLFDxuWFyMvlBFLltadl -fZZ1P7DMtLXzZFD8rCw9ku73rRuXatrqtl83zpumPYYjnhzGC0WTIqXwGtXnOR177rmFZYr9H5Rt -o4B8GSIrGiojMzHWSurUyzRNavRyEvkty7fsaJ5bD4Q9z+22ssMBQUBYroO/8DsB8mlbkRznKauj -qst1IchGRLExQTi4WLpcx3IbqF1rchS5b0zfT60bUtXTPHtUleT/qG5dBr/Su7qM/hssJTywiHEx -0tpPkh7L1/vmD7zDUPbAORR79Czx7CUY9lOVFsm18+iR/Fd1T03fZWG8/sOKGBwtKCOg35Tfdru+ -p8mz60yOa7fxZxmy56vcDsEv6HVBroubZn+iIraNPW/NsjoMQauamyYolmcQVLUMN1FS66Zc9zW/ -Lf8eszq5hMRCSqNWn+eAYUnluF2SIFV12fUIf4fgtSdF0/C70ZNFzz0pvuwYJcMi/f6qadKqes7S -R88X9HQyJMHr1hyv6ril9PkBc3IAHm6A4AEGuMASRLQYgcmwTBZIgBEJ+KHHDipgdMikxLhIOWBK -dlixogOGZAgcLwxwhBE0MdiMSZTi36QWxcfPBjs89H61rEEJOCAEGbQABgnJEC1aHsDDDAn4mLED 
-CsxGCQvG9PuniPLJOdAAJmCYhATxQkYCRfCARAwaGTHVCtXoBgmrheSTgHQIGCAJIfDABzJkaG68 -oBDghgsKENEDiBUwJR//d9v2A9nvE8Wy3751aa5cN5em374kOD7JMahdXTo+QwUl5ntKcDvC2ywl -EIyq9IKlZAcaKoq4wWJFCOzV7yyo0YuTkBosJTVSRGZiLXtlUfYZFru7SZpu20XLCu/KJp/QC+hD -ouN/isJdN4JwUo2LQQg+oKIkpf1CEgSkN89/bU0v/JLlD6qmWfZhWxokIzJJvl0HQtEUkAdlFJph -nXqkiAgBwzJi2dM8R6AABIBAEwiAeX6V/Jbs9ohux/KbxLb2B346nGjteszLxatrTZJ1CNbg5zHL -0/u+3HaL3w2ZGAtIwAGgWO7LUvWyMShRj5kVJnzE+MEFzEvXSU0z9bwKy7WzrsdlS7Pst2y/qvx5 -wp4nbjbu96GIRDIsFs2LFXpd+PtUTWu7zjTTN6rGJOni95aTyYcXMxFQ4ggJLGEEjcjrHUc1BPE0 -FfH8sQfuJDnS6y1cKhIt2+SIdjojChQqOQ7x+9915zD0zzOE309xfOLrNKkSHIL4mvpgscKlxXrx -98kHnyFyIsAMmRZUSOX0H6HjhUgI1NJtFS1TDZNXDzEoStCYUULGjArWiX/X/21B7luP4l2OJthV -xa6rllsxG6LHLV02xSyM6RPT5ZObekjQJaMyXCOU3ja5J0lee7ZUIfUrXqcQv1bZb2ynX0i9i5ip -RchJR8zJDxgqYJ/9h4oVIFrA1EBptYCdWDi9p6csiqR5jnGCAvOIcDOFP3AuTVA8r2haJ0U59EpI -fwFy1IA5rUb43AgXMiuIwAKOYJFiATtgjKAJJBwQhA8Ukv9CRYQDEEgAEj567EjBoqOlxAbKiCrH -XbOLwyQGQ6QV0uOjGOZR1eTCeQjan/c5zZjr1GyTu29lVKpJM0QBwodhqmX1soS5bgTZcCdOjBwO -LYYht21yXdcM/3BBscASQggxo4WKVmol5HHd9X6aJZ/PBhhwgAYkUUSJplVAvYvob93zaYZ99MxJ -suW2FjAVDJMSuzTRLFvBr4rRh6XX7xBMORxb/HiQIUMFIxCBrq69SbJIgS5QBI8MEOCHIli4uGid -9pJcvS4JIX5IwBFJgF6YxghrB0psRYpkwuOlVs1HkdWyFiQjCAiCCP1U146bw8/l479wrXqgiPA4 -GfGw7Mrj0cADGpBDhQzPitK0Sj64iJkJYa30u6XbMN3+rOsIsiHJcQoXS0UE6kvSL8k8DO8wtEMx -L82Q/19Jrf7VHcUwqGVVs7vCZb1NTzzugybFL8v6u8J+XWYlQkAPGREY4ocQLmBgUCHPy6qoSjJW -TE52vZpfGLFUDzMsPVZIUkZ/KH7bMMRR9MXvIHbFR7D0tiRWPbGo5xRRMRtyWRj0dJMkrevILceA -9hXeZvnsJH2Oml0XTusququmixZqCBgVHiWwFq3SDJIWDhcSmZAUSgr0AAIAUQQOGiqnEIvps7rn -VB3/rPqCoDyKvKp61LXkdMLNZt020oq2eHAVrJOLkNXKp4fp9Y+ZlggM8QMRLVq4iDwtWCAfLbAf -NCkurtEOLmAgkIQQOWBcJnAEEEjQcOFCxAVyWSBmUipAxI4mfMCoceIKtaqvqq98500TlJ6s2O1H -Uu7AduNMTmfTQQf381I8/dvJzg0H7Wio1r0iaYtjCoZRdp3UrjysSKECDUjAADzsCPH4IPft1VSF -0zCrUg0UWAOA0LEDJuWE2zCtFUvX9fQ01fAodkevu7LnGCKsVm6/npePI0rPl+g36mVfjks7HXfT -WjqugkLZJYkyCtUoee2QgiVGhXrhM8uORS2bm6WMFhYaEZKQmuIwcc2kRLB7BqUn7HEut6kdTguY 
-i4kefsDNEz9LlJ/fQaRFABoXIVxOVqhOvZqO6vkIHzxiYCOmVl0ihgwKIGAACyQRxA8XkxUrkcuo -L8Guum0xWFQUYAQRLCeTX46k0ySZJogk6a6jP+9ltSpCxw7bTNeOu0XwVcckfp5iAqV4oVhGoF1F -dbyYEWJHjtgn9OLzFK3TDMvkUgq9MAmhgSJCA1t53hfW6y0oUsxr1YIixXg8FL8u+MUh+LtsHH4y -2LnyWkVJJOPvInV8glk5BN3Pw03zHs05BFPzG2MS/WBBuVES4prlvSTfMMzPMzXLqDkGsenrhl+I -qH6IMYMAIXwcoSOGETlgwIS0VlQil9Tob9UPi+4mCYOeummv18nfZ3Y6Lcd5SDKFll/2ugWr9AKW -Ys0win4JkIMGAnzsoAISofw4DZFTES1WkJARQ0SMmB8yJyxiqRZ/y0AZYUmRUDhdjyHLRzfp7RB9 -HuHtFA2z8jsmhYLhtcl+i86y9jwShNPpgCLccEhOpy7H1V2jICD7WL5sXYT3RS2sj2Tsvld2vqcq -CCTQgCPwwAYxrtaK2IqIGzKKsPFiCRozPMCMAJGCxAA8WgQRI4WPFjQpCAEIcKhwIbNCFaCGChoi -q1Yde1CTZc/zGKrd9rPsSZ7pELzF8JOiLllmxfAKhmevmzEZ2UENXnCAIpAY2XdMt3egeSFiRgsd -KSMuYipXTtthyJ9mSsrEs2z8ffcomh2OXpagVD25q0dF4Y+L7TYPFRL+LPWzFLFqyWU/bZqq3RgW -qVdTVKzyIGnhIAlxMQJ75XSIPXMzlMGOX9cJHCCJJo4QgoUkQrWqZwxtbmM5IOwGRPa6U02HhEQo -t+HliOLvN1orHK1VEixS1CCB/Sm6myIJJMDEC0bAAZGPCIX043hB2ZGCRYkbMRTAgwYSMGRUuFB4 -erJYMckBAwYJaqXacZYTiIXXnvTMx5D1ujLrkOh3xTT6tCroLP2S9KAmy6ZDeN2zriDIRuTvDSAE -EClGSEw2PZJhUMuC2DUlyyl5zstTJsfUjrcQcdE4CVkBU7kIUf2wgmUlFfLIq+uDs/hbHr+7DPnU -1NFz7biRsyE3m5bz6JCcv/Ddttjb/BYl8eA0JxFM6SNTCpn0PYhVYYysWkwf1z6j8DMPLiNEwHiJ -UcJq9fYHbnH1xFFTFkMSBYr/LFU8PAlun9yWzbJvAAO4xZAIGi9OMGx/Xi6K8Se6nyiLY9nJOB1Q -uHDdpaS6y/TtwNkDY86LO8+jpiJ2JbnrSsd/t7WhMrICxirNcW6KJiCeAD1kKCCIHAsIIocRNljE -WFEhEYVgvFgtnv0/SRv02Kwje50cgvMo9qsrjyWobUMs+6cpT5KektxFERdDGScjEiCAETZiYEQ+ -fAFqrHDBMpHkNkktRXRahMf3UVTJcASWSAJGykrJvofQtNxs4g+Uv5AGwVbTVjGcw4SkZd81Seqn -qZpjE4+uMupVTB+Yr9di2MQPPEYggQigjE5/esoIUcmIpVSkQCo/36upK4KixrFLstWyN+vwoggy -URGKnvT+yHXNDqc2SRmVSQZVYtnzX4q+OYbY1EfNVMy6gKFkViZV/VLgiB0K4AMHTUgrtdewnycR -eVA6naslD5qXHS1auLBYKiTQK69JrgpST/8k224jOyAkIZ8IGTDwkkzx9RoisZTP/5+lTYprx3k6 -nLCRIjKCDWggpRXSuukWEagHmpkeLy0toD/1uj6K5mb5gwwXSPjYoVTXrBuOIVK60RJjOYFGPHnM -6bOjo+h+f8ghI4ZqxaQZhyL8gfUX6mLZcuB2AoWNki9YVFa9hxTHJ9gdsarpZUvw+tLnHzErppr2 -3fSHFitL6JBxhA4ZPVKssJxAp3rmWfV3W11NY/9nRdMjOk5a1dr76E80QTZqlu2ui5Oki8dzal1U 
-41xw1M81N1W3C/tzvUmU7UAX76dQpUZ6/7OqnhQdras+kvRI4iYaat29NHn2lUFRIYAOGkvkoJFE -jRdI1GDxA4uXEpEHhd+o2uZRVUfRT+veI+luHU6Wvqq6H/iCod+67wfWI+mn6ouuVX5fJlVK+XhG -7epZUxjIs0Ikxp/lr5olHh1GDMUDTAnJbr+cxn4eCr9fur52MrjzdjOdP3IXSX4ccRCkP0/uvBRd -u3b9w6p3KabueUZLyguUklL8zrBUMlJUSHX92u8cJyEpTCGYLf+oeY8iy3Fl1mE7ruU0VgybWPb+ -vvv79FDEQfAGwZVNxxCBrfC7V1GT/D6x65VeRwl5Wva8ouM+LUv+HAcsEMGNmJcV08eHipUD8LCj -CBg0P15MapC0WEh/i8ddoJj84AKGSZ5R8lvC4x6UpEHP5IDQ3zZi0x81Q+z65Lry19mh16/ofpb6 -GMb0OnYKjXabJuY68T2tmobtOYqGVT49iqeP4TWMmCql9AnJbYqRlYsVEZXUaCTkn+44Vbs9WrZ6 -nAA9+GiBnXxeOS9N2PNWbRM5HW7D6Zw44eprEzSAASz9j8PwHkEY/ar8uwvps2OFZAZJTEXLMFRM -SnCBCcyAmWlRmWhYpJaSH8LXJvr1tOsbghQ4wBIlHxBoZXfypD1RL9G488jNRtPhRKptpjfOSZNv -25Kt32Vak6frhWrWmR1t9b6Q36Oj5SR1423X2aMYq+eRun7N9ch93c57Ow+llPKBDWSww4oVIdRc -wWzMqD/AjxpH9KjxYsXE48ouKIaIRqzes3beqnW1SPap2qNrPZIp16meB+N6raRa/8qW4Pa146D3 -Tdm1i9dbPk+S5RM912hhkZGCImpVVv226he0orEY3igqj+S42cQoMZlhwT5pq4Oj/YG7KN4gWIPh -i+9F9ezDLMurBcNq2WBR8UGFTIhuf9ASNcOg2CXVcIhnR82xn555OaJcVmSaOgiWnA== - - - DctxpzfOxzLuPM95wmg6RddLars3S5scVa+zy3HkxlGvW3pdf1VL8AvTcREP3zLyleiBh4qRGA2U -FweW8CEBO2oQQeOywwTmomU6CfUq3X6RcjJEjRunmW759DGhHx/DltPUbGN/m/1tvDmCVnUGPb4c -SW7aRMdR7EpCTU9qxqgo2msicNgo+YhK/L2HSwoQKVqYkEFzQ+Q1MwqtMIlQchsS6huwRBEISIIA -Li3WDBYTFiWwEtCumuNfTUv1PKppFZ63nZdqWut96QeC2vZxOn569kCj4uPGdTmWYpbF11X+nWX0 -v6RGr9xGzbARO2gUQQc3aKGSIgYJzIeKCA0KxALqQ3b6NMN3OZpsfPVAklAIxvXqWdg03/dIoprm -gWw0HU5oJ1BwJ1CA4NhnX7OjpRuneqCOrr7K1mM5h+NtnmWmnZk2et3YPftmKXcf3Hk0CNYgWHLd -H1jIlOT4JPSJIfKSOYF80Lz0cJFiZZXq1RYGQ1Acz+YJdjKbNOuRlENR1Tg6FN3vcz/QVNN+G6cb -B4Ld1r7rpwpyXZDLkt6WP02RfgfiBQsYVqsWx9CqvuxZ5d9D64pqW4cCJAQBCQKGCxosLyf51scT -3jyPefrnOX+fHIppt/FuqoAgdlgZoWwxLOHrHSasHzAlSuRwAUSLFhSSxxO3IyTRDhYqXB4PaVVZ -sGuy66rafr8Q1bYQZJOXJShVe9PUx7H+PnbT4M+ryZHktp50VT0wVNcmJlOs72dcLBsqJiYePl/P -FW8PEYPmCBktVnSsEtpTuEhL+LBDBBiYABE6cJyURvZ5/m+bIlUyvXAdgnUIplz1BI9fMbtqnBAE -RbhBEVJTlDz3kCLudR/UjOk2yb+3gKFihMRGctwy6o2QMflB4noJeV72TGpXk8uKWhVF5GfgAEg0 
-wAgjaqSQQIAIHkvwkCHDKo1gdx5JU9P81IQRe51mGabrJTjm0TXdOnHDib8PP1E4DFU7rnIylWQ4 -BhXyIYPSQwuYGiomLGCuHljEEKGDRqrXV7hQLVYm1fyCWjXkpqbYxcmxT9G7NG1yVLuO7GQ0KdJj -yHZcum1pptFgqI+jXo7dCR1cMGTxnnUe23Dt8l7r+c2nUIHnNI1u23vM9zQf8zQ2HuP7riK++d20 -MjGRySFj4iEzItOiRoyRChYyMlYkbq9GKmhozLiYYTKTbd7T3DM4LVPjKvI4t2s+vml2PKZlVsjE -K2p7Rd33NCwZQwamShmATA4ZE82MU5oKgIQVIaYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiam -JqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYm -piamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiam -JqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYm -piamJqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqamJqam -pqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqam -pqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqam -pqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqam -pqampqampqampqampqampqampqampqampqamBt86K3uNA5YyQAuYmZHH9jiQiqaAelKb8qNXd9uJ -AoXa4ZhcdKSi8baJOpzwSdEHFJEZKZNqTUdl2GYbl8tadEyy4zDctsGvJ8eRm1bZbZEZlrdOCaLD -y2kgV+0Bo/LC8xIE5O00mOzqUJlWePKTuEWlZQiCAh7HEdEINdv6OJ7SFOa2Kny9A4rL1bIrh+N2 -XCzHazFUt2wGPdgcv2SZJ8eU0zk5nfgLYRBsOW7uOjbLWA4H/7wWj75i5JvccslNe7Q8wW+JZfNx -fLnt3bI7/PaSRL3vLoLvlsFc9klR0FmKTtInQb4Me5QEregpdnsS5MNONIIvnp3F30fp6SnFGuzu -UYzVtYld5S6Du4w3xdgMx3j2FlBPctNd9Gy4TgZoAYOC038p6iP4chq72ciaFjrRlrPRQa7khnmI -pIhYGUkR4lmwmoOeytngIYiLYNrZyB/HitkZEM+i3/o4oh3OmXFo0PtRFOY0GtRCKhnj4ytGnpS7 -zh33Zh2TGX7h8VVkOTSG97bRwW1lyzAcN71wPpIxt/XlyNLjPFYmG6UQaj11Mmw5TcSmL9ktnWSI -DPmRA7GlSDU/p+iDxQSm5zK4rWgWxuoU8sKgcLy5Te62FvRAcPu6a88otlhUlZqlc/SUIC96/Ojp -Y8eKWRf9psAOGDFEPkw1R6Vod9vcbSJ3je33TooiFX3V8w4rIUi8xEJmOZ7QQQuAAOSui/n8qJZt -OR0446ze9IfJKgI4WKTcVd6y2uNec9yPotvZsJ2NPoIvIU8SLGB2oIiQ8LgtircYnvw9ixJIhZr3 -xsm7zmf0dBIsuWvK77PmOaSmU6x6d9ubgfiiZ3MZywG5w3Dl48nF0A4/Vfy6ZPgGP5SzWTscGvRE -Klpi1xn8TM6mBj+RmrpkF4dq5OKzm9AuT354+JVYNfY87sSJdctCbHmlz1d4neS2/ZLky1Hl91ex 
-XH+fu2Wwt5189B4xKS9IXrH9fj1NFj1Sq5bWlO40ONvYnqaK29PLxnR9BMt2OZbm2HXTK77Ost8j -eE2HnbtxSmkJ49FN64mHno+Wv1neHWd7nYcc22xjck8TnS6xJ096fAnuI8iLYT+SMselnE25QeFJ -z1XcjtgyLn4rp+UkSGpRUGrao/iGHo6KITo9wySi8eyn9aQ9Tu62jznuoQdzGi6CLZmFEfE9pIio -6HhITT2qipPjiE1jcasyvyUw+yHD/yz3ssxHUB+/mdP8EYQJ6T9UYi1Oo9W7ml51P0XQaqL498hN -e8Qw57i4s7m7bbSqJJcFqekdgin4vVJRlGr6JJiHXE528Zf9KHnS+7Xn8SU5YlcV/KZYVua4k7Ox -Q9BPz9Zdl9jVB73d69xOFmvaKEX7koQ3bvY8HBTzMPyUYkntltRwDn4kNWXB78ck0c6m1TRRmr7o -+OSmVe7ql6JPfiQ2PcVub5InCAi6AVG164vSp0WJT4H6jFBS3rK520rs6nLbCILi/r5YDLvWlKWm -nlH0S/Fjlqm2FaXqu2m/aYpStOSue4i4RuSXxaIsd8VJ0YXfn1Vdtyzmsj3sVC4Ki9mTevKiKHde -7HUjvt5iVXrJbv5xPOh5xvDEnixUI5Yc7+XpYduXjuM4ifFoMSHxb70McRL8rKdKduPP+5xmyT3H -+LkPkRbrXT1pGZLh0U2XZPguyVoEbxFcwW3KbsfqN5SW+Qjm4pd611Yd118XbxkOeqLU7MkwttMy -TF6f+PXZ06TvebKUO67uOpnb4E2TvW4Ew67HwV/nWVf9NEvq2GW/R2gJYs+RDbesSCpWpxr08PBD -vazKz49WNBdB2eNkr/vR0+SyK9k1ueeY3KZcleSuukn2Jml/HS96J7VUueMZJ9IJfu9jyGod+/NK -Kwoj5SlC5UUj6k3tqZugBx1Jq/lJy3Xr2B+3f11IFFvo6WLXHz3vs7xLcqSuu/jpoidz2S52KRf1 -lOEdemunQ4MhzYsV0u+7aYJQtLSuITreQiWSEfUwGg6paT6WuWjq4jg6yxE62l73alkegjxJutrm -atkrhkXkuYSeMPiNxW8OgnYYpl7XJMfljjNBQOzvQ7nryi2/fHQYTs8hyA1gAKuZjimRXHYdgx0+ -giX6HVMKpXh0nhRZLaM/kLS+dyi2HQ7c4fhhWGLPGA2P3HVvnnHXhdR1rKb7ccS9Tv+8kEmW3HPJ -nov4vF2SZpbhotiTYmlNVWyKfxzudfjnseJ25oUSwWx/jq85NsHtVKuK0PHEliN6TcLnLbvOS5Lt -tHv0RGs5ktMtfz8yvyf19KhoS5ZLq7qH3sgUY0R8DzEnPsSkyKRCJD0egt2/XUHs2pJfEdlFqWYI -JWP2rHLXlav+J3mDX6plQ+bY5J5BaJmT4ehl9/SsQ1Any1TT0CyDzbKKfqPkteckYa+jQ/Bf1xAs -sx2ndjjxlpHg8RIvWHaohMygQqrZpcfvZ1XS65pgF4SaL/llxa7HLHdSzMXQg56ot23x5Cz+jeLj -JHfNSRH2OHfreMbwhJYu2DWpqIcM7c/LRfD+ul70UuyZetMSno4R9So5HUpJOuxUjdOT4u1xucfZ -WwaL2xhSKCUUIvF93zRdTps/ri/FklsOgVvPCMqdlnJZEh6HEVOpaNk/T9X7yoA8PrCQ6IidQmb2 -g5KfNf3Z9g5Lc7N5syz3OpKKhsrwU4Y2+JUbkNnrRmo6BsM3x3lC0NWuMBkmsWmROTat6aplZqdj -g58INUvmiIdcb5L4OI4oTpTw+4vfYTFUvS4VwypQpZfR76LffQR1MQylaGh1vRMozA3I/XkpdmXJ -b6lV//TMyXH2PF4cZ89LOxx5204rm2pZmAyL1DLsnlO2zKfp/H2rlrVato9hDXqks1ylZ4kNh3jy 
-H2ZDL3tqWY9Z7qOIgx7KLiMxkyKDVXrNsE6Oa8fdpehJTVK7ntp1VIosFl1hCqn4/Y+aeOjB4lbH -yMrGyEoFCvSy3xiU6MXrpjn+V/UexxBahszvi9RoxqrUettPGfLjJ2JVlxyLznKUmiaXfdlyimdf -wW7MbXDHyWFok2VrllmwG5tf2OyiWjUlx1VvTItiqmmrpt2gNxPih2gRcfnkKThFwSiJj4vediZF -X01f9BwD8pjYdC+CLfpF8XlXXX/UNJSaJNU0tWloRevwk8HO5bS44+Ju48/S1LImswwyS/vrXq0T -b9nnLFVwi8LfKrtdMr8ktfScYl+Gegi6WcfNOLa3zUiFgFAJ0SHiggmFPOfZbtnLZTfYidASlZql -k/yUIg8Yq8UpFKPfviQ/aSpy17wY5iLoIUPTWrKkQjxmVlZAHtvzRhQoYO77T3XtNlTrtJtmi2HI -Pc+AfJiPB4SeKmfTit0VXx+hZR9+dbfloCdSUZPLfs4TB0E36/hm+aNmHoYoCApXy9yOe72OHsU6 -/NYtUzNOPnozqBALfudNWzudEQSEN0v/NNlMOzkdt+N0k0zNsP59sbahnQ6adeBti7uO1bLPOcpw -oWa8UDFYJhc9x2IYj6JNjiO3vUcx5jQQKb7cdAYFajHiiu25f54tx5HeOLSuqPWEwexPgv4Isl62 -L8e9JNmOKzscXQRL6lgFiIfx85GK6mN4g10rdlHzS4/eTX6quQVChkWHiQhrjvmzrA== - - - SbJ11y4gT2uOPeaohx4JJVmYPjElEX+WrNYZve/I3rPeVoSS/giGzK/Mx6cZhUKrWmYct9tAaNmy -3y21bBK/JNMEoeZ/mjcIyl1Xg90HHUWrCbNfGVAOQxVKza6HRT+s6p9mToo9KY5Qs4dJiokVLC9Q -ps9p1qC3j+F/kiAV/dMTF0G9HOdyjEMQL0nPeaZY1S9H2uNoj9PHsC/Fngz3EQShJOtdYXJbUr8t -d8W/z9U6r9a5Pe6kliZ6LBPiXf5+Jcc26MFcBnNZ7W0mNTWl50+CLtfxKHuaZ5H8VtHvkorCm+Yx -yZL8dsmvanZB6wlrHFfL/LMsve9enqamtfbcpecm2C2ZpNzZrB2QWwRFrQqzZdb84qFHMs8lNN3F -8AbB2utuEIS57uRwZo5bs4zVsh89U+3agl3Tqv4pqpOiuQE5OSAz6K1a9m5ZvHV88Uu5bSqGb1H8 -ToDMH+hJ1dfz0KwDa9seiiEVddnxiW7noziH38nHT80yf44etfy8LKqOTfjbhcdViP5R7OYnmbLn -Utx6TrLEpiU25Uty5Tr4A1NtE0FAbjEMqWkILUPkFmSO8+fBn5ebpOc03W0zOxzPSdZYlWqsSCJ2 -7JsjHXq9evorao8gb4oglFS9qguWCIbrJJLPKPldO64ewRXchtBwS2ZLb/phUdwk+1TVy9PkdNiN -C6VpjBLIxddbMFtaUd0c99P0U/XUtLOzyUPQFcMhMlw6TV4Ec1KsRbAew1kM77LEx9GDlixWoxap -0Wk9/9TczZH0sj+K9uRISk3Wy65YVaWmo9O0Q08Gu9Ca4qFXalWaFAqG5/15+maJkyGITUer6pfk -j5p5+PGk+J8kT4Z/Wtphp49gaEVLbPqTIu5tNJfVHidi0ZXsuub4VdP7KPaluIJdEXqKUrQvyVv0 -hqARwwFH/NCAH3DwQHG17LCHBOuOI9FzHSglugh+zpKkoiG3vcJEKtFx0+vaYGiCbPayxMexPHHC -5jiUHYfhMvEwYSGhQoWm9IvWc806ofKsPVDcbD6Qzdt1dxj6ZYlS05K6nrvuP8+WnzetqD6CuAjq -pSh3G7xla8ZBOx0QBYpcDEPpKUJNnhxp8Hu3rdU01iyb4LflODkEQ6o6QlFSeqreVQSf+3Jc0bON 
-khHUHKuEfCFWtPh4MZExgVYwS0LLlMvmaEmSYRQSSFfRWwRPen2mFErBL+x9qLalG+d6XgmGaVAc -QU7UXtai3RCLnt51xejTkuPW8+AwXMlwLH5VrapiURSbrnh0mJFnRcP2+PloGZLXJPw9otMpVw2l -5chVbTIUue1NirHH+Wip4t8xIB5Wyx4Uhb3v/UAQC/8qC29bHX4ld3WxMsVqeQ7B9fu+LHNDENS6 -pReuRXEnR5R+dxH9rfntT9Ljtr4L6ynboygqblFu2sLfOkxgsb0mye5tmvU47ijap6k+jjv4fUrS -Rb8uoz/EpjoZ8qV4gtlRy3pQM0bLKJfFSfEGPXnLcI87oWUUOlataP5xJVdFwe6IXU+xe3rbXgT5 -sBuZ45brekzyR819FPEw9EvSBbsvvY5a0Z8U/3LER5AECUiix8uKCI9/0HEHtbrT9jCE1bSMGAze -NBTsrlCVZkqj0qrGHNdmmcxxK6dDeyDtgSgKFDQjEAeC2FEAGDIyIT5G5Kfg9RY/cgOCf+GaaWan -E2pbmAyTzvKEorB2fcHvu225OJpcN806breB2vSEv1lsWkrLffzSLDs72SdN85FUswzmMr0cPSaJ -YtWXPeOjCHcdK7dB6+pmnXjLbrC7Q28nw1gttziRQisasttApECZQfI6+Xv56+Bu+7DpXY6qOVb5 -/ZsUPWhZI6Q1I8YKqeiaZSyn4aN4etuTXa/B0NNBhxrkXrf8UU1PKYrIL+tl8xC0we+jojgI7iHI -atURGl7585mRJ1bHOgny5wjD69Lb9uWYetvTy4rotmhNRW5biyAugqH19JRi6BxHqnmC3V9VTXAM -w/MP27Ybd5Pkr6aqOf5PMz9Nvm311t3VNeTGfbrWZfmr64qeQys6Ws2Yka+ipUIZiT6tC2JXHjVD -K5pi9LNYmUR42zS7O4raJFmfZ/p5bNflouiXo2t+XUD9n5q8KeKi15fiZ009KpqKX9Ga9ieJi+D9 -dTSnhcjRA3q/CIrM0cWzszCNYPQ8ctcePfdRJKVnCm6v3PaDliw6NrXsLYb01+Vih2JPFYuqWPQF -s30pqtxWzrJ2s8nBsNS2rJpexbFfkvG2iSdO6CWpouW420YdBpCH4sl9Q+b5H8u68+rOg7dNhSmU -4us8Gdqf16eqJ01N7wtC0V4c2U5n5riV3Q6RYssBcbUs5rq442Kv00lTL1Nxw2HZtA6TWApRz4fd -7W032MWel5Pli5dIaIXVTkfGo7fkNEo1d7Crwc/dNHjTTD69v654GJLsuaueQWmZclMWrJZW00dL -Gi0qTfSwgyrfb3IsuWsLqLcBS618cpgMt1zW7TIa9PpylMGv5TSVy670uUpev/D3CA3THYd2NqFW -Ffn9GPzWrENz26cke9DjP28vSfn7QChqWtN8BNONg48gSD1LbsrS4y2e3YOWMuiRfD4hV/akaWlN -TfZ8pJZfetyFCZSDHg16o5YN0fURu5raltSyv4r2Zxla11sUX47bzTJk109+z2me/1TVy7I/T5Uc -m95XBsF200pu2vLxR3h8Rcce1DS1aslur/x7yWVFrPqyZxN/V8FvyW139HTBryZJ3zzjjmO1zj16 -Jrg1vSyJTVHv+qtnfpr2Wc5jCFLPD2rmIbhmHJMDMnucaE1NLYtq1RQ/36IEKvHwu6q23+d+njyC -PHquavnEw6fcd/48Vuuw20YnPY8p6uLXkyGKVUXgds4yvyxVwGAhP+gWRfz7PGVZctmRmr7bxm7b -2eHwptmi65X77iD4Zpq64cCZdovhPo4lihPjCR1G65qy8R5daQ98s06bZSxn4zlLmlYL3Wxy8FPB -rsl9SypKSktY09CONnY6sefBXZdqWctpo3UNuXOSWzepKm+eq6bpZHlyX3WzIUFQtNqGi6WqbV0v 
-W6Lb8xjGnxdSUVz8Zk/zSxDlpiPUTLVpDzMuSeSg8a8qC8hXUQKh2DTeshjsQKhZWlH/JD+nSXse -q2WtOUbR81KK1twWa52eFEkqSlJR1Mvyaup+np6i8zimmjaDnkg9PenZn2WKz6tmed20uxxRMxzj -8RYtv2A1FrO/SZZi9wUKio6yNRim7LoKr6dYtGSKMHgNnaTHJEPwPPTCPhmu6HcKj7Ne9uWyLTk+ -UtM1+J1kug7Jk9OpxY8VtyO0PELLMDye4vf788TJEcSq/XmC2HQFszL9zeKztwjxNFalT2reIvin -52dFSe4as2cWzJ5UlLSudQjGXkeH36dVfzZd2bHLCTSzKsmYQDHc9qipTor+Sf5rqp/nLIY0KfKo -uZulPY67SZLg9Mrfw/YcxK6oOVbdtSh+fTX1qCqPovPnyZ7no+lelj5q3uQIh2BekqMVhUFATBQo -Sv7fAgU4YgQUcjudDzmi2PVTknCH03Y6M/j16UnDUpVat+10cjHUyxIXR9n76g+8vY/uOl0EVa/L -p+uHAqTcbHZRFK2qKEVB6AlK1bSTkex5C8ivx/FDgcLNsvvzRm4alJ7z962apnKdiopFAiqR6FwG -xVfbWG2Dve8exbf72O7r1/bkIxqt8Mxxtbel9HkIXotYNYSeL6exGsfUpi0evuSmU65aWk/POc4f -96unR0Xl70s7HVsMT/Y7Zb9X7+qKXU9JuppGg18dhq2m9WJ4Yss9TERc/l7Vqr85ttzGetwqx0Pv -rJ9lS+j3oSUFBuRZQfpRdrw3S7jjTvD7p+c9gjLIjdZSxH5T+rskn2E6jp8pXpok14W/Ds1A0g4K -ffRE6BcWsyM13JNiyBRhMyxKz/zr8G4jneWqZWvQK8UwqnHjhkNyV5K7/pDjzG335/Wk6DlLVeyi -XHYXQxE7ZunrGdDuitlRSppadC/BEt0m4XfXXaeEfJReb8HtCB09pcifJW+SIDYtyS9eijAhfoiY -kx1aRlQ8umuGQygaOk2SfF7RcUmG/3b9vKyKjltzXGLZt+Pkr8PRkmTLKFqG5TbKxyfZc1ZN7ydq -k+Qchvh58qr6YVsTT3+S479ldbOUP88PQdbboug3id/HnheC5yb3hTWtPKFDvWUoOS1D+lP6WqXP -ZW4rQU6MXhcEy2z3rRvHahoqNWOz+5Ld06rGH8h2Xo+mI5bdxXHuOpnjcjGUPc8Ux7A9X7+vBUOd -LEGnWULDvPjRXid7nWimN/AACLC4RuKTNbdON1HdRHXzvMVw/kC7NE1EJBklKTDnoR3OPYYvJFCN -lckEr00r6nabPYIquP2cpdxxPCm24rc1w5/01E0SDsW180Rw7EnT/ixxEbS7bUW3XXC7j2H8dSzX -pVkmQs+Tmw7J71wMYy7TQ++TmqaXXRGBeDR13XMMCdTCpVLNcStuYXUcWtEfLU0uK3/e2dnMIAcz -6k3yOUa7MJkFsWldlqLXFeH3c8vksPPN8dSmKXrtitlUi9rf9p/kiF3vzzuxaKyWRebY5LZ3UsRL -se06tut8Fe3Ncua0PPxEakpKUdbLntwzbIZnbyO16AlW+TK0wy6kkqt4fdHtDRiq5fOz6rnEw4PU -VPa2O9xgN7wy+lHwy6JjlA/Pn2Vrfl8+fEhO+2rJm6LHLF1vq5LPJ/ic0ueuWga5acuOTy8LQk8b -/HqTHMUtCahv4fWnXV95/UIClfA8f571KOoqCqJl012vcpyF16F27dNTL8m9JFd+XdWqb5aBJ3Qw -QTY6UFBQdD1uNrMHwvh8Sy6v2BP/tlfrjDoMoM06LGKtlw9qvxCm4zZGUjhSnpK63cEOBUGhZh2f -ZV1SqNELkyhQuFr2n2aJfofctkhNebNct61PV/xUV65jORvTesbqOIVJtDIKtZRMIjimzzNU16OZ 
-xs3UHsnfLFtAPY1JxPL5lN747HRMdDwC8vwsq4MdyBRLbOqfZm+SKxnmS5I3TZPbumCY9cL6GPao -aZslLIYjWZ7HceU43SxRLyujBGLZ7ZJq+uW4Zlm7bS7bPsVvmnVs8Eu16ouSpwXJb+lvlo+vn+iL -6gSjOq32nP061uwSMcOyRAuYFiNPzJbxkrTJUYTfPy4Le9y7dVrwWoQLGBkjLxaPLpLfrMeBWlYV -wyeXvcPPN8eTq5paNRXD/4mCTPIHmBMYEug/S74ccdE7qaXJPa9iuCbHluNU7nrDdZrBSqnaVoSW -u/jtJMibIgnoh3G59tNsxe2OEZYMFSnloiz/3aLfv1VFMiyH4etxrNldQA0WRKRwgeW2JzVLruqr -6N+mKlvm11QewRN/vxF74WCpVvS4yx3TfPYRnOZVEyS3/Jr2Zvny6zZgpx1QYkTAoLhgnUgxXIpf -lz2PVrXkriojX0bJy8VIq0VIC+Y0GsVvyGV3k8xHMJSa77bhJYmTY0hVSahqogD5UA== - - - oEC3DQUkQrFwm2kx1+Hi+KMnyV6vUH1cfvzUuvnntVx2lJr1t+HhN1LTVOzCWJVYqEgnP7+bJZtl -vUmSWPU3SZTDMUFA5I7bR3HGdGLdOppt9PfBgPoRSoJM0cSib7bhx4+kx2+4qJhqnFddHlVfcjyC -z6f13MWP1Ta+WrKUQCF87nKcb5Ikur3y4Vc8O+ttT63amyONE5IfWtCEWDbmNpFa9mHFhEcKiYuO -8VGEO84mxxStlSvXWS1TORu541IwW0pP+/NuMWS5jYXfLSWTyL57TtI/wxcu07hUK0ZeNkxcM6kS -aEVDrwtTCp1eFnSOIDMUsaeJflOwTj/MyLCfF4deiUVV8HkGy6SC9IvYMQpmczJMya9ekp81del6 -jN9TcxyS3ya3xUHw9jrYHOMmCXI2KLeJ2vWkjluMPDMhv+Sy9yii3BVlv0duG4NeDX7+WZLkdIyI -L/n5Fs/rqdma3xKbeszR5KIlvKxD5bUCpjLNs02SnjUN2e0Qvd5XFP04eARjTKEeKCMkeW2C2b5d -77NkGYFcsFwkOG9z2T9qIvTaIvJb+53S8bos7fD7wQRmQzVa2emTHB65YxUtr+x69LI06LX8OhIx -Jw6oweIAM1isOI1IcLoEu7EYrttWbk7kIteTpEh++2Zpg1+bae7Ggc6TF0fQeeKgiIviCL/TqFAo -2PVN0S9Du+NgLetH0fa68MQAfFJk+XhSQH8IdkfuWmLTngzx8NPJ0DfLueNAp+m6b70sQSmqclnX -PP8oCnMcX5K6GKYdzh2CKfjtyzK0oiT87WIi+a7reWNP+6ratm5aToY+WpZa9ESfYbBMKNn9V3TF -i2V637jj5q8rsWmIHZPktIwYa4VKpZMkKD1Tdhy1pi3Y3cXwBr+Tu7ZoeMYIDNb3aud5UvbkwiH5 -HUrPGvTq8LNJESZ12oFGJub54GQZY/r8MKOihI0XQrCQqeFCiczwPoIwLFRLasWj54qOb5C0eqC8 -imDhwkMlZrLTNwm+djsF61Sq690sT3a6xqtkI6YKsWeW/O7lKHpZmFZKFMOiVkX59xXQXmJXfxxb -MmyXJNpxHxhW2Tgdij4pmtzzitKvotspO+7y8f301M+SBL+fle1HcSakF8Ei5gcVMiwm0Ep2c9P0 -2zWEx034GsUzr4TwFCjRSynkwukWTv9vS6dqvbK826bkd8SOU/yaJbTHdlsku7/b5isrn2vqdTFc -9iEFdoAaKlq0VH+7xmJ4jyGKVXGQ28uvRZT7kBJyIwSm8vusGZ7D7vSuKDrtitdX/bpiluWqJVa1 -SVLlOLPTCbGpHor0B4ogIKumzV8IQtWSus5d12YZCoIClKY3Vk5WUCZUy+KOu8FwF0d422wQbLPs 
-G4AA8PBTEYFYPE9uXOt5oPRUwSzrZUnrGUJNWNNW8PvC71XTXC3rSdFzmqjXfdGyCa/r4ziHoAvX -S7PNdp38daZ3XQn9LB0fAX1MM31mGsh9/zTFRxEXPx7sVK4KUs+WLdMwiX1Y9f060svCYJlYoEAt -Hlz1rh6znD3PVdMsoF8PP9ccj9w263VZfp6knqPU3M3SBcFWfZNW1t20G/RKLGrC4y2kzwxqJFMK -kV435LY0TkhkVKhXbrNmFyWfW3icBJ9hiKxCfD/ksipaKRwqI7A7jtUtCi+76pb0ojtWQoRoIWO6 -7w+rqjB9ZrBKKPs9Us/eHD0ouTLyrIitUDTcAupthKxC8BgXv5nTQqmJomMUHYfoeAvHY3H8pCfM -x6fBOpXU8Igth9w0qVVH9Fqk5+2xrD0viJSYBHjUiIAPHDZEWi4azk/TVM8u3BatZix3c7C4FuAj -Rg6T2CunVbecym1Tno/u/F5Vt9tKa/mjRWSIFSs3RlYspE/Kpu80TcFRDcXfXV/43DLymPB4CV5H -cAtSUZ4k1w4HHz8Tz+0iJZoZgUTsuSW7P0qWXJUlvzwp/ucYQr8wHp7Epn8UnUUR/j7R27rZhnI0 -lOt6tvXXts20T1nCbBpWz34o5uD3YVX282AxNMlySGVhrvtOnBBRoGg57ga/O/xKtPyh6XptQzP9 -YdmcHGWPSzmbmdt08Du97iiGW277pOnphXNytMWwDsE6/HaTJPn7FbGXPJ5oJzv5dyNatHjgiB47 -UGIuJRCoZc9O5yTPqpaZm83cba63PcnvF5HnBaskst93Ka6kSjNaVO6ypD/Oc4old2XR83+efVn2 -Zmma3xWuFYlt0c3m7TRW3K70+WuGXzJskuOiFIW5jQSnXZA+MiHPCV5ZcZty1frbTC+rhA8dJSNS -r6KmlyXR7RPdhtEvSS6b2lTlw98wCRH5e3sEUawpYxXqgfKyYcLSYdJq+fS2GObmyJ+lDX4h1IQh -hUh0++XXeVCJ0ShxpWRXBbcr2IW7rUdLkR2/QQL7wWIiI/pHbrpHU/s8S7IcclsfLUvr+ZpdE72u -EUvZaJFS/l3+PP8sc6SMlPweVl7DdBqlz0NuesUIhHJb+NNcSLwPGRMYJC0V3cKkQkDAmPGBRUwL -mOrFJDLNcS1+sPrtkRKzUfJ6EfkqID5m06f3NdHzas/3FW1DD0dHlP5+UfK4+HgrfkfreofiR0VL -squbJMpVQ2R2BYdZeNuEt0Xy2mOavlmCUtPksqE19Zwkan5beZ2qZ7nzfBM1wW/rtuMP5MtyxcO3 -fPzQia4czrtt9Pe93LYi1mIpkV6uUzONpK6vWX4R/a/5/ZzjyZZ59x0hkWi4rIBgWBZF/URVtAwj -+kVq+dSuuCjm6Onq+11l2W2zQzD1tisenUVrpAAfMHawlOjkyCICrYhAn9TcQc5zjqI2Lb1rqVU/ -bHpqWut1Jr8nJcdyx+Eh+J+lXo67ScqsVDFKTGAQRMFrS2ZR9FoFr/oY2iIog56Ih18Bc31Ulc06 -KlIlG7DWC1SppI5R65mH36tlpdcV8fu32+aPO7Vpi5+nCHlQbMqToI6WtEmamEQyrxcdgvXnfVRT -huSRAekr/T2Cz/HHrfCbxAPyVfYWQ9FantxzlJb2571fF3Y6Y6cT23UaVcqTnvbofVKShK9F9vpV -x6e3ZbeM9LYmvI6i46357c2RxKallxX5/ZcWKwTHplYFoiWExgu14tFfNBxKy94cdzJEvWyOFhMT -UC9DpcSIGS9W/h7VpiFztEEvtJorViEW0Z+XI8sH/yHFSQN8yKHEDReuXPawpr+aHvakUQJT8WqZ -anllxykfXuSmWTz6jpPXjREWLK931PzZdf48jxmG1vJ1xzQlkIoRaMVJ5FIK0ePImuOW7I5QEcWe 
-LbmF4bGoVUnxK5rhPD1L85tCxL8Y9TleqBVfj+V5CJ7fI4l2snIDYtLrMaUQKEXhbdNJsqTXa5C4 -ZEwg1vzOHKeCbE5ufGLf2uvarIODXouYKodLSYpXymQEMt31D8czIyU5YmbscMRDsMSqIhU1samN -E9eMk9gpnv3zHMntGE2L0HMPO5H7LdnpU5uycKFcUKbcLH1zRPF1ltA/ktumNu3RUl/RH3ZRSiJU -TY/sNswIFILnJjj2pKgdgrcYyl/Xkt0b7OBs89LfQLSY+NCCMrLjn9S8w/DkcH4VHWLGCxIM16CX -clMV/l69rh6CoDTN0RMOvRMQ34Kl+snRB72TWpL0d0noD/HsKaUQ6rbpEGTNsQhuu2xZJa+s2j3N -7p6WNlxYVpiw8GxMel2YUY/C2yO0dLXs/TgW9NrwC/H0Ir7vaVWPq/qqaXrVEt8WyekPesrg17rt -VD335sjCdYIhhUz4XASnYbhQM0piJjnuz/HHi8mJn6vkVsSiJLsdktulVg2d5EpmQWsJkxqpgLk8 -6ulBR9J6wub3ZLdJbtklw7gIqoB2Fz6HWtTkx11WIRVSvyLiX0oeGiQuVm6XZNfF6/RiEqHilzdH -0puG8LKoPUVtqppjt9ti+rxDJWQHlhEeIy0V/hbBZROP7qtnKYZxksTJMMWT34ilfJzATvzcRJ9j -sEwkO54y+k3uemrTluy65vdvY1ssV42Du48nRxmpkcl+z10HYtsR0ejF6yH7LWLRO/x2krS/T5Su -I5XNxbAvSROrBkHDsoMMCspn/7DoXZK/+64gMckBI+OnacsIdKMk5iL6xOZ3xcdHcjrltiJ3nZFC -MuJ7as/7lOGL1QgImRQZsBSMiIftNo+aMqqUDJIRE+z6JylaTZjSf+Mk9uKVGuHz32VpqIwkcUPG -yghlj+R+lvtJ5mQY02ka00eEliBznLE63QhxrVChVnP8o2ZoVf30TM2vjRSS/TTt8ZMZ8S+/znJX -XgRfbnu9bUfHldF/8vnQ3AYiQxiPzQQMGR5cUGBGv6hV3467RbBkx1Pxq58kzGrkQwZlR8wKTMvU -4vPdfft1RfHwJjfVxS/eOvCmify9ChKREdCfquM5BH31dOW2n6I9WqqQPC0o0Uivp2IYhtsjl/3T -sggYMTQqlCmGdTNc8dwkel2K3ZZu/xCjRWmGVXObwtcunx12y3sZ9iNIWtGcBFk4/fo9PXu27HgF -t6g2ZcWuaE1906zDL2XkQdlyqEVxpMASsAPGEDEmOUhWK1ahFVD/s+jqllm0TCUZBrEpaEVPcpti -NVLRLuyWU3DretvJRw9iRoUGNXrV78lNT6/6suPYTqeI/FL8/uoZU/qsIIFeoEaxGmbBKQkeq2I3 -pM959PSo52l2U35d9MYl+56CRJoZiVzuSjJDNuuUm00ROXB4QAIQMPH8p/QkuecXKlOPk5AYLcvb -xnI4KPjdAeYFhucwt92gl4LbHS8sO8CorIA8r9s+xbGHTX/QtNC8VClaxsGvH8HTaqLY8yS3N15S -TEIhkoq23rUEn1c8e4gdp+A01J6q2W3CBw4hYMSI7frJz69YkW6EqFqYQCl7rZOiZ0UvYIAigBCD -FMhIaQmtqYwJVINEFQNWqhFiYpH6nNYyhwrKCChAgRSw18vq9CLExaPlhAAvUsx4qVQwC0LJ3RxT -vFhAsKD5pChLZltAe8qvx1CBeChJuSh5RGn5Wc8eVsjscFFZ+fgumU3x2CI6reLrMj/v4uv/Saac -Sj/MkCETi7GoUiQfXkfL9utEcHvi4V9vazvtV88VkO/jJcUIGCpeSiCc/NpO+6AliX6jYBglxzJM -YDBQYjFIXK85/qBlf5KombXBUqLS9ZkkaxL0AcZkCBqWGicwGFXopNdzGYbks4lu+yaZkttWDbuE 
-ehmwFIpnh+04aJ73Vy0R/aEYtscvZeSJYaFaTKQYbsPyWtSqIxZt0TKlQIlOsSqC0Zceo/y5jEo0 -w8QFQ8TFpyirjmFCnhNef+FCtez4dcend9XNUEW0u5w++SnC8vfHSavHiAsm5JExgWhYpNU946W4 -wmuQq35SEuWiJ3wds2OTq6Jkdy9HU9y+dHqEt0tqqoL0KcFrXwxtb+vH8A5F3zxVpE4yq1TMpnnA -WjBQJpKa6p8nb1msdequG6lpS2mks60MfjFdbxmFZFAjGq9Ta3bxEXy7zLXTPMCIaQ== - - - YRILtatKdl+oQjZYohffXsluLYJvx5XaVQY12s2yN0kSvWaRAsmAlWi8SDEg/AS7KaNQilUKFb+p -l50xhXxI0ZIjxWRVvygffaTPRfi8RqwFs2fdFHXyC6VlLKdft4zy+zpeXFhOoyBqvDjCBowX0ghW -zyZ3Nb0qqU1PcZsS8lNCnh41ZYScGJBjpgeV2AoOs9yvCg73JagCxmoBCDQQhA0bMHtGgsbEAj3I -QGLFCo2oj8luKCV/M+QAAxIQAgpcQEVMZGUkchl5Uph+GjHTi5Xo5KpotkkBUyXBA4dJiGSLn4tu -Z0D5DxKUjJXox8iqh4nL9K48qIjhkSLF6r5D/DxF65TiBJo5eZroAeMBQPxY6fmuniemD4wpRFMC -pSB5TH68b02/PWG4vJrjF+RGPj0LymTC7dYdq4R4l5SoxaWCjUKx//e0LAufZ1YnGJRJZMdhuAzz -859NS3Crg6XkZ9GQnubhRcQAMVIoEWMGCJqVIViw5FgRIcmxS8drlIyYYhknP1O8nnjuHiawHCaw -EQ/eqyeqdVD+e0Vq1KpnUJvGdJuGVWIhfV53baJpHT1Zd4zy6WNKIJMeP8Hrn5b2CPqoeYJf3iRF -KkpyVTr0epOkIf00n76klklo2RdDWOuAUjNW03tJqp3OX5awOT7JaxXL+uTYr2ptmqtZzrGSEsNx -vNtUcDnGqyQj5FRDpLTEjBYH8BCjx4uJn56u27a77Se/kzxm+fArI1CLmCoGSYuF2zZZrqhUS/jg -IYLTJ/x80s80qf+IGDE+YFRG9nwvRyFesCjAjhsyLtWK6GPi3yWgXcUk2mGFzA4zMCUZ1tHyBOTT -oEQ2SFwqViQV3ILQ8pXTBfBxo4kgeFjVs4pHzyGiIqJlhMdIKodIqkVr1MLlPy1pVKIXsFOpTU/r -SYMC0SBpzaxGLkJQLynS52VNcQsEzYrJZw+1JygdTfSZBJdjc8sjBYsPGC5kiMBcsFQp+Y3hMYxu -XTI7YlEPOu4Qs+KAIoA43faITvs4edVgkWhEPEoOpwDhNKpPS499WMGyBA4aLyHQES9iIOCDjR4p -LhYmX0bEr1CVQCyqcgJFgABAtJhMLtmVAekyWKQXLVNJf7vs14OSnvUsQA8dR/T4YeJ1GyYtJGDA -KDGDhgE/bjTBw44Y1UllzzheVHK4wLRwfIX0C/EiRgkfOXC4pKxgnWyUvD5uulLyk2jx4mKVatVv -yud+8RLJeJVUQPyIr8+0UrD8nlGJZMBON0RSQKiMzHChRjy4p0VrEezhQiJD5SSF1ygjHwdKTAka -LJCAoQJGSwXT835NV1gnGi4pTPPMQvpdvFAwI4+rhkutinLZHy1dQjxoRfVydCmNDFADhocc+RFk -wa3KVV+y+6plz1mKG5A6DEv0fQS3Q2iYhJ6u1lk5Dd0yl/zOnESg04yzjgwVyQWL1CLyRXb5ZcTL -lDwuI09/lqn4rbuNxI6RiDHpISVGRAoVJFi07FiBjWDXk6Y7YmIWEAQQI/X0wRLbwRLyo2XkRwsJ -y+gTYtG+DD3ABBJE2LAximOUT7/DxCUEi5UmdpCRgQIEsYOKGBPspuj4CBswXkiileyO9HdMp1lA 
-PctH99FC8mLkZZOhSqifEVO5/PsMKH+xEsGYPCigHYb0y5B+kqv+K6pidXrhQtGwSjQu0g6XmErp -L9kyzM9lWCldRfsVjTGFaEp/ipD+ws8jvMzaa5H9Jrlsy2mkdzXxbxar0YuWyQSXX7Xr8uDxGboY -UYl4dP8k/zMcsV0eJikD5FAhBIwYFipQC6gXsV8lYMD00DKCws8rvg0T4lk+/EctYXx9AwbFteex -W5YJ9SE0nJpf0auqaLZFvyufHQiZlxcmJCos0gF+0BCChUyMEFaMVqkHi4iKVWmk12mklMhAOUkJ -fX7AoExgiB4K4KHHECxiXrRKLCDe054sqRABaLgo+UGuXNaBogoiZiSIlBcO10kEn0nvippdGbGU -S4gv0WcRG27FK2yfW7lsetcaJa0Z10p10zSuUY4VERsoIS9GXCyiP6TXVTjtAmXkBxk2Xrt+gBss -KuCjBhAnsRUjT+pdQ6gJSk0T2+1NcS/FlNAfgSF+wEMwRmwFAR5qBOFCQhPyR62qats2AB1ePL8A -IYQwCY3kLWu56ktmVfwbha9XgPbY7LZaZ/48Hy8pLaSSzH3259EgYbVolWJOn5TPvoegrHVSkD46 -TmAwOiat6ApuY/WrAtphRr+M6CexKeuWJ6AEEEHIaMGaZ5XLjuz1CF+j8HYMFolkz0PpuUPMio2X -SmR2T/SZ5cdLdrsvR98cXbhQqXcNyesfLyk7uJgcwEVMjRSIxH59dHxB7mWFqsGCUopfHSSuBNBg -McRLSQ5XKcaTl1Jz7rSTT48CCkxgZNdFqsnywZe4MROCByzxAQYsIcSKlxcd9+W4wrUCAQKWQMVw -CO3OMPkGeAHzA0pJbJbr8HO57AgbMIqY4WIGNVLZcderltbSBMSjpEQkpU9bhieXsZD+mdIHZbdn -Sp4dJq2V3ja9KeyOd5zEYDc9os84SFpMwEgRRAyKiD5/1vFEs572NMGsKW7hj/tbtUWICogYFB9W -RG7EUiL261lHFyoxE1xAAjReXkhAHhkSj4QLFR0pMRNfN8ltyE1LPnsSOGDwSBED42+XEb/iuWM1 -bMLbKL+uAvI9KzojJaTHCgmLRw+R25adNtFn1uyaZPbk10EuipffKmZfQP2OkdWOkJVMyH/Z8Auf -WUb/DZTXa69dux3i5zCpEYySl4sQlgqX6UT0o27YCBYrPUheKv1NcsupuB2xK2lNW5xAplYVrSlf -jjTo2SLIIiV6+ewilPSMoSg9P6fpIUffHHf0RDWtBDmhIwRFE9pL8jgXu5nrvB2ndpxdkquazkcS -9z4akceGCxWjX5FaklqUzTq216n8fQpVaSdDF9D+g0sIAWCs8PDyMtlpfvxmLptpqWyQAhIcoAce -YLTcgBwqYLRIIbm8ilm6016t05tjEjtwsJRIonNs4WsYqM8MiD+x6accS6ppg5wK6NOCtdpF8BWz -K/zM0ts1XqYTf/egJz6Go9f9EeNi4vH9kvSUIAtfw4h6lc9estcsnPbTkoS/dZTAWP69BasURIoU -HymwFs89I+pXoECu3dZZdMWqtKL0kfn3lz1fua0NfjHXifG0Src/bFpaVRmr0BABizqohDI11pQN -gATQQdAP8xEAADgQFAvE4kHRzDBj2j4UAASWeELsZNCCEMQgBgEAAAAAAACEAQEQnAFAAL4Fzlzs -k/DeZee7+vQ3Alpn9E6Z6dMH6Jc+ZSlfKWm/8rYZNh9t2KbUozimYYWViR5KqB1+Un1kGSA/CZXU -FlqqFagprUWCSPmKUtvMf7HS/HX7XkYVO0fjlnOdGjXXdWNZvfZ30KZEVdVSh1ebvrkcMDmCJTJa -Efl/kpiSTcRV1YkudZlIoPYTlVV3oleBJlKo4UQl1Z/oVcBEKjWcqKw6E30KNJFSDScqqu5ErwJN 
-pFKDicqqO9GrQBOp1XCigupO9BRoIqUaT1RQvYk+BZxIqYYTFVV3ok+BJlKo8URF1Z3oU+CJlGow -UVF1E30KOJFaDSYqqd5ErwJOpFTDiYqqN9GnABOp1XCioupN9CvgRAo1nKhQvYleBZ5IoUYTlVR3 -olcBJ1Kq4UQl1ZvoUeCJlGo4UUn1J3oVYCKlGiYqqe5EvwJMpFKjiYqqO9GrgBMp1WiikupM9Cvg -REo1mqisuhM9CjiRokYTFVV/okeBJlKp4URF1Z3oVcCJVGo0UUH1J3oVcCKVGk9UVJ2JXgVMpFLD -icqqM9GnQBMp1XCioupO9CrQRCo1mKisuhO9CjSRWg0nKqjuRE+BJlKq8UQF1ZvoU8CJlGo4UVF1 -J/oUaCKFGk9UVN2JPgWeSKkGExVVN9GnAOW4+okf0qaTaAirirCK9UfeKnf2ER8RTOxNZJqeV96g -0GhoRXWTOvAZparXP2gxcazC3od5x94rmLKnb4C0oDybUVaKRUIhwQOE0YMa4dW4CTQN/jdponwb -cB9bmKEv3qxk/Q5Y7WI0WwUhhlc10wQJDdI/BrlHunAFbinnnQCYqakJ3UIJzyPuDltncJk8OXEF -298Bufox2MhgvDrk2dais6euOnZM5lynsoV0zf1GfBZouwCjApQhNzfTpMzaABjx3NWQdSo8uq6v -NkkZwJWPTAiOiG5ImvYuW1nwkTIbuQ1m2kh7e7TBBEyAzuAw3OjzJVCtW2XQCOt3amFOvtPSF0an -VT4sUo3WEWvC9QQdooRZf2VSAt4s+VpjRLz3DvyjlglssrVLaMuWbpll4MqpUccUIA5VlpJPvAGE -rRBC5F7Fd8SQgQoxzLSXg3pVzNHGDYal/QREUheXLVvoTSfEACJwJKu7etATmPx18ZyAGu+FfFza -Y6EmAsviGksSFOlZli2gqaa6SUs5lukSnX2MJZeyJrTNDY9MjwmGwA1HWIYX415NjwoFmFDjDC+s -4iEcwbtHiLopBCmYYgeFPi7FNkyEuZjtycYDAGzUH/QfAUMdm+xZTo1TfJldUPpeFuzT3yocDJlZ -DgEWbJxXSKMJvCMmluJJInnbJs4DNrvVkZm5huuaCw6YSy7MWvRWVWgXuZGcuV9F0I2rDtgCzgFV -XuHzoWryL/OQwWjU/3WvbX+Ew9DxN53pHpviSPdZSOncqR/pYAg6BMa4sSZfMA50tenm11NRwRQQ -AMBNB/4dMKATJjvXDtnI0pjaWPTUDuqdyrbOgcPW4BwsEneENrvYgUZ7wGQf58hlsh5gr3yAGu8A -CDSFsm97QDPqrcPfAFtSXd4OlSihC0TmH8F8+3eJ69KITzuZU0ZNt4ju52oGF7i1rXtI7bxkD1Ch -okFufg3lAno7/Oo26fLJt1hw7rk5dIX9QYXsPTQgLDM8ORCrATblQ4lfwEHjQBw0qwa5SLG2KGQQ -iq3+BeUiCyFF5qpZ9WdSEDU8FRfExQRMd5e3txz+PkISQJcJu7X77h137U9GbIngBARFi8RXh7gB -gigH5RzOpF7wu2EcZtnbWFvGz0jigS20xNqzD3vR9yLIF4no7c8pBue0bmjrQqMmwgEdIkaNVvM5 -A7uDWQTgg7YTidBfGbZvFq8RIhRSFhdxBasUbfDXHdqozn5RnItlViv87yCxro9CC6ozvkCWgKzm -OXkuIboQ5RpGbfHGIJgDJxDYgSu6kTp6zq4Zs+MIaAR7rR2jlGRKcEwypBDlACOHv44bUXm8SwXS -Vn4znj5WGc1BA7Kt7kt0gC/xcWHenCApi5m0I15fsfG/un3c7y38pv40vB7C05ks1KGUrdE5ogQU -Vs4+xX0Et1hjmgOdLzsRxkTuwEoBUU2rCqtQI4dgVs/jCgcVrKAoeUqdHiperw73yImwTkrCdvxZ 
-TFBQMuGxsnTsf5A/ggmsNVRrTKJkbQulwKIohkaks3MX3YZ0FT53/IaqmdXBQ7HvOg== - - - MojXF2ARzQd6ZpgXmml4r35mXZJG3JaffqvbfAnYmUL818TP8iaxKdf/GExnlBzUZa8VgyRKlrrU -y6L2RfRhtbBtLBuELcuVruKBYLG1ipgD6E8/uVdh0sGUYpNSge6k6y1OygMjT0cZEVgdWNkppBcL -/uCBy1wAPEH6sZHJvwnvnDKG02vgUkL1BgnTV0Szys+G4kNgnyHNlhGHX7SGo6aJ9Ta6el3g+i1B -Rwv7QJ/6gBD/O5ZbArSzdM2V6F9IbD1alUJ/bxi8Qq7JN0jqrQXYp3SMUMlGUiyj1C6dVB+wdWoG -ffTxbFZnIDNq8m4kqGRhTkuw65qY5RsoMwJ7OsxRMnBTmDqQ1BFCDzKQFmCfG0UGF0EPNFSjgRI0 -jkSF/JU41BUxbs5SIq2sjbNKmidtdDDOIfLmQZKhpedCygADVR7ggmEOxK3QOP5lhPIQtoOWkk1p -JWTWaL4pPgGAP4XsYToTJ37KQbLNXG+Xka7OxZS6soqwA+NAeb5M+ZFB9pP/lir4jRUQqyTqc4K7 -QganbcriBjok6sgzI41OCkp1QwaSlxcBdNKr/toksJ+AWrVau3hYqnmaaTHqikuLOFCQviwjV8Ba -oqfLY6Qyg+zGZ5rX4RM620Jl3Msfn4J2W9ghhS3fEQPhjHSfgJgcqbr6mSAn5JIYOLe4DXCbBcyJ -BXmnFv5K/IgjAmLpM2UAWlz+n83uhm/B291Z6CaiYkYJQtQBBumv++SRczlqc3HT2HJ3kwwUTsZU -OUC8ncZCL5w6XCc0F6P3L3kSw0SwwRnizwiV/jdRlTV0/iso4A6CzJt8uFNTVsIBs0TIDQg5mc1D -EHeCGEm8Rw0ClOIMDOcp4t8LOC4kqXqEEqsq049f/iE3dVDEBezxylMrkp/9Lk6HBNtiJasxRbkX -cDXpvbOWvhfnVjdK47bSJ6N/xwtB0UgnuP691l+a3U/IdRke4nzRWuwUxJGO3H49M+bbP08KqJeP -oHkSMxp+EX4tS/ztmZvgAsIF6w9pX45YwQL0mG3TruD++shLIpmlBJyfRL/B1NgcGRAcbIDcS9aj -e8sXab/IBP5Qzk0KB8zuqpxdHpc4y5MgSCKYfpkSeJe1thG4qkwW+o59/UMAifm/JxHfZxYXW0iy -g2tmq9sT3SEzUcyhbQwCmV9C6LiDqIlwXnzHh7uCdSeVuWrz+tPGoI2Tx/FeJSJhY1h/mpx0iS8D -wkZ1XyIkvAQs1OGMkOtrlAn4spN+4RRnMFzSE+KtESFZAYx63XUuaPS+blvXbRmAPah8MRHOA0lw -nwUL6Qi8wFP2m9nEoR0ImzVNizXLJkqP4zOneArVC7O3U7zsnOA10+xvWmC9xOimht3tSZXtwbMK -4ltsBbSrMROPGiTlc7D/ubnsVhExjelh5C89L64GYFC7wloLgIZ2cpJsCfuvYACh8WkiQMfdFimT -TcESnhcscrXUvbG+0y9SPzvP0ThAUGp6w5//nm13fpAWgm/3/roKNAJ9RP9XzJz7ob4/Uc0iziYe -HdkQ9W+qARviGPtG6JBoipjfskklR17uLTcwLjkrNfRrVCXYh2BUkgJ/kMcGemqLEZbaJGFs/nGm -O2mWWZIAOH1iJquRiGMPSDY+L9zVzP4yD6DQ7ejXdNHxEeuvYgwhY6UYqOYSxw5wSjlgm/yHjCd4 -pLanoIiiaeF2rJZNqmL/J0OncvDlbnfLE+IokQHoGgV5+C/oFFMLDntNW+nWE7GR/nMDTEzk0Zn2 -KMgy/uXl2WArdbH9jZQfXsP3grz5XtCmUCVpUAFxUjHhYchO0QsrgZJp3E0sxsqXtjYxQeV/yLn0 
-D9MTE7P7r+uXECi0HoWcbUWO7Xjsicco9fm9OWVhUgouO+bluSXKtJkAlfA38ZtjPTbVkr9Y8I1m -B8KGuksAF+CX05EzgjYpncaNv2yXDGvHqrMhh+4RMq1wXSYJpGg8cvbwUuIwRCE6TEi6ox6iJ+Dq -5y8D3ctkxrPd1tF4cUNkVU77l2wdxlg6OVKNvW0gpBGHFL/yBeSHU0NSeuQLzjuBVijiR/CbF2yg -qQ1nKBxps9zoR8bhuxlljEQPn7zqH6OnjfCcDA0ItPhUT2hxmir6ATOuS2VskrOBvIRvQ+6vA6ce -ElaD1M90YVGtKIoYBivx/SFYo7ggKa/ynhL/SnXGY20AKq56FnPsFHXcwphmBxON5YsL52mo9VOs -xFkNnd+1oikM54rg/vIIE+ooEXSGoRszHs7+V8+epJdxRQmuJ+yy161b1e6w4k+MZoyoKTJJ6+0q -mvy8b+M9GsLlla1OWhoZd2V2G2qQPWpKfdxEj9dUkF0BuTahgSw4SHbdTMS9zNgFGpFEDErsHJQE -0VNeC4TSbpLVBN6ovQIR5/e+LO/TwLg4Umu2QAS+BhiMM2om+tan7tJ6WFeJVJtxbbvK6V+11o6k -UUVx0Day6XhofTMvqFEBWpIuoYSa5dFYDWLPKX/G1C9TFKTrcd+pk+xTF+P3FK1zWvh0VOaZOwo1 -6lrTRe4mpSKJhCkaDLvC0nFhJpS1Fbe+QV7r3c1stmjaTUKUPmkc65rryo1TPt5kzUS2x7Z6ZxZ3 -+7RDWLF8ko7ZcC4GbQTaqAvqgyZNvdRpmiuVY0pA94txe8QSx2z1nNcAjp3wkSQWmfKB+vcszk9O -/YttxIxNRYYavsm4jRiXm1pdrIJTuGBU4MWXD9BuNi6myb01xDHRgK6AVhIedSu1kU93meT8H5Yf -WzhSC20PuNsNNrnNiySBr+ZWtVlUd8YD3oMxJK4JdzLNW6hjYxB/so3yVgPDBo6Ul46QF9nP6Hrb -15yPx2pYiPccyWDHkej28tQu0LQAX7hlPc3seigDS7BdiF8tgfLxQm7zRdy3y7Z7ZmNXER6tbOEr -PH6UNRAP2gHf2uYq/F5MzubnK717U0Tod1CP2UcSRpxdB9Kk/MqGReKsLTUxFLoV0fKXwspVf/FI -A1MTVH7NyO/A5eBBIXAAZF9lrp2UVj+e1pCkuBikXRO9EnV/cA/7u+xfJtMzHuIREi7Pugrya8bv -AkRhbxZ3aOGymcQCrF86Tm8ETKyK2YIKFw0uHHpmD8XIynULy+OcqJz/rLCrwrnRf/BgK4MUegSB -nKClyBZSimovV5gitks/v3QtWSSN70v6QHsH0sFQemkFZuqKmdh7QmGKLAy0eMgA3pxLycdbSvB7 -8x3Bjlp2XoSeVkBEoA9BnReXRhCFn/abcdyitEKpnI92QHkMTd9pFNZBsoFj3f/UlfIcSZsNXMD4 -Q2+P2krKAV4AGZ6wldwbMLBECRiSkekksq4shiCvgd0pQFxk6RfijRDrG+9gnXd0PxWAcdvrwhNl -TZL6OhZEiXxrJoWU5htEQucYrObq0fCDvixVxfIqrhJTiPkFWHrjFrqMwecPmWSNa/TZMkinJEGi -kcQLuoCmj1e5Z4zZTi5ETrxsUDfybl4v9hWKHRfhiHzFAOguA9EtPc1kKqrbGDp0bOPgOY+sN2bB -ZOdflOOMAu3zAEmzxq9pZlPYvkEKxBAb4HSEZGE0wzfW+bKIScu/HArotDr1s6E4AneVKmJZAapc -zwjRmBkjtbPrEsMdWRXydYXQrKBLKPG5twRlFjkVpihFkAYTnMqHB0L59h8MRzsP6pmu3kBiarNg -VEGqTt/jCjSBTQM5lntITFp7QagkVIPLL4Cuduh9XesmhCyqZiSMD6x1XQYdNsZtFxwOF3Z9EH+r 
-erC5i/ymsK6ko2eHfZaWgfUJM34NbQNVZGVEcN/cuxQtuNCKbDwd/V2Qos5Ngt6d/3m+CRnBCLby -bEEIM0ORRIMg6+HzuX1rZws3me9E5fC5fegpkYXGYrmvU9pyWF+gmNAjztOjnO5cp/sU2BfBfSci -XSy4VC71kkPA5CTFhZPvumanCvhw5WKN9oJwUCmhDHD/TkeKFU3RhfIppFQ5Jk/o4HEcSW1SY3iC -fFQqNHX7RfAdIKJ1Jj0p/can9YSkscRgoqZC04cH27mlq2rPWV8vJ1+fxQIdbpscpspmPiKFnKx9 -0BBcSrNIRyXfxAuULKhL+rxNhVJ2Zvkkvr8E1ITqwQW/IM23H4lbBzN+l8PZE6xiio8Oa5ArfdLL -TjU/nIGK6UOeaZLcDJJniNwZSNpmvL6x7d1PTlX7t5qeAr/is7LE02dNENOCZtYyYO5BvTnIOwKk -33DlCqK89MwYSTfhH41orMCxTMO0w/R4aMvmCZ2zW7mfqsCu9qE1ZVJ0xcYasc6oI677nDWRSWe0 -vyHmyyVbrgGQi5sCi3zS4g8z79UzZOloNp/iK24hVkGFhBGYauvOlHljG2l+FQRoLkGmR5gy3LQU -L9EkWADhBc0DVLPjNbMvyeQK2CK+xqZCIhY5Kl+VkoTI7E58OselgrIxhwSD3XqRRYJvqs4H6YfJ -c/wpszFDkmG57ZgHLiP8uFJm0b/yk/IngkGYd7Sams+Ow2zAdI9vwXTFyua0MCITXi1TxOsD/bK+ -bN51loctoE5gO+9H29h62QYczB/2PNtA+pyegfmApuuU4t0gEZGgK7mh7j+iwUGzDkecXKwfiZ4q -d/xrjYjvGjhXSPpWQyUCCbr9ahKpOf94abEl0oPGAIYgqD5FFZvBpo70xlw3oVxhpS4RMRJECsji -0gunADREmgl7CAQugIDv4C4jUpdtqna9xeJS2DeVLgNZHHljlHrMhCbPE33X+Ea4EkdDkVzNL/K0 -IZbgu0Fj6aeBLU2NL2PbejOYBnIqFbXRSjhkBORu/XAiqjj6k3JwwDCVb7IlhruES+nxiHSU5L+X -3+bLnTrSeyfVdVQ+93Hc2/HpstlPW8IxxXJjm0zPb0+WycFOuTNU0GxGx/g+HqIpkj/Dzk6Wovh4 -73rcOGDyhKCEcPxaaKMgk03qi5jU/D3kDhQOxkRXXAQ1BmUVpWX2q6OSaQNR05IaggEU/dnb+SHJ -OCg0y0CsD8APQrRE03oZzf4bzdaFVPDoN8OCGs7MhmryaXIwsTqMMMvKDmPnZ7lfbwPuRRxt+1Tk -/jQRxTcmATxKAeyyQn9zGnog77PnQWKe3WrOjQQQnpWfTQ8mAqABKNq0flaAABqd0s1wO/3hR4tm -EUoFELUilvNbaGz93ibSmlfe5CY9hcmtsORLP5TNb2K88RbeGcfCLCtJFIf8EtVlVN5g/UwU653s -fFeDyvhDqLFe9g7DGOnD9Ej4rCw2JdnEX2TdZva3FdKHdm8NjI1mWuq7bFMTIYbEVtmpiaET2CeF -3ysTVxbr9lcy/ciH1erl6UYyIE4NmJI+zfc7XIoxlHEunfSWsTgq7ZSEjGr8NVUw4mEvTGXtEQn5 -kIPrbh3Jy36VteBeEH1pDZN1rFGMfMojNQzjAGnNhqvO468nqSYbTkbycMNVQGmdaULA4V7CXRNS -PfPBEI3bpm0z3bV6fDnB1al3R0QMTIUvy3cizjemrvTm2HM47TeqFyUgv9U8KmoBpg== - - - b78cDlsnf0l+EZVMLtyYjiZOfVgD/cAAFWwIZtbh2d+KgGYijAsIY6ScENCyy9xVbuBx8/ohQMhj -0RHYvxxI4UAvbwa50abln7/BQfX+ENZ4CKfXEyIS1ZrKnc81AQ9agZV8wPY51fyiwRTDktHokRbo 
-72IC1BJpx7p6vBOPKsBTxrNLdNB6NF0PbfSSUBcDbqEvdg4DkFCN63kJuAKpqO9eHMiMRY4MHCoH -brFgXflerp/PD8gb2Erk7BtDfaCGrlHDqo9vQ95Gcm43WuizUGcG68udZ3xH3KUp9kPEqGRjudGa -e4WB4f+ROMXHopX9fQX3f2ZPazCJbisgVJ7c+GR+MXUHBRBqYx7jhTyiab6GI9p1SWyDkiaYR01B -rymzyZxoqlbN5Lp4NgGjDILueQ2buB84lRmH5tbbPt+6D0VLUAmMazrEAyqZlQ+bkARIEUOF1n/p -ETdZQ4JSOQVf3vhn0/4bfOcdDM2dojkUhqkYk8VTq/MgD5zk5iuf9Ec/gy8JDF3q68TUG6DOQ1YP -i3NVj853uV79DY87gPNtaQjXxNNcJ+o7hSEXh1/i7hkOGj2h6S+jr26FUZtVPU/UeHYHj/k3M/by -aJWHAiMwvettzPrfFh6wMR6uUjabGXQeJsQxMkMm1/mOe/bVeJM+HeGGyrX7WOVi8Qmy70Vl4Ee2 -bOnArUvO6RX8JfmrwOZj0udZsYnyQwdCMIh1hCNfRkJ+HaM7LCs6kaRzfkXKvvCss2uDYgTOUuo8 -EhDhwOw5xnbYFyeZGQG6kpTJ6NYsjkD4M6sIqx6gPJwFow3aTRxwDsVeKSmgdiECHmiXy1lde2+Q -S2VBAILkpkJdSwCm+xu5Oref470GEkakcFe5n0X28ls0SBxcV14tYBn2AUvP/buQ2QYKQHxYOhkx -Ad+QCIFxz2xaDJWS8G1HLM3PvClr4y4oXmBMn/9kV/FDz+qTRM46nGAvpIm1jEotjvfHnkHFyeRN -1+J1aUtKs0fENJPyBim+HVYW6IumSTgi3JF8HYPVmySY/YEy2yZEYAIosBbFW3lWIgl8HqGKmkx9 -bYIOErFQ8nWBUqk81zYdCHshPYJf7o7WEGjuJGzy/vWaPitRW/t5smEiOKAinYcdQYOooh1BBd8a -iG+T7rEdFnXhilxR1AAonyrFKK/WpGZSu0lbI1wVRozX+5vZAuegrVkyJQ4YYR53B5LUhrCi+I2f -06pj6eukWPdwb/fDTCyk4QD8nKETPNrrUz9+e25G1J0Dy7eaJwKEyOzOobEDeJ4L+eS7HSCkjiUx -g11MxURQ+rMxHP5TiR4RneZI04bRE68RiUcWa/d4KAk7mR3Lzr0QJqyhiHa8BaRFvI2VJdg6jVXk -AATFcnHvpLmTJaRrl+paYBW8jvVbkEtAVcyw+iKweL1Ejg99DfC2bmVxl/vbAM0w2w2iTjCYn1o6 -jIofx/eFxHXUxQWxTEOIggMwYh2ZLWTM8psOgcYSNam07dctq0xOhKkeeSD60020ndOLAZkCNmg/ -mJy+RflAqPbmaa9dlXzinprrRnf5TLqYggnigj7I9jT4ZXgAC+dRBycsnhZV3JRBv9dZIbRDzKKD -5kN5TQAhzQMeGjNpeq3tjaSZu1Md+tv3Btfst0C9B9EORxrW43W6fscgJEFVfGtJFmfMM71geDQq -hMp5IDjbXrQznHfL2RsGIKzcQipAMyy1kKUTGa6VN+ojIVkECWt8gBNe7w3tAcm26rqmuWf3L/Q+ -qRNj4AxvyQUcLTsm7FwJyEIHZAYA00UUPC4ygBkDQBlAi/22ab2PweP5TvM0H9OokNlp+l7G5ncV -sU2Tgo9T4DJ43PMydYzvuIyNy6ygoaGx6xuf2ekVerz3fR/j9I7HvL1iJlaxgicDISCxhDljhC+u -fCMNrk/PQY0E2KcmzEB5fVhLtHw6nTMnX1GyT0WAP5U0cwb4AXkT0AVAZkEDlztxh5UUtzN+CyUQ -XBSfOifd4NVpAaqnsOdnkjS2IrpE5nTtLn1qbGEFMgJuPekFTvSxT9Ygraexi3BmF8bC9YsNxAoA 
-Q0slOB/ve0/iut7j+W3TOX3nd33vPa/LOU/bKWhdRkVt7/pMCju2aXaZ2M5l8FjGXqEC13FdRc/n -OZ/juopej+sVfYp4Ba7jca6n2GN7BT2T4zS8nev3vue5ijufoXuaGZqZno71HZeJcz3H4xmaho57 -W8XMjdcy9YoZFSru/s7pGTre810mplFh43G+gufjWoZekfMp7po5IMGESYYIn3x37Sx2oIyA9QlJ -SHniDD4X1N9Drva9iLAdUKIACSUCm8EJVwCZHUCp6JO9BctAeTy/3WEEVeFgpw+BmgASqqjnz3Yb -c+8taPq3v4jTQu3tgNoX6e9VQElQw401Ki9OdP5gEySUcqDiEAlVAnJQOFdd7pcpod7G/b4itlHn -IFCU4gK+HLg+CQHUDJgABJDpYPrJGVyfbJDtZAE/T54BNUHgkwkY2UpPhcmpjcSnzoA0+ojP5wJ2 -9wocZgDEMhI5NzYyZGVlZS1lOTNiLTQzODAtOGI0OC0wY2E0ZjVjNmY1Y2RjZDgwNDNlNi00ODNj -LTQ3ZGUtYmNlOS1mOTBjZWI4YjBiOGQ0bWwxMFNWR0ZpbHRlcg0vIDoNL1hNTE5vZGU7ICh4bWxu -b2RlLWF0dHJpYnV0ZS9BcnJhY2hpbGRyZTIgL0ludG5vZGV0KDEwMCV2YWx1aG5hbTsgLHdpZHRo -eXl4eG9iamVjdGZBSV9faWRpZDJudW1PY3RhdmVzbm9TdGl0Y3NUaWwwLjBiYXNlRnJlcXVlbmN0 -dXJidWxlbmNyZXN1bHQxZmVUU291cmNlR3JhcGhpY2luaW4yb3BlQ29tcG9zaXQvRGVmIDs0NGZy -YWN0YWxOb2lzNDQtMnh4QUlfQmV2ZWxTaGFkb3dzdGREZXZpYmx1cjFHYXVzc2lhbkIyZGRvZmZz -ZXR5eTFPMihsaWdodGluZy1jb2xvcjp3aHN0eWxzcGVjT3VzdXJmYWNlMTBzcGVjdWxhckV4cG9u -ZW5Db25zdGEyKC0xMDAwLTV4eDJ6elBvaW50TDFTMjEyKGtrazMzYXJpdGhtZXRsaXQxMTEyMU1l -cmdlTm9kMTQxLXh4Q29vbEJyZWV6YWkxLnJhZGl1ZGlsYW9ycGhvbG9nMmJiLWQyMDFzM0F5Q2hh -bm5lbFNlbGVjUnhEaXNwbGFjZW1lbnRNYXAybm40bWF0cmkwIDAgMTFNNDUyKGFsd2F5cmVzdGFy -ZmZpbGw1ZHRvdG9saW5lYWNhbGNNZnJvbXJlYWRkaXRpdm5vbmNjdW11TjBiZWdhbmltY2M4Y2Nj -OGNjY2NjYzFjY2NjMjFiQUlfRF8zNjZFcm9kZXI2Nl9fN1BpeGVsUGxheTUwIDVSMnJlbW92MTEg -MTsyMCAxNTsyMDAgMjAwOyAxNSAyMDsxIDEgaW5kZWZpbnJlcGVhdERzcGxpZGQxYzEzM2syOzIw -IDIwO2RpZmZ1c2V5MjU7Z3JlZW47Ymx1ZTtpbmRpZ287dmlvbGV0O3JlZDtvcmFuNmVsZXYxOGF6 -aW11MURpRHIxMDJsMTAwNDQxMTAyg56ocq1GZkYAAAABBVIJAghmcBjlUStlgQ4SQFAYDMSwIMUg -CIAAAEAAAAQUAcYQQBACQABAMIUYMERqFSQOgEp9e/ewX9lKO2HBiIynuco2Sh1X8RhAVGmoy2T+ -9WlCpjcjQ1wymkiWRKvmp+hAYTS/xUEn6K6CSWdMSjSQgxv2yItrDrj8sRfDGoj7tE2vS1FG+z6f -Ayqo0K3O6ICVQCZIfNK+olp4e3ALFB2oXTqNaoxeyVu2wjWBBJ4iAwTqeg2MnGs8xcQa4MkNy094 -AE9AOt/pmICX0P+CQzr+Gm4/qZJ1Sr5HEEw1ig2rOCMnOnRYfR0wdYcrkn3D1upAB5qRvq0pJ72y 
-jHUXCPKiRg4ERL8tp2S9tP9OozeB7cUYmAiqrhhNLmH2FgGIOnMT6v7hiE1R98jvGxjOmU23Gqre -9TyHG0nWyHID6tlZabASCOoFh2AC42uxZ1qiF2xBSqQdP91diVdH0bhXDmohNdBt5eReLCSUcmDI -tLpLpEjL+lb7Yf8WfM4Lx4F8yUcPwCMCpI1UAymapeErW2Z6mZz/CiREFKE+2WqJ5xEPmYstXH30 -6IDxo+s9+iswuPV0BfKNaaOrBI1yaS3n8oB0abHyzPX7cRXo3LFNU+BGBLojKpvUeuZusGyxiUBb -gSeol+00c7IjtwMB6Qphcri6c6WF1jckn3iRQ/gLIfBhCav1QZcZU+cgf6BxYBvLxZiOuM3WTBDd -FzQkJgx2HJ3KAY6JweOOaH68mrDGws5tUFWzlcVB9/aIoRZWmBi63ZnNki4VoDPEcCD0VJdDD29R -UtRtIGsOCCRijPYgBrP9c0ZwsTjyWZndwXqktO6YeQsrPf+PqF5Bpy5Ex/90zZ6Auf+26zQfM8gE -3on/EgbWgZg8a4podR9sIc+4tg7bpmdiRWF/xq/690PG/tKciB+qMtedX+Ns9/tlyQnM/QV2Y5kN -HlAXlfOWM12P10H7bDS4bjttYtd/7cgUOYpAN8ZSNYv99XqLq4W/64OEdA1RWbEr4U4jpOrWD6Yh -iLtAKCkfWC8NqhwCdhbwdGWTBQEQJOvULwpbNTBxKBJpXwpCgOYyi9QSZpA5gq0H0udkgPQKIGH0 -mqwhU8ayZUiWmAR5FB32+vUILyRvjJLgJTRACYKNWl/PAILQwhFAZYD7LroBgW52Nh0Ol73BucYi -snQEmfqntipDsh1AvZL5SpRw1nJgmp1H6DhF21kyrgGwY/4osyo49ERHDcMRuMakKlbVG0ZDbKp0 -xrMYaukI9kceTjoV5EYb6R1zOLfVgezewaRhrQAcjs/6YPYMi2RKhMzAwULFPaQzltBgBSgQoCXS -KqbvsLaKU6CFFZe6ssxy/5VA6gXqJ2rIRDEFeBllaJx3Mk+5ylRYo9AJ64rsamRjhLjUVdK+yjNA -XXsZR+SbUeV3Z9A5c0vYq2N1KKEFhLF+uTRcOMXz2tEZEatSTW6huZIhz0+Wdw5P4EHoncozUliJ -JWJ1EiTtpEuxloW8rQB4SVz7kgye+gZ9CQu++Cng9+eLYYhx3y7rJutRt9kgbTUoTLlyGL25Q6/K -VVXIPQxzUEpg1Qb1ZuCC68ZTDRVLLzw6m7xwj4bMweYDqkGg8zEK/J6W7/7jm60lJFxqjKtygVUE -YW9nScE7+IA4Vd6OHnVPYgAuTbf+QglZoC8AgguQUSXy7oWpn3czXFVuYbZhRRfvjCkSfcxhrhhY -wSh62jhGj+YATiNrmYnhGsvRx6snfZP3URTU3dJ/5eRfidXvVWiJKYdBLCjgSzjO6gyGqK1V/oTb -6fLSsjomRblyizSeYCWlZP7yJN6h55ePLyUiSVRqMFbzZGSuz3x/SoqK/HdFksja6g== - - - GVAzKePsvKZ+LBXszhzgcr0POv/pTEwfOo3PbjTEqbobFDutXMwYu5qMhYHEr/6tiOtxra2BhK+K -I+XM5GpryEzk++apJx00I7wgSgOmzx3u5h7jOXEDoNmc0WFNeQG3KhbleaJlpA/LcXeu4Ytpn8Ng -/GSdP5qAxI2qXEbyaael7inPxnUb025zWqK8y457S9sHnRVYAhVHhKeebpD1/zHAgQkVV89b5L0e -TxARIqsqRUMQ0URglGEYW3LmszYE7oenNDHZHZiSGKklmv6gwEdAycQfagTYxiQPfsq79hwICGuZ -VzcQGSaJdXg+bT6nnfivWSrmzoHFGRKPx5KlOS8z8cPYwEbmMnrRSIem5kR66gaWbb3uUxquL14s 
-B9aSiDKXwSDlZrQVx0wHCOmEh79zd+acJ4x42kI/2R2tVsRtNNgLWOnWStIwh5VvOTB6OoLuHfR7 -y6O/6sG6hARhdUx58KEP79TbnuiStZtvKps+KhL8mWnJBEOHo4U0t7DzvzETYcDvwGROU8uETjWb -EGUPMdIEVhfhYKO1Za5eXz0vWGLkY0WDOkLDNM2NR2SRcPpHrDWKL82mwTYN4G9ZqNNlJj+kEEj4 -iLkRioPQs1/6Pw6k15Ms6hFZu3MLw4Etgc/TXmSuGVuHZAbRmdpfVhFT3y5uSK1z9kAk2Y2SU0bG -bzsecqAzhdFwEsakruWLba4P/GAu443N5oofwPIxWyRNi8w0Xcvk/AI4IatUkoruJbQ9KKM/5lce -x7oRfwbsjM/SYtjyd4TJpK26M+bMsvOPE1HFf9WLZKTb8iaTyDCQfJU7HQIHY3ASkAD0alOIcN3y -6+RwmCCF6jL8Hw9LQfYpKw8sDaMmsSsyMF5NCJSTFzzwVf8ACWRElKNPLeT+h0/3z0UABq7lnsgL -TfRiYKnvINscfIa8s60XrqMaT1wLFDDlUnueDdfAd4eyzRXFHQyjgoOiIBFuC87EBlsWV8vN2DPI -NohU42FnFDqk7MMn6wjS3AyXavkrMLTo+RRynhiGC3UWMlxWqHpe8XwX4kkcZgF/Qcgoa1Y7QQAv -Wi/3Ie0sb67s8nxh2FRXw+XvmfgK2Ei9uXLL68sN+RwRzPgDYdCuE19slT9II2p48gjH2qmUtsyz -yxpCvfEhOEKssX5AhKJQvHYybt5AWSqdCvc9iU31+4jJfg/n5/+7wsqa3TiccSiLA8NGU8wTuBdW -DoXhDuw0S0zRg2aVp8+uKl7cgqxkMteAYqm3AmuKSAFgHB9bXhRHkTK5UX4/XG6rtmGQhdqHc6up -LZtIE81WbcKiIp96pQYpgO+/wj9oeigYsPEBMQdUH5/1yf/LSYw2xOgn3+NlRTlLhPXJdxcAUeJ6 -nkykCHD45I8FJj1IvzRBa4YYmxgBKYZODKIkeM78BWxCA8qQWTcq0I4IAAaLVYupRf5uKJD1n0Wi -xfK8GH8k7j9VhRJK4qkZ+UQQEREVGBG7lQOJA00Dc8hh/N7p3BjljAZKPdKX7xkXDjOHc5cRRkF3 -xYXE4bJx4RcQB6uR07lO2ykSiMO4cKd82o5DJrYccc3kei3NbhRneR2ksrWu4UC0d8S6RkJ4hOV6 -/GHK0UDW+D4Q40CHI3EolOsRxIFAGg1E+UnFx2z4cQGBqCY8yIilWZ0/SWXCNeMCYhxEh/RPxWS6 -ohwISjPGwQCB5N5JsdXQXkmF+nxRjQsHafqMYhSjGIWVCu0l1VEJH6/OVIx1dTj4ERMlqrXV4wJ/ -NBAzFBsH6czkj0OKybYgzF50JlmSVrSjKFpRFS7Z/3juUfwjwjikMj9xL9hA0t4/H73lPg56yt8Q -79qNw8HpHwkxFJWbtKSgjYMoy1lL32iQX37T3oyYUQhvDYfcfxuIXo8amUlfrsnVyE0u8XJCpkws -ZiNnORtdLrGvqeTyoJZ6zDMayPc/bb5wKmXRK8czEiysDuiO/4wGabaLVLfrBy+Rirpz+l/SRuyS -OQqVryyfHpJYeo9GLcjVgFpW+ahsJNuuqJ4oaksrXypreY+0nOu35Ly8HPU752gjM4qRtx3lh8k+ -A5GwvRXbiNaWic5IqI5Rf8bhIzeNBc/9I/spmuHgw5+RQPoc8THcOu0kj3w0oP7elmpmn6X6TFTa -Sp2lvrcD2tSdgdj+4PHWiknHmHJGMYobujm9T7hHrjMQtCPH79IN51xnJD7bI8JAHLSGcI4/TYic -N9d+6c/YxxsHZUw14yCHlLZzNhPNpstmfyBqHERHsEvywiOxxVxiTdc98lv69NldpsWNcCD5+dF/ 
-Hw1Sd4zus9f9EfxRT90HQi7tdAQvp9e3/YmOBnI9hNePw8VGdpdxhHEkxIb2JV85LUlU5pXbEtyB -yKaSxaKVxJavUknzWg0GCPAMC/NWcN+ZfZ1Uu1lUI1uLRCX/ONip6nXCfSP80WAkl26VjlQ2EqJy -3HdHH7GP7MjiiPFIzjjI0OY4kOxbjXCPsOnk++qomhp/dnW56tcg2kbiTNAYKkCIoAKEBxgY+JkH -EwwwgfoBGgBAAxahggkMFRxgYQKECQz+QMmSFRMscKCBMWAVJDhQAUIECChIUDjQ74AKFjQwoCBB -4TAKYMAsYIELGCo8UL/9eTZhwoMHhwomGAUKDQ4M4AILEgoGCigIAShQMDRE8IAChYYIv+CCBw8Y -KkjwgAIFCNRkYpqFn4rBArOaBSxwwQUfu9/wAYQKFSxoYBAIKoDUBADwADZjs0FgAeQODMQgEmZL -hZy2l9jYynt9hcqgGwe5X5WYY5U4er5X4i+ZF7ePkfRDAgaSVP0JGKjaD3/Sfb2122yP9tWlrPje -M+VSLMTjxjqmM3lVVbLwJXZTHZHaCLUuG4dBHCpP+7C78Uh1vey+H1eDBBMYLBQQGCAPJFjwAISG -CBgmlIUKFCiwgAHuB2hgAoUJDTAgHxMmAIAJAOABo4IEyKUCYnzrysKt3Wwx20QqaavLyr8KoIQ4 -HKoML4HDgXEoyb20HKWkQAB4S/lCxqcttf59Pt0NGxvXmTF/IOBles6M1O7p7fjJ21uUDBgwEKwb -2rEtW+slsZyBntqOBAPGFwxEbY3p8jxiI5eAgbylRgQMRlGTqaSJkgcQLDBMkJCwoKHhAPkbCEs7 -xMn2A8FJNWXFCNVFHNGEYnd1E+XiQ9yhCcLUWispEYQInJGQ55EpNVaiahZ9IOxOfimZiDC6kUAx -1M6BoG8NtrZRMAqbuWGky9Wirm2WWqGlFOcz6/8oboaXcFbMGlsHAwTHfG9b1t1fVhuV7iMMBGIg -Vgdi96s8EDjfNWTCOTPqqwaBWUpvXlLlLjKdgTjUtNsMRJFYpRzzDIRg2gdiB0J+NxCiiQORA9F0 -2pQj8cS1Zyde413dObO6+valV+w11SjQJItiFKMYhY1iNIyiQCkO5X4viqJ28nlF8crnFEWOYhSj -ZDeKUYxiFLfThKMYxSiYS5ITBZDjYccFXcp75nMURnmUNhLZSjYufBmRdYnlRjEKUjxpHgnEAcVU -KXkcRE/3KLNHMYrmUWheOIzilkbBl7SocpTbFOQmHQeuc+FI7IgwDuMCjsP39FEUvUfVcudxoJYU -O9NHQrBHA6mqMbMiJalatqQV61pSWNJGAqmPivmKJrlzLX5VRSz6Etx6sXAut+zRO1dJ9WXGUrTy -YmK1ZaqsTcp196hqUk7TFq/kh3VcSHQqS7cpGRv9B1t7Z4GUdSg6dUdOmnQERXWyPqUHUsFNMpuU -06OdUzpBZLzxbaVy6XaGA8ET3iNsSqkf12rX5Ozq03S0jJrCOuMgu2gyit4RVM3bLeouRibHGUzs -RP1eG/GIVgneuHAYxSjGBW3OKkaRI5PTB7KRuW7dMXE37YzEmccFHFQ+LEZxHro7rnEovOFxIMOU -mUmcJx0Njv65H42VKWd4RmGZmTiCMw43OZ1oCneJhIS4m9pHiA1sdtMnpuVtB9l017ahNy+Py/aK -1XZzb8+s82dn2NB3hr3TcHsc6cre1b1TyWIVLZahrmYVth5rYXLyHudiHhnPUJcP+ZhnW7fIXZin -hcx3jGxqhIytyIOZhGaEaB/h+ZOfuLeG28nam9iFbK3J10fuPNUzS+YZFZDbVRCBuv6M1B15leq2 -DwvfSgizLrvWyl3Tsj021/PciInfOj7nE3OXdg8tufvQsG25bpWOs7SRb/eQN/v+u6dhVbLWLtUa 
-H/G1bS/b2r28Jee/23nfvbt8El7eGc1quc0obSvzOKnU6sbKfHZ6t2z2kxq/n6lrmXYr+9kb1bau -Qfgz4wIQ3Ca+GlUba7+mjbdtBUwYCARiuqlbqh4ACUAoJDQ0YFomsCChAgxIQCqgQAWGBEhCQgUH -VEB+CBYiNMBsp8K2JVudcpV5nNdj1SXL4lh4EdmWx0wRla+ObrKO+GMm7QR2ZrNRC2suYecRp82a -9LpofHv73N/S3pnSxI5cOlS81tXcTHpR1Ys16YWXTnxyl7e7ssYbCURaubFeqs0Nm9L5+qZqT/ih -vZ3MCdmU93zeOspyq93+uPqKpCMh2JxbR3aleP9R2nQX6eyLEYlvmfJuuRVpY7dJL5pkJzbl+WeC -tyf9Lyx9durJ//6RqIuZldroud+ZP7NuoV7ZJPfUhkexa1W0F8n3kt7Ymsrs171sEt72Z7uJbY5s -CofHUC33OrUYT/tpG8Ez/VUZ2aeLRjaRSY9pdFtBraWtW5qN4m5bxaTvv236Nr+qR3vDNfy17BfU -L+qRtrtWW8krKmulM9mvqZxW0p4Y8hb9RiF/tiIP/XLPe17+jZjWclVunmRDeHRHJn3xKd3Uky6p -fLOsVhqFtF7PpPdHXKRK/Do7OVwtyg+VijHfeSTkRriCUcjdGGVmn/JooyMvzb6RbUVaqlxWvrFZ -Z83eaE/fO8HUbPq5ju7Ekqd61CZciLJa0flmqncmqGWyxZe4o09ggWEBDBioQCECBAYUHDBBYYEh -AQhEAwxMYIFhARQwTNAABDCADFQwiknKG9G5LD2W36mmGtOaPU3n18VP/TK0UciJSSqff6PoRhNc -/odPKXzD+QkUIohAAgNyLzUBJn0reO8zWrkbsRXDFVlFahzdWsvFTNIVvlPKnE3N1XOyYevoFW6h -omqnaRozp6jOOFwm6+Y0JlXf8iCOFYrhjAN1t+VVn3jD2TsO2WpWvCPRZLrj8MtKRp0rHu/t4fYS -J65kjmCPg1xHVMUQU3JGuC1nexwwR645wvIcOU5UnhHOcZBLLE7NVc7mJG49lerI9TiYyhq1tq62 -ao7Dql7LSDUh/+Yi7xgWDyYOI6OhHV1HMHcOvHPv7RFmZj4+IB8bXZpHznpTZQ/fEf1uLSsKK5Lq -6Gzfjk7qyHFItZtSeyR1PmJ7ypysvKQ8gvtLIAJISKjwgDQ4BSwUECJUgJCvBxIqPCDBBAkNDEUD -eldeknvMzLsbRSLetV11vnVTNT/nZV0r1EqpqzrGvGPtRbT/RnGjOL5WMzHQqhzINA== - - - RKxBw7VbBePwu7KPCGBtdXdV1acBh9Cz0prrqi/VJJXa1+4NRVHlzn93fHd3iQ22f8N/+Wwo0J73 -rKvCaqupqoYrzBycvxpubGZkdzOzu9O7y7O6ns3MikXMzDxlZt6dMvOUiYeKhg1sL0Q8/kf86/4r -1eup3t0RD3/ZlKeqp6r6356WmZRoT0t7Y9ozcykvU+2qpqd3Pe3Eu7wi5WXeO6s18575/z9D1NbL -3fcVH79+a6hUav3atDQ0s7Q0MzMzQzMzMzM0MzNDQzOzNEtLszRLy7S0NEszS0tLS7v/7v67tkNV -u9K+zczuWkOtu2NOZmTjIm3P2u5u9+5Wb++OEJHz7BqQ7hruuBdRZDImUm42JGZnWyZSZlJm6iVl -ZhbJlJlpx2Ej1MuGUzx8qx7rDerveqqXO4Rn42pYwhvUO/zl/a1Whbxszzvr5+pysnVTWaWVtlXt -dSP/iIjXEyI+EVF1j07t+I7PGP9iY0MlS8YxVr0GszZku3FWLzY23nJjZidnLo5io52RkZH4kJAJ -l5GRkdEQkYd5hDszG7FRCbsRG/uSsLGxsLGwMRsJ0aaV8LBOVVlYtnWT8/Zeor7bdrDI67u747tN 
-PnsDZqZdrfcUta55vcvGfTcYKiqhKVtxrY3g8TFztS/vaovRiqv0EIiLhEy4iQ0NaIaGuNgQow2o -xHQMjcpoJABIAnMRAABgJA4JhiMCuVgqhwCA/AEUgAW9kj5gOhRIkyRJkhQyBgBAgAECAAAAAJkB -AgCrIAAjXwOEeo8ONelpVLVaSf2iMryGCB2Pio2WqH0/GpxJny117O1VMQLwj0qky6TR9UWqQDUp -kVzGe+MGnBoZhw4AxfpFOiO5Tv5KjGVcJM1QuaYCC/Gf88Ec2F3t9mGgSv2AaUMdjLc7jMiDxAL3 -IJ58LHXAbx183NxIrQNOCyRR+aE9adT12i6zRDux9PC8dECYbw0ByMKjJRbTCNR20rC8IERprHwh -IUVoBaJNPS2Bw5b7t52JyYLmqCGet7Cm85eby9vX0/AoxgNFpZ+H0+xo2aqz6OqV9tH8Znl1k8En -sJdXO/7b49A0vq2JWjv+q1lJI3OcJSGJMMyyjcxsQG7eqmtdMjkCfxiVZ+bXrU4lg4Mb5fSAD3G+ -dvxjBJSQYaQ6qJPYK1VoVgbhiQcBvJRSAiE47HCb8UF4ygP+86X5f6bpC2QurrvA7ai9gTZkICSB -NHRxKnbwGTQ9SmBaYPTCqbknM4mpcNh5Ks6aQCZOVNcuyNrnT+EHCZDQwzZEmUFcuStLOBUm9hlc -yPJjcT6KSdd8dwC0yGX+lihhHd4M9MoYMlhTg+gPeLC7URC/1Ma165f8ELfcHLgxI6lkUOpVVxJR -s7Ko/Z4JLUWXTge7aji2oA22TpLQgXLUh4txFJFVBqtg13ffLBUjjBC2UNR6xrTYeV7EjfUpai0w -bbhIbbKoEaxk1EAp6MBNRzgT5ZlzHVZw3p41caHtJARnOl09KFw/SDUJ4KGgWMh4NnZFqWy8Byg/ -Yu7OETrkYGKdiUKDf+Mu5YFuU01orA1ahPhOu1dC0ygchwP273L9+zcuvJQiruiMRfQWJRbcIgkd -DCCymbyFVDcjexNhsNrKucwrXFm1PWWciRG3XblyXGgv9C+iS9kEKTwRGmtEVJs0gmk4f1PDXg8e -FeyMQNeMK2MUlwikDQ0bi0ASXEn7W2M/bXr46NzqFUIKTiDAp+W4Ou5GDEjPwgNwLumApxtPK85W -rr7uLYpIwgBH8cL9DoVIgkziUM3siRWO45BSA7CZUUnXndR5RLjHvB9R919xfrwY6IwW5IatqGnl -oHYgrz2UPiiC5qk0OAjq80QE4amwu7nWVXLfywIncAORF7D8twSxLIafuw9POva+A+f1EvljmP0Q -EH6u/vRC45gqTJ+qTKg9ojpcBUwGvZIz/fmQGQ9ItLGXyy3l6qP9Ad565sWZGCQPqqve9ElOaRdP -wMjK3XgRkYZ9kvDTDClSzsRd+ggEPsAd89pbVwkA/97KyKwb6Xty3KFQ98GXBVhiGHk9lfd/6UeB -7MTw7Xh+HPmiaAxnB+aBZDTxrrKNt6y89qC0f4LqI40fnGmkrvCz+rMklFqTn99hi5KBrwQPsg0F -1pN/CtEF68NChN8R1L+BeZDznCEBugEkHiFVLqw+PQ7zy5AsEe3H8Lf+eYNmGOfDIdqeu3q7z34q -EkayXkyLcPQzgY0YMb8NiJBcRVS4SXd3PNxGHdpAKo3yn0OMGvVZlOaX0hCMkAxOKqB0qM+fyIDb -5HWLT8QiwWGQaNFGZno20IFX4dTRrAVn+xJxGpJCICkddM6Y7TPUjkMG1qDJ/hdxx+Svz9YMQOps -udEvkSZiyKWJr/A19uSQijJOw8a1FOmZKBRUm9NV3C8p1Okj3S0kbUXX4YuZGTQXa8HP41ohRDPv -55cO/iP+Dj+XMPOZk4l/0KA5kCwBAYRlfuXRODgbRLGopjSjZgqbMgeHYol0cVW7UsUf9M9NwKT4 
-GERorBOohpNNlLCpSvWAblunVHcPNdmo+JjrfZrjWp3VFaOsuqe7Iuw2X1xyNZAtKBpMyV0rsdJB -60e7isAUkFwJkahj9Svk4enK+XsET6JyPmKMKtdVP9qTx2yYTv5Nj8IHxGWXhYPbUZwrTuFH+uh+ -gzKBjdnZMU8iSIxSAr9aYY2o2KA85X4PGlOcy/jAIOvexuBihi4Z52kq7kxlel/DO7Ob79L71Ptr -bhD1hhzjpl5OzD/JRrEd3Zc8L8dVwMMy+/pWyw/klknMIkxlRb3tE9n2+b3J8GRNqKUh1LwEHxmd -eIKDdc0HEes/ah4VMFKjf6tJa3MZohAX7y5Vm/X551P3W3NZzBwToT5/5/vLBVjpAhz7A/K8Sefh -Gk0edAdG899i/hvPEV12Avnpc3eHpO3WqDuhURT+TLG3KMakw3+i/+uw/pDT+3pXpnBacn5PQ69A -7j8LRKtW+Hincjbk/JD2QJJ88hXvsr+jAhRrenGdM0qnCZDjaUutwklHdJKjBFggzqBemURFoI6k -96jVv7VlUpZm623Qjy8jYhbup4BC2wFATVqkFpPSu38Mon8Zid4ODCQQmq+tuQlz9c8kojpOUmcH -E8u3wI6xJQCSohXcm8n5GUKwa5P5VNPPdwpiHxHOBfjjEdq2N8wT3md1qh+ocovPCM9OIxHhVMgE -ADLY3pUpgV5kKZgyi6XM8VMcGNuXbAC6XtYuQPqzo3UHXw9XO+yO5LuRioqQnd5k+TOlYKSNAgN/ -3cIFHFhWk/dC9IZ2N4iRCdJckB7GXr5An4H7RIHgaCvfQPLjU4AvQ50ZGijas3lWhEyk8QxNP/ig -AfS6dtkuMCKkTDR0PQGU1UVa42iInNULkRfB4Mzfa9UmExgttILInRsibfLe94wkd24aQu2hEKHB -xMmjlDBvl/0SsSvrl8uHbyre5DDKRMQlSejcX05HSnaTcBgDT75S+CUrxM/VOb6LIyuO5UzRwNWD -knGg+VlFZPHB2f+OHJuLPPGOG9WoPFtfE1Qi3vBn5ND8XndkPhAGcPD6eXFC6Tyon/YO03/dYNd5 -FQ3bAs2c1ymolyT7d+htAhGbj40Kz9V4InaUtyU2hJ2B6xicglUYG2LI870Hn8R4fIcmQeaV8PdN -Pvt+uwWgkgO3ZP9L3mFyMpOEHx3VTPlmGpwpfS1c3btr4A+JsJOCNwc1vk5WGZGK0TuikLawNg82 -wUrzZJcjKeG6CN+Osf27rO5nUdB0ymc/TYxZR6m2BEhnjrDxoQ0Qo2BNSSTgYGkD8keQoDcedBne -5nh2nromAV9GC0uDtOWMm/g9n9Fr6Ij3qY9Dzxu1ThSYaxHzURpUAINNxJqQR8exHTuhDr5zGbp8 -xEwa1+35n+9yWAOurNqOFWOULvEXpU5czZTeZPkgZQMHFjTAhBTAjhPAIyR65KHQmnWWs+Lgodbw -oDLicyco7hh9Z8GP19o6T90WVV45MaVlfqoN2iNed2whf4ldqmIOvYAQnAdF8HlHM4XEiZHZawvJ -//XaAMgDTQU6t8sc/4yG2T9neKRDa6cOlBkgQFsFwlcTFErsFRsMEExgPCSHIekjT1J25xjh0SYW -T9k8nJMWLfrUWvn29cTQAenx56bZy4v1tAtAz4xxssJMTyqXju0fNiexA38m9h9JKFwhAPRVH9pI -rJyqEzsxIQ9LkaNwH2s5Rl3q/AwELlxD66+oIGaaFz8tbovaJSwvD0mfYvXtnFiAZoycMNIH412r -dvBjOFzyXNmWeSYvJCbWnRBLKf5HiN2vh3K55nGUwCdw93+YQlWSGX3+TIH5ScUguCJx3hyeaZRP -y9cVagTILqoy3ozjoqmwVoIPr03Y8joHA6i7IeFViY+5TD+Aq0LWYf3SYVtmEqDT5p5AD8TDRXYQ 
-nG/nhgpymKpUJBhYNR6dmlxY/XEKpfmOpUNeTceTJhajUb/c86jFgYCD2a4IBEU8OevmGnAG6kbo -HHDbyLSko45/iB9IlvlDXGRYi1a0BV/InQkEJjoRuOl43Vmrl5x4tMbfU7sXFv1KjDynuiieb+iK -49MFXMqIcgKcbGZUqrXd/b1Kx6LpfKmm6qvPkn5IFIxGxkAi3ryiBWmiUBcL8Up/3AnVnzlL4Qie -EHh1ciKXm2ldJyNozdfOgkOV9K7qoTfORGj6pF0UZwU8CVQ1JxwC9bRfWLDa0rHQNvSFNbZSqk0C -zdvgOYIG7RAPygsaFDEEF0xwn0IKXpCvkLrZ4+ajMWBoN/nigMpR5n3YHl4RYLXwuNmU5ZrXAiqo -KIoi3Q5lUm94ByXUEGQ/r6yTEFL5kWbLDF7Q6pV0iERNBbYF71kOPgtrn6V/rNBI8W/gGk8YgRtl -/8A9ocigDzt5O328inQZJUwVOAdbtEJhRSC8d/X5AoilHlFTLxMPpRl3Nr6UKsck4MevVIaUcK3W -BFE8Ch8KFWzyHsZdJ5a0o8ubjePmYsqaZ0gLwOvRNPB0/AQ8SKYz6W79aGWMpTKarW5v6Al7c5IK -Sjc4E4PqOPITwklmEn4O0dfkKX3rD559PoiYObn5DdkNVGR1UiYNeCeLxQv0DXnXpMBu2Rnj8brz -8myjISF3D9F1R6rbmejkzAUAcvwYilpNm7bdt9uuGcGf2wNkEXhe47TQuY/BypMX9IFUAoJjqE0Z -yLe7nYx7Hd24Tet10pHnvwAfSK+jbhb5Zpx0trHhgpPEzv11oCc4Khbh5C6D34nwMEtLhf9KWQjI -nvhrFgotIgYHoc5UF7ojFFNbn1LO+cM7mQgegmV4WL68hJw5L29g2HKUXf7LfS0uIxm8b7HfDcKG -QBffY4lPVu0oM9iaenvaGg9kQkqnNGProJq5MxBxqQlpOzchC5i9S0IJBUXe9b3OC6VocmVRGslI -ELyMcDlTQPOaosAGlOIoz5+Mh7QfpFQ/Lk5b5QmJx/T4LGL20FbJjrdOowPNkH1M3Q== - - - gwb8YFMMHR+P/dATRucsOBTLtKiOAWAYY4Xwh4vtHQP+QVbZyIkMlEyenvcR7PWm3xizbywkmtLu -1IFMTMLrv0rvmDgZTmUiDLjt/M7TWA8kZBrWCr/3fd2o9O9LwV83FUAstaIzoaA0tYe4iEwGgSWi -oIS0LusUN76BRZBh1fS3P0PPV0OJtLuuWZklyTCS58gIdkwaIbSK80DAE/jhkTKK6Zgk7xLrX4fB -7+9t1f0BzuudNNaHKalZ+OoNjbl4SgC49phIaQp8/fiGPq1i0CBn5KVmUor9FMFJOE/lQvjzmCyw -KrELhXkRABtoDTD9MJNCDmSDODgHk+3gkuLBeRB4QgDvF+IzHvkBMo0uWd/gE4Hk6uywEn9XIG23 -l5RmbbW996PhcPT4q3mIpPVPIVNqETAYaTao017v/7aWtZDJDkALsk/zyHaCZAPkVi/O+IPVQHAV -fNrY4SXrz7K4471rHgQrKICaxyvlo8hkQYSgISrsPr1Mb4P0Mc0zANRW8hYNj5OiVoRAcoJpW4Ro -qUVdKRSQckITMQ/2YoBgGtCOF/uLevFhy2thT2JdXx5TrMD7jav0UVuAeYjuvGpD2kX+Sai7UrW/ -ndm4qfuHSzNcJXe4j81eSv96qGBXoxnC4OURwKGsRPK+gDBPSBt96CUgng+g/uBAeNhrL49WD2Te -JGNu4aouTurmmMwAjf9vDHBsVY5zszx9cAbtIWt4m9glEdZszFi/zPzPm7w+cyjGPAJjbtKILS4Z -7H6FsTymcGI0ElxklkGeauoKadgsz3MNEnJMCwrbFJoar6gyKZiq00G1jWk0QJBEzlgunpPLF0oB 
-rKgL9IuxFMDp2ZJVtmH1q6wZ7hX9loOtqEDi8jDldo/K1+JroJ2Fbk8XFlXN5JGsZqdClY8UgIJy -VxSGFkm5H+PIhWor8YqKGMQoq65FXZNVD4d5dAna9beSGZeM9M+8+DQMpgIQcvmrDovQ28OF/1IK -CI2HuQWLyqn8nmBRYYm/A/tGEDKH5D/vepWtfQpgE1ZfqtuCW0ESPaRqB6PRARdbtH10KDq3rOgA -iXL2CqQJKDv6CrR1rSABJUOQljuIV952b87FZVa/zo+mmtRiKZwVFlhuEe9fPQwLkJDm1Dok+kf/ -3Q/AjTedR7+CgTM0MLOciwYHmokCgi6WYEMXriDH6MHvrdkKsMPXc9YBTpQx4L4TDSja2xXway0c -C9+HO0L0Aut3QAb/elRTnvnLAqzAClu95qJ/DtMKGPBqVrCsXdqiZAfPnrmOyl8/bzljh6x3r5eL -cs3GqxUttFO64CsASfHLr6C9OmoePauq8ePjykWbFznOY9UrYPs63Tnc1HEKjX9TIi6KYsKyyV0B -0hDRa50iQvZ0eMteLKBo3WKrsVe5o/RqbRWBmU+/ifpn8fqzt/f+D0nw8HQ5EBanu1YYkMAUQDe4 -o4YHlbTq5PTQf2O5F1nNWJBP7l/ZRQsx+thT2wDBgsyhLyn4+KOLfuEs8R8u00VDwpSG6lRm3qMa -C2RnNS+PXYZiPOduEpw+syWETQG6dlX/2jbekOl7ILXT+wc3/8zFubgS/kt0sKDfUnz1hrTC5B2q -hKHNGNEMmZ5dNNOvcxqFFUO76MoN8b2s0/qg1LsrCpvfPQhdffEeWg1k75HKBQAQxX8TdX/1A2Xn -+N03VEYEgO8aUAqJY+LruWQir974nrATCkPviN0zINvQ5frAeGeQXR1pQfRZvQFeVEZNpp+8et7a -0KbULKZWSgvlD9XP/Xb1QsL+Yf2eVvVLxGd3o/uOlLDzjfQsBtv5H7bLF7R9xx8FYR8WRKOr+O4x -2Qsz70dgMfFMAK8yDnOf/ITkORxPLpkd9Z7we2IcfYSLFaCkrR2GzXTmyrRiKH7dSV/CPDXZ8NjO -sSxKSeOfey6JxG47SoqpAfVgH1T+E2lEvnUX4uauUVwDLVLV5qXf1vIuidzuJ3FjdyyvAbz/CqtL -UEbDhzSW3dVg69pIrdeZtzykfcey/1rpT9vnPkMqTDi3sfYsLbGCPzy+2yoYsZ8XeGmbyNJYtDrt -9AjcDDX2ErR6SnXhuDGBETAwgRQaSEvVxNdIr5uRHtcCXQJTRGgThn0JDEJ8CWQa5RKwt+MS6JZJ -RfLyY99Swjr3pyC8aohdxuMG7I5nBHLZ3RJwlrbkWAL7QbYEUghkKEaQcgpCgSWQsrDVX3w6S+C5 -kUnqGkYhTUNbWgINnlsCawCP1JeweEaMnQ7RglgCLT58CeywfQlszlqcgwT1HF2LGJkv2T3jJWwT -D4NLYLPMuQZnzoHBAVmto5JGVZjQiswEuriWCewJsALY82YCWdUm0WUCc+Kjn5HM62P5XmBpDGJy -7ICWQAsp2XWWwM+yEQjZdy1RuDIdpBEbgSeNt/s1jpYRCOsp2wKf3wMBTmSbRYGlcwn0cJAyGQIZ -tGpMrdlwI5T3VgIBPCA8H5TMPAKLZWQ0N4JqE4ijKoqtyHRaOUy7QnzK8oB6ET07Amnzfm7ZBRc8 -Rt+H0f6qngqvUtnPjECEMg5cZa0VRWzxcn2ZbhytppveamnOI09WTlEafzuKxq0DgOE6brCBqF6V -+qoLGmZylEsB1KwEDR15tLhAoCW4OoSYRcvnd93NufXXlg5irUfUVGNyq0+pD75yFqk8VXVzDeds -ybc5ZnvpXxbSRRffNzf24PBpqlrM5UfUAQfuPY/3BaPIdBemQBtruNHAq4vPvFhWGuX2tmpi6IYW 
-malclpHqSEUEH7lxFRJcaPuLAJX0YWA/afGu3qwwoI5vMMAnK5yWaIqtjo3qYJh6geUKUv2GlQKz -FNLchEEpMJ4XafZcGHZEKl2uzOD2eXIS5BJewihgt8msoEERSCHgdcdnbwzvYy+bdiNJM2ZacrGB -IftpL/GOCosMo2S1NvjEkNBpBmx2L1m4wTxjzNiNXjb8T0HAudQas4blJlia5l/nB4eFM1Y6+q/i -MjIDoAWMCGj48grtNkkmR1/DWJLLIFseFKpFv/R6J18v9mjqzuuUz7UMRt9v4/0+ttL0S734jIJw -6ijl+4yDcBdW/XWi1iYGzVtGbbizN9q1q2KwJwmnNkB/Bd0OcVJVYTLNFoIRsvBSzghwhnHZo5VS -XUNcYSnn8/lttc5hR9tBSV5ZGONEHc21PNC0nXdF9RaUKmL+j4wB13+EoFH3+5lX4xhBPxx50+nQ -YthzSVIUZEYgyXIXVd8WJK3MDvnRM96YVQp5nCyLPgTEpbELCySKZWa81O9mtQMBfU1V8usHtKnF -rT8NmrD0lQkc0EZO3yfOAjcGdwM7C5LGl3t7giREXrSgkjqZtYodSBUlQ+KzC96NK9W+BSZxO0ak -sD9sF2PwcVOOFHAHKMB/iMgj4J9kSDfbLX5Y75iysKwph0IhJ5nsOK/kSM+lJ2TQc8w4jHEbljKc -wMAPCojgEGdWuZuCaF3hfU/7EtlaUAPyJBbkv/RwSs1p0h6zEADd1tWhRgXsfDKszHqmlhCNY+OS -J2PW5KO5az3Osk/SJ0ym/Ch6SPBjCzzWFh5+dwFaDoTQCVr+8W6ri63PYi12rilUzML/oD0WC6tA -ORSB1nAWMwax78q25jst8K5/1jpOh+GxkHUVN9Sq5SWZIRmg2JdXHjPbGl6MtZNxI6x3PiSUqaI0 -8KynHZ3FsgQDhxOJWgJ7XoGzjhELNcz/upBIXplJ5XnW46zUJXZTabIrN9Hj2tbpZvlXE2wlQkCY -/wuf5OHrde/tqV4yppzQDqI0DJvzXGW6e+mYMzxc5IGxpnsZeFsYwBcqaMEhXugWAPtxR+G5GZOy -qTac8aGzpEfgL9SzAcDU9F/Se04MpetdXIyCJqvEvWXhf02jPltDC4NHv6O2GNjm5ymy9zb7civ1 -OLtCedLuH6OfCLR5Nqv+Zyxjm0k9zHa0uvoWcvZwkJgMkqGZacO2PP0tIWmhJWo3YwJ50ALiFJhK -JF2BH6Zw6p7+LIKf1acBDQx+NU8CsJhGVAKTwWjPYSxXMvKNf735QHdNAjj4Lwx0DiXfjQiYQ4i4 -Der3xJAMbLbp6MgSugfEvqAL10+oNhiVo6xNSUyZnsyoV3zbcLaBa7Pm3ojQYsEzbVahBQXAKfIy -G8Ss9vpKcRpaXjzIGJO5e5EoLHarK8pfBAPsUU8YZI3ng/XYZX8xSvttr+aGCEZclhTebHElfFXD -ItLEGu1vuLVG0jplyDkwKqwQ+AcefrgTTEqBNezwfbfvvNKwJQDmzJeJwD2A4asoDK6O9ekOOgHJ -LsvXYucXKAHX6WlwuNmCzll28Y0y6jK4ZhmbiiqgYb5ny7vLUTs3VOW0uORFvmyKO7hioU3zTiae -xOxs2C7NEOQ3X9xsjXFxhSnjftLT6PIKDZ4TqshOhTGcr/O0SplhPQGiHHGkp1p6nip+0QcHDrrq -wzRhVz4+Hy9etj6dDymUsJq2S8NuGla2uRwikEG7q5mlnMXRAj4LZDMeav5LTJVmRvz4iP4nVds6 -SqsD0HjCUDu25FuLZNTbTeADeufuJvtWp0sywa3wS1yDDOVkRnTr8a37jOIDCJV4i2OoGJ2SJqBm -+0QmBbmqwh7jEi4qVdx30OhbDfx0TQ4CPDt9FOXz9lRs/Lda6SrYTqW9w9mmPUykxCAMe4WL7dZK 
-aHCp6VYzsqWhS7sDsqmmaNh061xvrHqY7NZWn3FFdzHktX2ALnFiMRXEk7QaZlgK6yewdtxq8twz -Os0ScikJoA4k7nP52Qh0OzIgNhmW9bnV48H1l49buBWwHlSMhJ5PXG4rlfv20HggntJmRs7P3Fbb -VCTjtTXo/S7a2l14ZPIxeroGD0RfFzC0lX995fZBQoIUyLs4ZytQqFV7zEs11zNTFNgxgWxFj4o5 -oKcODumvICSUTRy4mAf23ipQ6STkqw2XArpxH2kUgzooVYn4hosqScZ9CI7RUEHVXDu61kI9mbVE -HuOhFAEIScwvk/18mRDh7cQ4KaH5dwlmDZCHbyqdc7bJmVwder99+bc8JZs1c8hlAfizKIQzOopF -5FQsPGkS/9Up8E+oOzXsbGNrs+yZkTDYanUli++YSbOLNUFtTEHY2hIvgE3YavsiI9ha1kK2jSfU -myZGu/5LHwTVQpsVpFXksT8+yash4m9pc5JZRlm1BBU2pIGkkUHWP7pIe5JxC6Fka6zHVYFIspAL -J1n9JTnmO7knDUsyLH/6aDZCl+QwuK8kI2GK0HJLZH4yALdI8pojf1HPe7z7Qmr/xQzLsjBDrzTa -I1ub7zTIQ0LHRzKo/VQjGQRqJASBPZJdFiniFHO7YNFZwtCLZESx5kZbXSQ7Y6EESCRDtoNInYTC -5qpJBF1N17qaMW6PZIyosNxjQT+RLHvVBzIUrUwMEpEsTB1P4I1iSxgYz+6xHXWGUZ/+NdTr/YC7 -WZbFTZnGLnGqA6wCItnfA2cvySDdq3J4SRbEJBLmt5W5mC6SKWJjC/+VoyRvV4AboQ== - - - XTkwCtmoGZ1kQH8ud4WPkgw1Gc2r0K4uNtm2W2tAdOM+kzytSghPAbiEl1Ioo4ozyROnkd/mGw/t -R8PGosyUfGtTUvKdp+2GyhG9ExFUKSWrKVmURFUptRgWmbGxtNRPMpyJey/MDW/iKHx3kjzR2zb8 -qIq6x2qa3S2S54s2TR1xRbKJk69JptORDMjEpFzv7Eh23SuOIWGuCloiHkVyZtIqBuoMnAFTg5OT -RXKCncdWvHOc5NIJihYsbHHUGLDqUA5BkuVfCZEkm9a/jNiwAS+9U3K0KhwCS7KidmvpvrH8SO8k -2QZmjNpLbUvyyJ6Qr1qmZEEKI0vGSgrBG1lXdjtF3p8JZOUoYwj5G2RRYKRYHNJTVgn9NBsgFPws -inas2KL02ijSIROlRe5NKMFmPXYKszfkFBPULt0bsmEIiaPxyeujX8z00TeAHXL+Z3p5ND1kOXYB -YznX3nCgmrFFdok/FSIjm4MvFr8Gmtzz++zu21IdlrbprM9QauFx44LeZxK9VXnDgTyvUUQs+biF -J7ODETq5H0JPuMEtKwv/G6CmGpkYfu611aun7L+Jp78DQyQS3H3QqNeZ4vyh1KybJEploUDY8Hzx -6YVfCknrlmhzVr0BBrtOdaCyE9cU63qNgchiOMOKYAsqw9Eiqd/eQ2fkqpGkkr7il9ykhPJrOyK2 -roMAZsPFyLaXjo1oG2FnYKg4RbtL3Ecb6t8jDf1iBJri5SnPTtjwdBHbHIKSChjsmsXT8QFPjozU -RVkAUR2J9qgT14rtwyqEuDRZzNoUx6prTJrZ1ny1KAtUB6+MUZpdZOrTI7f6BI3LgLpwigBWshT8 -X9dM0h+gcQtRa5eFEOBbaSxu8rWFITlt6qwzQba9ekOoyZ/8OjjjIq4DoaHJeroFJ/YlLrY3ymNn -SwJ1zDXqJMTmGUTn3rtREiDJsgiznemD3j9tYAL/GDNim6S399aoSoAD0cWTLg1rIVxfS+/l+3qt -9UCPidxI3RMSJH5fTUjDM9TsuEzYLV/363nqClK+54K0GVhv1N1aWyG0+9gHYl2x3kFjVB+mALxM 
-/VXGzyxt5mnlLukBfseoKZgz9mNq8wcyXduDCrSzDpsQfN1yjIOOgMg0ETbUpkPhVIHzVYtqFNV4 -byPsWkdaB0BtsPbifHMoE2FO4UXc948VMxrPQU2BfOA+kHKBVRjjnGSdW9F0kchclfanM6q6KVpG -CeXIR6EtEG5iNFevOySB6lHumw2pghEMHAXgjk5DyXqDd63sMAnPggMn7v6ekd+P/uAaG2B9QMjB -B6m4KC04fizRpZrMHr5ZRV2+AbAIGryHRAmODd/konnlplZN1YDVLCLItHcjLqdudquabFFYXTAz -vIkT+44zUQSbPdkudmokDIZBgPWJQuEOnLlMbfO3uDAxFgjPBwte03qo083ZGM4pHlj3Emb9InF4 -zXiJaQLwTcsxwSkGlRNR8WGjwCop2MXJ4MsRTnzbmP0Bx3lq/ks640Ar/3IRD3LwgjK8zxRsaZxW -pNay8ejp66M+kcfwAcRyCBTd2MexsugheqGREhSG7pzeU7dgmHWwUpMJKgk7FZgNwp2kkQe9LlHs -S0QGMl/eeHCf6uaNaqhoF5xpgBga9YV+bT3BdX2h+WZHgyc7Sh8W+JqiLLNe3Vjb9exeY0VwWclX -vEE7HUcuzZfFnw6qeCQzhbkgoUO+djGZIJVQSNgUZi8tpU5sD3h2cDyCoSmj/rd86BFEYWZj/4DF -6HfplBckEsZisAlM/HY3NLt4/mQop0qBrc28JYPjua/K/Jck/sNb66VrpEQa3c80K3zL8Mcc3zNF -B8Ju5P61EgHyNuK2LHUZPEBkQyKJxkiJVcXYJFGrH1ilKdi8EpyL8Ssw5tTwX0C3NoMSpepCSWYH -2kIAr2Sqmn/hA48Ay+F4IUCsH6NP6cd8JkVgWsErDSdWCKInDdOuo0hZfzfk9Z9t4a+DxjrIi1++ -xi+gAJbZHOaWALouXJqCDruMKZfzYS0Th+38ixrJezx8id1FwUaBDqFsad09H0N5EF2Senx1tVe6 -Pi+HJxDSUgPfWoB3628uSJ4XvQwvtoQSx2Zd5hNVHI9E1XaEODAEKMVGepOYRACo/4oJXQNHTW1P -D8M06KJMkRDuvJLw4nd/kxmROgmxITMG8+0rYV3slisUB0liR8SP1XYl9WkfSM0Vtn/e4CcDtP22 -6t9JXKnEtQxKM8zxXp/N6vAnGEukRTHlbH1msJX+1JPdcGMBEa8nP+ymHV86SZOq0s1AGNLJiv2F -INi7yFoxJSkf1LaSNh4BU8aGwkSZfnAa3vhnZrMKqTRt6gSOwJij7Xbp+lORgro1OliraEJsiQp5 -uuUVkRLiqSbrsU6gr+pOrhOVWk/DrbJDZiFs6sWEm9eev0+RL+hFLjsmm4ki9d9/iCvmJJqoh9Cd -b8tRCgne90RTAjCDy0GCnKR1LH/y8WUkmQzODGX83pd/FyvAZBiY1Wt/Tc0DinYvLYsbIKGk9fvL -7bMbUpBRxS7K6fuEScRDVmhz9btB7dwPY684F5GYXhySkGf6m2CBSSkFsNFr7c7wXcQ1w0MGRM/3 -J5EGWl6dyYjeepkh+GJLCDXbHGQ8h52LulGdY4va9Cg03wjh4FKe3BFxIMlJm4P5brmYYlTTghj/ -q2D/UxnivPEzJd0XPwgx7VreKfjhO/w4rbCIcJ+x0OG4GQjdQqse0DJt8Kf6AeurJvOOe6xWmxj1 -0vlWpZNRab5NVV/uFSXysuPcKwQmSa7AQRi2XbnZ+CQJRh7+KoKPn2X0pbMysMBEDsiQNX4mB3Nj -o4aYaA09lCQpCdedsi2MYy+a0hhg1hhDBaysprQTE9qB9YzST5WQ7SxiC+zSsUCAFrOVV7O4MpzB -GVM9QDdobN5gQ+l1+TIiWfSlb7XeQqMrc1pKfg6Au+74zq3btG1qy0qwI8nQXMxa4GlG5sMt9MlT 
-FClPYEp6Stg2KVIFHezPjoGWLjUx7tG+EDwMqo9XSPaVM5ybUgZNK4XMBsTmY0jr+gDUl0fojB5M -YgUe2eDqipkEkFFCmxprRTUVRT+wmzaLmovrS5LRp5f4pp83M9WhcwTncgI3ihtqMUgJRjr6Xzb5 -0hWFUKmIRrS/ayO2JkRSEKc/VSEC5dSwBCWLGMEsFadZsBYs2WDP9XE0SDY3H3Y+nesqtPmIuN6D -bFoKyGx6XqndaWLxR3QOLU/27rzKHGMd3Bv4KiXcjiAZK4SGKGGOJrNDjiJJe8E1xIpwgf3fkn99 -Oi+kN5Z7Aq4pgrMBLBRaXLUiQyW3S2SCkmvKcLYYqA6t1KWkdBIzkfaoLibZSDu4emIXdWBlUQBe -+jRPI3E4GTideIE8X4F4yalbk+VPHFnlyPTbehRORWnYskXE1PSxMjLrm4WvMVcxpwr8GZvVMH/f -Y37mo+Ddr4ruDE1t2tu9682vOvNM9tmpryR6RlOfxDSeT4gnMJaazPeUwA7JGJY5DFFbQLL173ZY -Lkr558I90Ewx3rjXZJV/jKc2YV5OU0PDl8l7AZUnjk1xQWIJjieGuKz1HPzvokDbrAtv7DPFBcnz -pU6JBGs9+SLyMXrYoyko31RJfEHX7MxvEcLcHel1XNzppDXpntgWIrbs4oXhDaR4yEA8fGjcTgY1 -IwVrPFEURc5vlBWhM25n31gxM7MzWweTT9mnQIMNuCP+JtCLhmD2kCSbNsS++pSVm5hQgphy5osl -a0iadxjaZmjvRXtxZ3e2yDPQPtYgNy1XJwY/7y//nhiEIJOQ8/eR2E/GHm4/WvZzbYN6+pqEhUCu -L3dZoEl+rf/edgzjNis7j1/enjs1Wg5LI1N9ipkgkNR0EoB/XAoM2tLYS/gEXrG7jJ3jjc5TsL7J -+3jXiaZC0+5bnk3fwM8c3KccxzvnzZ30PmT+UUTQZzvFD4BpvxQB/gDqGDhJpItA+QEeBaEDQb+z -6AcX5HbWZzcNLDN98uTBOMn0fFrnI7lJQf2hWtwscKBDEkn7VAvEd5q+onrIBfv1NSL3Tu95hr1y -ZZ4VVpt4Gfd2KY+ykREEnsD57xPg3FLeTu7WJ8T9HJljgv7rN6SGMTh2Iz/NSu++TaoTzHfnvkkY -SPy/EOPh+vopdra5XqC5fnTeXs51r1G/EXqU257ElX5ARUcYYGDSEEtNqhRlufaqbugBy+hnUJow -5D3tiws2EXYCOun1VpQ49jNZFv2IiKO3p812njRDiPRaO2Kw9xaeyEo/kI+H98zDBj7/7IHxSs0r -8cD0w48deIfM6/IfQ8ErQwXgqCczANjI3AQTXuDVvxAB8L9x443C73MUjljIbtzchRp5nECCMJRi -dQXIjNQJ2wZv5JdxUBbHFncUKpyIpa1g95HxnC2FtsMpdpwI6vJHItOefO6PkyF+G1Y8z0KgnS+l -hbwiHUG/EBZVk3MKjWhzVaKj8grYQp5usid9Bq0VvSoZ3KCH9SA+f8ErKRjNVaZMjsM6HFXl16GY -KMDPnrXIjtbsnUSNoNttQUqRNd9UTLczbuwXi+uQpiZa0GYQbSvvCZb3NHnHVqqOG+Ndx4VLS6Tt -0UntmHTBb0dkQKqk12o7Z3jhi8ya7diSIrw0xpeN9OA2p82ofHZNU93Db2zZlGI6EQZYAyee+xTt -FWO96J2IMi4gJRT440vww8Ww+G+Gw1cEcKvqJQFVYtzAevrlRzSb+zTqdmOda53J2LCLkGx/KHB7 -CoGQBMgJZ3nGIvjzJwrYt8+SyTnHptCWVUIx+YurYjimz1kYfPq78lv1wtwgFek5OIMg+MKVs5IJ -4oFiOmcrAidLexepTUVlfhX0zcOcBUxt19cfrcnIUFFi04gN/FvBpE9hZYNGBP9IYM+2R9C7l6Qc 
-vK2iXvttewsJgNQ51bw3nS41kdAjytlzRT6CQjANsUXtzZrZ76DhUWlresJFiLO8IYgH36FgBm/e -3/6WXUmn24s+i/D6RtxVMUUOzOMvmzHIMnXRb5L9OKmBErpZQ5lal68Cg0dtxjCoSqQqJBnY4YLM -UyPqXjdklBeaELo3RL7ZjBbsQrizKoFAUDd06694V+DIewwTkiVTXQI+4bPaXj4VNevDZb+FqvjK -h9TmLO3ncw9bjCUcq6WnSML/1c35ER5ELsmZKdo9pILNDgn5pkyS71TUkb4gL8hzQmrLOloJs3Cm -Gc5aDTswgtn8qA6zDj6G5gez17o6iBQTBpDhaWelxY1igGCsMhakuL2JXYbSH4ZMiKlRXwwKoJG0 -/F2Bj4EvNV4EnfIeJ658gaN6O4DGY6a4xdaP+bDFiELi2Haky7s8UA87emSDU1UdIzuMbOTwKsvA -zEt/vcDjpuj04A92Ii8uiqDJkrS6CzyWQbarHH+MmE0l0Oimh5H1/KdbwmreFZKMq7V3s0RFFdoD -rx2rCISR61ep0Hv6AaJWBCssErOnmWDRaimvFC0tq3BdfLUT2le/DMntM4CDY0ZAgA== - - - uidNnL6OAdTp46NBPUMIso57rpEKxylvc22EAaDybfv4aPWSyWW5pRPb29jclfBxTIY4JuAm8LZ0 -p5hRSMWIG21i5h0eSlGu9V4TxyjQky/5aMNo982TvO82OlZEz8JlOvSLg3Itui2eAEjRLHLoN5I2 -z3sR3TMg6ur7e5ROmlnkYROXVJFVSlTkkd5CLhwUZR86I1gc8rytywQyTU3Z/sQN8w8J7dlAWTb9 -EMSNAKkyRlZR1GXjnNqQDUPRvBpI68RnCiXfigeSaiPWUEZbf1iRDjuLeBwKJVgSTmaXhke1EurM -diLQQW5xVWdivm8Q4kDtag5qilpp/NP1T95sGrS0z26Y9BxPr8XYRMKEiDVABOtM/PQIAWotSaGt -/OwW4jOEWO8mKg+9t9pHk2MGgZWs3KV+dLcl3dl2q/YlAlSCNmQz9QfBsIW1BJ70HpKsqo2Yup6y -1cZKuOfWmR6MXAQIAHf2NeIAkQiJXGaAljgQbGc9UAsxdNHSmJlj/XrsZfefttuVc8oVewhqR2jX -xH0g2RdRvG8KvqmpR1MCS/wy7DMAEEuM3ONwu0oP8IJh+xskA0cCYZyFl6zIpWBNWxlDZfhAbqBR -zVZFrQF19d+W1KZ9w6nGcgJx9Tvg5i1x63UQh7Z+rfOnNsp4lvXgoc9QFauakh9+jLv4nOVilMDr -2MujfSJceNl6LqZj7U91HuK7FuO0xpb6hP6gc7ABVNzGmjRJscSblgq0Fny5ORweLgV5BH6pghG9 -jWw7JdD7QPCVQfIn3iOGO7/CUre0PvHagsdY1K6kkQa9PoLs0amTpzVHCpuGJGCTnFYKx3XXHtrJ -54k+AY7ZkChyLkRrXEpk5lqVLUWmFaIRiJJISAq8OHtLW0t2KOKmZOyeb7cMNaR/5BZ/3oWqZZLV -2ei+GH6sD7Ek94KsMaV0qkRCPZpoCrU3L28T5KPHuU0K+DKFJNon2p6Cllrbefz6mwgfga5LIwAD -6EQ7ihVUk4boKTTWO0gcc1oVD2NfQ9etC/BskYD9LW07LOkZBIefuSCTH0HPAeYlV9r+COVEmJ5Z -JDCW/mo+dF/DsZAjcJC5aKp/U4ETISZ3yFpVBPp2zq0cympk+F0jci0zmmzySOT2B7ffUFkj5EHP -JVb7OGTO7/6jTfpb9rl1Ji8rRHAzT8z1Jf8AR3dFgI7nCnzsdmpIzQURTSC44N6rqQhQitavUquh -Wf9NykbwkEFatjUtB2NhDnOuJ9D1RQwkAMGytSTmx0MwkadLVT6IT1+cdMfU/in4rQEKRFbNN/dV 
-hBx6L8kEfN4wd+C4uKYEn0Ovfm40JeNWCKv+4YpPeY1+GcD65T9QRabuhqULwCcyiNRgqXftH3FB -+mY+3raz6nQlizbgQrKpgN4ag6k8NttpXhOq68PIGurxvzjJSumUzoMsqCLetLGRQLPQ5NlsEHHN -iRE/aFZrY8S5rXakL2gFQoJPfDhWdzKGETG0vVFzZbROc31IYHVwjAVq5GlkiexgVQIgyuXLhdd7 -2Bv790GZdQn/jLfnnuDjZ0coLCgRImy4O5F0ZtnQcVvLVp7xDkygVRjY5FAxEyLfvvBeho7AmfoR -pCjiF6Si6KRs+4H9ZvFQTHmGf66KvOk+4oPyFsSJA4tjk1ozj5QMvEjK0PE2z7dakea2ieGQDwHS -qEZt2Qmdy0bjzWaqSKRXuAM9XVE+bsbpKWqZ7+nLhiYmrgIgofM/kGuptKGu7NafLINZJH2gOh5L -0Nd1Xa5XODWaarewD3M6f+AndOWhOtgvGOK4XRVT7PvwHetUOPCUgmBZ8p27jo2wZPAkCdCpeKlY -/wQ3tAPv9MSfL/GkqY/U+6LPNmtdrdguEoLxNIPoJFya36IVux8tEBQFNJF17kQ5CRDkZhJcN4fg -CRhEgaTQOXwh8uOtPsjYBCWTvObgvO6vCQhDFIK0nTRUDdOZK0A2bOALkaJ79Kzgeo8r3z5agnl8 -Uymc6FkqAF10OIkiW0LDHIKL0i8ZK4PCXylghXCqkEiJ1OD4pKPLmgPByxe0jYtSurlt/JKccwp0 -4IrgRlWLjl7E3HOoaIOv9B2UU0nBJO7P8yoHdCBt+xB3Hi4kuFPYxeb+l+arUfXqTkGou0siWz1G -Jk2sminU7xyF5Aarh6Z6UTLpXUmVdYyynJHa/QDhTXbJbGgRjGCANlLnoCJJAXPPoFbatloIouEl -d0+JVmtaEsYbvvJgf4Mani3AEaYUnMFSQ7iCaTuBa6GaY/0aajPKXTgOib9UIcH/4PSEnbTsgmYT -yE8gAaQ7V2DefPNkDtBlGC5PIYTJgyIh+iVwlyYiQ6PJuFUwxQ0mjNX6J+Uh4huGdPjk0U+XLAcb -0oaW7Df3GHgZY1axlHDf4e81LwY7zeGPAQww8TXGQSPJMJwJ+6grImvFPgtbKemqjbKsPYwsr2C6 -ZltAF4WWe5h5U8ZcLwAbV+PA1bxn3dPGb/B9VGhFJ6uVlJ119JgjfBjWU8mW5z74b10MpSFpSxup -iM/IUbvuYtkvTN/hq7xf7HyHV4avCBrAByg5zLC7VCuKKxcr9pdh4rY31kmFnr58Fg/MZqlJ7Cmz -oi4DhaNPKTmheVJXk0lBI0DzJHEgQ1wxWP+/iA/Wl1ISQSq6/P2AavPmD1AsfjlVeXzqg+s/vYwv -0IGYpXBx5mg+jQFB3IuRgfj9tBBMuaCak193z/oFLTH+97anBWhlwj1FEI/MzQb3WCz+aNGNEBh6 -9pSOnwS+45+RJd2JRbhTobrSV8YP/VPC0GnxzIXSNytmNtwDy+/u7bRRR+tw1ky0YWwj5KCqIvJh -WJM4sF4GnOwmuZMK6Eo6oMg0/6KAvZO/zj3T9SVJkAugrsxe2c/6qMbgOij4COIDnJq6l1nJx7rN -YZFlUf4RfU2nr8LDI2IkkkEtijHGaPwPRNvHa79rmKyofoT1PekoAUCyqiUuQQsN0tbjuHpxoaqT -CXjD1HE+3KYT9HMLUIiC5ZtlMn297LUCQIyFqjnbGQph/uGnTWY73Pxa0LJ4rg+L2tiPJfgn+znW -AUsYd7xNEX7Jc2fDXgbfGvtREF5HKugLsQ9V3pIABU+/KQIQR0PjgYfP8pZWL9hZ7AFi7i+B60c3 -IB1MmjUSEwmv0QygIjUX4qdCYBs+N95GzvV1MEyhFHcKJu40bjgupxUcjiXsjSZvyXK6xnhlacSZ 
-ukbSfLGJruE9WOG2LTcaE72t55uZ0B4C/mgw4TISfA+o5E7ldzAYUHZrvQhRUt+2NPJFwLZxFjIy -+VUyW9K+pMVskUwn8ODZa+BSRxrYSUVyBoQhpKDeZoNRK9IVqYDHlOIF97wYWqWHCd3AO5R4GgnZ -UaVEKrPUwicsobf6XqSbehlCJWMzXiqjghx/Exuj9y4tIaFoaUUtZlocd6eTzThGCINh09YQvPCw -hfAVregrrSB2s7+5sTFc8xEEwuECadDDKE+DcqpnB8wWHrxT5DkYZ5IqcB5BWIctS6v3OIYR10+H -MoZeaOYuQj77LbPnhSOoOKoDiOXiAFmWTtllcazL6q74TiA0E5+1a/xBK3y/WBoOud4uPz6bNaHT -ElijuURBuZnQDsZoVX/aDis+bycpRG6L96NArT6OQ2BUd7vEdFfg3e4o7+XWAdbs8D+tDh/R+bcA -pXrHc9eRwzihCRgneFt4t80/DNknKUyWyHSUyIAziwoBitzTE7X7BcJlqoHhHFHO0HvprtSfM8HM -gu1RiIaAuH3aYLOcjKzldOrOdvGnrdx1f4baOxFhcUkrhtK0lixEpup46FL+T7G2cO+e25tG44Dx -1f4SGyV9CXtwKbXYe9yNXKx/rURzK7kkkHBiFmPqVhMgtkGVy5OgXpgwvUDXsdNwwD9jgThUIroO -y+xrTypLc4zUqNyoMAoTi1w2Ir2MJPiesNH/n92cWyuV/SLHyHlrDG0wKkpp8/T+9CLj90YmzAow -SZSyA0JkAtaGv0IUm5JA7ekKX0fwKMdfSHZKTno5JMgOL6TQZpmorcjRmscgV+NiC5JNuRCLArWu -jtjKmNcPEhFTvUrZT7CpT0fy31frKihm4cxB0o6wYZO08RkoTsGFsJMesx7hj4jgdkYoZHgK+9bR -uk7qvzSX3Dt6q+BG0+NB4AQii1Nh5Sdrmh+6KwY6skD7IIgwEMJhI7hsz7a0dmyKE2SLhIeNNEV8 -BgsH7tVnpO2+1Q977PxZH3+yiJ8AokcynXG/ZyWSjezie3eLsANVSfRskU3iEFilPX6r0UNktSeA -FwNNGHAs5Sqe3YaIpDrYJ1GeExYNRhjbTLRxBk6gKxWNVWvAibXnY2jEJM4asb/FtfHtSune1o0q -XxJV2ebaQSyTaINN/OYfquOhTUrGp8wlj2owpQKVuE+JZX8YXu7tvmpVCCxuZq1nG1pdvHDB4Duz -E++C1c92sDhiSmGq1KdnWKYHQN4R7CWh40Enxg2vF7lqU/f/Dvr4FrlQHhyKBGHPIR62JRZvtMXM -CNG8EuZJTRpLca/F9YpjWmCBTsSLr8+ugWu2fuiGsqmjQVsJtCjtzjjmkRVHGpMp6HG3zs9KmR3n -PTwvgUkhLfLJnPtnaSYsQG4Fof2jYlMKeWpCM0Rzphoz+u8IDaoigDxD0uob/GM05nLtILQjmnJn -JDodougR/N5DFA8TXsswZCnc5nS9dL3BFgmhZ/h6DXCBRc8iiSRKdUEHI9pNzQ66StQ5a8skmevP -wg0AhqeIIq/9Ep2qa9uba8E2X6KNt+jcdW+JptflEGtcYusX0/YKUq5MhbnOc5T8R83MgmRGemgD -RuxFAU0IkE0YmXMu7R8BA4SENB84O15MCbGrrE/rkMMJQZ9xdkuVvVvQVYojBQBHbgUTgIfEsPuI -1r6UpBwgU69I/zlP+7MWaD4NaPEKx/T7XVQsEgbQDsJJBeaxaY1JwGzh55XZs9osdUU9CWiqxTG1 -T/sXzwyr6zIfrbFypbXkyaPSoeCz3dkur2ktOUDNmhjQhabh07csKv48zArbRerAA9FYPxugN1xN -ZcO8NxgtR7ul/WMz14G9TruE7LZHFJgWS5BvSc1XPSNF1toIEtv/Nv0s51clkblLIN0s0fIQRsyk 
-gN9gISr4MeXaf4OG/OYsc7N/MtYHJwphiklTMIaKtR5xo+lfoXU1Tn9YPAhsBg2KFY/zmN44InYC -NsFFAYtLvZ7eNOu0Sx+mK06CeUZNnM6dK8xCB1h4vOR/wZCD6UK8ebH5QYi/SQigKxbjSyo8n2lv -HiA1jdIgD7BXguM3AiX85K6GBCCzWJbjRWxCTgM4+Es+GvXmqCsBjQjrUXOsfTbA+NesQDsEA0EJ -3UPLYvyBxAMEA3MXHJvXuTepWCa2qjOcz8VoFoQozmH31Xf6Gev8LYyElbzxMy7vlYihKZnPk/CW -F7JKIowEpmqBlWDBOjte5Fx7PMW2xrLmmOm0OLEk3sbCJTlsT4JEYA8G2+GsLPelmw== - - - MUvQqIuSPLyslrFlTCBnB9Kpf+stKx0syXdFLuOKGVBVa1m7W7G1t3KbTKh9BGYv+b5TC/icfAAw -cYFyOdAApaeHPk4P0TaModjX3oZpJQMh7xazK0X2kxrMeB1CPJk8hK9eESMlCHjoMcQn1oW6NXGu -8DnvJilLss0XqdSzGwwbL7SACYhG9qAsPRX1VqrNspZeoZpDXRWVW5+f0RdEoiIEw6AfiYPRALXd -vURg61CaxX4UJl0CkFmSSbcGwCv7yz5xV8jJidKMgDBH60+wpComlG/YtdcSWGi6Ng77ME81C9mY -ABjjvvpwQDB4QNNv4qPKec97HGjHwko09b07YWWZkczTPcrg97H0izZccRKA3/CcD/LFIDzIEHuh -d8OZXoYZcyMXIh6kVIG+yV7kmwZZX/5vmcJE7vjl5NDu22i4DmrS+I90QypcEVZNXRdhN7q58w9L -Id9BSdM4WYu3wERwJBHhJSMRZXg3BJBBDqPpJlvFZqYNNS/fMxryRx2njbIOLVr9iL5IN6T8EmoR -gQDQPjW7Qkvou9RYVMaBtyGFEgBf181F2gSFSiYp3BLJPiqLwKEm46eP5CSFfvM8ARID9E3GJyPM -9OrJehEfywuLzfuze5ayOu360BUiA1oPjKrABQlJahYoH23EYnYVnEBKI4lM0iEDZ5nRT+wb1A5u -1YEKGzSuQI9HyjJBlYvHleaAKqllKTOeeA56Y5KYiwgjXD35f8mp36kRrGSnV6d7CU5RI87PMOSA -rcukAB2z2MmSLwaqHRySeV/P/mdj89owtcu1WQZtiR868LWdudo/8GmKvI7WAE0x7jGHMQ95/PGG -96aZneLBY5Up6iO1UXhMaSlqdA01T0kH0bGAouKgZpAXhlL9gp/R2zoCE4p66LpVfAMROyP61W4X -lyjcYzibCgmcGjhk3hNpDMzqaTxo9wjfDAUuMk3U0LKOdwENep6WIaQqBYj4M1bdR4IrZEDh9k6D -M6MJPJ/xfCiz7Jqdood/E2haPuZIgqa6ZSsTLIikVK9w8AWKNGyCTluHw3bzoLWZGzUwlT34ZBtQ -93VB55UDY4ZCGYlSCogAvQRkLdC0yGBs6dYmendCEoxMY2Ic2S24+m2TqD0kWuYJYPCyiTQZOXgs -WwKLrbZhHxkk17htFVXSMBNAuJszAftG70NN+JBWnkA7snD2NDP62ONRnMs1x4BDyhHAPBMTri2G -x/GF31CIub0KZBUwMvHWiVtYeDW3HRg4okeez3GHZmX17XRxke24GgNk5Ctma8JhYmKwGi+4Wjek -PPvt98mDUS7eyhWKrFlXkFh94j7nFmmTAq1oAfNmMYuKXZtcTdya8CShYqrUI6VgQ0A25IjKUcOS -u2pEpNiN9p4yVuk6ikLU7KlTrBKEA3Fuf/1S98BqkUBu5EIJWQFhM2fpTNK8FdvuoGuipa+j/rfG -0Msw/xMYcODAL/WIhnhGRZOjoIpnqtB/eGtB9QswpUuPajIxQJq0m2RUIemvkOUNUvwlu5FXhwuH 
-LLToixTRgFz3nPYjbYqUuCvUkrlSS+25iQZDpQA9tPALOwnvFEg3vj1Rvlin9M2mOZHpg7xouiXs -kFwhdkWO9iXiHX+u45MxOBUfwApQx2QhbEQT/A60PvApYE5NtfD7MTwKid0PLCFatWcbIKLO209Q -AfuPGWIa6KVnHawtfrH3Ca0X+IpXXUeXAsv0WZZZ0rrernCjv2s8aBcbmRgyef564PY04gyOiCwi -Y8hoe9He9Kqk5FaShtv3+nOeSRQd9/+SEGNIi6ijR0p6GCPlSOxfyNIdAgZynNVlGMQfFomHwArn -elCLGwMr+g+AmCoCN4llRDvh9+GfsNts17G/L3cbhvHCBMq04klyfyrwTUcB81RBiCkzm+KZydYO -Hf2EpRaiZvD0bBZDVwgsrK3tCrdwAtV98xu2eYQrQvqgKLyCq8wYXRo3o993kVHuOFTKgKr6ZYaM -Ttd5rWZPW92CFJ+2aT7Ma0XlkYCs8IBp00A9urVXBiluNviXhB7MOoLzSJMbhQubYvl3Er91Fn4h -/CUPMpVVe5/2k9/GAdzSmhIAwZ75wBTSFNtJixY8ag6WKBI978D4RyEN9YDEDUJrkZ75wcFHpAMP -RGeg1/3Q5yKe1cz2jPD7Y/vU6fYIovLU8zBMBnmojFS7ipp9wFBEiROWPyXIOOUh9B+tiGXZmkxV -bMpkQQXwshGPiGgGYJC2rBEdICuEth6+EPSN/uTutD/jWQ8eyCnem9ANz3sWNpU1/Ys0gTIYInC+ -y2KVqe32C8A+nGQLmvFOg+MMRbpB3UygpOTPar5PPR9nW6Uv2Kx0Z04L3pyfnCHK/dxK/caCuRy6 -i4X4ENfu1852EUdYwNV584q/hj5EeX2IyEw7aZdH9CjbTZMqnGjZh9VKco9kNcow1tHMd5uqOZLj -Qw+3vyBHDvG4l3Uca1JEiLns+kGoIqM2jlw3B8aUpYu3ExsiVfmsI6n7nQhzJm3V83gYihc+d8aS -2USypI3dRzbusgQYmhUffUJYRn8fPF2f8To2eX++9VsroaJnBo3TunZ0bGKb0q1B11LgUh18fpfL -plsxOXQyfJcxF0MiX/AW8LosAnSFf7Vki0vDmFmx6TxfU476aiiHB2ay61LwBnLtVkOKPtLSGIuj -R2Yh/1fogkVR4jyCawtyR5YRePDV+VKLl7o853J1Mce8PETHE2eWXxitnzr8kcvjNL57Hi7UqbOj -f3UCAljZyMCAKvrL46/SyaosRqBbbdgwzb/VqTbOUqcYiItVy50Ym0UCe/ewqIwZqpDNKnmhwvSs -m47DEvF1A4+qQZHNL1/DpSOoqrt4LzYBGHS9l9Gk6qtETIek6oFl6yAccXzUkQ3de0bVY2PShzBr -US8vQ+OiWJGnUGFdQc1hP9Lra4o/AV2yFO9GQlGzLGzbCNMxa3ByI/i2pwiFjNGSV2yQ842aylCO -IZH8pxdHCfylNZkZ0+qterek4LJMQ+rKsz4VM5RXzCA6PeAfJruRCRfnavJFFdBZ3Fh/SyiUXlpu -bIGswT2e6aa0gig6bEFxDJIhXY05Llwgs0vWk7YtphO36EVkaiTI7Rdbpwmx5b/nZeLRqdCKg3uS -bt3hDS/KEDWlA6kcfaTG5Pkp/Ss0Cq+Fq4tC/+cWFHGUWCSFalhvI+h+4k+dxybE7Qy5W0aj6X8t -+46nIQYyrkZxqEeWVMhKaLm+8kUZZljRkE5eg+ZmZOpyaPUyBrArbKK0F8gQp3m+Bfz9wX6dnDmn -oMMPdfg2wRpqVIe4NiuXjBXOD8fa73hoVZlp6OK+nHknxFpysIYEHh2X8dzr5e+veEPya/09Akat -YQBGpa+HACWmXOE/WjwOHpZkemOE0OIrK4/YO48CkpmNJlT+mGV8VJqNrowAKDImCotdfqv6HJyu 
-Be/DmPjMBJERMcv6YMSpi3XbMSWT8jkJ/wvYBBIvlfOSj7sNRCuuSG9kVHGQiOlETASQPcZlu8hO -X5BVuuWTrPnZHiSNsqmSryoOn0kKPLcZOJ21dOGw0YdoAjgxfufQff0quhb/Wy8/v5oVmwVaIJIy -DWjh6FID+U+q0IknnqnqMjQDwl7Ob59CHhZ0qfeKEjUa4CCGwP0/wHi7BYJKIYkGhpGEL9PuRJD4 -hMNlkjvR5I4ZS08djLgySoJ0IH8iRfCiNVA+hgMd/nUmiC/SgREUZGQoJwdFkIjFAwvdh1v9Blui -ZF9iAPUR0QVWnMKbqgQ1YUMQEHkl74Id79H8dh4iajSmxzxi0sti6Dwv5HwOo/kUK46TySGHDIeD -kZXWgtaLQmX7IeU6jFZs+JzHawG+8qVtRQyrCj3qkSHpikk0zDHWpZ7xGApTx/7Nmb3QZpghC7XK -ziOrZElrWCxYF8lxifj8+neCoBq7v5u8ZvTc+fJly9oBsJv/44/9XTztB/DKX948TXy3wubAvUOQ -9tk1zLhGojox9ce8F8nLXMverZeFl3glDAclKv2EtpEr9zFuyMpq+GscAFq4W2MP+1djABJzeL5B -jUVu3m5CyDz2B/GZ7bbQcYB24gDvewf5aiW2u8sU72QnGpBztiZjloll4DSZq1SRRB3BSSrVPtPt -p3UF7F7Mt8YX23ZpwNK5mdqdaCR0cyQzYcZKrE9floJlE4AcCQsAQRFZJpTflO35Lesvd7q2RWum -BecVL9mYAwQOLbYDaff3SkiG8cO0Zi0dhmOd58UbSCcM6p4tw1S+3Qabx0kdxQhEaC77hPHJKDTL -KjGgo7mJq81QtpIYKTU4yXtJAC2N+CYY2gsTX5P+XKMofY4netepsajdjDgXx2nR0lWewefMcgCV -W332i3Po4vSoByk8Bws7J0phfU0m4te8FOPcoh6K6N1anQZEE11RnhzLcWudOEIWnjwIMQInxXiR -mSwB6n4BxMJFK3tmnKs+hT2E27gjBOCfAITwuFtUHMfL8JgOnDSCTv0gZpd56o1pi4Z0piGpdIt0 -XWNLdecyjoTl8Oywmkfz0O9oCqBA0K6QikpkOaMXQgpctGAysz5uuUP4eKjYHJhAl7RGBw14etG7 -W6FbhBMBJxG7hLN3EhlYM/WDGPv6GF1zd6Ix0Ms864PYJ1hVQMyoOq9smwcPozVkAEN9KCKyLhv1 -KtUIeMsVs0qPdUjWifVJfagnvbEGulPenNEOiDRjResSZayw6F6BJabVSlzYMrNbCNggeWMNPzBT -7BUEd/VAYJw72GTQQxZjFpep6QC9AzN1qDlRMcQhaZ3Rp2OBV7ZXQaIDnKds6A7IZZRRJ6kCI/XJ -LJCCO2CvTeQ9K+TGgitVci8glozInp7ZHeFSzXym8eoJtWSlVqaZRtzo3U4jFIy43l1WJ7fXywuT -zIpjUH645HUHgc75wRjSLyO4UouYhBEsmYGMd2yqUXrTFFIUnGK5qYKyrx1in1rLDtlZbJJRjK1C -Gt6WJDqK2xM98SeqiPWZfhZD848oi0YtCCajD5hi0oRomA1gyJS0jfErqUw9URX8EVH9bfmMjBPC -kgIhxTUxYuPvXbfXOIdY1Y6CJASL3z6T1rioUmEPaTdoHyAsUaMEHNPko1uUo/XlxEYnP05bXHmH -cMylEVVGYAvJL1I6NifiZRN5rztCZgT9wCJlylZLfyBhQUQjLJcolhuy/4NSdIoJ2s3U47AmkpmP -SHbNHWZhV2a6AGkWNIipvHGEc2JqW2kuWhU5pAOgizab5nJJCFjMs/iFtMRzK7v6bQYyzxH0gyQ5 -AF/NEVQ8EyAGEjCbwzPagC2hDLgxjRdB5fTw6flKkuPga1n41ZtF75e7mIxb7GTEv7yJ+BO3OwA3 
-B6F8RfO1H6Zdehew4vTXfmPyUrvS6p0iIVgnDATWQKSSARYW212Yjzz7RukDiGONm9ss/Pn891bH -b+9z9/Yr4X6ZmfgGb0SFTP5PJFfHEBFg6HReaMNpFs8U0RCWgj6P/KM3lNko+Zllhg== - - - CUP3jqp8wXfRH4/X5J8JJJa5OgJGy/63zmejgCorct5ipvjbKomllZ1ec1Q2QfXKJ9TledCsnotH -TgrhZvZ6FUkjJdjpLcQpwBskyiB6SEKfmKAU/0O8uzYFhY2ArPECHPnLGyDeMCi54HVim/ZBqhOQ -qOyCcJeT3QGTYPYVDx5I3xUYfA+08gGAb+4hrKWEKTUU3tUFXPNm62m6IpF3JfYJpNIZcQpOY8e4 -cYEhZHehKUQIlAejIexzVpvSQKbW4NdgSSVv8uMFSjpch3nIE0qsnZ4MD+vviJ2EIIbhaoUQJRlA -kdrRVfhtXypyz1CZUqFgLE5o6QaoUt7m0aEazqOUL2wueBg86Bp6+RSRUZS3BS5WB4z9Pi+wwDBB -YFG322xOf7S9PF3lmsFhQp6J1bLMUU0priOn12wtbBaUJjRprq+WIGrE5pIbg0y0lKBIY5bZvu7H -a6TtKAvcBErMnlxR7D9lJP2s/1GCs6jIxczJnTF0dFp0Ucgja5Aa7guJclikr7lMmIPqwiTSDAqs -OD56ZDWWXmF8qYmhy5q7DaJtlNEmUaDBWUrv2D4sxkfnROCSM1V2QPpfD1nabDeFJG0gtDSSP7OL -TmhmdbeNuY5oIqurfGvAE4lFCanUg9Xkf7fxImLm+HG2DDxNkrkD65p9rF7hx4Rgg22dRSmOxgKu -xZyC6wZwrFk/xzcRi5LSsGUQqq4OJmlVpbSMLG/xJfG68ni55TkppwcXKohHV2PGg9eED91OCIcn -YBQNGIdZoEbCTGtyoC27RCZ5OECds+EtUFpw1KxIQdM7NDmJCxlgJ+p0vMYO1pbuLmb8jNQYcCub -SOgefLLTC4GUJbWu8bSBpgb/2qoUmbRhsKIGy3H45rGaEPxKQPWlMo8MxcQeBoxBjNrvo0TPYTwJ -B8dwdaX/tFDVW3X/IPDJdIPwVejZJxyiEngvkr7lSaG/V6R7she6tfIrhIsw4lhXge6tYH+KYKay -jlBypQisWyvGwRvNHI906pcyjYZMA0OijAEorBkEfWt8uYGGTpK+bE9/GDeW/Ex1nZLPGLOKKXbq -ajCtaelEKNKJs7MCrzJEgUr6d0b+kQHLIGwdzOwqepInFKazPIrV/0kOuIODc4xFTabEQdOqTOjy -lVvtAHHiAVRstq42dG870UJTcKivoCpbIAYCIMHm4jDPXIwosXTN/8IIj8aB8syjYlomIah9ueJK -jO668ZGsWnnYYbeR8sbTNFYhXdb7SRbsUIyUpnadbD/C+rqmU3Lqz8vio0ivsyqvH0KvOwLIzHNq -NdUqAS0x+s1YIioVVmPtmLE2y5drNTQUfJbqFpQRgCrK9j0pZCVsblFs9Qt0rgvah5tQhUUvbxcr -evZgVnk7ndVM8iCTSb+LmeX4lmUk6+UJjQpKmD8Pvquqq1MFZljT3xzm5OykPtsKnGlU82vURGCU -dagV62wilNuuQzke47QIpFxCtdtfpCzMzPBnYx79xUKqFENjMIFoSiVsMK5x3akPBgFBW4Tt0pvD -fFT6xCpo2H7OpcTeqozVUNc8EA0kWutbkUhMPU6nY9Eb83QVYFgbboY8CTrDxMEOEocW3poQZyw4 -rLzck0Xaha3dJumHT6xUmoYe5VurzlPssxFLggZpyievfyLrTUsjScxyZli+xm9VDA7lCZZXg81A -ffg+sEhW6WmsbeBJzlCG522Ne2rpBkJke24JQLBx9UVSwxLjCM/AtyNVo/XjFRYwkNOJ5dC2QjPE 
-HdJwTfgOrhH24eVv67JnO2MNjwS94lI5ETtYywy/gcJ84R5Xcb/CZkkTklkFZgsCiC2PkA7z5ep3 -dw9krLNrx368hVho1KaTySxfqRV8n6lwMogmEqsaR3bJliBF2v29l3NH8hk3CYiv/Y+aGbaO0IRi -rL7xsOHlZmVZ46BV8e5TkDj9OFAjtIOgvPusmUPJc2B+DkGfrxSzQA5dQPDBObyHqNp91gv7yLwY -SCjbmtNTdnDDEcZpQx08Xja62wZPl22YK7Qh/JkNIbaCRkKws4Ir+0q7frb+YcE/UU9ILZHwEg5n -Y6BCTwar6C8SRmgR8w0MGWTTIdLCSkIORUtmHMCHZHny8EnahGxH9H5Fiu4c1RjN2Ik0vbkJS7NG -U9Cis8F7wkqaLlAXi1b1rXPTA8aCD1g0SosOaTRoNAfhVfeND8mIyglYHjVD7MjhT0yItN4GRp9O -szRTzIxUR1ZZ1LOMXJSc4ZdDtN4VmmgEHdDvkOniB9DyTuuuNU2uP6dkaDf246TTNpZmy88N/kzD -/kWioqQYO0KaYzEiIdCQV9ytYcBMVwyWhuB2or/dseZqW5IXouJpQ4zTrZMFibNtsachNKZIzF1n -YQ70ZnNwSK1hgSHPavMoyxrO3dwQHsvy5NhRi6QBrkE/IatcWMNoN0ZdZSlZ0mgwEE3RVegSYmJ+ -45cZjiZp9AUe+26qeB+P0LmQCy+H3WSsNcMN327VB1iif4AkpBU3FljTcxVJadybEbkHtkgHrv/r -E3ELJabOEeFu/rQFoXZ+D4YBYhlNkTuZo1M1IqHcQQERSlTUW/ATX5KWucSsM24+Db357Gy0bkMP -5h7gWtGfXLUbTzRrHas48cWPdDUsg8P0EBg9Lae6rgxfICHd2/uoyxlJCYd6wtHYH7G3kxl3YFCJ -1CVISEtFRnkru1jfKsrXfMX9uYvDfHlDiOg1er+h5r2cPemBO4TcMgRWSgduyfHwi1BroAnn3qK3 -K9zqb9YWva+JOduZxgjXN4ZQbuigwOkRbQZO7WPs3bN9nujaLJPZ+Yc9DMyzsg7uS+9AMbOjgMa2 -H3KONc6qOxijeiLrhmJlW7Gm+sM0LOfMsDxPAg4MqLgV5cGm+kdjJMbI2oFc3KZ0uXdWhNMp4+hW -epWjX04ExsacyyTUDBW9Lmcp9Fs7vNaJQWYEVNH6G9uFxRWDSb6HClf/zvtHo/XK93zWLBF9hwVB -h64wf6J8SK/0V3Rky6nU/2x/EH9ktMJhhEEFOZk+l+A6pWp2otHz9ohGL5NDWRowG7IH75l3McDE -XqdJZ1s5NRpD40FDoteGlGIPOyarUaylnh84abbSMSJPmg9sDC2rlyOxApfKD8RvYD/of7M3yVYQ -7PKoY9SJClSeSGo7I+K778nPydXmNu5r6ZtIXI2SCEhaZxYGxDT9BMH3gPYLACXeP7L5mPQ3DMrr -PCoyJ1DMMfR4om9h2NR76VlNZEpjLJQaiklA8BpaCWU7/8pQdn+vZbIxfk+x1OP5MSB1GAyDoi8d -cbEuYJKePwYzU2WAc6l9poEJbOBXZ2qMjSdO5Uxo7zSVCeXQYtVYYLyliIn8OWZluUmmzVLbwzPT -WvMuT12voKzPKmtC60ugg+Zgh9hyu2MuxMoXmkGhJxrzhP9P4pZlCK0yJrRRdaUM+qAW/HwDe2wg -BCZ+tuyht9c2N1OV4bmVhL4oCCM1pLv7PfZBCpOUx/vErBT7Yc83jBgbdLVCniorV5DFjg4HZ2X4 -X3KCm+jtz4wjkDFHXBzqG+hVcTcIlFsoWBVboHzdFOlH/kxOH5OrUuvZzfR1JlrN5s6UG2fU33Ni -841nvvpJYz7WyMRBtx0A9xmlWIZMVsmqDzMDHkmirFHaqa03wmCKWEYZusNiGfe2KsroGFaiR26F 
-Fc97CyrMyhu6gr5PMiJ+adApdotS0zw3HOlp7mr8yL6nYymE6YXXJNY0+RYUb8hJweGeHDFZvSmv -92hOws8uEfPkZPwLNnYnAFbo5Ka3fNF7PsHenZuduBIbnDOzBOYAiZ0CKq0AA+Sf8N0mT6LFt4NV -M6s/ohMhCzhoyQ2RBRbJlb5vV6X/DmSv59yqldb8GshQQmPPARmcxj2E7GhY4GFC6FJy9yPJb7Eh -YXyWcE/StoSaTgr7JHASK0fAcK/cCMDBVCTV9vpDOIpJjpSNegP+aeuFGsWvEW0Fz2zuW2Xd8bkj -DO8fql16mHcsy1R4B/GfXHndpN+FaZx+J33aehZOUOikxTynGhyrnk8z9qHBBJ8lsGcNXAsIuD33 -ZNCVQwYk68rQ+FiMJgD60yAgvkeLGB0r+PN1wkbu6r2Dd8+p9OrPv4dZmkCEdo29nX5obgiNatIK -NnoQejuKLajR9QiNdYWMCTHRzHCm0IflZEPzX6GO0HAWrCAajUZueunwtu8R+bcM4d1aqRHPUGP5 -VSR8Ax9WABaGELtUNCmN1aYTbqhUI15rP3tgB1ZgG2N2NwATsZ2VJRWWHrOd/In59AJEaQOatSqH -KZAATO3e7xZoAWeENYw+64pjIO4cjBr/tWQ32eqNxtEmEgEAQIhEAAABdwdQCOkI+ebuv5fv7Rvv -7DXOv+/L8c3954uzxvzi7qlCGb7ec629nL+//uLrfeY7e9djzv3VH29v8+7/35d7uGvsddzx1r/n -jLffHH+P6659zl973t6fa3/1xp7z/7PHnP/+9dV9392567mb8fYZ36u7p3XX+GMPX6/rvHuvgCzn -V3eNt8473+15/r1vrXX3/P+cu5/r7vPtev+9dfc539w59i7ml+/sMf65a8w53xWQvZvvjv++F2eO -98Zf78rJ8pwv7vdr7vJ7u/756pwzz1zWu99+M788c461x/fNPPN9ufc/xph3rvu/+F+Oa10BIffj -jPPH2uM+c72/x5x7unfs/a+93vhy12rvendrnC/PmnuXw57nfP+/7+Z8e47nioHl+eZ88+YqJ8sv -5vl2fX/uXtZ4Y609T1/9L8/c2/9z77fum3vP+/a8XTlZ7j3M8dv99b73t9eca4+9n++unOz1bs/X -4//vjT3PL9b78tu7/7h7z3Pec9f7Gl99ude6ArL3V0AIz/l6W3v949uz93u+nv//crw5xnhrzb3v -Pe/73Tvry3k69+1z9rh7Pnvu+u+97t3Lu/+f2xfnj33G2W/tt775/+15rHvPHv+bu7kCQryufcba -+9ff6++92ds+e9l37f1bAVn+P7fv57jWPXOdd8Y+ezlvD3ve9+6a838v5p7HPnPvuffv1prv/Te/ -13v3Xu57/17b9/++YmC5VznZ+ysge7l7td59e5lj7T++F3sXVwzs/ZWTvRdXQJbjCgi59m++ve09 -FldzbImgMVZixAGgOY5peFqNImtwAoGQl0osMZBMXICoQlkWQCo0rutYiqGVqUH9zkXDJQojRw9r -GRNZY6ZBvBdRXlGbrZqOZnqCtvfM9Y/x9jtj3jfvGF97scb4muyqGkvWKLrWd4+7tvOOr5e5/9/z -7l3uXvvQudfYdp4nk9tgb2QUosaWSJbn5mats9fbex9z2HsP881di733s/cydznGntbcjeDtuZvV -dRzT1pjhmOTHJNFMYiOlyzlXlbhBlUymSK5EEWpcxfVMxwBI2LkyxZFETxAWM0+raixZY1paQyjO -GOCEwdLzZ7xfakxNx5K1K1NEBWhsx2aZgtjV7LxScbWmY4CUFNFSpeLPKDSqMa0S0Q== - - - 9HSpUlWFnmnGomeauavKOjOJjaCrKQEjS5hrFUOuVQxZ0UsVQXZAAAHENtzn7/H+c88RzO/KOke2 
-HAOMGO7C3DWGAOH3Yp7kGlONAjRdhsHYnKUwCGVJblYI5hhAM6oKZUluVuZYYiIDSNXsQDwOdzay -qkYWS2PHAOTHluSmsxGUFDlsLcRmNlvdbCmdJEUo8/g603W0pmKos9nASsZW5qkiVRHzUonrqEyR -KlnqLM4ktrMmSbGblRnrxgDkqhph4kGXUawJwGkadJn6r7Y6Z54zzhmSRXi2PFt8fe6e52/n2EKy -ie26a6/tuu1shmQRSBYxxQ1qZcZOEYpfy0cgakAqpsjPWK4qmWJQnYvtlnPYc9faC8ki6AmCZJGd -7cXa8j6x99uLLbecf275KpYbfi22tmerrdaXY4shWQSSRcrzJFnORjqYOI4sjDTHDHqCbLciA5CZ -dHSt4rixE1uKpyoVXaDtXKrYSbLdKpabFlmKARAst6JWY0g2sZFuZcZOkeVW1HLb2Ug6rlIEm44t -0RRB1qXG0gzhcvjufjmtPX43h9kRFV2qXZkxey+Ivdt/5nlyuTfR1t+8s8ae5nj2tsdxznu2HucM -5nGN896c1hkW9rvrzXsGWsy9zHsG5sy3x+HO5QzUeev9+dbfczwDOb0xvrtr7e28MzB7nanwx5jz -usXc+52B+Wfs2Zy/zztn7Dfn3fP4X629th7zrbWnNc8ZaD1tt/a8nIEWe9vb7W3NN8f8/p2pbM/8 -2665zsDtPey5p7vOXOu/+9ae77u17b3rDLzYc7l/jXfPu/t+c9/f8173OgO71tbbYPfbexl4M9b/ -ep/7xjfr7633Xsc68729n73nsaex5+63H2eP+956H/8M5H57/3q7vUkG3u6953ndcrz3brvH3m++ -sffe/53Dvd+M+eXfyxzmtvv++9fau3drn7PWPOPsse0dZ5wz9llz6+08ycDr5eth0HOe7wnf3cPX -y797+Prs9f+5bTG/e+O9O4ft9pPN4Ym3sd6Ty7HmkzvhH3/Mfc/7BPeu8f+/T/zlnL+ec11PtL/c -5x5jP/Ge9xOr/cR/P+FYa857Gd8M/NlnT1/dJ193/Pnnk545x9n7mU841tzDe7Lz5Rlr7ms9yd/L -22s98ZynJxN8uZe5z/nek4w5/LGeePt6k0nmW2/O5W33xt72Fm++tzfZHOs70XqSM5fz95z/OAO/ -nnjZc1zjjPXEy/hzns5An7fNfOuJ3lzrzvkM1PjzjLnFOHMMsztTLzG7L9a4gxZ73bO7264t1rvj -7DnP33339WzPYJ7vWmc9yUDf/fc+e8+z3p78/v3Edz/JYH5ivf357rt37Lnd7fc24831zmA2a/u5 -51r7nie6e3licde6d8v19vp627Xnvez3vt7GHAw47DBU5nxCz42dEKDOlHld9OZAa/IBSGB06VQ0 -0AXBVCHcj5NoaHVrWUIEVHDTXwSwuEU0aDJl5wEcOWARDOdhy4DLkmHIfFDogULQUrsC0YhZ0FRC -UsTncLXjXhn+bRZPBOc6XidEhnhhRK6YQAlOG1qirsEVCfXBwMeFtSxzdUT+MDzgS3fKkBceKs5J -VyH3fqfLyogVEYPzCj8rg1lJFj2QoCkJBDuDtu7q1WXZOtDW3S5Vsmw+gn+blknsuDpVY4Z7nQ44 -unSWYrNVwEjC4ipmBkaYhJAx3SiksSZpT9P+iyVX82I7FxF46S0OFaASW6PJqSi5miKHCrjrqHIq -mo4r0aVyKlpyKprJFKeiqZjKrSbrZKVoueJWk6XCJaei91zNU8WpKE45VACHCnCt57iaJAdTZZhp -iioqgMuT3j/uoKZjMaFIhagcKuA1AKbiYCqVGWNxarpKT1VshZ4qenKoALJUcagAVACLdaZScmyJ -aKoaTbJkjauVXFOnBPeCtUZULNMxwLmaKpXKrVJViarUADiAi2txq1SFkiWLW6Wqu5ojmZ7cKs3+ 
-RNVVxaWliktLVeqUUMVUXnGpU8J1AqAKQKYZOyBlV6NJssYMhPv087XkuBRFPfw9l6Io7imKpii6 -QstxdcJWaDqWq8qVq6qOakx9pSIsxbFY52ocyxT3grXQFBVhK5niUqfEPVlmJ3V6LJc6JdJzVNMx -wJhyqVNibInlqeJSp4RYplDypXKpU0ItS5FLnRKY5ABwuszRzeC6yYQgdqAkSaOqkElUBDU4q8ay -PFW2YWWK6yifLLMztsRQaxRhlExV6pjhTABO82XGrEqyTjuqMVuKptki1TFjdqwqWpcqplrzJFHR -rrFzgFha0ZqkXUk7qsQStedqV+No2tg5ID2thLQmKbZaJrmSq9GapzXFErWxc8DKbTIhU7SqaMeS -ZFlTVK05ugCwql3Z0bXaMRXtqI4uEmQkS6lxYVXFzcskPyIGo6iYkvJYYlRnBrXJhPZJrqJoNc/N -HSCmIQmzVrNzksaSJPE8liTrTEMZt0wS5zxATEMsIlnkao6rTjoOED+rmDpT1QWPsDN1qU7zBJ2p -iwnAmTnNE8T3wisVQTAyJeHMkSvzBE1yVcfMgAxhjZ9XegKwphfYmW4GqMjyDAUwTzC/UhGUjpc0 -ME8SdoIDxLSTopmCxVykcRXT0RxD1CYTwrhzwaOQxuLRJD8rU7S2c7EZdy6Y487Frir5sS+zYzFW -catavkyy664por9zEdGwNFJTsdFqnpvVmIJpMqRMWBqlo8G5xi5haYRPlakJSyNUNIWlUVgakaox -DYWlUV7NcxOWRqxWKCyNBIyksDQqy4s6lii5ljHQGEBcVfHT2QF7kiwZQHSNmHEVVWSJxjItEUZC -BqAnGAKZ7Ko8WanYiAQJIE0FAM6VSS7YVeQb7+y79vJtmWQAcWRV/HH2NL/XwY7oAJJdzdEcS3Jj -82gEjqqCilzTseRaV+RChqQ6PylyFVHYCY4ByM8ZqmM5YC1HcMCKwjSluKrpqBLR0biKlSoTFUED -Vr3YUVVIWy+ViLEfEIljFzYj37E9SRYlS9AubEZqy66x86U6zddYpuy4iuWpkqsyBiNVm46oiNqv -2hWZtqz9nUtOtVKLrWh/51KOAcaPHbCSpRhLsC2T/J2LKpKlaMnVFDvuXASMqx1Nslxj57nGLrZz -OVUcia5UshRPVIWtRFSLK7nS2FXASLJjgBSrYgBTBDFoPdERa/yspKlwycxYpkRSppOOq9lRR5h4 -UIqq86M6M6vIKccRxA6wxk9GaWfLJAEYydIeWc15X1njx+OXUSVu9qgsRzBdR2UZ23Qur8tdbmMI -QuwEy3IEMUrjmGcAZHpysgizssYPR7BWVccURWMj6zF6huzYEmMtU/ysMXSNIdjfuWiRdakjyP7O -xa6jOqYhm47muFqLcefyYGExcjWCGiAoLZOIpZgKMEn9SbbG1AoYS5QsVepqkimajgFOOwZIR3VM -UZuOLHtx51LG0FFUiqmzDNV1VNXLWKbEblWRmTQAuYrliD16kr4/VePIHFcBmrIcQaw9i/n3mL09 -iz/2UFpKbgSMK7PTMkmXSpr4dy89z3KzjgasZEmOpliGVmQarhhfXMWVuI4wAFiqeZKrGAAJI1f0 -xKmIYtBpjusqwjYMiEos03E1yZzpqC2TXNdxtI6tVFzHkmSJsPTc7BwehCAZr6zxAzvX9UwJEJAH -DJjk7vm92fOylzf+l9NaRZYqBoCl4nUcreNIXMXMWKIwUaUEwLBzVWMqlGo6AlBSIpmKAfD4Up3l -OErFAJhMqWqAATUVA6BU0wFZV6PayRylqWdIdJLKUSS6hA5QGsgkW2SKkI5lTASxKC1bpeKZWtPL -nUDEMb2gZwqyxg96klZXixStxrHEoLSMYjuU9lemBrVz56LlyChErSr5wYT6vl/7/7fX2+vPP75X 
-e/pujK/f2Xub78+73/fnjm/m2ON8933j7vm+Pb7cd671vRx/7e/e/+a9vcdvZXW1yBQDsZh/nHn3 -9t/3czfnfDfOl7s3c9097P3v/PKPMccd/7719W72PI/LueOd991e739v3LH2/OV8d3zvvt7eG39/ -vd3z7thfj2Of9fb+xh7n/GKd981YX93zxfjzrbv2tuZuzxx/vTXWGvPdcedZe4x9797de3vsu8fa -25i7+2+Ou+e7b+5a//Xvm3tae/t2nLfnOGvOO8bZe9dnvj398+/56n09jvf2V29/PY67t6+H966A -rZDFNsLv1R6fWJz193C+n2eO77387v3zzTdf7vLtefaY356pQlkmwGSzvXZi9+duEw5hqVQqmcL/ -PVgTjzvxYKEnFHTQCHwDFwEMKpgco4sAzi91fKnj7V7qWQopFwEMRvhFAD86jUQykUwRLhLBuRIB -SCSCc0FYKPxGJgMtgaIN0M4D80z8mAdbPDDIpjS09sA8EEpDe2ACMQ+2rBUt62TQtmYglhPUkYg4 -NBBLR0Ly6HQk1pb6kNMMxLJRJkzWMpSpNEqMV8s4LYdl1SzrlzktnDktic649MqUJqXKI2s/HCuP -LABReeTVe+VwFUpClUcGLUQtK9gsUAsRx3Jq4rMQ8ZlTGoiMgwZrVHLSQDgYDg4arIHQaCBQyenk -tAz1jEzOqCdmm3CEUJ8hpyP0mVtBGdt8/ZNDkf1x2AMUhYTCSEANaLPB8cKGA40p4cAbV67x42B0 -Eunc3AxrOG2HWJ9giGADBBuHI2IpRMsGPi7TVjeKmv5JuFAjRBCJoDF6Aoa0ud1qs1A1C9OpINAE -XByEoBoIURK8BgUBxys1dMS/bTPoMCCo4jDg5q5dAUegYciQThuGzMlbSBvwsXYFmtBH2kAUNP5G -E1sxMiixVIYuhC9NY3sxXm2B8ZcK+Bov49VHnZY9JCgv+IQMGx1iDiKy6lhtWPEVBhezmc6JCeLf -CUKdOJQJ4zmQ9TEYaGg1FaqpUE2FHKhlsZUJkzsOZE04kFWqPDIHobA+BthkMm0pKoRQWCkq/LaE -FDXhkCcLzJosMGuywKwJhwXTwoJJFS1EDE4WmLUtMOuKBCYgekJPYcmkKDlo8IrgoMHgxIN1NXoK -0VP4bR0Ek7Vse6nbS91e6lkKPwUFk4Kp4CKAwe2lRl6qwCgxXi47VhcEHasLVhyrC0IkjtV9aFnG -eTREHUGJo4aFwm9kGplGJi6Cc0Eti6DE8YINj9V9oMTxGqCbHm2uKVi0IoFigDoMIgkUA/XEbNrD -K1i0lkCxGCgSKJZYQdcxDz4tMOt6YHniN7SOebBlAyVQLNoDg3gMsMVz0L1+Q3ckwv9FtEt9yDlU -HzRYy9YMxLLwUsfbkdCyR0e0PmgZQwOxgFrWUWggFo0i/LaOemK4lPqQwQYOZF1OK/zflmX1W79N -yzjqlzkWp48BtmxaxmlMmDALy6pwmTCZo54Y9VtTH4GmqFNojsJvg4U0s/Ff4UqE4LGs3xaqJ2bT -shMkCVcQjk59W7g2VB5Z9V45XG2dwjreAjUVfuG6ELGWJSBsRM1hoIFYtk0DVpBgCQ== - - - VpBgRsy0EDFGJCY09EYUwBGdqmynq9MyjEjkXM6jIWJUcvo2LcuYRM51RCJMEw/WPUvht2kcXGi8 -2ZYRCUzAzWEQgkgli9ayk4NmcpJoJN8m0WgNRPi/BFFmdHWOtOOgwZnWQEQ8nwGTTwcDhMK6WsaY -cAgnAxsJjAA+TwWUOF4BLWMsRoqHpvkMMLGH3LmWR5aAKo/8iKE6/7WQqpCdlmka91xH6NsSEgRi -KM7VHBGcG1II/xdOTt+WQdAyo6vDZLRyEcAYkciBTE7fdoIkmub7tgTQ1mnxsbqZhvB/EC0jrSDo 
-J6EwyK5g5FhdUGACbmls820JMEjExeEigDEiyXZxBJMGYoLRTVgMArZiACN/9EDdK0OaPBQoGP1T -UFMte3w4BYHLQ8YHo2tZKUISbnWzUB9OuwwhMkzU0DJGP7h/c3MlIpaeIlvLyrAB1pj4OJ4WjS6G -ynA4ViPMgac2RnulQnmwY3TA2lwssVmoWsZw2g0lqsBg9IRWJtgW6YSLiKWaxUUAR1IVsmOACFgf -zTkWBGkaM1W6+zA9UPcpebE5ntpxD834NKymk1DlkbVskaLKkH+N/9HcgigjUYCijESxeX2bgpNw -SRQkCZdEcfqeiQJ8fZuiseZOI5ITKOkHhzgah9ayD40VaAemc9AJ3I8Lm66HVwH6R1z+MFSuy8LE -oLL1CIxINEH821CCCPo5QKLR7q5IstWdAMvcrFBTrw/UUKQoDm4OBepEHZQBygQCPvV3gPf+GKzA -4ipYnJQ2/r6LAB4hWhCmDYFAgLwetgbOkHFxIA69EWosxMBWacJhwiuU0JMnS9YU4RSRMBrX6P/S -6Eq8YghcY7dKBUgVsUKRRJ9bauAUfO4olKwINDd1hMqz8m2TjkorYKGQ1flZAQuF37Zp0jRVeByr -K0CQMUk46JJ3R7u7qhXMCi0z1/z5KFg0yUNacCYG2LIw6SpbbONY3ZOHjA+FFhFLtYzbKGg0N8FD -WR9yCtW4GsfbLOtFDzRqgWN1RSASQdOyjnTgSTTrSdlCEQ7ke+QU5lETjC7wXyUTx7RsguJYXRWB -t9gKMoK3vUKbNFUoCDoBiNNCyyAmHTGwuQTQxYawLxAQ1+LgeZSUF6ODFqkHiIBKITF2DiAqEoZL -NjAGIJcFR2myYDlQQEqP//keEKXbadha5uoORhK53pJvCD+jNaZlkVGHdHfDNtjhx2vQKD05zoDh -YbDQshFCiXAhUhAakDeyYJ+rZduC2X7ixRHQv/O5H8Pm5aARjV4TnNEhk5NGhQ9Vy1DvWN1RqXtp -d+HAY2AkhHcMRwSQg9G1zEOem5uQOdjah20WaojAYHMbTtszxCYYjK52nJZtRAME20ODBRLRcEQs -TR3+oUIWBFp2nhrOzdEPF1X3h9lVm8hod7ekOSBSUR1IUy1bFwgl3xBAnNuxuhsIquwGTssiB578 -kJ7UAU3qIoBX5TqgH49QFyUcTFyq8yiYhAtVyxQYGOGNuFxGIY3RMwukzdWyg4jIN/pqswAJ3M01 -nTZoWxoCLk6wVQOblnkaQMr3qCSETiWG2qAgYOhSJYOjZSGGDnFRgQkeURm5UA8phDkSnVvLQGpW -t0MRflvM+2iuQAB8SF1dVEHAjtWFQBIKtEkLvS8CwbIho91dA690SEvqQJqqHy3LnByrW4b82yA4 -DEsOPYkG53+ZxffImceDQgVHlMFXGFzRwohwTbIF6kYSWi9I10VE3rBASkEFTG04BI647MKhdaJl -XYXcA/XEbJmSQLD3qdJdFAxFcC7Mw79totosGYmlwMCP8kEEpsG1WTIahXMuHL5hyExoUiVnhFQx -G6ZwHmL7SHDEvBDX4xZAsC6mcPsTmcCEEzptENAyRsdwwoWKO40J5vAFUQ+XDfqAQNRACRZYv6Sj -KEggFNZ9ZbYF1rKMqU04TFGQWHAPHG4QwZgcDepWKGI5TVfRWploAuaLYtm6HaEg0HQB6r0+hoRW -hkBxBCfcCxE7NJwwaaplmu5UmBYjQndxLL8QvNayM8S/zeagwWLG1BhfBBsgcCg1g81EILv0NFH6 -KBKy0yh8ZAfjHKuLwaFpgzuMQ5VpYDSFPn1IBk0IzkqaZkxtdWEXzuZCgR1SIavCwFM51KxmDqFp -KA62CM4VYERwbla4tAYaOsKI4NyLEHb3ngSeTFfQ4OAD/m3cboUH/NsQWgkE24MohNjzn6xuUASC 
-ZUcoIQYtWfTq8ooAOSX/bddg9BASvDEXJeaVUh8yBPy6i3YWIt4qX3dNfxHQsoj/FFYQ9DM4KFm0 -RzPQ0BtFQnKriew6BLGHLHlQFDzyefq2beLBuhEO/7ZtlBgfnBXFv42DrN2F7NB40xP/tsmEiI64 -wMVBAzlVus+pNoVDgjlRfCUZUZAsEYmCQ4ltCs+jmyggDAcRhWkBJFFoIEoShUnCJVFoWWzz0Lmi -TDYpxnyJOBiaXGl9WNfjKEEXiR2OtxOCEHUHETt019EC62I0tPIxdEpqvBy2dtcrgTSbTcTbMuCp -FLFJ2A+7Bcr4gX8bZOH0bfeBf9tFiDg098C/RukOFEBEvkSjjcp8vUakM3CJV+OV0QwkRI7ADJeh -Y1ChGPi3ddiAZusF/m3nAscL/NsiD6lvuwv86xY6MCGTJwsqb8lsEv82D5Q1Gw1xKoCIPeQITOLf -dkMrBg3ZiI0uLY/hIRwboZVrWeWTEMkYgg0nkjEaOFJ0DDIflip0EWhxJUY0UGCJ5AmJf9tkTyK5 -kW6MCM5lEDC+TSfwb9MKCaoE/m1ex6LCMEfo27oE/m24MlFhDEjyUXxDhSUJ/Nu4rZVK4CILB+MD -/m16M+HgW9DgYG61W5KDFEQhFDjg3yYwgQm1DIOoBKO0AoLbfB/LI0sKPvVzwi4ClE/LKBDI6j4s -LBhcOKaSZoMY8G9LFZ+BglYBBOsaNERQmwgCgoaWjOrDpIB3d0JUeeSNwrt7FjhocGTz7j4Y3ELB -ojlGBOdOXOpDbmRGVzeZELsrWXFQefIydfdPvFQac0ToLu5EEiSgQGhwp8OBbGKaJLNBGBGcC1kI -P812wuQPw/MArkSNv7FU+N8OIjrnckBSYBV4QJgFTQEnazBdav8tI7B2BaUJzIJm59NBeXhLmooO -UokCTRJy6AaXYnSJwSajbqQyR2kKfyY0hU0EAgGHVoUKGCRCMiJ0F+VLmptw2mmqQG2623DgVTbN -xDewKf5Hc7ADBFNkp+kq8lCxVMu2yUGaRiAIIu5E7JbupiSE90Oem5tJMNhcykRCczGUcmDbJ8xE -8ZFwSRSq2rFQtIBbG/JFy0INm02vigZNh6bwoIutIFL4wPExGpVAJVgjPQ5WOH0Y/6O5gdNBTTsJ -jeYuvpaRQg0prqY6BEPtLHhqCvkRaSpy9PB6VKzNxRhgNrfgoQm20kQrKwogNk5RGpEUPsrocO4G -hisW6XQaWFoPIbrxsBwsKLTsoJsFqTbhURMmxDKeJoKS8jIQkRYSmR25LDRYI6Q0wQ9Gkmuhg0Yr -i8JLhInY4YcrUs6AM21Anmpz3DecXhNcNIEAcnAGPK4VRMQmGHolOig6JjbB0LLLQYtzMROYRwQ2 -gQgoJPyH8tt4XKneaIOqU5iQy3UaBw2bwuNSSyFGWYCgSi/aI1IkuMw8QgUxiJao0zJJB11YxZZ8 -OUODUAEJFdtoSOMM8S8CyqUWAW4cNBjTYAr/dwu0DFRTHISSokLTq/LIGsNVeWQwVXmYdIoKFSqP -DD4WFhrjQsTgArP0ArMmHMIPnHiwJBMPlkZPpUgJ1Fp2lhy6VAq/zRyNEuMdJcYLGSXGCwuFsBAs -FH4j01qJ4FxQUykRnAvuCM4FUeJ4RyaI1xQsigSKJUNPoaZg0VqRQDFIoFi2c2sD1CCBYlFoCha9 -higWLfNM/IbWMQ+2eGCeid/QmNLQBtiiPbAFpaE9ubNmcmfNQCyPbWUsJtSHTu5IoEyYjDJhOC0U -h4NNIbLDppBl/VYtm/jWkBFCVO/1bVqGai3TmJKTAoLD/rBupmFg8Qh9W+gigB+PkCOUaYA5QjCP -9kLFUkUFYTEyEFaxA2+CFSR4kaI4js5mIVEQKHSGg4Lhaakp5YZiqtS9NM7D5t7WZqGeThsVWCgQ 
-cPEDhXJgExUkeA8KAo6nT2kYckUIcWJ0hI7Z3AnEZuEQ2S9RIwVx8bNxu5AHURC8zsrnX6buahlH -GYRWKImiX0gCCtIKJVGMIEoSxYIoI1HgAQMBxep9NEdq2Dx5a6Q2evNkeEGZengVxL65yh7yc10M -So1RJ/l905IV6dDdw4HRWjZBbdBT50DW5UDNgax70jKTCQIxTSYcFhiphYhRCxGDC8y6C6YIXrgZ -B02XcdCAGQcNBh+si540ekJPpYkH6wpMPFg3d9yAQPZSz9JZChVMWjaChWAhg64pWLQBaqApWDRF -waIfCRSLAepgbAoWbXBXkkV7YJ498RsxD/bAPBAD7HFwlEbDAFs82gPjxvDbOt/KyVrWsKwkybdh -EqfFaXFa4WYLFyIqOX0aCE3GQYM1KjlpFpOT1kBoJCctMyWn78xk8ukIZT6OUApmsAZNjwtFIOLm -C+pYqmW5qwjE0kkjbxQ0mlsyOPBEJwZGQtgb4QIVkTnYGqNz4mbxENllgwUScfHMQ54aURC0uFTn -ocDACDW6WagOp52mWvYQEfkGo2NKRCw1RU4NIOXjeCLLgadq2YMRwbmrjYMpFG6WTN8izgpptFky -I8/IyCx4OgyIXxlSBVWBSDUfzNoVjEobhoyWeVYDy3N4qTUSCjaR1mSHxMKTOROFJm/Eied2VBTU -lR4beYGBDlhXVHDh8gZSH/KAmtJWEyaDi5cJk8HTpqbCT4UwYfLkZMLkBzb1FBV+KQpDKClKa9nC -hEOcmqikU0h0VRFChWhmAAEAAABDEgAAGCAWjkjFgsFYD6QG8AMUAAN7WipEODosKpAIhLE4FIph -IAZiEEVxFEKIKWWUqaJxABBnxtfHzOuGtGyr8+s0kq1jJs/82QMlTZogJ/LkpKUzr0liwDRMkfv/ -vCT3t1ZiWu4RX0jr2Z6CBUvoTHarDgb52Wp50Yl34s5KI2ruidPfKWVy7VsTis0MBijy15OhdAzr -xqZaX6sWA+Pv3pSOi/ITxkFupEYzjtQj/ODAKoGJP3bu5FXzk46YYoAswI9w7LX1xAV6B0DjcSN1 -Qw5IFfc60hwNwcfFJ57BXMttAIvzzCPph4DPEUNQAz8KgjWiC9gA4mtSBAFVe5GOaZG6jiwx8GkI -XrZFs/1DBS6stN5LsJHXzHOsZO9Ty3JogOQ0Xls10KGYRz7eCu5ZB9wxpFpZHNVQixnaH/npEgBh -QxalIY7HG+JxepgDc0n96uMZi9WyEwcnwHvkusSlz8A8PtY2mvDaKYz5C8iPhH2ywtBq6hCyGyy/ -SpBMZ//3m/RNjREzQZwSRv4XF7eYIqpE4fA+Iskfl0SBwl/CghXHXYSXOQm7rYzj8g== - - - YIkZAa6Ex9o46gaedtP30ocKDDomvS6dZqsXfL15o3oBzPfmi2QOtv+IndvWCrxpVQHwKb0sEtY8 -0+sGT6sN+b1eLwFh/bb7zcRJVtmFDSEA6dNd+ILyPjbSyi7FJTAgJSBtMHAWRUK//FUYDPDX3i8g -D2HK03osbgJ5JNR4KgQVl7AH9f8xLoq6lOxR98SZz45dMki2euE46ONpJCNMDgfKLAgYH5k/h+3G -yF0G/n5ihsxPRc4y/TlZTQn8+il/U35PSfXVhlIZdXm6EMKUDt+PLsHd+PPtIjptCGm+0e1ivU4w -XuWpQ7YT++MxyV3l/wmiF0capM9NaKU2dC8B5Y5J1zFLFYZZcWWrINs/baLh0Mn8q74ku5jfUdrD -RTqin+T9qGZkZjk4ELhIsUAwxuewpmEXU5gvY8zHYk6jqH/t+RqJpb/rT3glmJAk5/AGbKyHR0KN -LT7FHA//oNPrIoWQdk3CsH27amy/heOxEsu1UtfkRPJGhsfv2DLsUxsQzvKuzGKl1CXm9N25Db+C 
-izcUHfbY+rzD3EvEDAzXjKnYckYwjLCb+gF1hMJ9Ys4IdrKlAMsbv1lKVDdlsHytklfnpmpY8r/I -JyVon6GtnnLH/PTJK7N/zzB3xo6lnDnvxYOJC/ieesmL36yC3BXued5l5h6JagqNDZ747hASPd1H -lEGU+1wKu+LJWkTsMoja9laj4snAk7J/H6kR8eS1OfEAr2PwXM25rprgIJ4qKz6ph4GgeIr0cS7e -WW7Et7cAdnbCgeJJHvGZ3ab0iHgyXGpuI5sNIp4gR+bGZw2XUTxZny8jRmvEWqqG3gMZ8+x5SLwq -5uaKrq0VipgESZSxwoksI21dF2DO1yZgurs7ndNy5f7hRHyXVzRzsFAUfKeRsbVLnojMfM17Hu3v -NEc5Fioz0F3pp1plc9lIuVd1KSDd0EJt9iWrRTTUq+BSgLlt4RG3iW3wHeN1ZGLbMREZU9SEsBf3 -AiAFsrROHZN4RcxadOR4dq3zg/LZ65tY/CX/MZrNOtV+od4i8lNL3mXF0kkUAZpztNg2T9XRNbtx -mqv1JG3pvs9zQSKYwI5DApycjQrGJlJNEqmO71P2wwt0dK/gZZ0OSkVDbBB2eMbk+5fRVPHqw7jP -wOpKWpvXxCEkKZGwaQ13nhLA6dbXK7m1hhs61HpPvy2EUo0mZbEaFJQA8EI6GM/LCJZKipeF/kTp -vCIQSuFLQPt6Qw6w3BkMpN8DOp9DOHJB6/ubikNlQwtfr4Y10SxBR0epCDYIWeaGMdfXufgCl4uL -r0UsHGWf4pJHWdQ0RK40hCndc0s2sdTMuo2nByt2hthSwVW2m+LPv0iyVPwdMvhRnOuPp+gCwRpP -eeA7Kxoap3awT0nk/001l30zY0ABtRSGIrfwzN7jKQbFozvWtwzPmnEwcP1DdssLbHYFILsphbz0 -eFLQhIXeaTwFOQivLMLn+4RVNp7eaj+M0dMt/Ou0h6gp8Z1syDHCnweZTFj/2AmAZ/PNp5b7VUih -KYROZrOGTE7vTzgQs4rc2oiAd796rQ3JtgdccNsLlm7yGlAGx5Sc+VpJghRG3R/JQCHGQpOV/HRu -MLcpDPwXs5gu8/YuyxhlFDEGa0irQOM+GtZ3O88DLsPpM89Yyk8oHEHXL2pMpOjQRxB7JLMoo70k -YtZpzR9N6lY0u3qHGOM3c57qbESs4N2TCCOsbM8fzBVCBny2Fgl2DTPqyi28aH8ewwT3Gm24aYYU -TldX0jUqjgtgzrFDKen/hBpHVkWvbbFzmbuFIA5loltzCZcdk79BcENQV4LvpKsQcpUo8x3Tb6e8 -8aF0iQ3rVYv7w0pdXJoCEs2Utyc4w3e9QU8E3g0DJV+Wsxet43+jQRbvQD0nkm93yLwXdWSCX48e -UUMt0hiVaEAnrc5juA/AXdJ02cz88vqWwhvmFaZqB55RBPmnBjeGWSuhuQNqZ+tYXvqW74WfI1MV -e57yP57upb/mXUl9C5Dpk/KUvJABpZ4OwISQlw3CtOiE5UWR04YbLTEpyc4Kf+aBU9ic5CcXAvBn -Qe4jCkgg0/PFJxYV/Bj9VYiPbRltwPYLtW09BKdBh5xcxoN+XeZ2CmPiacV1tmnrJDociCZO+xyT -dDp9q9yeacJ7xP4GjJ8mtx9Ht4YWamYMELSnOraWRbPdS+wmayUhm6r9195ji+MCJRdti+xPnkWD -7p7qDltVxko0tj5G3x+QEE19WDtb6HE9PFdiS9W2YWFws5RDp73Wp6iv0y5ITsUXa25pVYVtB44n -7aJYkNTymDWJHLggInMxWATuS8L9iDCOkRgexHovk1Dr+i3VFFul0jHQ/ot7JHH+lJP3nlRGAoQA -CDs1zbEb5btBUDsiXQEuMCLtaVjnSX0QorMMy9L3v6GCld9y0WSBf33cNWQMggc48zCoj6C8qY3F 
-46ZYOjsJnhqITgssqpb9WSRagOh3UbcZgokNVSudM4H6F+dTqmGSrbnpiE8RTt/+Y/N98WXeOtpC -/k9AbpKkEa88A1cDJ0L1L+IJWNo/mz3Tis3cdHUhApwFO4J/vcI2fWKKw6WBzNKI2p4xb4u93krA -6F+LybhKb5T6F3vBv2vCziWqvMeHf7FmSbZiZQCoMCL3qCz6V9DRL5bs/3cw1GEBIoRvs5uwvwqQ -VC5IjtfK/5SRhX9Vgax4Ye3H6d8uS0Nh+lHNq0RL6x7vrmFLtuJffUYoHdO/QqasJoR/gRQxEwwQ -RLXGMnaAf5nWnc8Xmr+NFpg3FJA7eCvSB/1btr72lJEyVvYk8O+NopSlx/9ySKerpQsQi3QMJuXI -4NJtToiJCDzVla2o5o2oJhWG4PpyW+mzNBKzZEmldo4iyOLGsYamd1nESm10ZjrnpK5kUbT4ZyD/ -30GzTmnOAldmdP2OI4FWVFEQQSc2DAPxe8UjAaLRhS4Z33EAQtuF5Negz8LGtKbiT01SWhSNEWhC -W6KwGGZxNvZJtXjGPhpjxX9FhWQ+c4u+uDiwkQ/xMVVJnyXWRrzKVDMNqPImaAsDQqb9ugJCw7dX -JQKZqnvsGDqpRbyk21JhcGT8pno8EEyTvZBYyZ1OtHMKx8lXkTKBY00W+sd8pOFdLjWXj9xaXump -bqY1IxzRmnz5m8L/JCK1hjOXGjFqDd1I4/kCjqODQraBbKhOFcJeimos9+uGwqrlurSP/iRY500a -eqFNS/7cpKNCrSrk2KWyDaSVnhtmOvSJU0TJGJFTblePcpagRqBxEgVfqEVkVjWA1YKyagLiu3gh -qjFMovSNc0ejbw0THJCs3BEP6TGovA0sED/H9D4Q0E0GSEWQbMv1fEt7tZBYQmB98P3ogJd3fsLA -mRQckvGAnQOpN8vyP3vkU1Op91KvINzFFCPU603isVfbQ7103PKskwbQfg8mPnN2DVjQUvpFPXLc -LGTpo9z/2jzUqy/dHTbIlU3oCfWGw6luyzGXkXrbkgVJdQPRpBs3AAoIqYmmh/elXoT35kHVoTNi -Bba0HypO4y4Ac4OB2mvccIq0JN0Y4lKQRqr6tsREAnUCgyV30r4QLdNc9Ukc7Igz1xR3RZiu5Uhz -4j0uhjDb9aJKsU67DKZBOpHKizacdXEkps/68BxLVmzgIr/IBhtFGwQvg/BQIoLGFoKu0qZC9d+Y -UaLwYOvCJeHLsJlU24mZXKXsZ0P52XUV47vF0IDYqUcpFc9d8VcXO9aBUK8VmCxvAICWBWZ9BH+0 -lPQXkbMcNRAfJy3NeNP+U3VjRog4jZRRzBropBSaZH1ADJziTFLhGUAa/xIiLiBNKWZTRbgbFcvI -VoiJMVvepshsgSuCL3HU5kSdLlT0omqvVJGkCtrCGLVSgGG7esiY5MtFrO8EUY/FHrT4fmnfDFgS -Y1Ai3H/U7h8KDCAo9wt47f8CKu6kVdaSIdAJJfiPvAQ0o9c3fZT2MYtC11VFYLl9t6n/6HWYzZzM -Ilr19vTSRi1A341snK/eDO0INqcKg68S0vPP1Vuo32GXUfUGqhHt+6QVuepF6CYqAIE8JlRVvX+E -tnXmpFkaAqc2NtmLFYO5sMKA8hfXExr47LVymY0DlQtgb9XrBeR615/I6+odbEfsA525RtX7vNmF -TVdvYBFZ+kG2ABNScKOjLal667i6be90aouXFTWUdwS/mch48jx/z0Bj6jSbcBbzWh0qyXvvdb5u -K2bVB6ayX+i2fYQ8KIAgunvY5Kh82pYFyZ241oQzHEf9bq5LdcDZdTnEvtfvDZ9dDXoYhrqZ8Bwz -eDu/Sb8o4kkIw7NjvD2nAT9BOpVASavIz0/CrBsGigDSWp8iVGw1utAl/K33+YggllEJSuvFYoRe 
-2rZJE92PRMrI0OVfS6TWWU90OKiCVN6KSlmkahlVwonbAtgF4OHL197Azs4DzB6lFpCkID+lLYnJ -IwZAEjCkpF5o4DRHQkHRW9F/CBJqEYYZRkF0lLh8DQSLGhg2QDLoXay9zu56wbdKx4fKCvZgWYID -ESgDwKlfhX1oCVbGppWaj9PoUzmG/uYGft3fTcBqRwxnUecM5Fn4vXDqLJ2blqPuHu7e+d2dOVbs -UM8c+l3+RwJEasqD0MBRjNL/okHQ8xbx+5ug3v/SFhcKEKxVlIS6KQRSypCi46Q+yvrxB353f1aj -Ns7SM/NA3137uvXe3MPdjHcNOOP+F8S97y4r/6Yv/iIrSTU/ToJ3l7Ec6Z62kwDHnjicYQ+yf+3i -8AmSpgFbSH8SCgbQR/Lu6d0dRLLNWRe/jd7dkX631AB9MeSqio89T313O5IFxQMmGJNpXbwbvUw/ -TdK1kX9UGO/SaFd1yvy0vbsJ0Ca/Y50ET0pRFCjCaampZpVGnZ+6s0TAM/k/U8bV3eP97xGlAjqO -GxhSv+NFCXGw/zhbnCtw/xhTOPiRTUBgprH3Ifa3Fc/FN1YR7WVWl47rQ4eZRfCtdUNbBvct751+ -LTtb0VoFp5wkT88x3AtSqSXU8DOvTBI9WZM7Yzw4H7QwBJ2P4/HMpb7l+++Q5T3rwNhN5UZziXaO -dAuu+42g+kpNRKJkmLlPBj3MUTe+yr0sEi1wP6RAVC2uS61Wnr0bQX9nja8yxPrQE7ZgLskbdPjD -/t2NIU6OcebMKl9MLCuFUdHaP0aZRp3qIdHrvm8ScJ91H23sDXQTBGMVCd1A7zwwwT+/rGFFl9Nb -roFOFORbkraZMRd0Bqgjh+GAHSxM2b7o51PG8WVkC/crKDLrmCyjXDaB4xsHz8/Ep0+WNo1vHKBw -E3ZvgY21H6usjbuB9QeUFq1yB5XXDYYq+Kw4T3293dWZmeV1gs3UhPvmcFUrsVmjAXmFlyueVTFz -awPkvbz3nv2uzeGA9GyCDg2Ck/LeJSnt4IWJMtVhgVW4rM3apOWtWhjYxbE/BzWg0OCKao/qeijJ -eOymgUhCjEH9TFTg72iI7iB78XX8FNFdXmcFaab4bZxOaOaNL3AHave22pJ474mT2g== - - - fmqg5A3CaqhAKWd6WBnUDux6g2k+TsUmhHSnEsOD3G2mvDligW+m53QFPRxYFJcjpElAVm6PLTYC -SZmz+ZtyjDZi9xNLW7T4VFPBoRGUM6ihvFVwG41lbmd5OJSph/zb/xbXXr7S4oGeSaRqy6H3l2HB -1xyxS4xQDdmgavvzRO7XcEUN/URH94fL+20WrPCyvBD6ejIqKsBkEu7eaK3JlpkeLj5T22uf0V7F -rRmY34quHo2h+MXX0asRhhldbmpadItSXWOYWUfXYkwKSk56dO99lQhHYd+8biq2z9F9dNIbj65Z -3wftqzhCBatpRmnuwBqQNj95dFX0MrFXdLESNoMXjN0DnuJXUjT5TuBwMG+5YWyQqUfbMjzJPW4d -HzAjKp4HVEImq4iYBy87ijGGieyxVEfEaIrfy9PvQ1GfHALF5OgNHCW7C27Q4WtSEzMuaCn5WPu9 -ImG++HZhSyB7X5vl99ZCxFJ7emYRKg5G8o5lp8MhxIvW3FfFcK6pRWyivKa6CyOPht/LXQQkDYUt -NOivsvfcrEE+rR6XjGdp3pNiakCuH9uXmX/FMCUs/3mP2mUupCQJNExp0PRwtVrdIiSsAomUHyTS -cillM32Gtspu6JBjDSgLhEjKJmDSW4y59z5s1d8ZAB5dsTDldzV9YnQwdHsQoqgj5NrfejM2Js0p -EReO/GtBZt5aq6F4lPt8XBJToLG0gsqUVevFEpbxODFmJH1KnURi60xHyjXbtKSbYi/MEPXKFEQq 
-WdyLRcM14ukoKE10Dg4ezhzRe/iDKjqREfWXj14Vba6ZrWSzQ4mQnokCViwckR9BCO6MZ+qJZb+a -VYOIIDNugWVwNx8pavBB616KnFh7Vtv8ZXY3NtPlPR2ndN0yTDfkglGzS1elS1XpnZsh3kn65sQ8 -FnJNKqUL96yYZbpVTXINeao5Sb7NdI+FKokWYW8wY1WtTPeyZsH0kXTwO57pBhe3vAa/aazBdK/d -s/YOAQexZf+UW3umW761DVttgv/8weyKK4/LI3QMcnmBoBtTc2/2aaAU1Pmxq/8pKuPlVAC7C3hl -rLk3s0cm15L8QA3fkQUTGbwyODss09Mk4hwqgweJ4r6ZgYSX7nLVDeX9CFU7sDWOpadbfJyyHUAW -ubkXqaV3aHaSmamMOn1yRl2uK72fl51iS2W4tpAgzNYv45ACW7kkZZbcrVyqeLoZS12GKlniFePX -9vpKop6ia6nOxq4auyJdiWoGTDmxl1a31VNsXMylgZtBL8ALonvPsqRYPMxNBsD8038UA+szAvn4 -jZSjixIMYGeXBaZ9gnHrmtcpVbIHL29fi0viuWVok9Q8EozuNq2fayB+gpJmJHg0kFsyEMBP2ZSj -w64Ua9KYmYnsA0oxR+CLC2YVzOp7Crq5BKWyiwKG/V0p04wVgfXPJPdVStLYs8Hs0+8xlUu2Q8fO -GHcNnUG4TX3g1Evwc6N2mXeKXBKiC13skRwF/UqKix6sScRyUtTgjpOnEKNuOnV7aXNlKN+GtFPF -G11aqVfxNkHsN6cEAvgPGbfqK8OaQC/mqNXTyAC+LuaTHbdXj+l3LH76X4wqzGnWyS4gc0wCqp8/ -FeJ1/iIrcnFO90D6MYoyHSqnon1863Ec14til64pcxn+FJv+C6dxKLHtfOZWCjEUVicFJBlWdm8K -SKc9vNSQAJ4rvyinicFK9eNyXU9GgXDDuyKmHzt5PwYBZDu45QaIkZNOl8VRBKE4IaoLfiSwEhdh -4nF9P/iue0RscBFoPxx/NGUK73Puyp7wrzUgHyIh/Wu0WRzWw/9/j3O4Es2n+ZYEvwUsPzOxXJN/ -W7mZ5n1Km870owj9oGZYADpwmkjKDbYm5p+l7HNKU+l3+ZxROlT4+bjKWOb8P9lL64NFqO9DWuIt -6Bu/jJlQAqo9i3N47/5b3ID6iqnJLZmNKk9U48jLTqXKqzEGQuJpF8i7QNEs010j4y+RuygVg5J4 -1/0GnkffjFlDvnoI2knpANVMZ1dIM8JE27vj1c2gIO8CzY7byj05R4PO4AP25qiNK8ZXsuC9B09g -aXBjaKnWOr3fLGCAi8/pZvIfV/mjMrZMK5FJci/XyLrdqfHtHGAQgfqqumfiLxELuYFkIcqR/xgw -iuO4AeBkvabbvL5+dcMhAOiI4kHqs7JBIJqQvsAZbQiw28tN8hatFSvV0L+ZFgB/Wy1RfMhyaOu2 -HHWxId2SWT3g3LrNqWMHY+98nLsosNtM4jyZMEn/y0Kj+0Sy8XzkW13zAghHZsoJgzMT7F5GDlM1 -6faa0tDrtggoRai7wNJjEGkJdhGrT55yiobez+Jtx2QFUqmYDK2fOKLC0wkYamJiu0D9sIr0UpSO -SGRBWDBQM+Y70BsoLBGgR1OjNJdEu1CqG0L1Su0D8zch/DdXKG6F5pRBx9Voo/FWqfylZQKbjiUg -fSzbMsKo6jVkkf2glqgtp91kheRpGWrVWeyL6hHStAogi5h3ntgryP787Kuv9UFdIZYDnFjR9t0Q -qllE8oJQIxRvYS/guh6mTB1SN6/Cr3de3sWfMteXiPqeJn7XQPhDQk0i6msR1MKbYxno2B5SikEz -oHKbiMX5Q2ix4Cmcj/wfcU5YlH2ATh4OOpLfecRHLGOwh6sJpwIyPoj8qAX5omnWF9gJy1hL+5YH 
-IsYVPqtNVpnsjodLk2XjcXzdWkTOMsoerrneFXg/vgrm9sPgaPzV96Xw8a/MLsenub5HZOfT/OFF -a98PULzNkTgpPiImIW9oafV+bqguPSoMNQjcXvZhgHEiZ5UxvJdwCxN23FAZCASbSOLBMqTwpkZd -9n/y/4BhBwSz1FqyS3yVL7QoT60g0qO/XEn8W/4NEPF1iuT1rijvlA3vqlqsED6uZtiEiZSBc+0v -PE844sNr5QAbLiS0ZJW/PKAW2hywnG4Zpw6rJpAYqX9NmRZemqv5T0eRBvCq+Wj/A5GAANV82RJe -MQNVgwCG6+aLruYLh0dwAsrijcmKc24bmk3SZusXggg0dwXI4lIkWc376Ev+wnYXJ5LIBrz7PnrN -4coczy0qtZxAqpsqlABGorbcMuJkNH/uyQbuiyU/J5iscSNZ4+qm5l+xErYw6YD9VpR9g4pEPnFy -qNbYMbxPcoKFAUmSUXjUbPIDJTuTqVl5F9+8cZP+qXrGLU2du88xKvq7rM7HK+ZY1wBzZa4cZ3I1 -rlxkrrQQL8Z5d5O3WMav8SYVFbI9U6CW7A3Ny+G7270D4W7AdnwDTz1/ezhD9DV2k4Fts4C7OVRP -oh6OcezqalxFheP8mTV1Fe3NhQAPb4X1kxW1gvb9CUkCCU+W1wIXNrOUyrpnzByP1xFT+K0YDh1W -YduFP0F+fnmm4EqlBqsHAnTK2zDFZSxZ4XrmLyVJ+FbmmAZZ3pKdpjQpCY0KRmudprINhNgJqM0K -0fmBDb/Uqu9+FlL52I78YMyAcMZhP1K43zjiBFcft6iovLxP/6MUB5nhWmuuH3IQLqMPBmde+ntC -dFpW+TBJP2hpRPy7/BXu4lHhp/OUNzr5JhLQllXuE+gTx3h7ZX6po3Wcm8p2lfzmc6mzSPJMdvJM -waTUzPwTZYBalXVAPnUBK5v/gVJYtEhmFb28ZwPo5VvxE8x8J/AlYx1LWwMdvt6cJZRjdfS8qYsI -aKHSacHCwbO+W4MA246vkgg4vzzZMrKeLSJAuV22u3Y3hYxjlSvQBGiqxr7m4dc9iKy4gxCCfX75 -6WEHyXyFOEkYg48hGRswjQsJm2sTU3w3HBRxVzAwyyN2Y3qDzR9WxooLGvo3ettf9kuHn2GyBF5w -QMUxsosW3Zi36zLolmrwfSaYOISweXsuc6aap5ghJvjwwzlDZg/tTV3wXVmOISxjMgMX2ZgszyDb -OSijXmZHkDvfCy0ONjdqskB4kpV0iwnIYEHUFS2oDBEXQ+V53SEGD2nIalpMNHrHbYdWA63ZVMbI -vFrBpwvYkwrW5j6Vl0aXE4a3m5MyzsAGamsJ7S6yM8ObjFqMTPeTidyZC5VekkCmB3Z+uVChzmA7 -wlgnhqJjbZqyamkfggrNTKhjfFulFHNTr2EgHZScUseLHHRcjXV4/TkQ+KVADTWCzxa4nrHaOG3x -iVxJdpZ+GDBuyTlUljdrzoY/x4lRVkJj1+emA06Lxgx+0MGHv71dCTBL2alXX4kLMso0xNAMxlW4 -Qf3Z/c7SVc1L+A7db+lhe2Err3dnOEE9zbT3lMZR6PhnWak8n+XgyRz8IYYQiRrpqi9L/FUMFRxk -oGI9NuWZNM5MmwIewAuQoMZtkm70s0zhMAq2Qc5o8hRcZi/fry5jHSK3luECL8l8pVzskl9dRg86 -knmScWfKTspCEPmzVRKi+3NHyJsDkt6v/t1rivyQOOB6E+IwfT4oZjPkEr/AJDuopU/kLk5nj0Og -J4pdWDg535KcPYxnZgNdCszKyUMMKT0BnrdDQARzgpXaUZwONukOVw6AMTreM6SXZzVRDBsqtjm8 -4/aV1zV0kycIKZjIGAh5hrekVsQuab6STQnPIm4MtotFkin5vQelEcFlCO2UNhkfAiWI1pmzhpuH 
-D2rdTCwH6wQaXAwwK2b+MiSoMeQlzgqSHFUOP5LKKC7JTBpZ0GBCPslLgjKfltCgggDfiNWn037A -9i06tZRIZUzKHt7Dm9ad+bYhv8Tk0nrb162eertGBgERGb2L/fpQ8ajtw018qzryUisVZUdpk532 -v+bOcxTikj3GncnQdk+NOCLmeXv+Hyt+oNNEODHq380H+SPJXPwBrPcT9YLit+pZZD20TWosVjtL -ZKDFNuj3i/QQbRv3W4fpPL7Qka4aJvLN8daODKkTDJ8RBp4xFj6GgSCWUKDULKyj/Ag05SRti0fs -qTstNRDpZmx5CI82XEeNmod60EOnu9h4hK9mtHMO+kTtQIKLGhEDXUUUDoFmvFKzmw3JmlhD14wf -hUviJxcTbjJCwFiICGA6HVf+awOhBY+GiMX/d+jCR64Idd9XFwKxPgRwpIYfBhdvokRUhtRmcuE2 -AVsutCVhrkhX1nEB/JOJNYTUVik662mWSV4BPGvlYSjwjdjOZrTZaHv5IEfhfaEnhmDwC/0YBU1S -iIChrprLXNCk4YfsUAwCXHJkWTzzHp0B0KMyRxq2A8NeEURCPBKqf5ACOfGQLPTniM9jCpRWZA+6 -WYClTV1ubyUAzbS3OH2U7OQ1nsOX0KOTSSKP9qE4mNYq3erZoehbkHEGAQySbdvCH4K0cB2Jt1Il -8ol2JvyD1NVVt41o10NI05XZB04VkBCfM9NaC+5Tc6/Znp22Xqt09E7Syoe76ZhrrMZku9Rm1Wuu -TqAilX0NrCFmtX7ZOMxGinugcMv+gCo0k9sPNk77eG/ryTje2+asU/8Y1rY8vQhGPDk03rEmx+A2 -hhPLmZuWNbdhnb+QcJYfFhCcQwr5JvVAdvSd5PU56MXauJWKVyq4Q4RElNBxLY2Cyg== - - - 9MwweE+bpvhOlgye160AKBSE4JVpzWUNI/g6pwLaRmu41ooGUg/GGoUbufuWFT9wp5FOSezp43VQ -pgboYlmIUvbMSOZ9b6xBSsdpc3IS4VNJEEPZdJCacKDN/qit5OGsVP0vb+6qI1AhWfAAYXB7fBet -Z/mc4DycZvgtOu93VrLMKLrH0jU22hv61QmE6X/NmxbVs7bP982d+d5Qnkofv58j0CfUpq070iRs -nhf1UwAKS6/TXECpkq0VC6AIx7/xW43Ew+xSussjXH1ILRVElXDATF5lYPleA92o4aZXceuf40d0 -m3QmC9+XnIGCQjPxTVTlA+F001tcq+/ec6Rcofo3iQs97rJeX0ok/JDEBK5cJQn4hijgfy9zkBbT -ZxH+lyOI/62GhHEFVSziSaMRHS+zM5TUSBZ4Akt6DTL5C60WOsVFRNMRGj244sr3ieOzdMXkli62 -8heeF669wnpU5rR6OqBZn9vvOiq2a4naLeSlMpLkIhTGst89u05C17Ln2/Zxkc7JhPYu8KOf41ih -7Mkf+6Buk0y7c1p9nesddF9+YhJzefhPnsoo6Qt/HFNNps26VutInJJ++okmz2R/Il89tpIo4CKD -sxJIrEjiql5CEgojdVqgNwwWaMj897Ghj16dREIqQjbVg2rSPVS/eFfQawqEQzjQL+aICVDfbjbW -BG4kWCG1pwl8i/TUcgV6LpaPFmkfBahpsl+TDRMJTQbyV4xXCvKG4vQsfRuBSU00G0uHpNzCOZWL -/2pd7j5X+XXgPRQF1WEKIFjSv7FI9ALok1TVtd3YfRO1nfvVTJvT0ZovssIF2AenqGLYh6QayABX -yxFa0GAXT3UQt6vcwrbAPEoNOeFBTCL26x3L4NMVDeiNUp3Ydp2qMFIEgEgc/YUrO79Ifl820A9m -1MOIXh2HP+MXH9YN2xmVwo3Zm3tqGTwwYM/AEOd7QMCSE/IXF5wNy5S7xfPMlbH3bi22bsKHg9jk 
-x+KJhJVIwm16eMAc2eFDST1oPV2vksNTfIgFqifZ84Ch+7VSCNFD5Y/F30Gi8MjF43+D6pJKifwM -ySIgvoN/iRgMfzJ8q00RxQyiaVUJhHdpRgnaUH1Z88VSPDPLAZSACdotbqQwCA3VSGouDovmABPv -wP/dNKBJBRdK/TOzIhA/ZktBeeE/vKvxYrCE5S39jPUVD9EDj4ae2+pP34500L5XklOA1gfIrUOH -EcG+qZ62W6wFES5TdmP7u/Uss51uutjuBRz2lj8oGGb4QJmoktpptoAYhi8tVaF+VaZ8icI6UKaK -pgwHgTLKou3O4G+S8QDjuTHAGfbJuPPIKqv+UScKnpDkGpic4XnIyOrvS1q7+82qeA2fPxPqO+BE -NQbHLkPOd+JgAJNWMGQr7odzOYrj4K+cWN02iKdZpSmZjiZyxUOjP6fAmKxuLENlWTlbfHsRDfE9 -qvEvUQLW8Hb/IP3U5sJSKaX8j5rvBy3CCAuZv40F5cpapC0zZ7fLSG8oWGYK+bYfXx1r9ZKqfs1d -3ndWD8TfAeDnbYtnhRqNOxgQh0k1N6gm+FFwgYymcsbtKJcpyJeAjPuPh42ZFwD71xjr5RWa3Ufk -ILg4W8aoaG8FwSVB5nS8JsXaMzD/yk54C3HPLR83T+2cGaOgX+rjao3MfUIyiF19rMjltK5aHpJj -L+2SoSA9YXOkTlSfZVmQwOX4ncZbdrMhzUYzMHovWsajBOIgaE2oVCSzZWiZGarE24q8NkL3n62Q -BPZbgCOKEwXYwWmKlwmV7Io16AQYaAgYYYHNFvZFVdrzlgHYAG8AgJN/heB+9FUM/akODC4JL9fm -NrCZj3FZN2ZfNwtRc2F4JNlgntCTSaChlqJp+hOBKFnzXi9LdTnhIrMDLQUr8uo8BjAbmy24Bkja -21mL6IPm827tpYqLTFXhn6hJl2eN8AtiyDUpFV98GOap2rHTOz7Sq1P0yNjQo4q5n1/kOWHC4AFw -Do8AB2MYxIvmuXuYzmDXMy7ROokhRyRpwJ92OPsQvsDhgT6Cl6TgBWBLSDp0vC7Ne9OVL4qwNxDc -szcNm7c4f2au2oYNrh2OFBBCP6ChiLjCMox7B0DxYCZ4nCYVU5OSTdlmuX0ILOcgndwMUNtr5Xkv -oC6xQF8WyUbRkGgXe/ZK5QiS4W/oKQNbkCJPRmeW9bIYRWAI6M46xi9l1hER6Qah+x3Z1pYYuQv8 -3MCjAc0VYhgpQtjg6E7aaZXYD5HxwsmBYEwbZWXTy6sOvhX8OBvV70t9aZbIlFIJfljkp+4KWVkY -qDpGXPk6PlHxvHLfJkC7WIAvp8TXEWIyoCxnTVmhr63XYjifhHdZLNiBWVrYbr5reDItfulXClSH -tM4KPRrygmn92woE25Aw2XLZawbT4GwdcWpiDs4SUn9kV7UnwKGVRL07pywhr6EKhWs3SVJsHfkQ -ccTHIzu0MjN/DGOHvATSwfmTQiQqgsDzDZ4K2hnWKZikaw+Ga8pYIvTYqCef41fgACRcv651kfZv -7zv/xxtYmBCUU3cMFAjZ1gvWzJ9s2mKUTjajwshp3SwzDgc4ebnkuupy5QHnJX6kLQDkWp6oNEu3 -0CiAXHT4QUXRVUFSxdV0mPv0e4fkCxtDwSGnY534c1DCMUdM9onPKCvuY3TTb6AJwjYSR5yfBe2U -AtlUG+ffZ0OmlgaJdF2EUY2R5FlVs2KV4a1i3oBuBwDHspcgVTeWuWy4g2fZFM65nZC0aMF9D/Be -XlKKVHG93JUADgsOyOAMtJ6/3HBxdjC8V21Peytt4LKR4aswNVx8r0ZdckN8OI61Kkw4OKgjxQKk -i5H5VYXogn+DebhC4ppDxWjtqZHBEtLjWCGyDSu3ra7lDabWNQAEL0aDz3QuMRWEepJ4/jbbWS5S 
-D1U7GAaBI6HSBGLro02vRvO49Zuh6Dmft2np2xQEK2doscK50SVm+I6j3CoBO3xnIubPmB/Jt2E5 -XquFlQGxiKBYSKZpdKL8LSeg17p29EXPFQoxBDIRPyHyK10f+aeHYqz90snv0AgGj6i8ONqnp4zB -vnTpEZws1fN/NgCTjpPGLntV4DIknApc0Wwywqiw75eLRoqjgRk397tROML7K186kdw6L94ecgrP -nKBCBZETFLy9W3CURfXynO/xwcfT7GBOoan7HQHJ3CCzCH864dSNV/ZjqRsB6gSw+DZegeRa/w2g -217/PoHcYIDrZ1TD678aBDB8YcVZwo46n2zdZaNOXcQL6H5JcdASyj5daCuYJwFZXBjsi+yA/U+J -t6g4RlVNHNVSNIdVXNbWQY6yQjBJ0Y/iWqL8mTE0k9C7MBprtHSRZo12oR/YDYC+XxxAef4gE4Hb -piWxreM6CEWbmHE6wKyix1EVgY30x+GvcKqRhHrG9S45/2T0klwa29LeBq87EQT0gn83Uu/i6AEN -VlFeJOwG4E1Mxp9sbI+fMNaOq49RyblbkEmhfoC5+BBTdDfIygOKrrX+SNGE1o8ckER6Px4yV5Iy -F11uF9zSGnuSSEUsjoQKgJESsdczRf3mxwMtpLB75ONAicfxGF4HLQ2HEnZe0dWwao5MEMb4N2s1 -pnD4Tdzgv1H1lZWZeoX+0Anzxte7UUazRkGSJQfF1Sr6Oi7TvZcdhFmDxRLFnyvBzHumeyrhUptX -iG3N/4nUTiWhMVzBuPsDU2r+mbJVd0wyma5OTZQH9ZmqYb9tNpupZovdW9p7jOvlLX6Y5AC62z7G -9KQMPFV9BWFk/EY1/Dk2/Zrp64ILife5B57VVoDamCFuYrf6kpaJLQHn49Ccx27m6UwGthTUDWws -Peo/zS64EZ6WZf8D7GzomuNrB8O3+SUjeL3uJ7A+BpjTY4di38ZFQgDRogE+PPL9Y2cACOLWJdLu -agktIEFb7AiVQeILJVINPfJbBUEoEx6xEk8pInAI0kuG58ZYncc16JDWUyFLlk3/QgQ5Mb5RNKL7 -u8k2avLL+xuSCfGKmTsKJo3OBq/eTmnYGx50/ihUlXcqXKgJpGe4NEgL4gLKj2sbXYjJynH+ilLM -i1w9mYJ+ncxnDQ1gxu+QRWnB0MPS8Ag7MKFbKAPqk1zRDENVUXQk4Em8oblY88Nb9YQSzB4jJds4 -085NUrP64g0mQq/PqUBI4IMDYbjKLnEdhPH0GaFiVkauwjS4DMaZ7cyDNZNRwX2Ne9YKK5yxRd+n -P32pR2G+gAYq2PiH4TMQu4dBybjAHuleOrFMPt8ZlJRRaSqS2XBYvOUJ5nDIHlhF9Hp53s2qer+p -NGFDhGsmfJJofbim2QmMWfWhK47PO33sTziVM7XMtn3lBTW6Nzt4c4dUDP/Qzp3cXewMwSHTck5X -c4ml4OixpCDD9Cja2ZC4yA7bOJsNSKrAsISMyuC3fe7Y40LeqFxCKSPGTQ+aYKgM0UoYATA7MgkL -agIVBqHTjfVpO6cDYa48OfOVVRJ6FjnBcxifOoDQNEUuei1hgNdr4WJd9jRedDyyQWnOoC4sbR3l -hOtW3GTtxBgZOzz/pQ6RQ+TWaa6sBXqG+YNhtWaUdxf26EP2cwYtvIlSLbPrzMxqRqqpRFkwhoSn -W6ox8rRrE/z450zV+8kK0Mq5qdxBgvwrBHCr2V3kL6S6cMS3FswRejnmPUNI797PPyqPZRJOo+hK -Q4qhyUlgxJZEFn3J+jpXgjHmJAcRsI8GyAOe++4QxLOKQDtNEgRWTEpkF0OhWui3qbNmb0rauz4O -68fVG3fM9OIDOuds8zgXioRixSSCbS3YlsOlB6gWrsSWMrUIwmKyarVRaKHuo6B4GvKOME8t97vR 
-Ieg2xUEvTeGIBV4qRNlkRvp0G5jvXxl8/+T6jbt9u7gdvjhlBq/454fKYVIlrvPQPmneY3YRNuH0 -E/SR6g1mrmqh67mMtQPbkB5309LfDaZs3adGMzGXY2ewTeKSnh9eGicHs6G0OnOgsY8qKPU3bjOI -6GBb5OhEkyiaiNmdwQWkuQsOA/pwWJ9VufViP20PomkYqRQ5LjRHVtTmKGqp7gr2D4IITHQpAx65 -fDZJOHdN6oVcOBaXvH/qrVLj3ZKztfOUmtRfA5/LhIBTxXH7yh2+K5mW0Onofc2RMMymkEPYYbJK -qcPNXtNmMw7jy3MyKdwnGtrqeiGc2yPfIMDEWRCXWeKAQ8dZtobKJZA8/GELVBcDoQQh1EvyTidD -wD79PTec6z/8f5vrbD0IDJ+RdkJx+f7JO/Q2XtT6n9amaVdJtHpY0v5yad+502rSBSAn2DRw9Uas -h5wMuCHbaJgk+C5CHDGej0ucDPSuNiDOBSpWEN//WqRp0KqLSGiQ9e1oAyXGe1MrDZm6Jxtnnp5R -VJ+zsEgnln/KKkuyEREiLXzMDKNXzZb60l5pP96QZCtLsiJaojf2uz3E7A1ca593AurQ02ZvbQhh -0rdBCaU5Baqwjl9yDdscSRuim47caCWoWf7dPeiDUkm60/M+cgjdZq2MNIbokRVsaA== - - - AIg/YSit0Z0IViQIxpxO4PTiswG6wxbKSV4dGhz0D95law2uAA/NgIhv4lL2siarE0O0SQAyuMcc -HnU+fVUgnGfg5maSigT2oxEHUnVM4LiLNkzEEoxGL6bVGaPntplhGfmG6JnYFbeh1go0CuSyVE4J -eggr7m+N/M79MBwDbVRZ1n6QBkLNvTnFwmPW4GSM/hkPwkqw7cCEu6TmF20O6DYxXYRrvC3iLu0s -nJMmiHHVKIWQFNqCP3RjEnAoiRv23Jx9dLs+ovdDM2qkRYtKVZBDAglLM/ij/VgGYeLcIPM21UDw -NR0pq9gbji/mzTi7Pw5mWAz13g1g/ujfnYdz4pBaB3UmwpZ+Baktu3zAzLmZUUg32WaDvHEVhwXO -5SgviWwQhcCRw8TgSRygMKwqLJB24NkQGjbORZcmFuU0BvEC0hIv1MvB1HnVrN3jKVJjph2yThQ5 -CwJEAK4Dl3PK3LXrwAnTyUY2rztj0z/DSNBKfqU9aoVF9uGOQB4m9Cld6mckqkRR6EtC7bW/NpEI -zgkJs3W2MIUmcrNr+PwE9eyVyWQycoNtgARYFGj7jEN8xo0cTd8/TQAtBgQQsJPBoFDCmyTECov7 -kZpgJgdVQURCc9gtpy1UJ6VRNVmr2PBT8JSwB4KDfPtLqvE39bGCzyNckXKChXTtbahVGTzLhlBa -u8qQQ9N+1GXchs7snDUN0aA9DUx18jCiB1OhY8GhZ7bbLUkBXNEGV9MnpywYSigxpQ/tAMSuzoHm -ofh0ICociRxPBOe5QnyUu4eCKGB8vp9ondMtw6sjWZj6fEY3K5eciJQKcYeyTAEoKoUIo6tbMa1r -Igsihng8u9DENmeoharphdSC6bUuZCfLOBCjpEBmwujioJmCaB/zas+dtwGwJC0tnLO/qTPtZLkK -JFmKV322KfQ0Wbx+5C94AhJM6l8onXF8nDtRpowaaGz4GW8ZRoPGEkXzpk4/vAAxg6FPaWM1HIbd -QAYmK7yHRsVIWeDplCfNyt7pfePtiESrcE6MXWyQNtzH71CKMQxuHsufUyAJG26kX1uPA5joIfzE -0xjU+gSA5OP6x4dGFJzQkYCzOtgVgo6dkBWL2RoLawEzhDzbC9pOyXm5LwlGJxNt3eQgAXP5O95h -H934//f5sM4gtEUO+9a4Udd/OYV1KqcLx1Ctic3WDCoaYviIvwpA7ArGcB3LmDtmG9194GMjx/bK 
-6WLoVpgMBZGBkZmqfJRpWssev23E+Wo9T1ZOzudTvuFxSVCl7+GkgywdYvDUtrcjLWb1o0zntSaD -1M2bPviSYaZJ50ng8LsMi59MscgG8nK56pEArxd5lp1XGiTMXjohbIy1o6wWi5GIx/6NzqTZ9COa -IVwc86hIgi22iEClJzrza1YIIDH4udOmsykCxlQvVWhS+0D7RHck8gmSlGEgEzNYpNVEowB+74/u -D+ka54tJ0tfeQiulndl/AbTUESoWpLI3SC2pjWgnbz+5nAPt+7Ne4mez2qSNqIkRraYE3uvYHXVU -49XLueqhx+p7wiL00UfLwTOUcB0QM2eymFiLzpFcAkQ62lrNZsfsvouQzBJmtYDTMrimeEKD884C -OjJ+kUqCRoZwvfYyhHFap+CjNslTAUwqiZ1m0GC+E2mBrRlfWm3IN1ez4Cd7TrtlPJQumR3EuCeq -Fa55NrRwT64ZyV2NlHlJNXdscuNSPbtPuCWCgKDfIjlCqiG05Meo+fUNPidLAiWaeR889Q3m+z4X -eYtCoXkRuJbMdmKs2za2kY6eEFptyev3OE91oC4vjlVZZ4DQqnwu+GJVbIaVXBrsugKuEndeWZQg -UaJd+AvUtFXlKS7wek1G7nSTcHgX5xRGLj7VpY35orCg65B0FWPb5ghWnqlrJda2choJtfFKl/Re -4X1GKKmXb6vsX9IPF/tVhRjjLjP9ehe6RUjMB2vquRxaLx9ikvisw88dCp15AsfYNgh7FMaimDRD -0Q/Poyj1rLViQIkTgebQsFCasT1uCFBPEBTkoAje5JESzV4JBMswQ2iFZyUsRM3+DztDXZuu6C6q -GJ91IokQtVGvznK7S8z5h6QaxFoaDnz3+0S2hb/Bvpos2kz1ximkl351A2jkYlAFCFGr7Ea+HU3e -pvMKUfIf8obYjdVFbdpquxTs90Jx8o+p+EoOAOH828bamYx/cfHz+VU5rhI+oNjCyf/dTSvzl7sM -5B/Dr/0mxws+AafnAV9C7WuVOR5j0o8pnXJIcEjH/B1j4+mFh+NaPQca1wQoLbo7nwJqRgqN8b/1 -JHEln53rboY6deGUIHoUKMRPK9aziZxrbW9NwaQdD4665VcpFklRrnEe7me1gecG97fnhi4/8T+9 -ItsRuJMK8zxsv0NJ1wbKO9MjZoOKuWUta3vH4cMSDIxDaSlOEuiZ3J2noYjeoojzS46XmWE2W9Vq -Yh55TbofgxcaHNoFVStQwpaGVCJGoTTwRBDRcAbRycX20uAyVKxPC0uZ3evwb+zd6nEgrQP4KcGF -E+zqYSiBxPEhbZ9D73QY16+jXINhJsbMXItsOo4d9fPZj0pP09Ue7FChPal4ECVEZQddYz+kKUCD -A6PFKeg9qHAOWgYD7MsGfIAfYjtKIFgMKbRinN0VRna2efAJN55vYSGeV6xdb4x4yDbp1ekVswV7 -fITY/uf0cane9AtubEvsqJhJTW+/Fa3e+CJhb5SfRAY6iBXOQYr4ZEjaoxJBYJ0h3xIW6c0L4YD9 -xhaE4sJCrtBfJgnPT5HH8ETBkneBZ3PYU72oFuJUHeYCMVnkpdBDUU2WovK/awi+h0tEwsNhLQ8I -3lcCJrNmJppsIb3n6WdGbInlj2CY4FCUNgxJoZCCdw2f5Kaj4pl6SXVmPTvMdQbBrXaYTTcN7s2c -Wf02sOXtAuoEsspizx45kJWaGamXcfBqyNnWVKKejqJ6kgop/RH6QAMCm32DkHucGyNWwpvjU8xe -RdRcDxbyM4aiBbcevdaeZLemTeb/yoVc7N+3QKjl7VYESAVg1Qb+cqa0+70bT6I3oLnSOh5sgBHX -wwee8S1vGumZsypXaItbeXdO1QN0LnwwPScg5qzkMM+ef6p3CNPC8f1UsvfiVrsXRBPRp0SJ4p0J 
-dYq2e/zRw0spo+UOCxd3BX37gwqRHYUZ+bCgi/S9NMgQq78zDT6jJVVY7WvAEq4wLGyPrpNYAXJI -qHFYkvo/J/K7d2nl5fVss8pYtRBVJn6QzHgvUDVVE655CtVjWVaV0DrHjbQzOyVAGfa4zoenVHZJ -vd4D3zPsqXgWakmHRRMtd2xnzWi8cs84mIDWnXpn7HnR2asllQX4D/Idoy6tnk6OOgVUTAQuILMr -zpoppQhpegCwnkkLQcMYSLjWp6rUn7kgLGWJ3qwWGrjxBRY/yMvJjrDDS16K1JoCOw00PDl+QTrN -aIKJYHnGV/0BEyagE2ZnEovEKpzqo1m+g2zgFwffdwqJzHloqEBB2UcHnu5BglmtwopyCJS445qf -97TWetuaAgCaAR/WMqEzfQhsHS6EA+DmiF9O5WfTxQJXQwkFgf56GK8vv30cd9n05rzJwd2Ue63M -XIv5iTKGCFR6/hHoQH0fiVMKinbz7Qm/M/n5d4mBGKhmV0d7nmgM+t+HBBJ2sw9o8kohAuX+faF7 -+kufS2/ssQJriWBQV1EfHgiQdTLP3MbRJRDeD314PVX34vAgh9lxoWL2XfEgj2Eu2g6aEO2QD4vp -RqtectAxZwcgBINBrJ3IjTHFhozNjDWrxp9dxS8D8wnYcnCjteHOvcoNaLApvecrZZBmDhkUfcBm -cPST99uC6ItwZy2zF+SclJaKKKX62YGyYodN514ijspyzALq8T467DByjYbn4VT7FWBLWbgS6aj/ -4k+p7YKlFn71+oKnik5JJ9banpzjUPbHYEdtAbs/KpHknPKZse5ih8vjwj71f+niUBefCVmvTASf -Gr2XrO5jPxKPezwlRfjZPiW5jE9rNZ4gQuOtDZNg5rRirlPBSOjc02fWLXfg9VMf+dqIDOpP9eUY -Vp5U9rGArE7YOoU36Qxi/n7+z76BgkxtaHr1nkfglgzF/0XORZemsSgBvJHlPHTaA2WJW3PGMm7U -WsWTiy8VeY+NtpnJO6wr0K9SZGdz34hEkibh2gq8GTeiDz7BiXBeTEBld9hNmXYjHoMgpD4Dgl2G -tzR7JWQiTWUUnSroI6s0zYtF1cjo+ToiSfyU4C4+9YrY9Ybjk0jGQMsUrtc6hhS7g2RtxHCuv5I9 -NyraxOACejaj1oyclBBM+DzoFileIEQ8ZY9gCEDwQkgLljb8pesQhgazeuAz9JOkHXA0VFmwgKZZ -0GRBPONfFzC4eKYvV33OYckJ57ZEjXYZDQgx4JIB2Fzm98jRbul6AdrqUl41iSAdTTmcXHORYnTQ -E8JKJLYwrl1pjLiaZVx0RJ1xdwoHLZhMcJvGPqxdmWS6c8dnyDwHMQzIlQIjMHpgkt3JTB74Jtgw -vhNniO0Sy2CeGBXZwW2dZmm42IhTcnQ9m8zJQ0ocTcpwA4rfeSQjfmD1j8UkqXT6/GTrwOhgux3m -Ue0Rg0dYYCgtvcNAIEbVQO94Z4sUpSYtj6KfHbCwbWlp/DSvacQa0wSAQaxj1VTGnjop+Hqr8v9j -VSiyjQwumlUYsLSyFq8WE7BJpNmg6KM0R7IXhWLAWxRftIiRO4SJlk9fml2mnv4IpIYs/VRo70E/ -gTMtEuv6sgMPmT5kHQhSQYmfJkOEnoM25cN4FnV5x4pS7gr9vwg+iar40A9HXoPYWDItThQCMC1Z -bjQtz0dtau3W3tGLcCHQQuJOrCE3iHYJ7GFcT+hlC8tMm9Ofo7iJyAAwXQ5HypFjDVHC5OaMOnGI -6pCWEzuYEsdO7/kpJMay2WucQrJaFGnk4aW4/xE71pHMKG5hLCOuAEAMTfpfQ10RzULOQeIjIPhv -Sud830HjK8WisQg9VUx8+AjRGhRiSZ3wYySE2Im4+UCaCY/GSQcFFk37BoAdp2rZrKH8xhn5YbSw 
-1560Rv8afRtFKMUlOTxW9MsqzmNZS/e0AntaMcv+FXn5sz4a5q+XtvS7I7USSWkgVcX9wMcUOqjS -U0AWz/lW3YS77ZFWS7W1gCTVHiZnjuACQ/cpwvpypEkFxnDmDSnmYyHcKdL1bZ1oifKUu4peVEkc -dGpdoEo6/LkiQXIl0fHwux6fdc41wj+79ySwZv67aTIhCIwsnUGYYLo6IoaGYLnlbVNFqbmJT46C -/eYrCDYLsHZ6rQbE9WJo1oeQACLxl4Bcqv5Gfv/Ilwtp8fYrtDfEBIl10CYYy1Dq3R1tMv6463ZP -HCIVtjZAKoA78IRVbgoC29KN2xq4Z/ACONw6P4u72vk2xZPnQl+x/ZHO2Q92QR89Oa8sEGjx0AqL -dsFIFFFDEtYzFktR/7OLBKT0cFtJjOQMiX7s/d1L0qusAayv9ckjojBD42H3YCnKpw== - - - Sdc1Z6pxZbplV0U0ksSmjZFkZj6w5kctGPcVEqLIz4vgKt8++Xb4UEfPkS4S8w8KgnxiKhr75lz6 -hNrTZocT5oPY+vB4HQww+PxfD0ZeIMd05jx+P/8cfL/AtsdBUYkCVwPIIakZu3wzJqfD9QPoUNV9 -omSqP96nlRumpj3bfsazEwUAJIzmjItiMocGGSGcnhtOzQMsrSKjM1AxE8qvicJ+gpPvIwXYYcF3 -rUUvMITgMs0HYkixDs12HUYReHgGCgRn8cgKjey65TXExksKCKo0sDGdlPmzYnZHCujPvVtBbBWx -WhjVkz7YnDTjiXNvnuU6H7yuI78I4WR0JiwHC4p+BdW4BdDzd2nl7P7CSKqjeafDtqbvNQ3pOCqF -ZAnoQnPk21JqHPYSy5pJbGTChUiuz68b6epL/hU2SE5NmIhxDqAsCA6VF9zcA28yt2J4QNMtx6ag -dz861UWlvyfAcwqbF+frK83o/YsoOrd0Z5xV7OtYF7OIOPmsa6VmIX744+z9xj5A4ku1vLazv+cP -Ivcib/pRop3FrZRmovWfZx0VupTmJGzgeYpP4IoyHxbmcDkRniBxtgAh3moEfGNBqXwFQ13INAvJ -o7wreisg4g2SsrdWW+9UwTvEHLHIg9mgPcL78DXOVR2Sx29XJ+SKzkeKw/TjY/j/rCR2P/RMrxmE -XPFrfqnzAjqDkv4DbW8qth/QEyWd6W7RbIJMGKR1gd4tRfz/CvsJF5r+RWs8aQuNuGjir0QHb78T -Egc0Jwn1Npofb3SXXBVZOi4hVOmD/5bvjqUjwxhHBAeqVsayoBECfe6QGH4lGQulUu/V5DgUk3xM -2KvMt4nfEiSFgmKjtm1Oj0nCwXIO02LcL4oil0hiYzIj12tBZRhgg/LkCB6C8aCPoaY3RJomxOkR -hMw1GOBNXQY3xnz/vplfHGkyAz9zhwTRxCIaDAIRn2npDWhFwUgsXxEbfiT4Ez7aDXMYxswD5Z84 -xPfnVSi/DGO3Ng6Ilunwgf37lu9SNZVR3EDw2BJjSb0YQXP7swVHDnQONkOnyG/lJQFiYXg3vsSM -t9wh7iJECIlDP6xiGONwAsuEN+ASJAnuWgzeRiUBvJLIcA2LG/u9U0W+GESNJ+WyttBJtC22mc2h -hTbIPHm9dsVoIYk2wg0C9KDKFKzuQnqG6WegpcV+NaUFr9FaEqWmMBR2QjM4yf5OCp4nonEqMM5S -DCQdK8ky7t+7P32WEOHhAQ7Vn/VYcYoSJSgUlcm1Lqvz9D2mvPf3h6z3BOJMqSrPTZ82sYRinCPs -TzT/RDQ8UqRPKI6g0AvXPqkfLXItIeQ+nr+vTAFLOTl08jer59CxCn5OT7CspIQ1feRL8lBSap1Q -8hGxAkmsR0TPmRs3oz9m28CiUYozfjEgbsZCi30hxCBFx0ByMJncTQecTnGk+V1IIeZKA/o6E3TA 
-2XXYDamaN4DixkjTsD8F/aRriUVrSt0M4y7dWAkDimgPCQaQby4BxHWjqfynaCcCRsKh894D2tOZ -vXWs9nTZdJyjm99wkrfJARrhpZRbmIrqbRQ7dGcmELkj0iDKaHWeQW1HpNx3wLh12Gcnbeue1dBX -Z5ZUpw57l2Mxm07OaNAhKq2RBCwELnRBrShLokJRP8TEI30VVFxjRRF6Y4vplnQHhakAMlGPoe8O -ljcPmuDAQu8w9Iu1Ex8EaRdDVdLULHiqn1PpCOitWklgY4llq6Uhgmo+wRgG7L8ORhIWwhIUQFnm -1/zGVk6AejsajPsfTX8wkSjVxT7vruuqtKSnfQlXB9lB89M/wZk+UV43QuaCHsB5GCFP4EZ6uY19 -2gmOQTIlJ0JiDn9SEc+YB7amEqWXKSo2ilMGCn+gwgMiYnjInIUui8FY1JC1rEkLJkFMHGExSPBx -2T062BPhQZRGur0VDRDVGhoHlTmnaeoNJ3VaFOnZxPxhlJB2x6e1qOGRze+klaYgSZtf0XvVQVzk -3WDGvSTuSQKaIHjEKsWv6ryTmz90hYMGHTjdTKC+Y7+3NIVb/sRXIlGa5Nk/uPmJaj7UIrT0NPra -k/emYiDyNWMTeos9/3tqXLSeD6MR61IsFTAjggFNwJnMmhecYHeEq0UFF6ktAZA33OQ/yBD87Hkh -xyD64J5+otW1HP6weZUIrzqywX2HOCWtKxwhiI/MgJpvskrk0dfVqmOJ3f2xxXgg8c/P3dL4KMoo -dMh7c8/Ei4g891LU0K1UNazui99KJjAC5UStGH4Ukz6Ga6BfBMIDnN+g5AlxS9DhSjkKSCtv9DUW -QKxxiHqwy2alYRPQvMdALCI1pGFDRbWWDrmaekO7d+up869KpLMoCOPGY8806yKXvpkuCeYrk4Xe -36PRhXM0OdiryUBwXK8xZcEY3D7ogYnmp4SwRM+3WibjBcAvUWxweqN9DwnGPI2WcLb+yPrbweP0 -EpntIhE0OALKHIaEse3ipofix7VAWAwgi4m8MkLQQjAwp6QbtryY3YVPGyOJe42JaTNPBaaKluoF -cJs5CAcgntgEuk7pfQirfSqzsIEwU/EarWCZmmIgI7R7kcv5UQ6ofarOnKEItl3cs5jz5FywlfZQ -udbTkopZ8a3RnDorJvDzpC9IGLsRD0U5qHodOlwLHdRpsK5+H+bK6za0HR+k+xhdjAlhHR+CjjT2 -wMfasO7I+2rDkSgAHA/cXZzKGp0ltKU8/nDEiwQGVCxvmqIcD+f2q9h3SChkKKmc3dsn98SAbIy4 -e+oAlbKYgfzYQ7bnGG2zP5ByIv1kdv79CG93laCRY7ubT+HJNKzPlDbzmZBHi0aIjKkE6DbWgkIi -gBo1TFfpGzwvnS8fWcOPM6WsB+luLXGsXxVlecagEBOe+mBEld34aQZ4z2TqHHsUtsrr1umGK3vq -o1xvM6Y8QYHtAJXsoEthcQ9HlkOlvIjWJ5Nr0yARCTwqVWvsv1auA+6OmHkWXPxD/smvzGgNGCxA -UXYEwfTIJTqlQRPkXOOqMBSjQpn9igRKC3d4JNWfmFg3H6tvEQkywtoTxwgkANoKhgJUihgqlfvD -0EEbbA5QQjEGxShL+eeFUhM5iixHvlACB5Pn8seUfs3wrJMPMFhVSFvJbZh6wJ4q9pFJHehkv4vT -lr8HUOhceWukqkfdRuw2hnr5+P2zvBBqIdMKI4rsEkClwqLW7BY3yaoOqjcK9LQ8TOC4jmBVFW8K -4130Ec/UEgAMJDx8HvAIO+m7BtJhfW1XdM5IWgRMFVfZ4+A2DUE9qN1yFSd/8pzIRBl7gCZHqOcd -D5dvTDU8NSJfHWAAOmWkEyywyHQDfEtukQOjdcwiMsnYQ397K3DMUZzbzMxM6f9vtVx5mzDqD/rs 
-oP+CA0oBQwEpARQWEI+VVhAdOjoQ7TLYrBrjA1PdQDE0XeNjQXotYmSSOzgPjN6hyZmQgPCzYAA+ -YQh5C1KpTGhIDiYDAFhgq+S9XlpsrXDoFV9D4w8Ol8qMaLiQ/tVRAB3iAUPTfR+FiI5JQF9xbCoJ -yqaBhR5GLw0YT4WIUzEQAA74XgHaPQVaqspBSwRxA4zQijLhgJtupXGQoCCgEyyKFluj+pWVg6mW -6KTkS1aXVOqFwUC1PAwRkkVvAUYj81rUoha12IAJtahFGAoWegERSkXIEKEvA5YyLJ8RN7HQk0EE -K3h1ELEqnxOlA5pkJrb3MOH2Espk+wW7PQONLMiE7R0uQBXPBIUTTh4mp+6zp4jN4SWJnPwmnCDu -8s57cZzK9NBEJm/wyBgNvfNe35lo0TM29MZEQkpCuOACXYtUBTpEihQ8oK8sj4MMqMVOooK4F4/x -Jo+ToOpxkgIafbWoHldVf/lRabu86CLjPSzLV87J8g8gy1tUj5OS0PIWK1TG9qS/CGBAAdpeARW6 -lQ31ePbF4OEaYAidd1cRZcWC3b6ietxcUWg6DhPAL0AnTnjy/s+e5ERCZKJ6XMRdJm5CE5l+Uz3u -Mzb03myqx/WCC9xIEbg5yIC+bQg8JER6gEQFkSj3QCK0D+KPCFKrIa5FLXrGhlqEORBIoRYzMKGH -QQwjOABpKloDQvqJARz3i6Vsj8DBcJOhE7MU3SMjZXnOwVy5JJ4WG+Sqz9VFTlyGK8XyFqHFEQEH -xLvDyK92/br4OLwDIqmPW7tWcIesXUNCWBIeN2ppRAEkXTvuinMFBACqx5kMbFjRooAPABbotTIg -BtGkWFwkVggZw4CCdRSIhlhHOUB9G/vpgKHvk8KALBmfZr1VNpuNcdPs0jG9Pym235NS6rhnz9tv -JyZ+llqftD6+7l3l/XjCuOut0369tent6Ve613ebM82NK5ZzRur758ftVlKffr/mnLOkz8mqJ/aq -jDrbfJQtZJYHT0bz6S6VrGMrk22eKURTJuusa5bh9yzfrDNHtS6aFlGty8g9egtgD4pE1xkGnsns -gF2nugUX6JGNCHRuUz3OM5AQ+kMCipzj9eeaRJhqdw+eFiX1up74gNnrh9ph6vbhgNmLQCS1a+4i -YvlHWD0OsoKlWiGsHidHpVSXLhYTLXatPBxCIXH8I8VpaWqjq9YV6wg0ZB5GLSgR08UhoKJTOR2w -LJhQxcepHAAwQyVLY14wNCb1fGN2odRDhjYbjc/AgmSiIAMoBtKDPhupkzH6DGsUEcO5aJqmxZSq -5FKAQQCWpV4YMVjqpcpSqpIrFStlqQQlmCq+UqwCpVdFJJI5WXrf/au8NP+kTZ3mWjPFt9u2XxtZ -1PtaWSnG2XZfp3h+fvm07f1qvTqNrIydxg/jOS3GP2WmOD+uM/9LjCu+Nkv78YQzpX6pZ/vT86WS -euS+X1o7srL8jWnjt9VvlZZ6+7Wy/9psb1btnf/1pdOn895Zsc/vxvjKG1lNa/wkzTLta2dmL812 -9pTZPzduKudXa/HENU/v27W69J7ZZvm2b2fP+N5JP+fIyuj1p57b1pmvzS1n/DKbrzf+Obt9tt/+ -nJs6ttjbccVTZo8nOqvFb2/t/4J+qBJklLQMzcgIQAAIKAACCQKEojiMozjERAhSwT0SQNBZDgQ5 -DGSIMwgBAggAEIhAAAAgAAAwciUAyBHvySPUjy7WRcR4Iwi5AlCNPZAJxXE9a4nCeNU7ilHqdDM6 -T1qV4E8hAXUt9uxBbA5c43cophVraa1iLrGYUDMVwufuNOMLuzOi92NzY0QrM+NnQcZEFwJI+D0I -gQ784p9iDs5loGm1a3d07PwcsKNqas9jDCWUxIP6RLxLFPaJeofDjiPsELvfvYJDakiMyrMRN5WP 
-4ioTbZdOYV8lSzCUd1VBrkl6oObMGu7DRaBIofClR9g2Vxd/k/TQEtWLLlyYW54hgZD24oTT6/Ur -ANLZ6lGUDubE5jHnapvSScu14Jg3wCcoePMYdDG54mj0T2dpOhk5qL+CHYsBFweghAgCMI0FbvyY -T8ozKOkw0in6oqrplaGM6Mf5yEyHlhm0RKJigiHpDI2U2mB7iN+fmhOnol4krHpEmQ== - - - M2jmo1/8YZAxAhmN3fJwcBUjq57tsRqCSpAVurSOIF65EluPj62AuVfYBz4NEktU37VwwSv4ngpz -6MTcATYNwlaMCUoXJHqDO1nMS2GEvvrTWx2GIcuvpMW0q7tmoPMP4NsPRsiGPA7+u3OB4ayrZODI -8o7EO7GqzEjUgIe15wh5R8PQeFcDWQBzeKE/D/fF8WIp8QMT/KbYAMI6lTIRbv7ic2kQZHGewfLp -q2gqykj/h5GiwDEcxagZUAxQoH1t0gQQi4KPrPaLBlKwzZUnf6RLvPqE0gc+Ope0CiByzmW3HeUK -ughKCmQrkDRlF6P8+ll8K4lmCgUXDNRTn4D8fzmfMJ4qBZE1tZTkF0kSnedAgM7ePvvhiJFN0djN -N6f8iSnRrcPEp5alAmIrFWTJXxJsrepXRP4QLSu3mmAIZE3nLrT1xPCgZtNlVNu2S61uXoIUKlhN -iKuwuNcv+qVpU9YTiL/fsKZ3VTfShNn8nHFEJPoRr3YjJMYkkxSm/TC6ZLvxm9OCa0dxTZGCcWcN -fJHnaF+l3NxmW+sZJBbHLYTh9/m4OtrXcMRoe6A1/jOSkcNmGSzxpBkN/eaDqSR1M/UlCSiAZPgW -+dwJCdDzsMBU4eBNFlEcDODjEJZU8e49XTs9G4VYLehxp9xD4RPHsN5mwqaUaq4/9Vrgpn1BCSRj -0GP3rJVKlWysNKvDAT5uJJQJHMUieYWGBE48CQhEDv9Ii12rS6VzKBJs1EBQQvrmt6OjdLk/MhDz -nX3PlV2FCBE1AVXLmZktUXqn4qAXEOOVopebec8uOSQpVqUmRIwDkDXHmPIS+Aah3RztaB5jUoLu -fVZoc9QQOTBVHe04QzuRx2Jk40hMvwnHHve0O65w8msopkvZcVuPG4AEVL7jJd22yFf+XeH2YUiA -azteHJVB0YsKYSO2eLnjPG6kado6HCABV+54yRKpU2N3O85Bnf7AWGjpAivOaGfH3QhoVer1+LYA -0Bd6xprsuKfHdcgavdvxb1ePm/njJHcc1x1IU4L08JyYeLPjI0xJyqyPHXcjVlN5VgLcoXqcICNV -oO44FVIO+aOF7LitxxXoJlSkU49/f8dnBNEZLEp/Iu94NEAfApF0tTve7gKmfOPOKTve6fGwaxy3 -44JztziN8TeLiM6MaBWBO16d4USPB2769o4LmfbrcQPBWGzHDfRb1OMq6BHpjtswNpxGft1qIdCO -K3v8yJOD0NDjNmTHvT2un/rLjtd7PHAen3XHOTWQ2+NEZ2ZSdrwlubTUT/MD7riJ6Q84TK/17h1v -LhsDOJHRFHvqjTGAICNKPc5pjKH2OKyunl34/mMMcMjo9DhPjSFjDHPI8OhxK0J2ljteOcTyDt30 -bYxhCxmSHjeRcjXGAIKMSI9zCEHFO25K2ZryMIeUFQ+FR2lHrLmb6Z0RFnUL9tWQtCrWQ7UQhEW+ -DKsVWZ8TlPeL1BKfocaQhTYoEXXu7f/5R82Fe+mPIhQhlu8+7KMFKYnBoSSwrljGTS7GhWXa7rSH -suQQSchVZbz4yjCUDMU8ObVbcRiDJYw3pHZICGaHHPBm+eZvVrrqLnmdh6oaM7QSXhkTwZx2pWl4 -pfWVXjNpqzMFr9xvRvDK55OCV2p2ZcKrg6tqpVxQoL54k9o+Xs2aiSWH4NXNrmgPr6oHJtWuyIFX 
-bDrGff4iu7JxvHqWvtiV+fHqL8aMXQE1Gelw7+4BVTLw7C6tqIRx31VRexWzE2cxlzEP8/l7Bfyt -/l+8BTQWSQCndE5VuZXBa2LphDto9JbiqPs22d/4SQ8L+zFZ3Z9+wMrUaJT0ZJIiFvgdx8df+UmI -+QeEl+B94G5eWIkwJiGcOokrAsMigWBDzGBhl9bPN8MEQHUiYJEwma7C/kOYEoSAtlQZJOVAZwGk -ysG8YVzK+TyYwYicqrI/8g0= - - - diff --git a/packages/ti_anomali/1.3.1/kibana/dashboard/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020.json b/packages/ti_anomali/1.3.1/kibana/dashboard/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020.json deleted file mode 100755 index fe1d2df1a2..0000000000 --- a/packages/ti_anomali/1.3.1/kibana/dashboard/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020.json +++ /dev/null 
@@ -1,122 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about file type indicators from the Anomali integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"ti_anomali.limo\",\"ti_anomali.threatstream\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.limo\"}},{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.threatstream\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[Anomali Overview](/app/dashboards#/view/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf) \\n**[Anomali Files (This Page)](/app/dashboards#/view/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020)** \\n[Anomali URLs](/app/dashboards#/view/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020) \\n[Anomali Other Indicators](/app/dashboards#/view/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020)\\n\\n[Integrations Page](/app/integrations/detail/ti_anomali/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a overview about 
indicators of type **file** ingested from the Anomali integration, showing statistics and general information about all relevant indicators.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":33,\"i\":\"1bd7687a-adf0-44f3-8901-c6b12861d90d\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"1bd7687a-adf0-44f3-8901-c6b12861d90d\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-87bddc0a-425f-4285-8f79-be027a93a959\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"87bddc0a-425f-4285-8f79-be027a93a959\":{\"columnOrder\":[\"08e77c71-b1f6-4148-bf4a-bdd39f116a3e\"],\"columns\":{\"08e77c71-b1f6-4148-bf4a-bdd39f116a3e\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"anomali.threatstream.state: \\\"active\\\" \"},\"isBucketed\":false,\"label\":\"Active\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"08e77c71-b1f6-4148-bf4a-bdd39f116a3e\",\"layerId\":\"87bddc0a-425f-4285-8f79-be027a93a959\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6d74f2e2-daf7-4179-9f87-0543253de626\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"6d74f2e2-daf7-4179-9f87-0543253de626\",\"title\":\"Active Files [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f5a3f98d-a2a1-4ec9-9c53-b77548cd50ae\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f5a3f98d-a2a1-4ec9-9c53-b77548cd50ae\":{\"columnOrder\":[\"11748ed5-b26f-46e2-ab60-02d08d54c0eb\"],\"columns\":{\"11748ed5-b26f-46e2-ab60-02d08d54c0eb\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"anomali.threatstream.state: * and not anomali.threatstream.state: \\\"active\\\"\"},\"isBucketed\":false,\"label\":\"Inactive\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"11748ed5-b26f-46e2-ab60-02d08d54c0eb\",\"layerId\":\"f5a3f98d-a2a1-4ec9-9c53-b77548cd50ae\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e20ccd15-7449-492d-be61-a474d10cfabb\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"e20ccd15-7449-492d-be61-a474d10cfabb\",\"title\":\"Inactive Files [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b287f02e-afeb-44ac-86c3-d1e3146c9f20\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b287f02e-afeb-44ac-86c3-d1e3146c9f20\":{\"columnOrder\":[\"35782be6-2bf2-4270-a8d7-4398103dac80\"],\"columns\":{\"35782be6-2bf2-4270-a8d7-4398103dac80\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"35782be6-2bf2-4270-a8d7-4398103dac80\",\"layerId\":\"b287f02e-afeb-44ac-86c3-d1e3146c9f20\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"bc2edce5-01f9-4e47-9b52-1a1dad6958c0\",\"w\":7,\"x\":19,\"y\":0},\"panelIndex\":\"bc2edce5-01f9-4e47-9b52-1a1dad6958c0\",\"title\":\"Unique SHA256 [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-fcf982ec-ba1f-473d-b92a-691b1cdadf7b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"fcf982ec-ba1f-473d-b92a-691b1cdadf7b\":{\"columnOrder\":[\"eae8b738-1d51-4fb9-b04f-b0cd4e35f47d\"],\"columns\":{\"eae8b738-1d51-4fb9-b04f-b0cd4e35f47d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
SHA512\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha512\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eae8b738-1d51-4fb9-b04f-b0cd4e35f47d\",\"layerId\":\"fcf982ec-ba1f-473d-b92a-691b1cdadf7b\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"07ba9d35-2423-4793-9eed-997e86d1d1ac\",\"w\":7,\"x\":26,\"y\":0},\"panelIndex\":\"07ba9d35-2423-4793-9eed-997e86d1d1ac\",\"title\":\"Unique SHA512 [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e11a6974-ae88-479e-9fca-8615b7f454da\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e11a6974-ae88-479e-9fca-8615b7f454da\":{\"columnOrder\":[\"3475c1c7-964f-44a2-a554-d7ff067446e9\"],\"columns\":{\"3475c1c7-964f-44a2-a554-d7ff067446e9\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"3475c1c7-964f-44a2-a554-d7ff067446e9\",\"layerId\":\"e11a6974-ae88-479e-9fca-8615b7f454da\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c3e37351-081e-4e18-b134-2e51bae9b53a\",\"w\":7,\"x\":33,\"y\":0},\"panelIndex\":\"c3e37351-081e-4e18-b134-2e51bae9b53a\",\"title\":\"Unique MD5 [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-be91741d-d94d-404f-9549-a0b96c92d2d0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"be91741d-d94d-404f-9549-a0b96c92d2d0\":{\"columnOrder\":[\"074c9303-a56e-4db0-bddb-461819a9504c\"],\"columns\":{\"074c9303-a56e-4db0-bddb-461819a9504c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"074c9303-a56e-4db0-bddb-461819a9504c\",\"layerId\":\"be91741d-d94d-404f-9549-a0b96c92d2d0\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"848432ac-28c9-4b18-b504-ac2cdbaa20c9\",\"w\":7,\"x\":40,\"y\":0},\"panelIndex\":\"848432ac-28c9-4b18-b504-ac2cdbaa20c9\",\"title\":\"Unique SHA1 [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-08036a92-d500-4966-98ca-feff7f9ecb36\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"08036a92-d500-4966-98ca-feff7f9ecb36\":{\"columnOrder\":[\"99f24050-c517-46ff-85b1-f3ceea4c9e15\",\"67920793-58db-49b6-aca9-273945fffbce\"],\"columns\":{\"67920793-58db-49b6-aca9-273945fffbce\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"99f24050-c517-46ff-85b1-f3ceea4c9e15\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.confidence\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"67920793-58db-49b6-aca9-273945fffbce\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.confidence\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"99f24050-c517-46ff-85b1-f3ceea4c9e15\"],\"layerId\":\"08036a92-d500-4966-98ca-feff7f9ecb36\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"67920793-58db-49b6-aca9-273945fffbce\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":25,\"i\":\"664c2738-9f69-401c-af55-42f50aabb9c5\",\"w\":16,\"x\":7,\"y\":8},\"panelIndex\":\"664c2738-9f69-401c-af55-42f50aabb9c5\",\"title\":\"Confidence Levels [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0e4aff17-8462-40ed-a84b-8de853628b96\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-014a03d0-3a35-4aad-bd2d-d8380365070b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"014a03d0-3a35-4aad-bd2d-d8380365070b\":{\"columnOrder\":[\"5e92fb09-af89-494a-b0a1-736b4cebc269\",\"5731c84c-3f1e-410a-8638-212b04df7d78\"],\"columns\":{\"5731c84c-3f1e-410a-8638-212b04df7d78\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Last Seen\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.last_seen\"},\"5e92fb09-af89-494a-b0a1-736b4cebc269\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}},\"0e4aff17-8462-40ed-a84b-8de853628b96\":{\"columnOrder\":[\"4ff561b6-7ec6-433e-8023-572ef88eab9d\",\"2d0d9d07-5f5d-42a0-97ba-03899f504862\"],\"columns\":{\"2d0d9d07-5f5d-42a0-97ba-03899f504862\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"First 
Seen\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.first_seen\"},\"4ff561b6-7ec6-433e-8023-572ef88eab9d\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"2d0d9d07-5f5d-42a0-97ba-03899f504862\"],\"layerId\":\"0e4aff17-8462-40ed-a84b-8de853628b96\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"4ff561b6-7ec6-433e-8023-572ef88eab9d\"},{\"accessors\":[\"5731c84c-3f1e-410a-8638-212b04df7d78\"],\"layerId\":\"014a03d0-3a35-4aad-bd2d-d8380365070b\",\"layerType\":\"data\",\"seriesType\":\"line\",\"xAccessor\":\"5e92fb09-af89-494a-b0a1-736b4cebc269\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":25,\"i\":\"c9a937ea-517a-40b0-aba5-75d2611ae760\",\"w\":24,\"x\":23,\"y\":8},\"panelIndex\":\"c9a937ea-517a-40b0-aba5-75d2611ae760\",\"title\":\"Indicators First and Last Seen [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs Anomali] Files", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d74f2e2-daf7-4179-9f87-0543253de626:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6d74f2e2-daf7-4179-9f87-0543253de626:indexpattern-datasource-layer-87bddc0a-425f-4285-8f79-be027a93a959", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e20ccd15-7449-492d-be61-a474d10cfabb:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e20ccd15-7449-492d-be61-a474d10cfabb:indexpattern-datasource-layer-f5a3f98d-a2a1-4ec9-9c53-b77548cd50ae", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bc2edce5-01f9-4e47-9b52-1a1dad6958c0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "bc2edce5-01f9-4e47-9b52-1a1dad6958c0:indexpattern-datasource-layer-b287f02e-afeb-44ac-86c3-d1e3146c9f20", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "07ba9d35-2423-4793-9eed-997e86d1d1ac:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "07ba9d35-2423-4793-9eed-997e86d1d1ac:indexpattern-datasource-layer-fcf982ec-ba1f-473d-b92a-691b1cdadf7b", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c3e37351-081e-4e18-b134-2e51bae9b53a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c3e37351-081e-4e18-b134-2e51bae9b53a:indexpattern-datasource-layer-e11a6974-ae88-479e-9fca-8615b7f454da", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "848432ac-28c9-4b18-b504-ac2cdbaa20c9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "848432ac-28c9-4b18-b504-ac2cdbaa20c9:indexpattern-datasource-layer-be91741d-d94d-404f-9549-a0b96c92d2d0", - "type": "index-pattern" - 
}, - { - "id": "logs-*", - "name": "664c2738-9f69-401c-af55-42f50aabb9c5:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "664c2738-9f69-401c-af55-42f50aabb9c5:indexpattern-datasource-layer-08036a92-d500-4966-98ca-feff7f9ecb36", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9a937ea-517a-40b0-aba5-75d2611ae760:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9a937ea-517a-40b0-aba5-75d2611ae760:indexpattern-datasource-layer-0e4aff17-8462-40ed-a84b-8de853628b96", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9a937ea-517a-40b0-aba5-75d2611ae760:indexpattern-datasource-layer-014a03d0-3a35-4aad-bd2d-d8380365070b", - "type": "index-pattern" - }, - { - "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", - "name": "tag-ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_anomali/1.3.1/kibana/dashboard/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020.json b/packages/ti_anomali/1.3.1/kibana/dashboard/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020.json deleted file mode 100755 index b16bc08354..0000000000 --- a/packages/ti_anomali/1.3.1/kibana/dashboard/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about URL type indicators from the Anomali integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"ti_anomali.limo\",\"ti_anomali.threatstream\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.limo\"}},{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.threatstream\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[Anomali Overview](/app/dashboards#/view/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf) \\n[Anomali Files](/app/dashboards#/view/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020) \\n**[Anomali URLs (This Page)](/app/dashboards#/view/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020)** \\n[Anomali Other Indicators](/app/dashboards#/view/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020)\\n\\n[Integrations Page](/app/integrations/detail/ti_anomali/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a overview about 
indicators of type **URL** ingested from the Anomali integration, showing statistics and general information about all relevant indicators.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":37,\"i\":\"b7e43e7b-9f77-4c99-a68c-a2e0588a1746\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"b7e43e7b-9f77-4c99-a68c-a2e0588a1746\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c5d7e866-9673-4d61-8420-73f253f3708b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c5d7e866-9673-4d61-8420-73f253f3708b\":{\"columnOrder\":[\"e4aa603a-7867-4b27-b806-99152d2fef81\"],\"columns\":{\"e4aa603a-7867-4b27-b806-99152d2fef81\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4aa603a-7867-4b27-b806-99152d2fef81\",\"layerId\":\"c5d7e866-9673-4d61-8420-73f253f3708b\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"88ee89f5-502e-44aa-93ef-fc1af8684fe0\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"88ee89f5-502e-44aa-93ef-fc1af8684fe0\",\"title\":\"Unique Domains [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-cc619527-1f00-4919-a5a3-512d90ac0452\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"cc619527-1f00-4919-a5a3-512d90ac0452\":{\"columnOrder\":[\"fc976f3c-3e2c-4ac7-aed6-99b26b995153\"],\"columns\":{\"fc976f3c-3e2c-4ac7-aed6-99b26b995153\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"anomali.threatstream.state: \\\"active\\\" \"},\"isBucketed\":false,\"label\":\"URL's Active\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"fc976f3c-3e2c-4ac7-aed6-99b26b995153\",\"layerId\":\"cc619527-1f00-4919-a5a3-512d90ac0452\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e928abaa-186a-4917-bc20-a749527acb18\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"e928abaa-186a-4917-bc20-a749527acb18\",\"title\":\"URLs Active [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a37deb72-83d2-485b-8b8c-a3351feba020\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a37deb72-83d2-485b-8b8c-a3351feba020\":{\"columnOrder\":[\"02535cee-7d24-463b-963b-90c38a8269d8\"],\"columns\":{\"02535cee-7d24-463b-963b-90c38a8269d8\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"anomali.threatstream.state: * and not anomali.threatstream.state: \\\"active\\\" \"},\"isBucketed\":false,\"label\":\"URL's Inactive\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"02535cee-7d24-463b-963b-90c38a8269d8\",\"layerId\":\"a37deb72-83d2-485b-8b8c-a3351feba020\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"a8d31131-9e82-46c9-99e4-c9f9c050ee9c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"a8d31131-9e82-46c9-99e4-c9f9c050ee9c\",\"title\":\"URLs Inactive [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-66fe853f-f5ce-4b8d-a8f9-74045fb8ca6e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"66fe853f-f5ce-4b8d-a8f9-74045fb8ca6e\":{\"columnOrder\":[\"afa8759e-3b03-4c1a-9411-b4c4fe3fb423\"],\"columns\":{\"afa8759e-3b03-4c1a-9411-b4c4fe3fb423\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Providers\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.provider\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"afa8759e-3b03-4c1a-9411-b4c4fe3fb423\",\"layerId\":\"66fe853f-f5ce-4b8d-a8f9-74045fb8ca6e\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"49b4bbf6-4445-495e-aa36-35ff50877eae\",\"w\":6,\"x\":25,\"y\":0},\"panelIndex\":\"49b4bbf6-4445-495e-aa36-35ff50877eae\",\"title\":\"Provider Count [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f119e9a6-4546-4496-8a01-4476e87cf3bc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f119e9a6-4546-4496-8a01-4476e87cf3bc\":{\"columnOrder\":[\"eb218bc5-0828-4ca9-90c8-05de914ecec6\",\"066e1f1c-655e-495e-8cf2-37bf61f81fba\"],\"columns\":{\"066e1f1c-655e-495e-8cf2-37bf61f81fba\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"eb218bc5-0828-4ca9-90c8-05de914ecec6\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.geo.country_iso_code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"066e1f1c-655e-495e-8cf2-37bf61f81fba\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"eb218bc5-0828-4ca9-90c8-05de914ecec6\"],\"layerId\":\"f119e9a6-4546-4496-8a01-4476e87cf3bc\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"066e1f1c-655e-495e-8cf2-37bf61f81fba\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":23,\"i\":\"ba4f9967-a4e1-4f85-9fea-0a383cc9ac4f\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"ba4f9967-a4e1-4f85-9fea-0a383cc9ac4f\",\"title\":\"Top Countries [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a3c97e09-a95d-4baa-8552-2b0c252d995c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a3c97e09-a95d-4baa-8552-2b0c252d995c\":{\"columnOrder\":[\"cfb90886-11d3-471e-97be-01378e9d5105\",\"2486505b-3319-4955-9bd6-d035d9631f7d\"],\"columns\":{\"2486505b-3319-4955-9bd6-d035d9631f7d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cfb90886-11d3-471e-97be-01378e9d5105\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2486505b-3319-4955-9bd6-d035d9631f7d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"cfb90886-11d3-471e-97be-01378e9d5105\",\"isTransposed\":false},{\"columnId\":\"2486505b-3319-4955-9bd6-d035d9631f7d\",\"isTransposed\":false}],\"layerId\":\"a3c97e09-a95d-4baa-8552-2b0c252d995c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":29,\"i\":\"a3f75519-9e37-4548-b60c-e340d1c5f8f7\",\"w\":24,\"x\":7,\"y\":8},\"panelIndex\":\"a3f75519-9e37-4548-b60c-e340d1c5f8f7\",\"title\":\"Most Popular Domains [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4bfa54f0-5fae-41ff-a5e6-d10e2f9ed564\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4bfa54f0-5fae-41ff-a5e6-d10e2f9ed564\":{\"columnOrder\":[\"518ee324-e4ed-4eb7-b4fb-0e964204bfc0\",\"a527fe96-066a-448e-91c8-348993d78b91\"],\"columns\":{\"518ee324-e4ed-4eb7-b4fb-0e964204bfc0\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a527fe96-066a-448e-91c8-348993d78b91\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"},\"a527fe96-066a-448e-91c8-348993d78b91\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"518ee324-e4ed-4eb7-b4fb-0e964204bfc0\"],\"layerId\":\"4bfa54f0-5fae-41ff-a5e6-d10e2f9ed564\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"a527fe96-066a-448e-91c8-348993d78b91\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"92c66617-cd3f-4a06-8534-52fe3c968559\",\"w\":17,\"x\":31,\"y\":23},\"panelIndex\":\"92c66617-cd3f-4a06-8534-52fe3c968559\",\"title\":\"URL Schemes [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - 
"timeRestore": false, - "title": "[Logs Anomali] URL", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "88ee89f5-502e-44aa-93ef-fc1af8684fe0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "88ee89f5-502e-44aa-93ef-fc1af8684fe0:indexpattern-datasource-layer-c5d7e866-9673-4d61-8420-73f253f3708b", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e928abaa-186a-4917-bc20-a749527acb18:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e928abaa-186a-4917-bc20-a749527acb18:indexpattern-datasource-layer-cc619527-1f00-4919-a5a3-512d90ac0452", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a8d31131-9e82-46c9-99e4-c9f9c050ee9c:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a8d31131-9e82-46c9-99e4-c9f9c050ee9c:indexpattern-datasource-layer-a37deb72-83d2-485b-8b8c-a3351feba020", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "49b4bbf6-4445-495e-aa36-35ff50877eae:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "49b4bbf6-4445-495e-aa36-35ff50877eae:indexpattern-datasource-layer-66fe853f-f5ce-4b8d-a8f9-74045fb8ca6e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ba4f9967-a4e1-4f85-9fea-0a383cc9ac4f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"ba4f9967-a4e1-4f85-9fea-0a383cc9ac4f:indexpattern-datasource-layer-f119e9a6-4546-4496-8a01-4476e87cf3bc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a3f75519-9e37-4548-b60c-e340d1c5f8f7:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a3f75519-9e37-4548-b60c-e340d1c5f8f7:indexpattern-datasource-layer-a3c97e09-a95d-4baa-8552-2b0c252d995c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "92c66617-cd3f-4a06-8534-52fe3c968559:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "92c66617-cd3f-4a06-8534-52fe3c968559:indexpattern-datasource-layer-4bfa54f0-5fae-41ff-a5e6-d10e2f9ed564", - "type": "index-pattern" - }, - { - "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", - "name": "tag-ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_anomali/1.3.1/kibana/dashboard/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020.json b/packages/ti_anomali/1.3.1/kibana/dashboard/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020.json deleted file mode 100755 index 660c2e9511..0000000000 --- a/packages/ti_anomali/1.3.1/kibana/dashboard/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020.json +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about other types of indicators from the Anomali integration like email and IP", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"ti_anomali.limo\",\"ti_anomali.threatstream\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.limo\"}},{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.threatstream\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":true,\"params\":[\"url\",\"file\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"threat.indicator.type\":\"url\"}},{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[Anomali Overview](/app/dashboards#/view/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf) \\n[Anomali Files](/app/dashboards#/view/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020) \\n[Anomali URLs](/app/dashboards#/view/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020) \\n**[Anomali Other Indicators (This 
Page)](/app/dashboards#/view/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020)**\\n\\n[Integrations Page](/app/integrations/detail/ti_anomali/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a overview about all other indicators except file and URL ingested from the Anomali integration, showing statistics and general information about all relevant indicators. This includes email, IP and domain type indicators.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":43,\"i\":\"7c3b21d7-cfe8-41c2-89c8-bdb5a78fe47a\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"7c3b21d7-cfe8-41c2-89c8-bdb5a78fe47a\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dfdae375-629d-49ad-b37a-66d77c3f38b7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dfdae375-629d-49ad-b37a-66d77c3f38b7\":{\"columnOrder\":[\"a160b4d5-ef36-4886-844b-159030642324\"],\"columns\":{\"a160b4d5-ef36-4886-844b-159030642324\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique IP's\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"a160b4d5-ef36-4886-844b-159030642324\",\"layerId\":\"dfdae375-629d-49ad-b37a-66d77c3f38b7\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"4cd050c7-caea-4c60-a581-955f0f5f9c49\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"4cd050c7-caea-4c60-a581-955f0f5f9c49\",\"title\":\"Unique IPs [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ae2be882-73dd-463a-9a1d-1660c611d292\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ae2be882-73dd-463a-9a1d-1660c611d292\":{\"columnOrder\":[\"5773f11c-f2d6-4467-81c2-1be0325c7ace\"],\"columns\":{\"5773f11c-f2d6-4467-81c2-1be0325c7ace\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Emails\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.email.address\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"5773f11c-f2d6-4467-81c2-1be0325c7ace\",\"layerId\":\"ae2be882-73dd-463a-9a1d-1660c611d292\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"f3d04a3a-0bfa-4460-af54-08fea317756c\",\"w\":7,\"x\":13,\"y\":0},\"panelIndex\":\"f3d04a3a-0bfa-4460-af54-08fea317756c\",\"title\":\"Unique Emails [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7e5894b7-2ce6-439b-81b7-18cd6acdc0dd\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7e5894b7-2ce6-439b-81b7-18cd6acdc0dd\":{\"columnOrder\":[\"a2682d1f-8a12-4033-8444-185f7bce5d97\"],\"columns\":{\"a2682d1f-8a12-4033-8444-185f7bce5d97\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"a2682d1f-8a12-4033-8444-185f7bce5d97\",\"layerId\":\"7e5894b7-2ce6-439b-81b7-18cd6acdc0dd\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"054ec96d-8e77-425c-9d79-adbfd3f7e28b\",\"w\":7,\"x\":20,\"y\":0},\"panelIndex\":\"054ec96d-8e77-425c-9d79-adbfd3f7e28b\",\"title\":\"Unique Domains [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f5c8665b-d765-481a-8006-206fa0718a58\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f5c8665b-d765-481a-8006-206fa0718a58\":{\"columnOrder\":[\"2ef98406-f729-4988-b927-615a2071b945\",\"f3d622d5-c221-49b4-bf80-33543307c23d\"],\"columns\":{\"2ef98406-f729-4988-b927-615a2071b945\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.marking.tlp\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f3d622d5-c221-49b4-bf80-33543307c23d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.marking.tlp\"},\"f3d622d5-c221-49b4-bf80-33543307c23d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"TLP 
Tags\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"2ef98406-f729-4988-b927-615a2071b945\"],\"layerId\":\"f5c8665b-d765-481a-8006-206fa0718a58\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"f3d622d5-c221-49b4-bf80-33543307c23d\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":28,\"i\":\"ef8f1c25-a119-45e8-84d1-0968bb60a9b6\",\"w\":21,\"x\":27,\"y\":0},\"panelIndex\":\"ef8f1c25-a119-45e8-84d1-0968bb60a9b6\",\"title\":\"TLP Categorization [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df7a4f5f-e882-4b90-adca-edf9d34f5acb\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df7a4f5f-e882-4b90-adca-edf9d34f5acb\":{\"columnOrder\":[\"b69cdc62-7d44-4073-a64b-b09d6da41622\",\"e7cb9c4f-3353-4580-928d-5a4797fd21d6\"],\"columns\":{\"b69cdc62-7d44-4073-a64b-b09d6da41622\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e7cb9c4f-3353-4580-928d-5a4797fd21d6\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":15},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"},\"e7cb9c4f-3353-4580-928d-5a4797fd21d6\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceF
ield\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"b69cdc62-7d44-4073-a64b-b09d6da41622\",\"isTransposed\":false},{\"columnId\":\"e7cb9c4f-3353-4580-928d-5a4797fd21d6\",\"isTransposed\":false}],\"layerId\":\"df7a4f5f-e882-4b90-adca-edf9d34f5acb\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":21,\"i\":\"80ea5d9f-04de-4c10-a120-32318c3088c1\",\"w\":20,\"x\":7,\"y\":7},\"panelIndex\":\"80ea5d9f-04de-4c10-a120-32318c3088c1\",\"title\":\"Most Popular Domains [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3209cf18-1f83-44fd-aff3-336fb07d35b1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3209cf18-1f83-44fd-aff3-336fb07d35b1\":{\"columnOrder\":[\"a90ded97-4816-4a10-a653-51bad5dee996\",\"26f57b1d-7680-4439-9a32-ee0c5c441c37\"],\"columns\":{\"26f57b1d-7680-4439-9a32-ee0c5c441c37\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"a90ded97-4816-4a10-a653-51bad5dee996\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"IP 
Addresses\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"26f57b1d-7680-4439-9a32-ee0c5c441c37\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"a90ded97-4816-4a10-a653-51bad5dee996\",\"isTransposed\":false},{\"columnId\":\"26f57b1d-7680-4439-9a32-ee0c5c441c37\",\"isTransposed\":false}],\"layerId\":\"3209cf18-1f83-44fd-aff3-336fb07d35b1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d6840366-ab4f-4029-8e25-c887353b566f\",\"w\":20,\"x\":7,\"y\":28},\"panelIndex\":\"d6840366-ab4f-4029-8e25-c887353b566f\",\"title\":\"Most Popular IPs [Logs Anomali\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-75accf45-7e81-45d7-b901-f488f7634041\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"75accf45-7e81-45d7-b901-f488f7634041\":{\"columnOrder\":[\"bfb109eb-e0f5-4fda-b3eb-5cc691ecce18\",\"abff64f2-5712-4582-aaf8-79f1b9d9d421\"],\"columns\":{\"abff64f2-5712-4582-aaf8-79f1b9d9d421\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bfb109eb-e0f5-4fda-b3eb-5cc691ecce18\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Email 
Addresses\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"abff64f2-5712-4582-aaf8-79f1b9d9d421\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.email.address\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"bfb109eb-e0f5-4fda-b3eb-5cc691ecce18\",\"isTransposed\":false},{\"columnId\":\"abff64f2-5712-4582-aaf8-79f1b9d9d421\",\"isTransposed\":false}],\"layerId\":\"75accf45-7e81-45d7-b901-f488f7634041\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6811183d-2ca1-4f18-8dc7-225ff757f9bf\",\"w\":21,\"x\":27,\"y\":28},\"panelIndex\":\"6811183d-2ca1-4f18-8dc7-225ff757f9bf\",\"title\":\"Unique Email Addresses [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs Anomali] Other Indicators", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4cd050c7-caea-4c60-a581-955f0f5f9c49:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4cd050c7-caea-4c60-a581-955f0f5f9c49:indexpattern-datasource-layer-dfdae375-629d-49ad-b37a-66d77c3f38b7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f3d04a3a-0bfa-4460-af54-08fea317756c:indexpattern-datasource-current-indexpattern", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "f3d04a3a-0bfa-4460-af54-08fea317756c:indexpattern-datasource-layer-ae2be882-73dd-463a-9a1d-1660c611d292", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "054ec96d-8e77-425c-9d79-adbfd3f7e28b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "054ec96d-8e77-425c-9d79-adbfd3f7e28b:indexpattern-datasource-layer-7e5894b7-2ce6-439b-81b7-18cd6acdc0dd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ef8f1c25-a119-45e8-84d1-0968bb60a9b6:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ef8f1c25-a119-45e8-84d1-0968bb60a9b6:indexpattern-datasource-layer-f5c8665b-d765-481a-8006-206fa0718a58", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "80ea5d9f-04de-4c10-a120-32318c3088c1:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "80ea5d9f-04de-4c10-a120-32318c3088c1:indexpattern-datasource-layer-df7a4f5f-e882-4b90-adca-edf9d34f5acb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6840366-ab4f-4029-8e25-c887353b566f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d6840366-ab4f-4029-8e25-c887353b566f:indexpattern-datasource-layer-3209cf18-1f83-44fd-aff3-336fb07d35b1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6811183d-2ca1-4f18-8dc7-225ff757f9bf:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6811183d-2ca1-4f18-8dc7-225ff757f9bf:indexpattern-datasource-layer-75accf45-7e81-45d7-b901-f488f7634041", - "type": "index-pattern" - }, - { - "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", - "name": "tag-ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file 
diff --git a/packages/ti_anomali/1.3.1/kibana/dashboard/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf.json b/packages/ti_anomali/1.3.1/kibana/dashboard/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf.json deleted file mode 100755 index 71442c0ccd..0000000000 --- a/packages/ti_anomali/1.3.1/kibana/dashboard/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about indicators ingested from the Anomali integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"ti_anomali.limo\",\"ti_anomali.threatstream\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.limo\"}},{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.threatstream\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[Anomali Overview (This Page)](/app/dashboards#/view/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf)** \\n[Anomali Files](/app/dashboards#/view/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020) \\n[Anomali URLs](/app/dashboards#/view/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020) \\n[Anomali Other Indicators](/app/dashboards#/view/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020)\\n\\n[Integrations Page](/app/integrations/detail/ti_anomali/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the 
Anomali integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from Anomali. \\n\\nIt shows how many parts has been enabled (Limo and ThreatStream), the ingestion rates and provides a few filters for drilling down to specific indicator types retrieved from Anomali.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":38,\"i\":\"12dc83c2-c8cf-4583-88b5-48761c63a1f7\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"12dc83c2-c8cf-4583-88b5-48761c63a1f7\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"event.dataset\",\"id\":\"1636972155400\",\"indexPatternRefName\":\"control_d0d28809-695c-4190-9b91-b62c60dff1fe_0_index_pattern\",\"label\":\"Feed Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1636972320770\",\"indexPatternRefName\":\"control_d0d28809-695c-4190-9b91-b62c60dff1fe_1_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1636972345166\",\"indexPatternRefName\":\"control_d0d28809-695c-4190-9b91-b62c60dff1fe_2_index_pattern\",\"label\":\"Indicator 
Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":true},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"d0d28809-695c-4190-9b91-b62c60dff1fe\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"d0d28809-695c-4190-9b91-b62c60dff1fe\",\"title\":\"Feed and Indicator Selector [Logs Anomali]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c28e58ec-5377-460f-9d19-81c5b0655d84\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c28e58ec-5377-460f-9d19-81c5b0655d84\":{\"columnOrder\":[\"747a0b3c-a82b-4c1f-823e-3337619e6117\"],\"columns\":{\"747a0b3c-a82b-4c1f-823e-3337619e6117\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"747a0b3c-a82b-4c1f-823e-3337619e6117\",\"layerId\":\"c28e58ec-5377-460f-9d19-81c5b0655d84\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"444bedab-0363-4e0c-81e3-d8e370ae3aec\",\"w\":6,\"x\":7,\"y\":7},\"panelIndex\":\"444bedab-0363-4e0c-81e3-d8e370ae3aec\",\"title\":\"Total Datastreams [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-78c9288e-227b-4cff-979b-d89a75ece8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"78c9288e-227b-4cff-979b-d89a75ece8e7\":{\"columnOrder\":[\"ec9f1c6f-2142-4695-af89-30d613260474\",\"a8876e88-a694-49b6-8117-6a949ecc994a\"],\"columns\":{\"a8876e88-a694-49b6-8117-6a949ecc994a\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"ec9f1c6f-2142-4695-af89-30d613260474\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a8876e88-a694-49b6-8117-6a949ecc994a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"a8876e88-a694-49b6-8117-6a949ecc994a\"],\"layerId\":\"78c9288e-227b-4cff-979b-d89a75ece8e7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"ec9f1c6f-2142-4695-af89-30d613260474\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"5809310f-2beb-446c-8b5d-c84f44c041b3\",\"w\":23,\"x\":13,\"y\":7},\"panelIndex\":\"5809310f-2beb-446c-8b5d-c84f44c041b3\",\"title\":\"Total Indicators per Provider [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7fdc4f94-7863-4914-b99d-982d353a54ba\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7fdc4f94-7863-4914-b99d-982d353a54ba\":{\"columnOrder\":[\"da5b8cdd-28c7-47ac-a991-4b995d7a62ec\",\"0116942e-4077-43f5-9dc8-297c469d18d3\"],\"columns\":{\"0116942e-4077-43f5-9dc8-297c469d18d3\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"da5b8cdd-28c7-47ac-a991-4b995d7a62ec\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0116942e-4077-43f5-9dc8-297c469d18d3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"da5b8cdd-28c7-47ac-a991-4b995d7a62ec\"],\"layerId\":\"7fdc4f94-7863-4914-b99d-982d353a54ba\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"0116942e-4077-43f5-9dc8-297c469d18d3\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"2c98de99-50a0-4a21-86f5-005f80dab887\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"2c98de99-50a0-4a21-86f5-005f80dab887\",\"title\":\"Total Indicators per Datastream [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a531c764-6567-4a71-8bf7-c30e0f146526\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a531c764-6567-4a71-8bf7-c30e0f146526\":{\"columnOrder\":[\"85c9e822-60d0-4aa5-b811-79b0c58aa6b6\"],\"columns\":{\"85c9e822-60d0-4aa5-b811-79b0c58aa6b6\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"85c9e822-60d0-4aa5-b811-79b0c58aa6b6\",\"layerId\":\"a531c764-6567-4a71-8bf7-c30e0f146526\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4bf9c1a3-dd8e-4640-9a8e-8641d62a4c89\",\"w\":6,\"x\":7,\"y\":15},\"panelIndex\":\"4bf9c1a3-dd8e-4640-9a8e-8641d62a4c89\",\"title\":\"Total Indicators [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8304fb06-3af2-4279-9b88-b3f18324c042\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8304fb06-3af2-4279-9b88-b3f18324c042\":{\"columnOrder\":[\"645fb806-bad6-4c07-b65c-1e5eb559cc06\",\"b9f443d8-7811-4d09-9339-135a3a850ca3\",\"eab09cd9-8af1-43a9-bed1-7c88ea536fe1\"],\"columns\":{\"645fb806-bad6-4c07-b65c-1e5eb559cc06\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"eab09cd9-8af1-43a9-bed1-7c88ea536fe1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b9f443d8-7811-4d09-9339-135a3a850ca3\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"eab09cd9-8af1-43a9-bed1-7c88ea536fe1\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"eab09cd9-8af1-43a9-bed1-7c88ea536fe1\"],\"layerId\":\"8304fb06-3af2-4279-9b88-b3f18324c042\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"645fb806-bad6-4c07-b65c-1e5eb559cc06\",\"xAccessor\":\"b9f443d8-7811-4d09-9339-135a3a850ca3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"aea6ddeb-b045-4372-bfe4-5eb52cd394db\",\"w\":41,\"x\":7,\"y\":23},\"panelIndex\":\"aea6ddeb-b045-4372-bfe4-5eb52cd394db\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs Anomali] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d0d28809-695c-4190-9b91-b62c60dff1fe:control_d0d28809-695c-4190-9b91-b62c60dff1fe_0_index_pattern", - "type": "index-pattern" - }, - { - 
"id": "logs-*", - "name": "d0d28809-695c-4190-9b91-b62c60dff1fe:control_d0d28809-695c-4190-9b91-b62c60dff1fe_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d0d28809-695c-4190-9b91-b62c60dff1fe:control_d0d28809-695c-4190-9b91-b62c60dff1fe_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "444bedab-0363-4e0c-81e3-d8e370ae3aec:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "444bedab-0363-4e0c-81e3-d8e370ae3aec:indexpattern-datasource-layer-c28e58ec-5377-460f-9d19-81c5b0655d84", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5809310f-2beb-446c-8b5d-c84f44c041b3:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5809310f-2beb-446c-8b5d-c84f44c041b3:indexpattern-datasource-layer-78c9288e-227b-4cff-979b-d89a75ece8e7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2c98de99-50a0-4a21-86f5-005f80dab887:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2c98de99-50a0-4a21-86f5-005f80dab887:indexpattern-datasource-layer-7fdc4f94-7863-4914-b99d-982d353a54ba", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4bf9c1a3-dd8e-4640-9a8e-8641d62a4c89:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4bf9c1a3-dd8e-4640-9a8e-8641d62a4c89:indexpattern-datasource-layer-a531c764-6567-4a71-8bf7-c30e0f146526", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aea6ddeb-b045-4372-bfe4-5eb52cd394db:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aea6ddeb-b045-4372-bfe4-5eb52cd394db:indexpattern-datasource-layer-8304fb06-3af2-4279-9b88-b3f18324c042", - "type": "index-pattern" - }, - { - "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", - "name": 
"tag-ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/ti_anomali/1.3.1/kibana/tag/ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf.json b/packages/ti_anomali/1.3.1/kibana/tag/ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf.json
deleted file mode 100755
index 89444d8b1a..0000000000
--- a/packages/ti_anomali/1.3.1/kibana/tag/ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "attributes": {
- "color": "#6092C0",
- "description": "",
- "name": "Anomali"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag"
-}
\ No newline at end of file
diff --git a/packages/ti_anomali/1.3.1/kibana/tag/ti_anomali-ti_abusech-320c5c80-3b0c-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_anomali/1.3.1/kibana/tag/ti_anomali-ti_abusech-320c5c80-3b0c-11ec-ae50-2fdf1e96c6a6.json
deleted file mode 100755
index ef4b8a7fd0..0000000000
--- a/packages/ti_anomali/1.3.1/kibana/tag/ti_anomali-ti_abusech-320c5c80-3b0c-11ec-ae50-2fdf1e96c6a6.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "attributes": {
- "color": "#6092C0",
- "description": "",
- "name": "Threat Intelligence"
- },
- "coreMigrationVersion": "8.0.0",
- "id": "ti_anomali-ti_abusech-320c5c80-3b0c-11ec-ae50-2fdf1e96c6a6",
- "migrationVersion": {
- "tag": "8.0.0"
- },
- "references": [],
- "type": "tag"
-}
\ No newline at end of file
diff --git a/packages/ti_anomali/1.3.1/manifest.yml b/packages/ti_anomali/1.3.1/manifest.yml
deleted file mode 100755
index 2a1c8eb300..0000000000
--- a/packages/ti_anomali/1.3.1/manifest.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-name: ti_anomali
-title: Anomali
-version: 1.3.1
-release: ga
-description: Ingest threat intelligence indicators from Anomali with Elastic Agent.
-type: integration
-format_version: 1.0.0
-license: basic
-categories: [security]
-conditions:
- kibana.version: ^8.0.0
-icons:
- - src: /img/anomali.svg
- title: Anomali
- size: 216x216
- type: image/svg+xml
-policy_templates:
- - name: ti_anomali
- title: Anomali
- description: Ingest threat intelligence indicators from Anomali with Elastic Agent.
- inputs:
- - type: httpjson
- title: "Ingest threat intelligence indicators from the Anomali Limo API."
- description: "Ingest threat intelligence indicators from the Anomali Limo API."
- - type: http_endpoint
- title: "Ingest threat intelligence indicators from Anomali Threatstream."
- description: "Ingest threat intelligence indicators from Anomali Threatstream."
-owner:
- github: elastic/security-external-integrations
diff --git a/packages/ti_misp/1.4.0/changelog.yml b/packages/ti_misp/1.4.0/changelog.yml
deleted file mode 100755
index a87319514d..0000000000
--- a/packages/ti_misp/1.4.0/changelog.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-# newer versions go on top
-- version: "1.4.0"
- changes:
- - description: Fix pagination looping forever
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3446
-- version: "1.3.1"
- changes:
- - description: Update package descriptions
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3398
-- version: "1.3.0"
- changes:
- - description: Update to ECS 8.2
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2781
-- version: "1.2.2"
- changes:
- - description: Add mapping for event.created
- type: enhancement
- link: https://github.com/elastic/integrations/pull/3042
-- version: "1.2.1"
- changes:
- - description: Add documentation for multi-fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2916
-- version: "1.2.0"
- changes:
- - description: Update to ECS 8.0
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2448
-- version: "1.1.0"
- changes:
- - description: Adds dashboards and threat.feed ECS fields
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2485
-- version: "1.0.2"
- changes:
- - description: Change test public IPs to the supported subset
- type: bugfix
- link: https://github.com/elastic/integrations/pull/2327
-- version: "1.0.1"
- changes:
- - description: Bump minimum version
- type: enhancement
- link: https://github.com/elastic/integrations/pull/2063
-- version: "1.0.0"
- changes:
- - description: Initial release
- type: enhancement
- link: https://github.com/elastic/integrations/pull/1946
diff --git a/packages/ti_misp/1.4.0/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_misp/1.4.0/data_stream/threat/agent/stream/httpjson.yml.hbs
deleted file mode 100755
index 8172ba39f7..0000000000
--- a/packages/ti_misp/1.4.0/data_stream/threat/agent/stream/httpjson.yml.hbs
+++ /dev/null
@@ -1,75 +0,0 @@
-config_version: "2"
-interval: {{interval}}
-request.method: "POST"
-
-{{#if url}}
-request.url: {{url}}/events/restSearch
-{{/if}}
-{{#if ssl}}
-request.ssl: {{ssl}}
-{{/if}}
-{{#if http_client_timeout}}
-request.timeout: {{http_client_timeout}}
-{{/if}}
-{{#if proxy_url}}
-request.proxy_url: {{proxy_url}}
-{{/if}}
-request.body:
-{{#if filters}}
- {{filters}}
-{{/if}}
-request.transforms:
-{{#if api_token}}
-- set:
- target: header.Authorization
- value: {{api_token}}
-{{/if}}
-- set:
- target: body.page
- value: 1
-- set:
- target: body.limit
- value: 10
-- set:
- target: body.returnFormat
- value: json
-- set:
- target: body.timestamp
- value: '[[.cursor.timestamp]]'
- default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "UnixDate" ]]'
-
-response.split:
- target: body.response
- split:
- target: body.Event.Attribute
- ignore_empty_value: true
- keep_parent: true
- split:
- target: body.Event.Object
- keep_parent: true
- split:
- target: body.Event.Object.Attribute
- keep_parent: true
-response.request_body_on_pagination: true
-response.pagination:
-- set:
- target: body.page
- value: '[[if (ne (len .last_response.body.response) 0)]][[add .last_response.page 1]][[end]]'
- fail_on_template_error: true
-cursor:
- timestamp:
- value: '[[.last_event.Event.timestamp]]'
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/ti_misp/1.4.0/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_misp/1.4.0/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index ce9f44b3b4..0000000000
--- a/packages/ti_misp/1.4.0/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,385 +0,0 @@
----
-description: Pipeline for parsing MISP Threat Intel
-processors:
- ####################
- # Event ECS fields #
- ####################
- - set:
- field: ecs.version
- value: "8.2.0"
- - set:
- field: event.kind
- value: enrichment
- - set:
- field: event.category
- value: threat
- - set:
- field: event.type
- value: indicator
-
- ######################
- # General ECS fields #
- ######################
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: json
- - fingerprint:
- fields:
- - json.Event.Attribute.uuid
- - json.Event.Object.Attribute.uuid
- target_field: "_id"
- ignore_missing: true
- - rename:
- field: json.Event
- target_field: misp
- ignore_missing: true
- - set:
- field: threat.indicator.provider
- value: misp
- if: ctx.misp?.Orgc?.local != 'false'
- - set:
- field: threat.indicator.provider
- value: "{{misp.Orgc.name}}"
- if: ctx.misp?.Orgc?.local == 'false'
- ignore_empty_value: true
-
- # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event
- - remove:
- field:
- - misp.ShadowAttribute
- - misp.RelatedEvent
- - misp.Galaxy
- - misp.Attribute.Galaxy
- - misp.Attribute.ShadowAttribute
- - misp.EventReport
- - misp.Object.Attribute.Galaxy
- - misp.Object.Attribute.ShadowAttribute
- ignore_missing: true
- - remove:
- field:
- - misp.Attribute
- ignore_missing: true
- if: ctx.misp?.Attribute.size() == 0
- - remove:
- field:
- - misp.Object
- ignore_missing: true
- if: ctx.misp?.Object.size() == 0
- - date:
- field: misp.timestamp
- formats:
- - UNIX
- ignore_failure: true
- - rename:
- field: misp.Attribute
- target_field: misp.attribute
- ignore_missing: true
- - rename:
- field: misp.Object
- target_field: misp.object
- ignore_missing: true
- - rename:
- field: misp.object.Attribute
- target_field: misp.object.attribute
- ignore_missing: true
- - rename:
- field: misp.Orgc
- target_field:
misp.orgc
- ignore_missing: true
- - rename:
- field: misp.Org
- target_field: misp.org
- ignore_missing: true
- - rename:
- field: misp.Tag
- target_field: misp.tag
- ignore_missing: true
-
- # # Dance around issue of not being able to split the document into two.
- # # Make the Object.Attribute field primary if it exists, but keep the
- # # outer Attribute as context.
- - rename:
- field: misp.attribute
- target_field: misp.context.attribute
- ignore_missing: true
- if: ctx.misp?.object != null
- - rename:
- field: misp.object.attribute
- target_field: misp.attribute
- ignore_missing: true
- if: ctx.misp?.object != null
-
- #####################
- # Threat ECS Fields #
- #####################
- - set:
- field: threat.feed.name
- value: "MISP"
- - rename:
- field: misp.attribute.first_seen
- target_field: threat.indicator.first_seen
- ignore_missing: true
- - rename:
- field: misp.attribute.last_seen
- target_field: threat.indicator.last_seen
- ignore_missing: true
- - convert:
- field: misp.analysis
- type: long
- target_field: threat.indicator.scanner_stats
- ignore_missing: true
- - convert:
- field: misp.threat_level_id
- type: long
- ignore_missing: true
-
- ## File/Hash indicator operations
- - set:
- field: threat.indicator.type
- value: file
- if: "ctx.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.misp?.attribute?.type) || ctx.misp?.attribute?.type.startsWith('filename'))"
- - rename:
- field: misp.attribute.value
- target_field: "threat.indicator.file.hash.{{misp.attribute.type}}"
- ignore_missing: true
- if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type != null && !ctx.misp?.attribute?.type.startsWith('filename')"
- - rename:
- field: misp.attribute.value
- target_field: threat.indicator.file.name
- ignore_missing: true
- if:
"ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type == 'filename'"
- - grok:
- field: misp.attribute.type
- patterns:
- - "%{WORD}\\|%{WORD:_tmp.hashtype}"
- ignore_missing: true
- if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|')
- - grok:
- field: misp.attribute.value
- patterns:
- - "%{DATA:threat.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}"
- ignore_missing: true
- if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|')
- - set:
- field: threat.indicator.file.hash.{{_tmp.hashtype}}
- value: "{{_tmp.hashvalue}}"
- if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null"
-
- ## URL/URI indicator operations
- - set:
- field: threat.indicator.type
- value: url
- if: "ctx.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx.misp?.attribute?.type)"
- - uri_parts:
- field: misp.attribute.value
- target_field: threat.indicator.url
- keep_original: true
- remove_if_successful: true
- if: ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'
- - set:
- field: threat.indicator.url.full
- value: "{{{threat.indicator.url.original}}}"
- ignore_empty_value: true
- if: "ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'"
-
- ## Regkey indicator operations
- - set:
- field: threat.indicator.type
- value: windows-registry-key
- if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('regkey')"
- - rename:
- field: misp.attribute.value
- target_field: threat.indicator.registry.key
- ignore_missing: true
- if: "ctx.threat?.indicator?.type == 'windows-registry-key' && ctx.misp?.attribute?.type == 'regkey'"
- - grok:
- field: misp.attribute.value
- patterns:
- - "%{DATA:threat.indicator.registry.key}\\|%{DATA:threat.indicator.registry.value}"
- ignore_missing: true
- if: "ctx.misp?.attribute?.type ==
'regkey|value'"
-
- ## AS indicator operations
- - set:
- field: threat.indicator.type
- value: autonomous-system
- if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type == 'AS'"
- - convert:
- field: misp.attribute.value
- type: long
- target_field: threat.indicator.as.number
- ignore_missing: true
- if: ctx.threat?.indicator?.type == 'autonomous-system'
-
- ## Domain/IP/Port indicator operations
- - set:
- field: threat.indicator.type
- value: domain-name
- if: "ctx.misp?.attribute?.type != null && (ctx.misp?.attribute?.type == 'hostname' || ctx.misp?.attribute?.type.startsWith('domain'))"
- - set:
- field: threat.indicator.type
- value: ipv4-addr
- if: "ctx.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)"
- - rename:
- field: misp.attribute.value
- target_field: threat.indicator.url.domain
- ignore_missing: true
- if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.misp?.attribute?.type != 'domain|ip' && ctx.threat?.indicator?.url?.domain == null"
- - rename:
- field: misp.attribute.value
- target_field: threat.indicator.ip
- ignore_missing: true
- if: "ctx.threat?.indicator?.type == 'ipv4-addr' && ctx.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)"
- - grok:
- field: misp.attribute.value
- patterns:
- - "%{DATA:threat.indicator.url.domain}\\|%{IP:threat.indicator.ip}"
- ignore_missing: true
- if: ctx.misp?.attribute?.type == 'domain|ip' && ctx.threat?.indicator?.url?.domain == null
- - grok:
- field: misp.attribute.value
- patterns:
- - "%{IP:threat.indicator.ip}\\|%{NUMBER:threat.indicator.port}"
- ignore_missing: true
- if: "['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)"
-
- ## Email indicator operations
- # Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp.
- - set:
- field: threat.indicator.type
- value: email-addr
- if: "ctx.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)"
- - set:
- field: threat.indicator.type
- value: email-message
- if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)"
- - rename:
- field: misp.attribute.value
- target_field: threat.indicator.email.address
- ignore_missing: true
- if: ctx.threat?.indicator?.type == 'email-addr'
- - rename:
- field: misp.event_creator_email
- target_field: user.email
- ignore_missing: true
- - append:
- field: user.roles
- value: "reporting_user"
- if: ctx?.user?.email != null
-
- ## MAC Address indicator operations
- - set:
- field: threat.indicator.type
- value: mac-addr
- if: "ctx.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.misp?.attribute?.type)"
- - rename:
- field: misp.attribute.value
- target_field: threat.indicator.mac
- ignore_missing: true
- if: ctx.threat?.indicator?.type == 'mac-addr'
-
- ###################
- # Tags ECS fields #
- ###################
- # Stripping special characters from tags
- - script:
- lang: painless
- if: ctx.misp?.tag != null
- source: |
- def tags = ctx.misp.tag.stream()
- .map(t -> t.name.replace('\\', '').replace('"', ''))
- .collect(Collectors.toList());
- def tlpTags = tags.stream()
- .filter(t -> t.startsWith('tlp:'))
- .map(t -> t.replace('tlp:', ''))
- .collect(Collectors.toList());
-
- ctx.tags = tags;
- ctx.threat.indicator.marking = [ 'tlp': tlpTags ];
-
- # Setting indicator type to unknown if it does not match anything
- - set:
- field: threat.indicator.type
- value: unknown
- if: ctx.threat?.indicator?.type == null
-
- #################
- # Convert types #
- #################
- - convert:
- field: misp.attribute.distribution
- type: long
- ignore_missing: true
- - convert:
- field: misp.context.attribute.distribution
- type: long
-
ignore_missing: true
- - convert:
- field: threat.indicator.port
- type: long
- ignore_missing: true
- - convert:
- field: misp.attribute_count
- type: long
- ignore_missing: true
-
- ######################
- # Cleanup processors #
- ######################
- - script:
- lang: painless
- if: ctx?.misp != null
- source: |
- void handleMap(Map map) {
- for (def x : map.values()) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- map.values().removeIf(v -> v == null);
- }
- void handleList(List list) {
- for (def x : list) {
- if (x instanceof Map) {
- handleMap(x);
- } else if (x instanceof List) {
- handleList(x);
- }
- }
- }
- handleMap(ctx);
- # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event
- - remove:
- field:
- - misp.attribute.value
- ignore_missing: true
- if: ctx.threat?.indicator?.type != 'unknown'
- - remove:
- field:
- # This removes a number of fields that may be wanted in the future when
- # misp.attribute and misp.object.attribute can
- # be separated. At the root of .object are fields that mirror fields at
- # the root of misp.
- - misp.object
- ignore_missing: true
- - remove:
- field:
- - misp.Attribute.timestamp
- - misp.timestamp
- - misp.tag
- - misp.org
- - misp.analysis
- - _tmp
- - json
- ignore_missing: true
-
-on_failure:
- - set:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_misp/1.4.0/data_stream/threat/fields/agent.yml b/packages/ti_misp/1.4.0/data_stream/threat/fields/agent.yml
deleted file mode 100755
index da4e652c53..0000000000
--- a/packages/ti_misp/1.4.0/data_stream/threat/fields/agent.yml
+++ /dev/null
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/ti_misp/1.4.0/data_stream/threat/fields/base-fields.yml b/packages/ti_misp/1.4.0/data_stream/threat/fields/base-fields.yml
deleted file mode 100755
index ad1000cb9b..0000000000
--- a/packages/ti_misp/1.4.0/data_stream/threat/fields/base-fields.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: ti_misp
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: ti_misp.threat
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: MISP
-- name: threat.feed.dashboard_id
- type: constant_keyword
- description: Dashboard ID used for Kibana CTI UI
- value: ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/ti_misp/1.4.0/data_stream/threat/fields/beats.yml b/packages/ti_misp/1.4.0/data_stream/threat/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/ti_misp/1.4.0/data_stream/threat/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_misp/1.4.0/data_stream/threat/fields/ecs.yml b/packages/ti_misp/1.4.0/data_stream/threat/fields/ecs.yml
deleted file mode 100755
index e6dcb70141..0000000000
--- a/packages/ti_misp/1.4.0/data_stream/threat/fields/ecs.yml
+++ /dev/null
@@ -1,188 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: User email address.
- name: user.email
- type: keyword
-- description: Array of user roles at the time of the event.
- name: user.roles
- type: keyword
-- name: threat.feed.name
- type: keyword
-- description: The date and time when intelligence source first reported sighting this indicator.
- name: threat.indicator.first_seen
- type: date
-- description: The date and time when intelligence source last reported sighting this indicator.
- name: threat.indicator.last_seen
- type: date
-- description: Count of AV/EDR vendors that successfully detected malicious file or URL.
- name: threat.indicator.scanner_stats
- type: long
-- description: |-
- Type of indicator as represented by Cyber Observable in STIX 2.0.
- Recommended values:
- * autonomous-system
- * artifact
- * directory
- * domain-name
- * email-addr
- * file
- * ipv4-addr
- * ipv6-addr
- * mac-addr
- * mutex
- * port
- * process
- * software
- * url
- * user-account
- * windows-registry-key
- * x509-certificate
- name: threat.indicator.type
- type: keyword
-- description: Identifies a threat indicator as an IP address (irrespective of direction).
- name: threat.indicator.ip
- type: ip
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: threat.indicator.url.domain
- type: keyword
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.url.full
- type: wildcard
-- description: |-
- The field contains the file extension from the original request url, excluding the leading dot.
- The file extension is only set if it exists, as not every url has a file extension.
- The leading period must not be included. For example, the value must be "png", not ".png".
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: threat.indicator.url.extension
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: threat.indicator.url.path
- type: wildcard
-- description: Port of the request, such as 443.
- name: threat.indicator.url.port
- type: long
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: threat.indicator.url.scheme
- type: keyword
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: threat.indicator.url.query
- type: keyword
-- description: Identifies a threat indicator as an email address (irrespective of direction).
- name: threat.indicator.email.address
- type: keyword
-- description: The name of the indicator's provider.
- name: threat.indicator.provider
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: threat.indicator.as.number
- type: long
-- description: MD5 hash.
- name: threat.indicator.file.hash.md5
- type: keyword
-- description: SHA1 hash.
- name: threat.indicator.file.hash.sha1
- type: keyword
-- description: SHA256 hash.
- name: threat.indicator.file.hash.sha256
- type: keyword
-- description: |-
- Traffic Light Protocol sharing markings.
- Recommended values are:
- * WHITE
- * GREEN
- * AMBER
- * RED
- name: threat.indicator.marking.tlp
- type: keyword
-- description: Identifies a threat indicator as a port number (irrespective of direction).
- name: threat.indicator.port
- type: long
-- description: Hive-relative path of keys.
- name: threat.indicator.registry.key
- type: keyword
-- description: Name of the value written.
- name: threat.indicator.registry.value
- type: keyword
-- description: |-
- File size in bytes.
- Only relevant when `file.type` is "file".
- name: threat.indicator.file.size
- type: long
-- description: File type (file, dir, or symlink).
- name: threat.indicator.file.type
- type: keyword
-- description: Name of the file including the extension, without the directory.
- name: threat.indicator.file.name
- type: keyword
diff --git a/packages/ti_misp/1.4.0/data_stream/threat/fields/fields.yml b/packages/ti_misp/1.4.0/data_stream/threat/fields/fields.yml
deleted file mode 100755
index 133826511b..0000000000
--- a/packages/ti_misp/1.4.0/data_stream/threat/fields/fields.yml
+++ /dev/null
@@ -1,291 +0,0 @@
-- name: misp
- type: group
- description: >
- Fields for MISP indicators
-
- fields:
- - name: id
- type: keyword
- description: >
- Attribute ID.
-
- - name: orgc_id
- type: keyword
- description: >
- Organization Community ID of the event.
-
- - name: org_id
- type: keyword
- description: >
- Organization ID of the event.
-
- - name: threat_level_id
- type: long
- description: >
- Threat level from 5 to 1, where 1 is the most critical.
-
- - name: info
- type: keyword
- description: >
- Additional text or information related to the event.
-
- - name: published
- type: boolean
- description: >
- When the event was published.
-
- - name: uuid
- type: keyword
- description: >
- The UUID of the event object.
-
- - name: date
- type: date
- description: >
- The date of when the event object was created.
-
- - name: attribute_count
- type: long
- description: >
- How many attributes are included in a single event object.
-
- - name: timestamp
- type: date
- description: >
- The timestamp of when the event object was created.
-
- - name: distribution
- type: keyword
- description: >
- Distribution type related to MISP.
-
- - name: proposal_email_lock
- type: boolean
- description: >
- Settings configured on MISP for email lock on this event object.
-
- - name: locked
- type: boolean
- description: >
- If the current MISP event object is locked or not.
-
- - name: publish_timestamp
- type: date
- description: >
- At what time the event object was published
-
- - name: sharing_group_id
- type: keyword
- description: >
- The ID of the grouped events or sources of the event.
-
- - name: disable_correlation
- type: boolean
- description: >
- If correlation is disabled on the MISP event object.
-
- - name: extends_uuid
- type: keyword
- description: >
- The UUID of the event object it might extend.
-
- - name: org.id
- type: keyword
- description: >
- The organization ID related to the event object.
-
- - name: org.name
- type: keyword
- description: >
- The organization name related to the event object.
-
- - name: org.uuid
- type: keyword
- description: >
- The UUID of the organization related to the event object.
-
- - name: org.local
- type: boolean
- description: >
- If the event object is local or from a remote source.
-
- - name: orgc.id
- type: keyword
- description: >
- The Organization Community ID in which the event object was reported from.
-
- - name: orgc.name
- type: keyword
- description: >
- The Organization Community name in which the event object was reported from.
-
- - name: orgc.uuid
- type: keyword
- description: >
- The Organization Community UUID in which the event object was reported from.
-
- - name: orgc.local
- type: boolean
- description: >
- If the Organization Community was local or synced from a remote source.
-
- - name: attribute.id
- type: keyword
- description: >
- The ID of the attribute related to the event object.
-
- - name: attribute.type
- type: keyword
- description: >
- The type of the attribute related to the event object. For example email, ipv4, sha1 and such.
-
- - name: attribute.category
- type: keyword
- description: >
- The category of the attribute related to the event object. For example "Network Activity".
-
- - name: attribute.to_ids
- type: boolean
- description: >
- If the attribute should be automatically synced with an IDS.
-
- - name: attribute.uuid
- type: keyword
- description: >
- The UUID of the attribute related to the event.
-
- - name: attribute.event_id
- type: keyword
- description: >
- The local event ID of the attribute related to the event.
-
- - name: attribute.distribution
- type: long
- description: >
- How the attribute has been distributed, represented by integer numbers.
-
- - name: attribute.timestamp
- type: date
- description: >
- The timestamp in which the attribute was attached to the event object.
-
- - name: attribute.comment
- type: keyword
- description: >
- Comments made to the attribute itself.
-
- - name: attribute.sharing_group_id
- type: keyword
- description: >
- The group ID of the sharing group related to the specific attribute.
-
- - name: attribute.deleted
- type: boolean
- description: >
- If the attribute has been removed from the event object.
-
- - name: attribute.disable_correlation
- type: boolean
- description: >
- If correlation has been enabled on the attribute related to the event object.
-
- - name: attribute.object_id
- type: keyword
- description: >
- The ID of the Object in which the attribute is attached.
-
- - name: attribute.object_relation
- type: keyword
- description: >
- The type of relation the attribute has with the event object itself.
-
- - name: attribute.value
- type: keyword
- description: >
- The value of the attribute, depending on the type like "url, sha1, email-src".
-
- - name: context.attribute.id
- type: keyword
- description: >
- The ID of the secondary attribute related to the event object.
-
- - name: context.attribute.type
- type: keyword
- description: >
- The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such.
-
- - name: context.attribute.category
- type: keyword
- description: >
- The category of the secondary attribute related to the event object. For example "Network Activity".
-
- - name: context.attribute.to_ids
- type: boolean
- description: >
- If the secondary attribute should be automatically synced with an IDS.
-
- - name: context.attribute.uuid
- type: keyword
- description: >
- The UUID of the secondary attribute related to the event.
-
- - name: context.attribute.event_id
- type: keyword
- description: >
- The local event ID of the secondary attribute related to the event.
-
- - name: context.attribute.distribution
- type: long
- description: >
- How the secondary attribute has been distributed, represented by integer numbers.
-
- - name: context.attribute.timestamp
- type: date
- description: >
- The timestamp in which the secondary attribute was attached to the event object.
-
- - name: context.attribute.comment
- type: keyword
- description: >
- Comments made to the secondary attribute itself.
-
- - name: context.attribute.sharing_group_id
- type: keyword
- description: >
- The group ID of the sharing group related to the specific secondary attribute.
-
- - name: context.attribute.deleted
- type: boolean
- description: >
- If the secondary attribute has been removed from the event object.
-
- - name: context.attribute.disable_correlation
- type: boolean
- description: >
- If correlation has been enabled on the secondary attribute related to the event object.
-
- - name: context.attribute.object_id
- type: keyword
- description: >
- The ID of the Object in which the secondary attribute is attached.
-
- - name: context.attribute.object_relation
- type: keyword
- description: >
- The type of relation the secondary attribute has with the event object itself.
-
- - name: context.attribute.value
- type: keyword
- description: >
- The value of the attribute, depending on the type like "url, sha1, email-src".
-
- - name: context.attribute.first_seen
- type: keyword
- description: >
- The first time the indicator was seen.
-
- - name: context.attribute.last_seen
- type: keyword
- description: >
- The last time the indicator was seen.
-
diff --git a/packages/ti_misp/1.4.0/data_stream/threat/manifest.yml b/packages/ti_misp/1.4.0/data_stream/threat/manifest.yml
deleted file mode 100755
index 353de39766..0000000000
--- a/packages/ti_misp/1.4.0/data_stream/threat/manifest.yml
+++ /dev/null
@@ -1,101 +0,0 @@
-type: logs
-title: MISP
-streams:
- - input: httpjson
- vars:
- - name: url
- type: text
- title: MISP URL
- multi: false
- required: true
- show_user: true
- default: https://mispserver.com
- description: The URL or hostname of the MISP instance.
- - name: api_token
- type: password
- title: MISP API Token
- multi: false
- required: true
- show_user: true
- description: The API token used to access the MISP instance.
- - name: initial_interval
- type: text
- title: Interval
- multi: false
- required: true
- show_user: true
- default: 120h
- description: How far back to look for indicators the first time the agent is started.
- - name: http_client_timeout
- type: text
- title: HTTP Client Timeout
- multi: false
- required: false
- show_user: false
- default: 30s
- - name: filters
- type: yaml
- title: MISP API Filters
- multi: false
- required: false
- show_user: false
- default: |
- #type:
- # OR:
- # - ip-src
- # - ip-dst
- #tags:
- # NOT:
- # - tlp-red
- description: Filters documented at [MISP API Documentation](https://www.circl.lu/doc/misp/automation/#search) is supported.
- - name: proxy_url
- type: text
- title: Proxy URL
- multi: false
- required: false
- show_user: false
- description: URL to proxy connections in the form of http[s]://:@:
- - name: interval
- type: text
- title: Interval
- multi: false
- required: true
- show_user: true
- default: 10m
- - name: ssl
- type: yaml
- title: SSL
- multi: false
- required: false
- show_user: false
- default: |
- #verification_mode: none
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - misp-threat
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- template_path: httpjson.yml.hbs
- title: MISP
- description: Collect indicators from the MISP API
diff --git a/packages/ti_misp/1.4.0/data_stream/threat/sample_event.json b/packages/ti_misp/1.4.0/data_stream/threat/sample_event.json
deleted file mode 100755
index 2f0271242c..0000000000
--- a/packages/ti_misp/1.4.0/data_stream/threat/sample_event.json
+++ /dev/null
@@ -1,97 +0,0 @@ -{ - "@timestamp": "2014-10-06T07:12:57.000Z", - "agent": { - "ephemeral_id": "dcc4828e-8e2d-49de-ac30-3a38de7e73da", - "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "ti_misp.threat", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-04-11T08:58:54.124Z", - "dataset": "ti_misp.threat", - "ingested": "2022-04-11T08:58:55Z", - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-
10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "22", - "id": "12394", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "1462454963", - "to_ids": false, - "type": "domain", - "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" - }, - "attribute_count": 29, - "date": "2014-10-03", - "disable_correlation": false, - "distribution": "3", - "extends_uuid": "", - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "locked": false, - "org_id": "1", - "orgc": { - "id": "2", - "local": false, - "name": "CthulhuSPRL.be", - "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" - }, - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "1610622316", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" - }, - "tags": [ - "type:OSINT", - "tlp:green" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "marking": { - "tlp": [ - "green" - ] - }, - "provider": "misp", - "scanner_stats": 2, - "type": "domain-name", - "url": { - "domain": "whatsapp.com" - } - } - } -} \ No newline at end of file diff --git a/packages/ti_misp/1.4.0/docs/README.md b/packages/ti_misp/1.4.0/docs/README.md deleted file mode 100755 index 79790f5d0e..0000000000 
--- a/packages/ti_misp/1.4.0/docs/README.md
+++ /dev/null
@@ -1,259 +0,0 @@ -# MISP Integration - -The MISP integration uses the REST API from the running MISP instance to retrieve indicators and Threat Intelligence. - -## Logs - -### Threat - -The MISP integration configuration allows to set the polling interval, how far back it -should look initially, and optionally any filters used to filter the results. - -The filters themselves are based on the [MISP API documentation](https://www.circl.lu/doc/misp/automation/#search) and should support all documented fields. - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset name. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error.message | Error message. | match_only_text | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | -| event.dataset | Event dataset | constant_keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | -| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| misp.attribute.category | The category of the attribute related to the event object. 
For example "Network Activity". | keyword | -| misp.attribute.comment | Comments made to the attribute itself. | keyword | -| misp.attribute.deleted | If the attribute has been removed from the event object. | boolean | -| misp.attribute.disable_correlation | If correlation has been enabled on the attribute related to the event object. | boolean | -| misp.attribute.distribution | How the attribute has been distributed, represented by integer numbers. | long | -| misp.attribute.event_id | The local event ID of the attribute related to the event. | keyword | -| misp.attribute.id | The ID of the attribute related to the event object. | keyword | -| misp.attribute.object_id | The ID of the Object in which the attribute is attached. | keyword | -| misp.attribute.object_relation | The type of relation the attribute has with the event object itself. | keyword | -| misp.attribute.sharing_group_id | The group ID of the sharing group related to the specific attribute. | keyword | -| misp.attribute.timestamp | The timestamp in which the attribute was attached to the event object. | date | -| misp.attribute.to_ids | If the attribute should be automatically synced with an IDS. | boolean | -| misp.attribute.type | The type of the attribute related to the event object. For example email, ipv4, sha1 and such. | keyword | -| misp.attribute.uuid | The UUID of the attribute related to the event. | keyword | -| misp.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword | -| misp.attribute_count | How many attributes are included in a single event object. | long | -| misp.context.attribute.category | The category of the secondary attribute related to the event object. For example "Network Activity". | keyword | -| misp.context.attribute.comment | Comments made to the secondary attribute itself. | keyword | -| misp.context.attribute.deleted | If the secondary attribute has been removed from the event object. 
| boolean | -| misp.context.attribute.disable_correlation | If correlation has been enabled on the secondary attribute related to the event object. | boolean | -| misp.context.attribute.distribution | How the secondary attribute has been distributed, represented by integer numbers. | long | -| misp.context.attribute.event_id | The local event ID of the secondary attribute related to the event. | keyword | -| misp.context.attribute.first_seen | The first time the indicator was seen. | keyword | -| misp.context.attribute.id | The ID of the secondary attribute related to the event object. | keyword | -| misp.context.attribute.last_seen | The last time the indicator was seen. | keyword | -| misp.context.attribute.object_id | The ID of the Object in which the secondary attribute is attached. | keyword | -| misp.context.attribute.object_relation | The type of relation the secondary attribute has with the event object itself. | keyword | -| misp.context.attribute.sharing_group_id | The group ID of the sharing group related to the specific secondary attribute. | keyword | -| misp.context.attribute.timestamp | The timestamp in which the secondary attribute was attached to the event object. | date | -| misp.context.attribute.to_ids | If the secondary attribute should be automatically synced with an IDS. | boolean | -| misp.context.attribute.type | The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. | keyword | -| misp.context.attribute.uuid | The UUID of the secondary attribute related to the event. | keyword | -| misp.context.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword | -| misp.date | The date of when the event object was created. | date | -| misp.disable_correlation | If correlation is disabled on the MISP event object. | boolean | -| misp.distribution | Distribution type related to MISP. 
| keyword | -| misp.extends_uuid | The UUID of the event object it might extend. | keyword | -| misp.id | Attribute ID. | keyword | -| misp.info | Additional text or information related to the event. | keyword | -| misp.locked | If the current MISP event object is locked or not. | boolean | -| misp.org.id | The organization ID related to the event object. | keyword | -| misp.org.local | If the event object is local or from a remote source. | boolean | -| misp.org.name | The organization name related to the event object. | keyword | -| misp.org.uuid | The UUID of the organization related to the event object. | keyword | -| misp.org_id | Organization ID of the event. | keyword | -| misp.orgc.id | The Organization Community ID in which the event object was reported from. | keyword | -| misp.orgc.local | If the Organization Community was local or synced from a remote source. | boolean | -| misp.orgc.name | The Organization Community name in which the event object was reported from. | keyword | -| misp.orgc.uuid | The Organization Community UUID in which the event object was reported from. | keyword | -| misp.orgc_id | Organization Community ID of the event. | keyword | -| misp.proposal_email_lock | Settings configured on MISP for email lock on this event object. | boolean | -| misp.publish_timestamp | At what time the event object was published | date | -| misp.published | When the event was published. | boolean | -| misp.sharing_group_id | The ID of the grouped events or sources of the event. | keyword | -| misp.threat_level_id | Threat level from 5 to 1, where 1 is the most critical. | long | -| misp.timestamp | The timestamp of when the event object was created. | date | -| misp.uuid | The UUID of the event object. | keyword | -| tags | List of keywords used to tag each event. 
| keyword | -| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | -| threat.feed.name | | keyword | -| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | -| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword | -| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.registry.key | Hive-relative path of keys. | keyword | -| threat.indicator.registry.value | Name of the value written. | keyword | -| threat.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. | long | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. 
Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. 
| long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.email | User email address. | keyword | -| user.roles | Array of user roles at the time of the event. | keyword | - - -An example event for `threat` looks as following: - -```json -{ - "@timestamp": "2014-10-06T07:12:57.000Z", - "agent": { - "ephemeral_id": "dcc4828e-8e2d-49de-ac30-3a38de7e73da", - "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.0.0" - }, - "data_stream": { - "dataset": "ti_misp.threat", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", - "snapshot": false, - "version": "8.0.0" - }, - "event": { - "agent_id_status": "verified", - "category": "threat", - "created": "2022-04-11T08:58:54.124Z", - "dataset": "ti_misp.threat", - "ingested": "2022-04-11T08:58:55Z", - "kind": "enrichment", - "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network 
activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", - "type": "indicator" - }, - "input": { - "type": "httpjson" - }, - "misp": { - "attribute": { - "category": "Network activity", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": 5, - "event_id": "22", - "id": "12394", - "object_id": "0", - "sharing_group_id": "0", - "timestamp": "1462454963", - 
"to_ids": false, - "type": "domain", - "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" - }, - "attribute_count": 29, - "date": "2014-10-03", - "disable_correlation": false, - "distribution": "3", - "extends_uuid": "", - "id": "2", - "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", - "locked": false, - "org_id": "1", - "orgc": { - "id": "2", - "local": false, - "name": "CthulhuSPRL.be", - "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" - }, - "orgc_id": "2", - "proposal_email_lock": false, - "publish_timestamp": "1610622316", - "published": true, - "sharing_group_id": "0", - "threat_level_id": 2, - "uuid": "54323f2c-e50c-4268-896c-4867950d210b" - }, - "tags": [ - "type:OSINT", - "tlp:green" - ], - "threat": { - "feed": { - "name": "MISP" - }, - "indicator": { - "marking": { - "tlp": [ - "green" - ] - }, - "provider": "misp", - "scanner_stats": 2, - "type": "domain-name", - "url": { - "domain": "whatsapp.com" - } - } - } -} -``` \ No newline at end of file diff --git a/packages/ti_misp/1.4.0/img/misp.svg b/packages/ti_misp/1.4.0/img/misp.svg deleted file mode 100755 index 076530aa25..0000000000 --- a/packages/ti_misp/1.4.0/img/misp.svg +++ /dev/null @@ -1,158 +0,0 @@ - - - - diff --git a/packages/ti_misp/1.4.0/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json b/packages/ti_misp/1.4.0/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json deleted file mode 100755 index bd8d5dbf01..0000000000 --- a/packages/ti_misp/1.4.0/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about file type indicators from the MISP integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_misp.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \\n**[MISP Files (This Page)](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877)** \\n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":27,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":18,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":24,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-52e62840-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"12768311-834b-48d5-8aad-d17d139c2ae5\":{\"columnOrder\":[\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\"],\"columns\":{\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique TLSH\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.tlsh\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\",\"layerId\":\"12768311-834b-48d5-8aad-d17d139c2ae5\",\"layerType\":\"data\"}},\"title\":\"Unique TLSH [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"w\":6,\"x\":30,\"y\":0},\"panelIndex\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"title\":\"Unique TLSH [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4f8c9d00-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\":{\"columnOrder\":[\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\"],\"columns\":{\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Imphash\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.pe.imphash\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\",\"layerId\":\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"layerType\":\"data\"}},\"title\":\"Unique Imphash [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"w\":6,\"x\":36,\"y\":0},\"panelIndex\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"title\":\"Unique Imphash [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-88ef6dd0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\":{\"columnOrder\":[\"b5cdfd94-1e22-4673-8216-59aca2131761\"],\"columns\":{\"b5cdfd94-1e22-4673-8216-59aca2131761\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SSDEEP\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.ssdeep\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b5cdfd94-1e22-4673-8216-59aca2131761\",\"layerId\":\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"layerType\":\"data\"}},\"title\":\"Unique SSDEEP [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"w\":6,\"x\":42,\"y\":0},\"panelIndex\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"title\":\"Unique SSDEEP [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":20,\"x\":7,\"y\":8},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":21,\"x\":27,\"y\":8},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs MISP] Files", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", - "type": "index-pattern" - }, - { - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - 
"type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_misp/1.4.0/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json b/packages/ti_misp/1.4.0/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json deleted file mode 100755 index a9987e5bf9..0000000000 --- a/packages/ti_misp/1.4.0/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about URL type indicators from the MISP integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_misp.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \\n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \\n**[MISP URLs (This Page)](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877)** \\n\\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs MISP] URLs", - "version": 1 - }, - 
"coreMigrationVersion": "8.0.0",
- "id": "ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877",
- "migrationVersion": {
- "dashboard": "8.0.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac",
- "type": "index-pattern"
- },
- {
- "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294",
- "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294",
- "type": "tag"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/packages/ti_misp/1.4.0/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json b/packages/ti_misp/1.4.0/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json
deleted file mode 100755
index e60f8f871b..0000000000
--- a/packages/ti_misp/1.4.0/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json
+++ /dev/null
@@ -1,87 +0,0 @@ -{ - "attributes": { - "description": "Dashboard providing statistics about indicators ingested from the MISP integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.dataset\":\"ti_misp.threat\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[MISP Overview (This Page)](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294)** \\n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \\n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \\n\\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the MISP integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from MISP. 
\\n\\nIt shows ingestion rates and provides a few filters for drilling down to specific indicator types retrieved from MISP.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":36,\"i\":\"ce31769b-ab7b-48c0-8869-bdf0c943d013\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"ce31769b-ab7b-48c0-8869-bdf0c943d013\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1641204819355\",\"indexPatternRefName\":\"control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1641204843291\",\"indexPatternRefName\":\"control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"8fd54b49-92c1-4b90-a0c9-c1cedaa137b5\",\"w\":26,\"x\":7,\"y\":0},\"panelIndex\":\"8fd54b49-92c1-4b90-a0c9-c1cedaa137b5\",\"title\":\"Indicator Selector [Logs 
MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d87f35ee-570a-488b-b618-6ada39b49df4\":{\"columnOrder\":[\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\",\"d0f21543-9576-400e-aeca-babc5407d3a7\"],\"columns\":{\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d0f21543-9576-400e-aeca-babc5407d3a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"},\"d0f21543-9576-400e-aeca-babc5407d3a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\"],\"layerId\":\"d87f35ee-570a-488b-b618-6ada39b49df4\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d0f21543-9576-400e-aeca-babc5407d3a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":22,\"i\":\"793c8c41-d3d3-4196-a0e6-aaac8bc1572b\",\"w\":15,\"x\":33,\"y\":0},\"panelIndex\":\"793c8c41-d3d3-4196-a0e6-aaac8bc1572b\",\"title\":\"Total Indicators per type [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0491a750-3050-47a9-bb99-c45984d3d28c\":{\"columnOrder\":[\"fb93835d-e6a1-49b4-8911-ae15b081da8a\"],\"columns\":{\"fb93835d-e6a1-49b4-8911-ae15b081da8a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"fb93835d-e6a1-49b4-8911-ae15b081da8a\",\"layerId\":\"0491a750-3050-47a9-bb99-c45984d3d28c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"7cb42a10-64fd-454a-8669-f579fa2d0850\",\"w\":6,\"x\":7,\"y\":8},\"panelIndex\":\"7cb42a10-64fd-454a-8669-f579fa2d0850\",\"title\":\"Total Indicators [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"471f2a97-fb44-41a1-a5a0-2f68b9140ef5\":{\"columnOrder\":[\"16691165-3643-4658-bfc8-4bba834f2789\",\"3e085a0a-8386-4f64-a629-44ae27b18878\"],\"columns\":{\"16691165-3643-4658-bfc8-4bba834f2789\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"3e085a0a-8386-4f64-a629-44ae27b18878\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"},\"3e085a0a-8386-4f64-a629-44ae27b18878\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"3e085a0a-8386-4f64-a629-44ae27b18878\"],\"layerId\":\"471f2a97-fb44-41a1-a5a0-2f68b9140ef5\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"16691165-3643-4658-bfc8-4bba834f2789\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":true,\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"f5937489-643e-4254-819d-b1290b4b74c2\",\"w\":20,\"x\":13,\"y\":8},\"panelIndex\":\"f5937489-643e-4254-819d-b1290b4b74c2\",\"title\":\"Total Indicators per Provider [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],
\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"77a4acf0-c56d-420f-b50b-8e5b082931c9\",\"w\":41,\"x\":7,\"y\":22},\"panelIndex\":\"77a4acf0-c56d-420f-b50b-8e5b082931c9\",\"title\":\"Indicators ingested [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Logs MISP] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", - "type": "index-pattern" - }, - { - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "type": "tag" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/ti_misp/1.4.0/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json b/packages/ti_misp/1.4.0/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json deleted file mode 100755 index b202c82473..0000000000 --- a/packages/ti_misp/1.4.0/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "attributes": { - "color": "#6092C0", - "description": "", - "name": "MISP" - }, - "coreMigrationVersion": "8.0.0", - "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", - "migrationVersion": { - "tag": "8.0.0" - }, - "references": [], - "type": "tag" -} \ No newline at end of file diff --git a/packages/ti_misp/1.4.0/manifest.yml b/packages/ti_misp/1.4.0/manifest.yml deleted file mode 100755 index 152925bb9c..0000000000 --- a/packages/ti_misp/1.4.0/manifest.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -name: ti_misp -title: MISP -version: 1.4.0 -release: ga -description: Ingest threat intelligence indicators from MISP platform with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -categories: [security] -conditions: - kibana.version: ^8.0.0 -icons: - - src: /img/misp.svg - title: MISP - size: 216x216 - type: image/svg+xml -policy_templates: - - name: ti_misp - title: MISP - description: Ingest threat intelligence indicators from MISP platform with Elastic Agent. - inputs: - - type: httpjson - title: "Ingest threat intelligence indicators from MISP platform with Elastic Agent." - description: "Ingest threat intelligence indicators from MISP platform with Elastic Agent." -owner: - github: elastic/security-external-integrations diff --git a/packages/ti_recordedfuture/1.0.0/changelog.yml b/packages/ti_recordedfuture/1.0.0/changelog.yml deleted file mode 100755 index 6d6f1c66ce..0000000000 --- a/packages/ti_recordedfuture/1.0.0/changelog.yml +++ /dev/null @@ -1,26 +0,0 @@ -# newer versions go on top -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.1.3" - changes: - - description: Update package descriptions - type: enhancement - link: https://github.com/elastic/integrations/pull/3398 -- version: "0.1.2" - changes: - - description: Add field mapping for event.created - type: enhancement - link: https://github.com/elastic/integrations/pull/3042 -- version: "0.1.1" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.1.0" - changes: - - description: Initial release - type: enhancement - link: https://github.com/elastic/integrations/pull/2757 
diff --git a/packages/ti_recordedfuture/1.0.0/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_recordedfuture/1.0.0/data_stream/threat/agent/stream/httpjson.yml.hbs deleted file mode 100755 index 1e7156ac8c..0000000000 --- a/packages/ti_recordedfuture/1.0.0/data_stream/threat/agent/stream/httpjson.yml.hbs +++ /dev/null @@ -1,33 +0,0 @@ -config_version: "2" -interval: {{interval}} -request.method: "GET" - -{{#if custom_url}} -request.url: "{{ custom_url }}" -{{else}} -request.url: "{{ endpoint }}/{{ entity }}/risklist?format=csv/splunk&gzip=false&list={{ list }}" -{{/if}} -{{#if proxy_url }} -request.proxy_url: {{proxy_url}} -{{/if}} -request.transforms: -{{#if api_token}} -- set: - target: header.X-RFToken - value: {{ api_token }} -{{/if}} -response.decode_as: text/csv -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/ti_recordedfuture/1.0.0/data_stream/threat/agent/stream/logfile.yml.hbs b/packages/ti_recordedfuture/1.0.0/data_stream/threat/agent/stream/logfile.yml.hbs deleted file mode 100755 index f2c693bdde..0000000000 --- a/packages/ti_recordedfuture/1.0.0/data_stream/threat/agent/stream/logfile.yml.hbs +++ /dev/null @@ -1,20 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} - - add_locale: ~ \ No newline at end of file 
diff --git a/packages/ti_recordedfuture/1.0.0/data_stream/threat/elasticsearch/ingest_pipeline/decode_csv.yml b/packages/ti_recordedfuture/1.0.0/data_stream/threat/elasticsearch/ingest_pipeline/decode_csv.yml deleted file mode 100755 index 86c06b7a1d..0000000000 --- a/packages/ti_recordedfuture/1.0.0/data_stream/threat/elasticsearch/ingest_pipeline/decode_csv.yml +++ /dev/null @@ -1,43 +0,0 @@ ---- -description: Pipeline to decode CSV risklists from Recorded Future threat intel. -processors: - - csv: - field: event.original - target_fields: - - _tmp_.col0 - - _tmp_.col1 - - _tmp_.col2 - - _tmp_.col3 - - _tmp_.col4 - - drop: - description: 'Drops the CSV header line.' - if: 'ctx._tmp_.col0 == "Name"' - -# This supports the default CSV risklists: -# 4-column for url, domain and IPs. -# 5-column for hash. - - script: - description: Maps the CSV entries to fields. - lang: painless - params: - default: - col0: Name - col1: Risk - col2: RiskString - col3: EvidenceDetails - hash: - col0: Name - col1: Algorithm - col2: Risk - col3: RiskString - col4: EvidenceDetails - source: > - def cols = params[ ctx._tmp_.col4 == null? "default" : "hash" ]; - def src = ctx._tmp_; - def dst = new HashMap(); - for (entry in cols.entrySet()) { - dst[entry.getValue()] = src[entry.getKey()]; - } - ctx['json'] = dst; - - remove: - field: _tmp_ diff --git a/packages/ti_recordedfuture/1.0.0/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_recordedfuture/1.0.0/data_stream/threat/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2c2ec01047..0000000000 --- a/packages/ti_recordedfuture/1.0.0/data_stream/threat/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,212 +0,0 @@ ---- -description: Pipeline for parsing Recorded Future threat intel. -processors: -# -# Set basic ECS fields. -# - - set: - field: ecs.version - value: "8.0" - - set: - field: event.dataset - value: "ti_recordedfuture.threat" - - set: - field: event.kind - value: enrichment - - set: - field: event.category - value: threat - - set: - field: event.type - value: indicator - - set: - field: threat.feed.name - value: "Recorded Future" -# -# TODO: Add dashboard -# -# - set: -# field: threat.feed.dashboard_id -# value: "recordedfuture-96fe1e60-4261-11ec-b7be-d3026acdf1cf" - - - rename: - field: message - target_field: event.original - ignore_missing: true - -# -# Decode event.original as JSON if it starts with the "{" character. -# This is the common case when events are ingested from the API, as httpjson -# transforms the CSV to a JSON message. -# - - json: - field: event.original - target_field: json - if: 'ctx.event?.original != null && ctx.event.original.startsWith("{")' - on_failure: - - fail: - message: "Failed decoding message field as JSON: {{{ _ingest.on_failure_message }}}" - -# -# Decode event.original as CSV when the above processor didn't execute. -# This is used when ingesting CSV lines from a file. -# - - pipeline: - name: '{{ IngestPipeline "decode_csv" }}' - if: 'ctx.json == null' - on_failure: - - fail: - message: "Failed decoding message field as CSV: {{{ _ingest.on_failure_message }}}" - -# -# Decode EvidenceDetails column as JSON. -# - - json: - field: json.EvidenceDetails - target_field: _temp_.EvidenceDetails - ignore_failure: true - - - rename: - field: _temp_.EvidenceDetails.EvidenceDetails - target_field: json.evidence_details - ignore_missing: true - -# -# Hash indicators (threat.indicator.type=file) -# As risklist indicators don't have a "type" field, it's necessary -# to detect the kind of indicator in the Name field. -# -# An indicator is of type `hash` when the Algorithm field is present. 
-# - - set: - field: threat.indicator.type - value: file - if: 'ctx.json.Algorithm != null' - - script: - lang: painless - description: > - Map file hashes. - if: "ctx.json.Algorithm != null" - params: - MD5: md5 - SHA-1: sha1 - SHA-256: sha256 - SHA-384: sha384 - SHA-512: sha512 - source: >- - def key = params[ctx.json.Algorithm]; - if (key == null) { - throw new Exception("Unsupported hash algorithm '" + ctx.json.Algorithm + "'"); - } - def hashes = [key:ctx.json.Name]; - ctx["_hashes"] = hashes; - on_failure: - - append: - field: error.message - value: "Failed to map fileHashes field: {{{ _ingest.on_failure_message }}}" - - rename: - field: _hashes - target_field: threat.indicator.file.hash - ignore_missing: true - -# -# IP indicators (threat.indicator.type=ipvN-addr) -# -# An indicator is of type `ip` if Name is a valid IP address. -# - - convert: - field: json.Name - target_field: threat.indicator.ip - type: ip - ignore_failure: true - if: 'ctx.threat?.indicator?.type == null' - - set: - field: threat.indicator.type - value: ipv4-addr - if: 'ctx.threat?.indicator?.ip != null && !ctx.threat.indicator.ip.contains(":")' - - set: - field: threat.indicator.type - value: ipv6-addr - if: 'ctx.threat?.indicator?.ip != null && ctx.threat.indicator.ip.contains(":")' - -# -# URL indicators (threat.indicator.type=url) -# An indicator is of type `url` if Name contains a slash character. -# - - set: - field: threat.indicator.type - value: url - if: 'ctx.threat?.indicator?.type == null && ctx.json.Name.contains("/")' - - uri_parts: - field: json.Name - target_field: threat.indicator.url - keep_original: true - if: 'ctx.threat?.indicator?.type == "url"' -# -# Domain indicators (threat.indicator.type=domain) -# This is a catch-all type. 
-# - - set: - field: threat.indicator.type - value: domain-name - if: 'ctx.threat?.indicator?.type == null' - - set: - field: threat.indicator.url.domain - value: '{{{ json.Name }}}' - ignore_empty_value: true - if: 'ctx.threat?.indicator?.type == "domain-name" && ctx.threat?.indicator?.url?.domain == null' - -# -# Normalize Risk -# - - convert: - field: json.Risk - target_field: event.risk_score - ignore_missing: true - type: float - on_failure: - - append: - field: error.message - value: "Risk score `{{{ json.Risk }}}` cannot be converted to float: {{{ _ingest.on_failure_message }}}" - -# -# Fingerprint event: _id = hash(dataset + indicator type + indicator value) -# - - fingerprint: - fields: - - event.dataset - - threat.indicator.type - - json.Name - target_field: "_id" - -# -# Save fields without an ECS mapping under `recordedfuture`. -# - - rename: - field: json.RiskString - target_field: json.risk_string - ignore_missing: true - - rename: - field: json - target_field: recordedfuture - -# -# Cleanup -# - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true - - remove: - field: - - recordedfuture.Algorithm - - recordedfuture.EvidenceDetails - - recordedfuture.Name - - recordedfuture.Risk - - _temp_ - ignore_missing: true -on_failure: - - append: - field: error.message - value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/agent.yml b/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/agent.yml deleted file mode 100755 index da4e652c53..0000000000 --- a/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/agent.yml +++ /dev/null 
@@ -1,198 +0,0 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/base-fields.yml b/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/base-fields.yml
deleted file mode 100755
index 1fbc652b8a..0000000000
--- a/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/base-fields.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset name.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: ti_recordedfuture
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: ti_recordedfuture.threat
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: Recorded Future
-#
-# TODO: Add dashboard
-#
-#- name: threat.feed.dashboard_id
-# type: constant_keyword
-# description: Dashboard ID used for Kibana CTI UI
-# value: recordedfuture-96fe1e60-4261-11ec-b7be-d3026acdf1cf
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/beats.yml b/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/beats.yml
deleted file mode 100755
index cb44bb2944..0000000000
--- a/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/beats.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: input.type
- type: keyword
- description: Type of Filebeat input.
-- name: log.flags
- type: keyword
- description: Flags for the log file.
-- name: log.offset
- type: long
- description: Offset of the entry in the log file.
-- name: log.file.path
- type: keyword
- description: Path to the log file.
diff --git a/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/ecs.yml b/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/ecs.yml
deleted file mode 100755
index 1a807ca505..0000000000
--- a/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/ecs.yml
+++ /dev/null
@@ -1,191 +0,0 @@
-- description: |-
- ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
- When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
- name: ecs.version
- type: keyword
-- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
- name: message
- type: match_only_text
-- description: List of keywords used to tag each event.
- name: tags
- type: keyword
-- description: Error message.
- name: error.message
- type: match_only_text
-- description: |-
- The numeric severity of the event according to your event source.
- What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
- The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
- name: event.severity
- type: long
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
- `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
- This field is an array. This will allow proper categorization of some events that fall in multiple categories.
- name: event.category
- type: keyword
-- description: |-
- Timestamp when an event arrived in the central data store.
- This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
- In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
- name: event.ingested
- type: date
-- description: |-
- event.created contains the date/time when the event was first read by an agent, or by your pipeline.
- This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
- In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
- In case the two timestamps are identical, @timestamp should be used.
- name: event.created
- type: date
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
- `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
- The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
- name: event.kind
- type: keyword
-- description: |-
- This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
- This field is an array. This will allow proper categorization of some events that fall in multiple event types.
- name: event.type
- type: keyword
-- description: |-
- Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
- This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
- doc_values: false
- index: false
- name: event.original
- type: keyword
-- description: The date and time when intelligence source first reported sighting this indicator.
- name: threat.indicator.first_seen
- type: date
-- description: The date and time when intelligence source last reported sighting this indicator.
- name: threat.indicator.last_seen
- type: date
-- description: |-
- Type of indicator as represented by Cyber Observable in STIX 2.0.
- Recommended values:
- * autonomous-system
- * artifact
- * directory
- * domain-name
- * email-addr
- * file
- * ipv4-addr
- * ipv6-addr
- * mac-addr
- * mutex
- * port
- * process
- * software
- * url
- * user-account
- * windows-registry-key
- * x509-certificate
- name: threat.indicator.type
- type: keyword
-- description: Identifies a threat indicator as an IP address (irrespective of direction).
- name: threat.indicator.ip
- type: ip
-- description: |-
- Domain of the url, such as "www.elastic.co".
- In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
- If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
- name: threat.indicator.url.domain
- type: keyword
-- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.url.full
- type: wildcard
-- description: |-
- The field contains the file extension from the original request url, excluding the leading dot.
- The file extension is only set if it exists, as not every url has a file extension.
- The leading period must not be included. For example, the value must be "png", not ".png".
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
- name: threat.indicator.url.extension
- type: keyword
-- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.url.original
- type: wildcard
-- description: Path of the request, such as "/search".
- name: threat.indicator.url.path
- type: wildcard
-- description: Port of the request, such as 443.
- name: threat.indicator.url.port
- type: long
-- description: |-
- Scheme of the request, such as "https".
- Note: The `:` is not part of the scheme.
- name: threat.indicator.url.scheme
- type: keyword
-- description: |-
- The query field describes the query string of the request, such as "q=elasticsearch".
- The `?` is excluded from the query string. If a URL contains no `?`, there is no query field.
If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
- name: threat.indicator.url.query
- type: keyword
-- description: MD5 hash.
- name: threat.indicator.file.hash.md5
- type: keyword
-- description: SHA1 hash.
- name: threat.indicator.file.hash.sha1
- type: keyword
-- description: SHA256 hash.
- name: threat.indicator.file.hash.sha256
- type: keyword
-- description: SHA512 hash.
- name: threat.indicator.file.hash.sha512
- type: keyword
-- description: Identifies a threat indicator as an email address (irrespective of direction).
- name: threat.indicator.email.address
- type: keyword
-- description: The name of the indicator's provider.
- name: threat.indicator.provider
- type: keyword
-- description: |-
- Traffic Light Protocol sharing markings.
- Recommended values are:
- * WHITE
- * GREEN
- * AMBER
- * RED
- name: threat.indicator.marking.tlp
- type: keyword
-- description: |-
- Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
- Expected values are:
- * Not Specified
- * None
- * Low
- * Medium
- * High
- name: threat.indicator.confidence
- type: keyword
-- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
- name: threat.indicator.as.number
- type: long
-- description: Organization name.
- multi_fields:
- - name: text
- type: match_only_text
- name: threat.indicator.as.organization.name
- type: keyword
-- description: Longitude and latitude.
- name: threat.indicator.geo.location.lat
- type: geo_point
-- description: Longitude and latitude.
- name: threat.indicator.geo.location.lon
- type: geo_point
-- description: Country ISO code.
- name: threat.indicator.geo.country_iso_code
- type: keyword
diff --git a/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/fields.yml b/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/fields.yml
deleted file mode 100755
index a81fd75d00..0000000000
--- a/packages/ti_recordedfuture/1.0.0/data_stream/threat/fields/fields.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- name: recordedfuture
- type: group
- description: >
- Fields for Recorded Future Threat Intel
-
- fields:
- - name: evidence_details
- type: flattened
- description: >
- List of sightings used as evidence for this indicator.
-
- - name: name
- type: keyword
- description: >
- Indicator value.
-
- - name: risk_string
- type: keyword
- description: >
- Details of risk rules observed.
-
diff --git a/packages/ti_recordedfuture/1.0.0/data_stream/threat/manifest.yml b/packages/ti_recordedfuture/1.0.0/data_stream/threat/manifest.yml
deleted file mode 100755
index dfc711d668..0000000000
--- a/packages/ti_recordedfuture/1.0.0/data_stream/threat/manifest.yml
+++ /dev/null
@@ -1,125 +0,0 @@
-type: logs
-title: Recorded Future
-streams:
- - input: logfile
- enabled: false
- template_path: logfile.yml.hbs
- title: Recorded Future CSV file
- description: Reads indicators from a Recorded Future CSV file.
- vars:
- - name: paths
- type: text
- title: Paths
- multi: true
- required: true
- show_user: true
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - recordedfuture
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
- - input: httpjson
- template_path: httpjson.yml.hbs
- title: Recorded Future risklist
- description: Receives indicators from Recorded Future risklist endpoints.
- vars:
- - name: entity
- type: text
- title: Entity
- description: The type of entity to fetch. One of domain, hash, ip or url.
- multi: false
- required: true
- show_user: true
- default: domain
- - name: list
- type: text
- title: List
- description: List to fetch for the given entity.
- default: default
- multi: false
- required: true
- show_user: true
- - name: interval
- type: text
- title: Interval between risklist downloads.
- description: Use Go Duration syntax (eg. 1h)
- default: "1h"
- multi: false
- required: true
- show_user: true
- - name: api_token
- type: text
- title: API Token
- description: Recorded Future API Token (RF_TOKEN).
- multi: false
- required: true
- show_user: true
- - name: custom_url
- type: url
- title: Custom URL
- description: URL to download a custom Fusion File.
- multi: false
- required: false
- show_user: false
- - name: endpoint
- type: url
- title: API Endpoint
- description: Base API URL.
- multi: false
- required: true
- show_user: false
- default: https://api.recordedfuture.com/v2
- - name: proxy_url
- type: url
- title: Proxy URL
- description: Optional proxy server to use.
- multi: false
- required: false
- show_user: false
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - recordedfuture
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/ti_recordedfuture/1.0.0/data_stream/threat/sample_event.json b/packages/ti_recordedfuture/1.0.0/data_stream/threat/sample_event.json
deleted file mode 100755
index b26841f9b8..0000000000
--- a/packages/ti_recordedfuture/1.0.0/data_stream/threat/sample_event.json
+++ /dev/null
@@ -1,110 +0,0 @@
-{
- "@timestamp": "2022-04-11T09:21:48.260Z",
- "agent": {
- "ephemeral_id": "b69c55be-abc6-4a16-900f-986a2cc693a0",
- "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "ti_recordedfuture.threat",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.0"
- },
- "elastic_agent": {
- "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "threat",
- "dataset": "ti_recordedfuture.threat",
- "ingested": "2022-04-11T09:21:49Z",
- "kind": "enrichment",
- "risk_score": 87,
- "timezone": "+00:00",
- "type": "indicator"
- },
- "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/rf_url_default.csv"
- },
- "offset": 45
- },
- "recordedfuture": {
- "evidence_details": [
- {
- "Criticality": 1,
- "CriticalityLabel": "Unusual",
- "EvidenceString": "66 sightings on 22 sources including: Ars Technica, fook.news, urdupresss.com, HackDig Posts, apple.news.
Most recent link (Jul 20, 2021): https://techsecuritenews.com/solarwinds-pirates-utilisent-nouvelle-faille-zero-day-attaques/",
- "MitigationString": "",
- "Name": "defangedURL",
- "Rule": "Historically Reported as a Defanged URL",
- "Sources": [
- "Ctq",
- "idn:fook.news",
- "idn:urdupresss.com",
- "POs2u-",
- "idn:apple.news",
- "idn:cryptoinfoos.com.ng",
- "g9rk5F",
- "idn:thewindowsupdate.com",
- "idn:nationalcybersecuritynews.today",
- "gBDK5G",
- "idn:microsoft.com",
- "idn:techsecuritenews.com",
- "idn:mblogs.info",
- "J6UzbO",
- "idn:viralamo.com",
- "idn:sellorbuyhomefast.com",
- "idn:crazyboy.tech",
- "idn:times24h.com",
- "idn:buzzfeeg.com",
- "idn:dsmenders.com",
- "WroSbs",
- "idn:vzonetvgh.com"
- ],
- "Timestamp": "2021-07-20T00:00:00.000Z"
- },
- {
- "Criticality": 3,
- "CriticalityLabel": "Malicious",
- "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: SolarWinds Fixes Critical Vulnerability in Serv-U Managed File Transfer and Secure FTP Products. Most recent link (Jul 10, 2021): https://app.recordedfuture.com/live/sc/1GnDrn8zigTd",
- "MitigationString": "",
- "Name": "recentAnalystNote",
- "Rule": "Recently Reported by Insikt Group",
- "Sources": [
- "VKz42X"
- ],
- "Timestamp": "2021-07-10T00:00:00.000Z"
- }
- ],
- "risk_string": "2/24"
- },
- "tags": [
- "forwarded",
- "recordedfuture"
- ],
- "threat": {
- "feed": {
- "name": "Recorded Future"
- },
- "indicator": {
- "type": "url",
- "url": {
- "domain": "144.34.179.162",
- "original": "http://144.34.179.162/a",
- "path": "/a",
- "scheme": "http"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/packages/ti_recordedfuture/1.0.0/docs/README.md b/packages/ti_recordedfuture/1.0.0/docs/README.md
deleted file mode 100755
index b6d3fb5301..0000000000
--- a/packages/ti_recordedfuture/1.0.0/docs/README.md
+++ /dev/null
@@ -1,215 +0,0 @@
-# Recorded Future Integration
-
-The Recorded Future integration fetches _risklists_ from the Recorded Future API.
-It supports `domain`, `hash`, `ip` and `url` entities.
-
-In order to use it you need to define the `entity` and `list` to fetch. Check with
-Recorded Future for the available lists for each entity. To fetch indicators
-from multiple entities, it's necessary to define one integration for each.
-
-Alternatively, it's also possible to use the integration to fetch custom Fusion files
-by supplying the URL to the CSV file as the _Custom_ _URL_ configuration option.
-
-An example event for `threat` looks as following:
-
-```json
-{
- "@timestamp": "2022-04-11T09:21:48.260Z",
- "agent": {
- "ephemeral_id": "b69c55be-abc6-4a16-900f-986a2cc693a0",
- "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.0.0"
- },
- "data_stream": {
- "dataset": "ti_recordedfuture.threat",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.0"
- },
- "elastic_agent": {
- "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a",
- "snapshot": false,
- "version": "8.0.0"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "threat",
- "dataset": "ti_recordedfuture.threat",
- "ingested": "2022-04-11T09:21:49Z",
- "kind": "enrichment",
- "risk_score": 87,
- "timezone": "+00:00",
- "type": "indicator"
- },
- "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/rf_url_default.csv"
- },
- "offset": 45
- },
- "recordedfuture": {
- "evidence_details": [
- {
- "Criticality": 1,
- "CriticalityLabel": "Unusual",
- "EvidenceString": "66 sightings on 22 sources including: Ars Technica, fook.news, urdupresss.com, HackDig Posts, apple.news.
Most recent link (Jul 20, 2021): https://techsecuritenews.com/solarwinds-pirates-utilisent-nouvelle-faille-zero-day-attaques/",
- "MitigationString": "",
- "Name": "defangedURL",
- "Rule": "Historically Reported as a Defanged URL",
- "Sources": [
- "Ctq",
- "idn:fook.news",
- "idn:urdupresss.com",
- "POs2u-",
- "idn:apple.news",
- "idn:cryptoinfoos.com.ng",
- "g9rk5F",
- "idn:thewindowsupdate.com",
- "idn:nationalcybersecuritynews.today",
- "gBDK5G",
- "idn:microsoft.com",
- "idn:techsecuritenews.com",
- "idn:mblogs.info",
- "J6UzbO",
- "idn:viralamo.com",
- "idn:sellorbuyhomefast.com",
- "idn:crazyboy.tech",
- "idn:times24h.com",
- "idn:buzzfeeg.com",
- "idn:dsmenders.com",
- "WroSbs",
- "idn:vzonetvgh.com"
- ],
- "Timestamp": "2021-07-20T00:00:00.000Z"
- },
- {
- "Criticality": 3,
- "CriticalityLabel": "Malicious",
- "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: SolarWinds Fixes Critical Vulnerability in Serv-U Managed File Transfer and Secure FTP Products. Most recent link (Jul 10, 2021): https://app.recordedfuture.com/live/sc/1GnDrn8zigTd",
- "MitigationString": "",
- "Name": "recentAnalystNote",
- "Rule": "Recently Reported by Insikt Group",
- "Sources": [
- "VKz42X"
- ],
- "Timestamp": "2021-07-10T00:00:00.000Z"
- }
- ],
- "risk_string": "2/24"
- },
- "tags": [
- "forwarded",
- "recordedfuture"
- ],
- "threat": {
- "feed": {
- "name": "Recorded Future"
- },
- "indicator": {
- "type": "url",
- "url": {
- "domain": "144.34.179.162",
- "original": "http://144.34.179.162/a",
- "path": "/a",
- "scheme": "http"
- }
- }
- }
-}
-```
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running.
| keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset name. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | match_only_text |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline.
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
-| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Type of Filebeat input. | keyword | -| log.file.path | Path to the log file. | keyword | -| log.flags | Flags for the log file. | keyword | -| log.offset | Offset of the entry in the log file. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| recordedfuture.evidence_details | List of sightings used as evidence for this indicator. | flattened | -| recordedfuture.name | Indicator value. | keyword | -| recordedfuture.risk_string | Details of risk rules observed. | keyword | -| tags | List of keywords used to tag each event. | keyword | -| threat.feed.name | Display friendly feed name | constant_keyword | -| threat.indicator.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| threat.indicator.as.organization.name | Organization name. | keyword | -| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text | -| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: \* Not Specified \* None \* Low \* Medium \* High | keyword | -| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | -| threat.indicator.file.hash.md5 | MD5 hash. | keyword | -| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | -| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | -| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | -| threat.indicator.geo.location.lat | Longitude and latitude. | geo_point | -| threat.indicator.geo.location.lon | Longitude and latitude. | geo_point | -| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword | -| threat.indicator.provider | The name of the indicator's provider. | keyword | -| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. 
Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | -| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | -| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | -| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | -| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | -| threat.indicator.url.port | Port of the request, such as 443. 
| long | -| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | -| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | - diff --git a/packages/ti_recordedfuture/1.0.0/img/logo.svg b/packages/ti_recordedfuture/1.0.0/img/logo.svg deleted file mode 100755 index 9bb0517562..0000000000 --- a/packages/ti_recordedfuture/1.0.0/img/logo.svg +++ /dev/null @@ -1,21 +0,0 @@ - - - - - - - - - - - - diff --git a/packages/ti_recordedfuture/1.0.0/manifest.yml b/packages/ti_recordedfuture/1.0.0/manifest.yml deleted file mode 100755 index b0d1506d0f..0000000000 --- a/packages/ti_recordedfuture/1.0.0/manifest.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: ti_recordedfuture -title: Recorded Future -version: 1.0.0 -release: ga -description: Ingest threat intelligence indicators from Recorded Future risk lists with Elastic Agent. -type: integration -format_version: 1.0.0 -license: basic -categories: [security] -conditions: - kibana.version: ^8.0.0 -icons: - - src: /img/logo.svg - title: Recorded Future - size: 216x216 - type: image/svg+xml -policy_templates: - - name: ti_recordedfuture - title: Recorded Future - description: Ingest threat intelligence indicators from Recorded Future risk lists with Elastic Agent. - inputs: - - type: httpjson - title: "Collect threat intelligence from Recorded Future risklists API." - description: "Use RecordedFuture API to fetch a risklist" - - type: logfile - title: "Collect threat intelligence from CSV file." - description: "Load indicators from a CSV file" -owner: - github: elastic/security-external-integrations 
diff --git a/packages/zscaler_zia/2.1.0/changelog.yml b/packages/zscaler_zia/2.1.0/changelog.yml deleted file mode 100755 index 0b7ad86fdc..0000000000 --- a/packages/zscaler_zia/2.1.0/changelog.yml +++ /dev/null @@ -1,36 +0,0 @@ -# newer versions go on top -- version: "2.1.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "2.0.0" - changes: - - description: Added input for Cloud NSS using HTTP Endpoint input type. - type: enhancement - link: https://github.com/elastic/integrations/pull/3111 -- version: "0.2.0" - changes: - - description: Update ECS to 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2781 -- version: "0.1.3" - changes: - - description: Updated the image file reference in README file. - type: enhancement - link: https://github.com/elastic/integrations/pull/3038 -- version: "0.1.2" - changes: - - description: Add documentation for multi-fields. - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.1.1" - changes: - - description: Updated the README to describe the Zscaler ZIA setup process in detail. - type: enhancement - link: https://github.com/elastic/integrations/pull/2773 -- version: "0.1.0" - changes: - - description: Initial draft of the package. - type: enhancement - link: https://github.com/elastic/integrations/pull/2459 diff --git a/packages/zscaler_zia/2.1.0/data_stream/alerts/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/2.1.0/data_stream/alerts/agent/stream/tcp.yml.hbs deleted file mode 100755 index 6910573304..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/alerts/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,22 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -processors: -- drop_event: - when: - equals: - message: "" -{{#if processors}} -{{processors}} -{{/if}} diff --git a/packages/zscaler_zia/2.1.0/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/2.1.0/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index f29273dfca..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -description: Pipeline for Zscaler alert logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - grok: - field: event.original - patterns: - - <%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} \[%{IPORHOST:destination.address}\] %{GREEDYDATA:message} - - grok: - field: message - patterns: - - 'ZscalerNSS: Zscaler cloud configuration connection to %{IPORHOST:destination.address}:%{NUMBER:destination.port:long} lost and unavailable for the past %{NUMBER:zscaler_zia.alerts.connection_lost_minutes:double} minutes' - - 'ZscalerNSS: SIEM Feed connection "%{GREEDYDATA:zscaler_zia.alerts.log_feed_name}" to %{IPORHOST:destination.address}:%{NUMBER:destination.port:long} lost and unavailable for the past %{NUMBER:zscaler_zia.alerts.connection_lost_minutes:double} minutes' - ignore_failure: true - - convert: - field: destination.address - target_field: destination.ip - type: ip - ignore_failure: true - - append: - field: related.ip - value: "{{{destination.ip}}}" - if: ctx?.destination?.ip != null - ignore_failure: true - - date: - field: _tmp.timestamp - target_field: '@timestamp' - ignore_failure: true - formats: - - MMM d HH:mm:ss - - MMM dd HH:mm:ss - - MMM d HH:mm:ss - - ISO8601 - - remove: - field: - - _tmp - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/zscaler_zia/2.1.0/data_stream/alerts/fields/agent.yml b/packages/zscaler_zia/2.1.0/data_stream/alerts/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/alerts/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/zscaler_zia/2.1.0/data_stream/alerts/fields/base-fields.yml b/packages/zscaler_zia/2.1.0/data_stream/alerts/fields/base-fields.yml deleted file mode 100755 index bddad62cfe..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/alerts/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: zscaler_zia -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zscaler_zia.alerts diff --git a/packages/zscaler_zia/2.1.0/data_stream/alerts/fields/ecs.yml b/packages/zscaler_zia/2.1.0/data_stream/alerts/fields/ecs.yml deleted file mode 100755 index 94ad86350f..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/alerts/fields/ecs.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -- description: |- - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: destination.address - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Syslog numeric priority of the event, if available. - According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - name: log.syslog.priority - type: long -- description: |- - For log events the message field contains the log message, optimized for viewing in a log viewer. - For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. - If multiple messages exist, they can be combined into one message. - name: message - type: match_only_text -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - type: keyword diff --git a/packages/zscaler_zia/2.1.0/data_stream/alerts/fields/fields.yml b/packages/zscaler_zia/2.1.0/data_stream/alerts/fields/fields.yml deleted file mode 100755 index 38608a7891..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/alerts/fields/fields.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -- name: zscaler_zia.alerts - type: group - fields: - - name: connection_lost_minutes - type: double - description: | - Amount of time after loosing connection to a server in Minutes. - - name: log_feed_name - type: keyword - description: | - Name of the NSS log feed. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zia/2.1.0/data_stream/alerts/manifest.yml b/packages/zscaler_zia/2.1.0/data_stream/alerts/manifest.yml deleted file mode 100755 index 6dec78145d..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/alerts/manifest.yml +++ /dev/null @@ -1,41 +0,0 @@ -title: Alerts -type: logs -streams: - - input: tcp - template_path: tcp.yml.hbs - title: Zscaler Internet Access Alerts - description: Collect Zscaler Internet Access Alerts using TCP Input. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9010 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zscaler_zia-alerts - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/zscaler_zia/2.1.0/data_stream/alerts/sample_event.json b/packages/zscaler_zia/2.1.0/data_stream/alerts/sample_event.json deleted file mode 100755 index 22f6aca889..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/alerts/sample_event.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "@timestamp": "2022-12-10T13:40:32.000Z", - "agent": { - "ephemeral_id": "b7f77db9-92fe-4935-8387-b2cb545bcfc6", - "id": "638019f9-173e-4c24-9e28-64b128c92162", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.2" - }, - "data_stream": { - "dataset": "zscaler_zia.alerts", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "address": "81.2.69.193", - "ip": "81.2.69.193", - "port": 9012 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "638019f9-173e-4c24-9e28-64b128c92162", - "snapshot": false, - "version": "8.1.2" - }, - "event": { - "agent_id_status": "verified", - "dataset": "zscaler_zia.alerts", - "ingested": "2022-04-13T17:21:34Z" - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "1.128.3.4:32902" - }, - "syslog": { - "priority": 114 - } - }, - "message": "ZscalerNSS: SIEM Feed connection \"DNS Logs Feed\" to 81.2.69.193:9012 lost and unavailable for the past 2440.00 minutes", - "related": { - "ip": [ - "81.2.69.193" - ] - }, - "tags": [ - "forwarded", - "zscaler_zia-alerts" - ], - "zscaler_zia": { - "alerts": { - "connection_lost_minutes": 2440, - "log_feed_name": "DNS Logs Feed" - } - } -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/data_stream/dns/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/2.1.0/data_stream/dns/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index 443fe325f7..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/dns/agent/stream/http_endpoint.yml.hbs +++ /dev/null 
@@ -1,21 +0,0 @@ -listen_address: {{listen_address}} -listen_port: {{listen_port}} -content_type: "" -preserve_original_event: true -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zscaler_zia/2.1.0/data_stream/dns/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/2.1.0/data_stream/dns/agent/stream/tcp.yml.hbs deleted file mode 100755 index bc587e50a3..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/dns/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,18 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zscaler_zia/2.1.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/2.1.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index db3c13014f..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,251 +0,0 @@ ---- -description: Pipeline for Zscaler dns logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: resp - ignore_failure: true - - remove: - field: json - if: ctx?.input?.type == 'http_endpoint' - ignore_missing: true - - rename: - field: resp.event - target_field: json - ignore_missing: true - - remove: - field: resp - ignore_missing: true - - date: - field: json.datetime - target_field: "@timestamp" - ignore_failure: true - formats: - - E MMM dd HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - yyyy-mm-dd HH:mm:ss - - date: - field: json.time - target_field: "@timestamp" - ignore_failure: true - formats: - - E MMM dd HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - yyyy-MM-dd HH:mm:ss - - remove: - field: - - json.time - - json.datetime - ignore_missing: true - - set: - field: network.protocol - value: dns - - append: - field: event.category - value: network - - set: - field: event.kind - value: event - - append: - field: event.type - value: info - - rename: - field: json.clt_sip - target_field: source.ip - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{{source.ip}}}" - if: ctx?.source?.ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.dns_resp - target_field: dns.answers.name - ignore_missing: true - - rename: - field: json.dns_req - target_field: dns.question.name - 
ignore_missing: true - - rename: - field: json.dns_reqtype - target_field: dns.question.type - ignore_missing: true - - rename: - field: json.srv_dip - target_field: destination.ip - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.ip - value: "{{{destination.ip}}}" - if: ctx?.destination?.ip != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.srv_dport - target_field: destination.port - type: long - ignore_failure: true - - remove: - field: json.srv_dport - ignore_missing: true - - urldecode: - field: json.user - target_field: user.email - ignore_missing: true - - remove: - field: json.user - ignore_missing: true - - rename: - field: json.deviceowner - target_field: user.name - ignore_missing: true - - urldecode: - field: json.department - target_field: zscaler_zia.dns.department - ignore_missing: true - - remove: - field: json.department - ignore_missing: true - - urldecode: - field: json.location - target_field: zscaler_zia.dns.location - ignore_missing: true - - remove: - field: json.location - ignore_missing: true - - rename: - field: json.reqaction - target_field: zscaler_zia.dns.request.action - ignore_missing: true - - rename: - field: json.resaction - target_field: zscaler_zia.dns.response.action - ignore_missing: true - - urldecode: - field: json.reqrulelabel - target_field: zscaler_zia.dns.request.rule.label - ignore_missing: true - - remove: - field: json.reqrulelabel - ignore_missing: true - - urldecode: - field: json.resrulelabel - 
target_field: zscaler_zia.dns.response.rule.label - ignore_missing: true - - remove: - field: json.resrulelabel - ignore_missing: true - - convert: - field: json.durationms - target_field: zscaler_zia.dns.duration.milliseconds - type: long - ignore_failure: true - - remove: - field: json.durationms - ignore_missing: true - - rename: - field: json.category - target_field: zscaler_zia.dns.dom.category - ignore_missing: true - - rename: - field: json.devicehostname - target_field: zscaler_zia.dns.hostname - ignore_missing: true - - append: - field: related.hosts - value: "{{{zscaler_zia.dns.hostname}}}" - if: ctx?.zscaler_zia?.dns?.hostname != null - allow_duplicates: false - ignore_failure: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - script: - description: Adds all the remaining fields in fields under zscaler_zia.dns - lang: painless - if: ctx.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.zscaler_zia.dns[m.getKey()] = m.getValue(); - } - - script: - lang: painless - if: ctx?.zscaler_zia?.dns?.duration?.milliseconds != null - source: | - ctx.event.duration = ctx?.zscaler_zia?.dns?.duration?.milliseconds * 1000000; - - remove: - field: json - ignore_failure: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{{ _ingest.on_failure_message }}}" 
diff --git a/packages/zscaler_zia/2.1.0/data_stream/dns/fields/agent.yml b/packages/zscaler_zia/2.1.0/data_stream/dns/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/dns/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/zscaler_zia/2.1.0/data_stream/dns/fields/base-fields.yml b/packages/zscaler_zia/2.1.0/data_stream/dns/fields/base-fields.yml
deleted file mode 100755
index cc2e29669e..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/dns/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zscaler_zia
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zscaler_zia.dns
diff --git a/packages/zscaler_zia/2.1.0/data_stream/dns/fields/ecs.yml b/packages/zscaler_zia/2.1.0/data_stream/dns/fields/ecs.yml
deleted file mode 100755
index d6d221b82a..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/dns/fields/ecs.yml
+++ /dev/null
@@ -1,124 +0,0 @@ -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: destination.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: destination.as.organization.name - type: keyword -- description: City name. - name: destination.geo.city_name - type: keyword -- description: Name of the continent. - name: destination.geo.continent_name - type: keyword -- description: Country ISO code. - name: destination.geo.country_iso_code - type: keyword -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: Longitude and latitude. - name: destination.geo.location - type: geo_point -- description: Region ISO code. - name: destination.geo.region_iso_code - type: keyword -- description: Region name. - name: destination.geo.region_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The domain name to which this resource record pertains. - If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. - name: dns.answers.name - type: keyword -- description: |- - The name being queried. - If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. - name: dns.question.name - type: keyword -- description: The type of record being queried. - name: dns.question.type - type: keyword -- description: |- - ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - name: source.as.number - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: source.as.organization.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: City name. - name: source.geo.city_name - type: keyword -- description: Name of the continent. - name: source.geo.continent_name - type: keyword -- description: Country ISO code. - name: source.geo.country_iso_code - type: keyword -- description: Country name. - name: source.geo.country_name - type: keyword -- description: Longitude and latitude. - name: source.geo.location - type: geo_point -- description: Region ISO code. - name: source.geo.region_iso_code - type: keyword -- description: Region name. 
- name: source.geo.region_name - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zscaler_zia/2.1.0/data_stream/dns/fields/fields.yml b/packages/zscaler_zia/2.1.0/data_stream/dns/fields/fields.yml deleted file mode 100755 index ae183b145c..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/dns/fields/fields.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -- name: zscaler_zia.dns - type: group - fields: - - name: department - type: keyword - description: | - Department of the user. - - name: dom.category - type: keyword - description: | - URL Category of the FQDN in the DNS request. - - name: duration.milliseconds - type: long - description: | - Duration of the DNS request in milliseconds. - - name: hostname - type: keyword - description: | - N/A - - name: location - type: keyword - description: | - Gateway location or sub-location of the source. - - name: request - type: group - fields: - - name: action - type: keyword - description: | - Name of the action that was applied to the DNS request. - - name: rule.label - type: keyword - description: | - Name of the rule that was applied to the DNS request. - - name: response - type: group - fields: - - name: action - type: keyword - description: | - Name of the action that was applied to the DNS response. - - name: rule.label - type: keyword - description: |- - Name of the rule that was applied to the DNS response. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zia/2.1.0/data_stream/dns/manifest.yml b/packages/zscaler_zia/2.1.0/data_stream/dns/manifest.yml deleted file mode 100755 index f50fa29323..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/dns/manifest.yml +++ /dev/null 
@@ -1,79 +0,0 @@ -title: DNS logs -type: logs -streams: - - input: tcp - template_path: tcp.yml.hbs - title: Zscaler Internet Access DNS Logs - description: Collect Zscaler Internet Access DNS logs using TCP Input. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9011 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zscaler_zia-dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: http_endpoint - template_path: http_endpoint.yml.hbs - title: Zscaler Internet Access DNS Logs - description: Collect Zscaler Internet Access DNS logs via HTTP Endpoint Input. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The port number to listen on. - multi: false - required: true - show_user: true - default: 9556 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zscaler_zia-dns - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. 
- type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zscaler_zia/2.1.0/data_stream/dns/sample_event.json b/packages/zscaler_zia/2.1.0/data_stream/dns/sample_event.json deleted file mode 100755 index ae3effed41..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/dns/sample_event.json +++ /dev/null 
@@ -1,141 +0,0 @@ -{ - "@timestamp": "2021-12-17T07:27:54.000Z", - "agent": { - "ephemeral_id": "88d27df6-beee-4299-bf35-56742db35e98", - "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.2" - }, - "data_stream": { - "dataset": "zscaler_zia.dns", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.156", - "port": 8080 - }, - "dns": { - "answers": { - "name": "Some response string" - }, - "question": { - "name": "example.com", - "type": "Some type" - } - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", - "snapshot": false, - "version": "8.1.2" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "zscaler_zia.dns", - "duration": 123456000000, - "ingested": "2022-04-20T06:45:24Z", - "kind": "event", - "type": [ - "info" - ] - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "1.128.3.4:32902" - } - }, - "network": { - "protocol": "dns" - }, - "related": { - "hosts": [ - "Machine9000" - ], - "ip": [ - "89.160.20.112", - "89.160.20.156" - ] - }, - "source": { - "as": { - "number": 29518, - "organization": { - "name": "Bredband2 AB" - } - }, - "geo": { - "city_name": "Linköping", - "continent_name": "Europe", - "country_iso_code": "SE", - "country_name": "Sweden", - "location": { - "lat": 58.4167, - "lon": 15.6167 - }, - "region_iso_code": "SE-E", - "region_name": "Östergötland County" - }, - "ip": "89.160.20.112" - }, - "tags": [ - "forwarded", - "zscaler_zia-dns" - ], - "user": { - "email": "some_user@example.com", - 
"name": "Owner77"
- },
- "zscaler_zia": {
- "dns": {
- "department": "Unknown",
- "dom": {
- "category": "Professional Services"
- },
- "duration": {
- "milliseconds": 123456
- },
- "hostname": "Machine9000",
- "location": "TestLoc DB",
- "request": {
- "action": "REQ_ALLOW",
- "rule": {
- "label": "Access Blocked"
- }
- },
- "response": {
- "action": "Some Response Action",
- "rule": {
- "label": "None"
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/packages/zscaler_zia/2.1.0/data_stream/firewall/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/2.1.0/data_stream/firewall/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 443fe325f7..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/firewall/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-listen_address: {{listen_address}}
-listen_port: {{listen_port}}
-content_type: ""
-preserve_original_event: true
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zscaler_zia/2.1.0/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/2.1.0/data_stream/firewall/agent/stream/tcp.yml.hbs
deleted file mode 100755
index bc587e50a3..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/firewall/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,18 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zscaler_zia/2.1.0/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/2.1.0/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index 1648f4b32f..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,344 +0,0 @@ ---- -description: Pipeline for Zscaler firewall logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: resp - ignore_failure: true - - remove: - field: json - if: ctx?.input?.type == 'http_endpoint' - ignore_missing: true - - rename: - field: resp.event - target_field: json - ignore_missing: true - - remove: - field: resp - ignore_missing: true - - append: - field: event.category - value: network - - set: - field: event.kind - value: event - - append: - field: event.type - value: info - - date: - field: json.datetime - target_field: "@timestamp" - ignore_failure: true - formats: - - E MMM dd HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - yyyy-mm-dd HH:mm:ss - - date: - field: json.time - target_field: "@timestamp" - ignore_failure: true - formats: - - E MMM dd HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - yyyy-MM-dd HH:mm:ss - - remove: - field: - - json.time - - json.datetime - ignore_missing: true - - convert: - field: json.outbytes - target_field: source.bytes - type: long - ignore_failure: true - - remove: - field: json.outbytes - ignore_missing: true - - rename: - field: json.devicehostname - target_field: host.hostname - ignore_missing: true - - rename: - field: json.nwapp - target_field: network.application - ignore_missing: true - - rename: - field: json.nwsvc - target_field: network.protocol - ignore_missing: true - - lowercase: - field: network.protocol - ignore_missing: true - - rename: - field: json.proto - target_field: network.transport - ignore_missing: true - - lowercase: - field: network.transport - ignore_missing: true - - append: - field: rule.name - value: "{{{json.rulelabel}}}" - if: ctx?.json?.rulelabel != null - allow_duplicates: false - - append: - field: rule.name - value: "{{{json.ipsrulelabel}}}" - if: ctx?.json?.ipsrulelabel != null 
- allow_duplicates: false - - urldecode: - field: rule.name - ignore_failure: true - - remove: - field: json.rulelabel - ignore_missing: true - - remove: - field: json.ipsrulelabel - ignore_missing: true - - convert: - field: json.inbytes - target_field: destination.bytes - type: long - ignore_failure: true - - remove: - field: json.inbytes - ignore_missing: true - - rename: - field: json.destcountry - target_field: destination.geo.country_name - ignore_missing: true - - urldecode: - field: json.user - target_field: user.email - ignore_missing: true - - remove: - field: json.user - ignore_missing: true - - rename: - field: json.deviceowner - target_field: user.name - ignore_missing: true - - urldecode: - field: json.department - target_field: zscaler_zia.firewall.department - ignore_missing: true - - remove: - field: json.department - ignore_missing: true - - urldecode: - field: json.locationname - target_field: zscaler_zia.firewall.location.name - ignore_missing: true - - remove: - field: json.locationname - ignore_missing: true - - convert: - field: json.cdport - target_field: zscaler_zia.firewall.client.destination.port - type: long - ignore_failure: true - - remove: - field: json.cdport - ignore_missing: true - - convert: - field: json.csport - target_field: source.port - type: long - ignore_failure: true - - remove: - field: json.csport - ignore_missing: true - - convert: - field: json.sdport - target_field: destination.port - type: long - ignore_failure: true - - remove: - field: json.sdport - ignore_missing: true - - convert: - field: json.ssport - target_field: zscaler_zia.firewall.server.source.port - type: long - ignore_failure: true - - remove: - field: json.ssport - ignore_missing: true - - append: - field: related.ip - value: "{{{json.csip}}}" - if: ctx?.json?.csip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.csip - target_field: source.ip - ignore_missing: true - - append: - field: related.ip - value: 
"{{{json.cdip}}}" - if: ctx?.json?.cdip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.cdip - target_field: zscaler_zia.firewall.client.destination.ip - ignore_missing: true - - append: - field: related.ip - value: "{{{json.ssip}}}" - if: ctx?.json?.ssip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.ssip - target_field: zscaler_zia.firewall.server.source.ip - ignore_missing: true - - append: - field: related.ip - value: "{{{json.sdip}}}" - if: ctx?.json?.sdip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.sdip - target_field: destination.ip - ignore_missing: true - - append: - field: related.ip - value: "{{{json.tsip}}}" - if: ctx?.json?.tsip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.tsip - target_field: zscaler_zia.firewall.tunnel.ip - ignore_missing: true - - convert: - field: json.tunsport - target_field: zscaler_zia.firewall.tunnel.port - type: long - ignore_failure: true - - remove: - field: json.tunsport - ignore_missing: true - - rename: - field: json.tuntype - target_field: zscaler_zia.firewall.tunnel.type - ignore_missing: true - - rename: - field: json.action - target_field: event.action - ignore_missing: true - - lowercase: - field: event.action - ignore_missing: true - - rename: - field: json.dnat - target_field: zscaler_zia.firewall.nat - ignore_missing: true - - rename: - field: json.stateful - target_field: zscaler_zia.firewall.stateful - ignore_missing: true - - rename: - field: json.aggregate - target_field: zscaler_zia.firewall.aggregate - ignore_missing: true - - rename: - field: json.ipcat - target_field: zscaler_zia.firewall.ip_category - ignore_missing: true - - convert: - field: json.avgduration - type: long - target_field: zscaler_zia.firewall.duration.avg - ignore_failure: true - - remove: - field: - - json.avgduration - - json.duration - ignore_missing: true - - convert: - field: 
json.durationms - target_field: zscaler_zia.firewall.duration.milliseconds - type: long - ignore_failure: true - - remove: - field: json.durationms - ignore_missing: true - - convert: - field: json.numsessions - target_field: zscaler_zia.firewall.session.count - type: double - ignore_failure: true - - remove: - field: json.numsessions - ignore_missing: true - - rename: - field: json.threatcat - target_field: zscaler_zia.firewall.threat.category - ignore_missing: true - - rename: - field: json.threatname - target_field: zscaler_zia.firewall.threat.name - ignore_missing: true - - community_id: - source_ip: source.ip - source_port: source.port - destination_ip: destination.ip - destination_port: destination.port - transport: network.transport - target_field: network.community_id - ignore_failure: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - script: - description: Adds all the remaining fields in fields under zscaler_zia.firewall - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.zscaler_zia.firewall[m.getKey()] = m.getValue(); - } - - script: - lang: painless - if: ctx?.zscaler_zia?.firewall?.duration?.milliseconds != null - source: | - ctx.event.duration = ctx?.zscaler_zia?.firewall?.duration?.milliseconds * 1000000; - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: -- 
set:
- field: error.message
- value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/zscaler_zia/2.1.0/data_stream/firewall/fields/agent.yml b/packages/zscaler_zia/2.1.0/data_stream/firewall/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/firewall/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/zscaler_zia/2.1.0/data_stream/firewall/fields/base-fields.yml b/packages/zscaler_zia/2.1.0/data_stream/firewall/fields/base-fields.yml deleted file mode 100755 index b5aac8833c..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/firewall/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: zscaler_zia -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zscaler_zia.firewall diff --git a/packages/zscaler_zia/2.1.0/data_stream/firewall/fields/ecs.yml b/packages/zscaler_zia/2.1.0/data_stream/firewall/fields/ecs.yml deleted file mode 100755 index 48d26e1854..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/firewall/fields/ecs.yml +++ /dev/null 
@@ -1,80 +0,0 @@ -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: Country name. - name: destination.geo.country_name - type: keyword -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Port of the destination. - name: destination.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - Duration of the event in nanoseconds. - If event.start and event.end are known this value should be the difference between the end and start time. - name: event.duration - type: long -- description: |- - Hostname of the host. - It normally contains what the `hostname` command returns on the host machine. - name: host.hostname - type: keyword -- description: |- - When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. - For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. - The field value must be normalized to lowercase for querying. - name: network.application - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. 
This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: User email address. - name: user.email - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zscaler_zia/2.1.0/data_stream/firewall/fields/fields.yml b/packages/zscaler_zia/2.1.0/data_stream/firewall/fields/fields.yml deleted file mode 100755 index 49a98954aa..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/firewall/fields/fields.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -- name: zscaler_zia.firewall - type: group - fields: - - name: department - type: keyword - description: | - Department of the user. - - name: location - type: group - fields: - - name: name - type: keyword - description: | - Name of the location from which the session was initiated. - - name: client - type: group - fields: - - name: destination - type: group - fields: - - name: port - type: long - description: | - Client destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate. - - name: ip - type: keyword - description: | - Client destination IP address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate. - - name: server - type: group - fields: - - name: source - type: group - fields: - - name: port - type: long - description: | - Server source port. For aggregated sessions, this is the server source port of the last session in the aggregate. - - name: ip - type: keyword - description: | - Server source IP address. For aggregated sessions, this is the server source IP address of the last session in the aggregate. - - name: tunnel - type: group - fields: - - name: ip - type: keyword - description: | - Tunnel IP address of the client (source). For aggregated sessions, this is the client's tunnel IP address corresponding to the last session in the aggregate. - - name: port - type: long - description: | - Tunnel port on the client side. For aggregated sessions, this is the client's tunnel port corresponding to the last session in the aggregate. - - name: type - type: keyword - description: | - Traffic forwarding method used to send the traffic to the firewall. - - name: nat - type: keyword - description: | - Indicates if the destination NAT policy was applied. 
- - name: stateful - type: keyword - - name: aggregate - type: keyword - - name: ip_category - type: keyword - description: | - URL category that corresponds to the server IP address. - - name: duration - type: group - fields: - - name: avg - type: long - description: | - Average session duration, in milliseconds, if the sessions were aggregated. - - name: seconds - type: long - description: | - Average session duration, in milliseconds, if the sessions were aggregated. - - name: milliseconds - type: long - description: | - Session or request duration in milliseconds. - - name: session - type: group - fields: - - name: count - type: double - description: | - Number of sessions that were aggregated. - - name: threat - type: group - fields: - - name: category - type: keyword - description: | - Category of the threat in the Firewall session by the IPS engine. - - name: name - type: keyword - description: | - Name of the threat detected in the Firewall session by the IPS engine. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zia/2.1.0/data_stream/firewall/manifest.yml b/packages/zscaler_zia/2.1.0/data_stream/firewall/manifest.yml deleted file mode 100755 index eee2e7be93..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/firewall/manifest.yml +++ /dev/null 
@@ -1,79 +0,0 @@ -title: Firewall Logs -type: logs -streams: - - input: tcp - template_path: tcp.yml.hbs - title: Zscaler Internet Access Firewall Logs - description: Collect Zscaler Internet Access Firewall Logs using TCP Input. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9012 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zscaler_zia-firewall - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: http_endpoint - template_path: http_endpoint.yml.hbs - title: Zscaler Internet Access Firewall Logs - description: Collect Zscaler Internet Access Firewall logs via HTTP Endpoint Input. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The port number to listen on. - multi: false - required: true - show_user: true - default: 9557 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zscaler_zia-firewall - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. 
- type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zscaler_zia/2.1.0/data_stream/firewall/sample_event.json b/packages/zscaler_zia/2.1.0/data_stream/firewall/sample_event.json deleted file mode 100755 index 1d138bf525..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/firewall/sample_event.json +++ /dev/null 
@@ -1,126 +0,0 @@ -{ - "@timestamp": "2021-12-31T07:08:09.000Z", - "agent": { - "ephemeral_id": "2c292e52-b6ea-4ca0-bfc7-692dadde1a7d", - "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "8.1.2" - }, - "data_stream": { - "dataset": "zscaler_zia.firewall", - "namespace": "ep", - "type": "logs" - }, - "destination": { - "bytes": 19052, - "geo": { - "country_name": "Ireland" - }, - "ip": "0.0.0.0", - "port": 443 - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f", - "snapshot": false, - "version": "8.1.2" - }, - "event": { - "action": "drop", - "agent_id_status": "verified", - "category": [ - "network" - ], - "dataset": "zscaler_zia.firewall", - "duration": 486000000, - "ingested": "2021-12-31T05:06:07Z", - "kind": "event", - "type": [ - "info" - ] - }, - "host": { - "hostname": "Machine9000" - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "1.128.3.4:43634" - } - }, - "network": { - "application": "http", - "community_id": "1:hQwW1HWTOUYlk7y4+T2D+UPDU1c=", - "protocol": "https", - "transport": "tcp" - }, - "related": { - "ip": [ - "0.0.0.0" - ] - }, - "rule": { - "name": [ - "Access Blocked", - "None" - ] - }, - "source": { - "bytes": 1734, - "ip": "0.0.0.0", - "port": 55018 - }, - "tags": [ - "forwarded", - "zscaler_zia-firewall" - ], - "user": { - "email": "some_user@example.com", - "name": "admin77" - }, - "zscaler_zia": { - "firewall": { - "aggregate": "No", - "client": { - "destination": { - "ip": "0.0.0.0", - "port": 443 - } - }, - "department": "Unknown", - "duration": { - "avg": 486, - "milliseconds": 486 - }, - "ip_category": "Test Name", - "location": { - "name": "TestLoc DB" - }, - "nat": "No", - "server": { - "source": { - "ip": "0.0.0.0", - "port": 0 - } - }, - "session": { - "count": 1 - }, - "stateful": "Yes", - "threat": { - "category": "None", - "name": "None" - }, - "tunnel": { - "ip": "0.0.0.0", - 
"port": 0, - "type": "ZscalerClientConnector" - } - } - } -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/2.1.0/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs deleted file mode 100755 index 443fe325f7..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/tunnel/agent/stream/http_endpoint.yml.hbs +++ /dev/null @@ -1,21 +0,0 @@ -listen_address: {{listen_address}} -listen_port: {{listen_port}} -content_type: "" -preserve_original_event: true -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zscaler_zia/2.1.0/data_stream/tunnel/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/2.1.0/data_stream/tunnel/agent/stream/tcp.yml.hbs deleted file mode 100755 index bc587e50a3..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/tunnel/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,18 +0,0 @@ -host: "{{listen_address}}:{{listen_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zscaler_zia/2.1.0/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/2.1.0/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 3391e5bf91..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/tunnel/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,332 +0,0 @@ ---- -description: Pipeline for Zscaler tunnel logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: resp - ignore_failure: true - - remove: - field: json - if: ctx?.input?.type == 'http_endpoint' - ignore_missing: true - - rename: - field: resp.event - target_field: json - ignore_missing: true - - remove: - field: resp - ignore_missing: true - - date: - field: json.datetime - target_field: "@timestamp" - ignore_failure: true - formats: - - E MMM dd HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - yyyy-mm-dd HH:mm:ss - - date: - field: json.time - target_field: "@timestamp" - ignore_failure: true - formats: - - E MMM dd HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - yyyy-MM-dd HH:mm:ss - - remove: - field: - - json.time - - json.datetime - ignore_missing: true - - append: - field: event.category - value: network - - set: - field: event.kind - value: event - - append: - field: event.type - value: info - - rename: - field: json.recordid - target_field: event.id - ignore_missing: true - - rename: - field: json.event - target_field: event.action - ignore_missing: true - - rename: - field: json.eventreason - target_field: event.reason - ignore_missing: true - - rename: - field: json.destinationip - target_field: destination.ip - ignore_missing: true - - append: - field: related.ip - value: "{{{destination.ip}}}" - if: ctx?.destination?.ip != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.destinationport - target_field: destination.port - type: long - ignore_missing: true - - remove: - field: json.destinationport - ignore_missing: true - - rename: - field: json.sourceip - target_field: source.ip - ignore_missing: true - - append: - field: related.ip - value: "{{{source.ip}}}" - if: ctx?.source?.ip != null - allow_duplicates: false - 
ignore_failure: true - - convert: - field: json.sourceport - target_field: source.port - type: long - ignore_missing: true - - remove: - field: json.sourceport - ignore_missing: true - - urldecode: - field: json.user - target_field: user.name - ignore_missing: true - - remove: - field: json.user - ignore_missing: true - - append: - field: related.user - value: "{{{user.name}}}" - if: ctx?.user?.name != null - allow_duplicates: false - ignore_failure: true - - convert: - field: json.rxbytes - target_field: destination.bytes - type: long - ignore_missing: true - - remove: - field: json.rxbytes - ignore_missing: true - - rename: - field: json.rxpackets - target_field: destination.packets - ignore_missing: true - - convert: - field: json.txbytes - target_field: source.bytes - type: long - ignore_missing: true - - remove: - field: json.txbytes - ignore_missing: true - - rename: - field: json.txpackets - target_field: source.packets - ignore_missing: true - - rename: - field: json.Recordtype - target_field: zscaler_zia.tunnel.action.type - ignore_missing: true - - urldecode: - field: json.location - target_field: zscaler_zia.tunnel.location.name - ignore_missing: true - - remove: - field: json.location - ignore_missing: true - - convert: - field: json.lifetime - target_field: zscaler_zia.tunnel.life.time - type: long - ignore_missing: true - - remove: - field: json.lifetime - ignore_missing: true - - convert: - field: json.ikeversion - target_field: zscaler_zia.tunnel.ike.version - type: integer - ignore_missing: true - - remove: - field: json.ikeversion - ignore_missing: true - - rename: - field: json.spi_in - target_field: zscaler_zia.tunnel.spi_in - ignore_missing: true - - rename: - field: json.spi_out - target_field: zscaler_zia.tunnel.spi_out - ignore_missing: true - - rename: - field: json.algo - target_field: zscaler_zia.tunnel.encryption.algorithm - ignore_missing: true - - rename: - field: json.authentication - target_field: 
zscaler_zia.tunnel.authentication.algorithm - ignore_missing: true - - rename: - field: json.authtype - target_field: zscaler_zia.tunnel.authentication.type - ignore_missing: true - - rename: - field: json.tunneltype - target_field: zscaler_zia.tunnel.type - ignore_missing: true - - set: - field: network.transport - copy_from: zscaler_zia.tunnel.type - ignore_failure: true - - lowercase: - field: network.transport - ignore_missing: true - - set: - field: network.iana_number - value: "47" - if: ctx?.network?.transport == "gre" - ignore_failure: true - - rename: - field: json.vendorname - target_field: zscaler_zia.tunnel.vendor.name - ignore_missing: true - - convert: - field: json.sourceportstart - target_field: zscaler_zia.tunnel.source.start.port - type: long - ignore_missing: true - - remove: - field: json.sourceportstart - ignore_missing: true - - convert: - field: json.destinationportstart - target_field: zscaler_zia.tunnel.destination.start.port - type: long - ignore_missing: true - - remove: - field: json.destinationportstart - ignore_missing: true - - rename: - field: json.srcipstart - target_field: zscaler_zia.tunnel.source.start.ip - ignore_missing: true - - append: - field: related.ip - value: "{{{zscaler_zia.tunnel.source.start.ip}}}" - if: ctx?.zscaler_zia?.tunnel?.source?.start?.ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.srcipend - target_field: zscaler_zia.tunnel.source.end.ip - ignore_missing: true - - append: - field: related.ip - value: "{{{zscaler_zia.tunnel.source.end.ip}}}" - if: ctx?.zscaler_zia?.tunnel?.source?.end?.ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.destinationipstart - target_field: zscaler_zia.tunnel.destination.start.ip - ignore_missing: true - - append: - field: related.ip - value: "{{{zscaler_zia.tunnel.destination.start.ip}}}" - if: ctx?.zscaler_zia?.tunnel?.destination?.start?.ip != null - allow_duplicates: false - ignore_failure: true - - 
rename: - field: json.destinationipend - target_field: zscaler_zia.tunnel.destination.end.ip - ignore_missing: true - - append: - field: related.ip - value: "{{{zscaler_zia.tunnel.destination.end.ip}}}" - if: ctx?.zscaler_zia?.tunnel?.destination?.end?.ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.spi - target_field: zscaler_zia.tunnel.spi - ignore_missing: true - - rename: - field: json.protocol - target_field: zscaler_zia.tunnel.policy.protocol - ignore_missing: true - - rename: - field: json.tunnelprotocol - target_field: zscaler_zia.tunnel.protocol - ignore_missing: true - - rename: - field: json.policydirection - target_field: zscaler_zia.tunnel.policy.direction - ignore_missing: true - - convert: - field: json.lifebytes - target_field: zscaler_zia.tunnel.life.bytes - type: long - ignore_missing: true - - remove: - field: json.lifebytes - ignore_missing: true - - rename: - field: json.dpdrec - target_field: zscaler_zia.tunnel.dpd_packets - ignore_missing: true - - community_id: - ignore_failure: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - script: - description: Adds all the remaining fields in fields under zscaler_zia.tunnel - lang: painless - if: ctx.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.zscaler_zia.tunnel[m.getKey()] = m.getValue(); - } - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - 
ignore_failure: true - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/zscaler_zia/2.1.0/data_stream/tunnel/fields/agent.yml b/packages/zscaler_zia/2.1.0/data_stream/tunnel/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/tunnel/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/zscaler_zia/2.1.0/data_stream/tunnel/fields/base-fields.yml b/packages/zscaler_zia/2.1.0/data_stream/tunnel/fields/base-fields.yml
deleted file mode 100755
index 14fc7f2ee9..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/tunnel/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zscaler_zia
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zscaler_zia.tunnel
diff --git a/packages/zscaler_zia/2.1.0/data_stream/tunnel/fields/ecs.yml b/packages/zscaler_zia/2.1.0/data_stream/tunnel/fields/ecs.yml
deleted file mode 100755
index 4bbb7da2dd..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/tunnel/fields/ecs.yml
+++ /dev/null
@@ -1,70 +0,0 @@ -- description: Bytes sent from the destination to the source. - name: destination.bytes - type: long -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: Packets sent from the destination to the source. - name: destination.packets - type: long -- description: Port of the destination. - name: destination.port - type: long -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Unique ID to describe the event. - name: event.id - type: keyword -- description: |- - Reason why this event happened, according to the source. - This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). - name: event.reason - type: keyword -- description: |- - A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. - Learn more at https://github.com/corelight/community-id-spec. - name: network.community_id - type: keyword -- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. 
This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - name: network.iana_number - type: keyword -- description: |- - Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) - The field value must be normalized to lowercase for querying. - name: network.transport - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: All the user names or other user identifiers seen on the event. - name: related.user - type: keyword -- description: Bytes sent from the source to the destination. - name: source.bytes - type: long -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: Packets sent from the source to the destination. - name: source.packets - type: long -- description: Port of the source. - name: source.port - type: long -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zscaler_zia/2.1.0/data_stream/tunnel/fields/fields.yml b/packages/zscaler_zia/2.1.0/data_stream/tunnel/fields/fields.yml deleted file mode 100755 index a0a7e50774..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/tunnel/fields/fields.yml +++ /dev/null 
@@ -1,113 +0,0 @@ -- name: zscaler_zia.tunnel - type: group - fields: - - name: action.type - type: keyword - description: | - Type of the record. Possible values [ WL_TUNNEL_IPSECPHASE1, WL_TUNNEL_IPSECPHASE2, WL_TUNNEL_EVENT, WL_TUNNEL_SAMPLES ]. - - name: authentication - type: group - fields: - - name: algorithm - type: keyword - description: | - Authentication algorithm. - - name: type - type: keyword - description: | - Authentication type. - - name: destination.end.ip - type: keyword - description: | - Phase 2 policy proposal - Destination IP end. - - name: destination.start - type: group - fields: - - name: ip - type: keyword - description: | - Phase 2 policy proposal - Destination IP start. - - name: port - type: long - description: | - Phase 2 policy proposal - Destination port end. - - name: dpd_packets - type: keyword - description: | - Number of DPD packets received in 60-second sample window. - - name: encryption.algorithm - type: keyword - description: | - Encryption algorithm. - - name: ike.version - type: long - description: | - IKE version (1 or 2). - - name: life - type: group - fields: - - name: bytes - type: long - description: | - Life bytes (number of traffic to be transacted through tunnel before renegotiation). - - name: time - type: long - description: | - Lifetime of IKE Phase 1/2 in seconds. - - name: location.name - type: keyword - description: | - Location name. - - name: policy - type: group - fields: - - name: direction - type: keyword - description: | - N/A - - name: protocol - type: keyword - description: | - Phase 2 policy proposal - Protocol. - - name: protocol - type: keyword - description: | - IPSec tunnel protocol type (Zscaler only supports ESP). - - name: source.end.ip - type: keyword - description: | - Phase 2 policy proposal - Source IP end. - - name: source.start - type: group - fields: - - name: ip - type: keyword - description: | - Phase 2 policy proposal - Source IP start. 
- - name: port - type: long - description: | - Phase 2 policy proposal - Source port start. - - name: spi - type: keyword - description: | - Security Parameter Index. - - name: spi_in - type: keyword - description: | - Initiator cookie. - - name: spi_out - type: keyword - description: | - Responder cookie. - - name: type - type: keyword - description: | - Tunnel type. - - name: vendor.name - type: keyword - description: |- - Vendor name of the edge device. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zia/2.1.0/data_stream/tunnel/manifest.yml b/packages/zscaler_zia/2.1.0/data_stream/tunnel/manifest.yml deleted file mode 100755 index d987ddda47..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/tunnel/manifest.yml +++ /dev/null 
@@ -1,79 +0,0 @@
-title: Tunnel Logs
-type: logs
-streams:
- - input: tcp
- template_path: tcp.yml.hbs
- title: Zscaler Internet Access Tunnel Logs
- description: Collect Zscaler Internet Access Tunnel Logs using TCP Input.
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9013
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - zscaler_zia-tunnel
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
- - input: http_endpoint
- template_path: http_endpoint.yml.hbs
- title: Zscaler Internet Access Tunnel Logs
- description: Collect Zscaler Internet Access Tunnel logs via HTTP Endpoint Input.
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9558
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - zscaler_zia-tunnel
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`.
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zscaler_zia/2.1.0/data_stream/tunnel/sample_event.json b/packages/zscaler_zia/2.1.0/data_stream/tunnel/sample_event.json
deleted file mode 100755
index 83379d7618..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/tunnel/sample_event.json
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- "@timestamp": "2021-12-31T11:12:13.000Z",
- "agent": {
- "ephemeral_id": "b187ac54-dab8-4e34-b72d-36772d818767",
- "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.1.2"
- },
- "data_stream": {
- "dataset": "zscaler_zia.tunnel",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "81.2.69.143"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f",
- "snapshot": false,
- "version": "8.1.2"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "zscaler_zia.tunnel",
- "id": "1111111111111111111",
- "ingested": "2021-12-31T05:06:07Z",
- "kind": "event",
- "type": [
- "info"
- ]
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "source": {
- "address": "1.128.3.4:58370"
- }
- },
- "network": {
- "transport": "ipsec ikev 1"
- },
- "related": {
- "ip": [
- "81.2.69.143",
- "81.2.69.145"
- ],
- "user": [
- "81.2.69.145"
- ]
- },
- "source": {
- "ip": "81.2.69.145",
- "port": 0
- },
- "tags": [
- "forwarded",
- "zscaler_zia-tunnel"
- ],
- "user": {
- "name": "81.2.69.145"
- },
- "zscaler_zia": {
- "tunnel": {
- "action": {
- "type": "IPSec Phase2"
- },
- "authentication": {
- "algorithm": "HMAC-SHA-1",
- "type": "None"
- },
- "destination": {
- "end": {
- "ip": "81.2.69.143"
- },
- "start": {
- "ip": "81.2.69.143",
- "port": 0
- }
- },
- "encryption": {
- "algorithm": "AES"
- },
- "ike": {
- "version": 1
- },
- "life": {
- "bytes": 0,
- "time": 3600
- },
- "location": {
- "name": "some-location"
- },
- "policy": {
- "direction": "Inbound SA Policy",
- "protocol": "Any"
- },
- "protocol": "ESP",
- "source": {
- "end": {
- "ip": "81.2.69.145"
- },
- "start": {
- "ip": "81.2.69.145",
- "port": 0
- }
- },
- "spi": "123456789",
- "type": "IPSEC IKEV 1"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/zscaler_zia/2.1.0/data_stream/web/agent/stream/http_endpoint.yml.hbs b/packages/zscaler_zia/2.1.0/data_stream/web/agent/stream/http_endpoint.yml.hbs
deleted file mode 100755
index 443fe325f7..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/web/agent/stream/http_endpoint.yml.hbs
+++ /dev/null
@@ -1,21 +0,0 @@
-listen_address: {{listen_address}}
-listen_port: {{listen_port}}
-content_type: ""
-preserve_original_event: true
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zscaler_zia/2.1.0/data_stream/web/agent/stream/tcp.yml.hbs b/packages/zscaler_zia/2.1.0/data_stream/web/agent/stream/tcp.yml.hbs
deleted file mode 100755
index bc587e50a3..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/web/agent/stream/tcp.yml.hbs
+++ /dev/null
@@ -1,18 +0,0 @@
-host: "{{listen_address}}:{{listen_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-{{#if ssl}}
-ssl: {{ssl}}
-{{/if}}
-{{#if processors}}
-processors:
-{{processors}}
-{{/if}}
diff --git a/packages/zscaler_zia/2.1.0/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/2.1.0/data_stream/web/elasticsearch/ingest_pipeline/default.yml
deleted file mode 100755
index aa47aedd59..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/web/elasticsearch/ingest_pipeline/default.yml
+++ /dev/null
@@ -1,330 +0,0 @@
----
-description: Pipeline for Zscaler web logs
-processors:
- - set:
- field: ecs.version
- value: '8.2.0'
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
- - json:
- field: event.original
- target_field: resp
- ignore_failure: true
- - remove:
- field: json
- if: ctx?.input?.type == 'http_endpoint'
- ignore_missing: true
- - rename:
- field: resp.event
- target_field: json
- ignore_missing: true
- - remove:
- field: resp
- ignore_missing: true
- - date:
- field: json.time
- target_field: "@timestamp"
- ignore_failure: true
- formats:
- - E MMM dd HH:mm:ss yyyy
- - E MMM d HH:mm:ss yyyy
- - E MMM d HH:mm:ss yyyy
- - yyyy-MM-dd HH:mm:ss
- - date:
- field: json.datetime
- target_field: "@timestamp"
- ignore_failure: true
- formats:
- - E MMM dd HH:mm:ss yyyy
- - E MMM d HH:mm:ss yyyy
- - E MMM d HH:mm:ss yyyy
- - yyyy-MM-dd HH:mm:ss
- - remove:
- field:
- - json.time
- - json.datetime
- ignore_missing: true
- - append:
- field: event.category
- value: web
- - set:
- field: event.kind
- value: event
- - append:
- field: event.type
- value: info
- - rename:
- field: json.cip
- target_field: source.nat.ip
- if: ctx?.json?.cip != ctx?.json?.cintip
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{{source.nat.ip}}}"
- if: ctx?.source?.nat?.ip != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.sip
- target_field: destination.ip
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{{destination.ip}}}"
- if: ctx?.destination?.ip != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.deviceowner
- target_field: source.user.name
- ignore_missing: true
- - convert:
- field: json.reqsize
- target_field: http.request.bytes
- type: long
- ignore_failure: true
- - remove:
- field: json.reqsize
- ignore_missing: true
- - rename:
- field: json.reqmethod
- target_field: http.request.method
- ignore_missing: true
- - rename:
- field:
json.contenttype
- target_field: http.request.mime_type
- ignore_missing: true
- - rename:
- field: json.ereferer
- target_field: http.request.referrer
- ignore_missing: true
- - convert:
- field: json.respsize
- target_field: http.response.bytes
- type: long
- ignore_failure: true
- - remove:
- field: json.respsize
- ignore_missing: true
- - convert:
- field: json.respcode
- target_field: http.response.status_code
- type: long
- ignore_failure: true
- - remove:
- field: json.respcode
- ignore_missing: true
- - rename:
- field: json.proto
- target_field: network.protocol
- ignore_missing: true
- - lowercase:
- field: network.protocol
- ignore_missing: true
- - rename:
- field: json.rulelabel
- target_field: rule.name
- ignore_missing: true
- - rename:
- field: json.ruletype
- target_field: rule.ruleset
- ignore_missing: true
- - uri_parts:
- field: json.eurl
- remove_if_successful: true
- on_failure:
- - set:
- field: url.original
- value: "{{{json.eurl}}}"
- if: ctx?.json?.eurl != null
- ignore_failure: true
- - remove:
- field: json.eurl
- ignore_missing: true
- - urldecode:
- field: url.original
- ignore_missing: true
- - user_agent:
- field: json.ua
- ignore_failure: true
- - remove:
- field: json.ua
- ignore_missing: true
- - rename:
- field: json.login
- target_field: user.email
- ignore_missing: true
- - rename:
- field: json.action
- target_field: event.action
- ignore_missing: true
- - lowercase:
- field: event.action
- ignore_missing: true
- - rename:
- field: json.appname
- target_field: zscaler_zia.web.app.name
- ignore_missing: true
- - rename:
- field: json.appclass
- target_field: zscaler_zia.web.app.class
- ignore_missing: true
- - convert:
- field: json.stime
- target_field: zscaler_zia.web.stime
- type: long
- ignore_failure: true
- - remove:
- field: json.stime
- ignore_missing: true
- - convert:
- field: json.ctime
- target_field: zscaler_zia.web.ctime
- type: long
- ignore_failure: true
- - remove:
- field: json.ctime
- ignore_missing: true
- -
rename:
- field: json.urlclass
- target_field: zscaler_zia.web.url.class
- ignore_missing: true
- - rename:
- field: json.urlsupercat
- target_field: zscaler_zia.web.url.category.super
- ignore_missing: true
- - rename:
- field: json.urlcat
- target_field: zscaler_zia.web.url.category.sub
- ignore_missing: true
- - rename:
- field: json.malwarecat
- target_field: zscaler_zia.web.malware.category
- ignore_missing: true
- - rename:
- field: json.threatname
- target_field: zscaler_zia.web.threat.name
- ignore_missing: true
- - convert:
- field: json.riskscore
- target_field: event.risk_score
- type: long
- ignore_failure: true
- - remove:
- field: json.riskscore
- ignore_missing: true
- - rename:
- field: json.dlpeng
- target_field: zscaler_zia.web.dpl.engine
- ignore_missing: true
- - rename:
- field: json.dlpdict
- target_field: zscaler_zia.web.dpl.dictionaries
- ignore_missing: true
- - rename:
- field: json.location
- target_field: zscaler_zia.web.location
- ignore_missing: true
- - rename:
- field: json.dept
- target_field: zscaler_zia.web.department
- ignore_missing: true
- - rename:
- field: json.unscannabletype
- target_field: zscaler_zia.web.unscannable.type
- ignore_missing: true
- - rename:
- field: json.devicehostname
- target_field: zscaler_zia.web.device.hostname
- ignore_missing: true
- - append:
- field: related.hosts
- value: "{{{zscaler_zia.web.device.hostname}}}"
- if: ctx?.zscaler_zia?.web?.device?.hostname != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.bwthrottle
- target_field: zscaler_zia.web.bandwidth_throttle
- ignore_missing: true
- - rename:
- field: json.cintip
- target_field: source.ip
- ignore_missing: true
- - append:
- field: related.ip
- value: "{{{source.ip}}}"
- if: ctx?.source?.ip != null
- allow_duplicates: false
- ignore_failure: true
- - rename:
- field: json.ehost
- target_field: zscaler_zia.web.encoded_host
- ignore_missing: true
- - rename:
- field: json.fileclass
- target_field:
zscaler_zia.web.file.class
- ignore_missing: true
- - rename:
- field: json.filetype
- target_field: zscaler_zia.web.file.type
- ignore_missing: true
- - rename:
- field: json.malwareclass
- target_field: zscaler_zia.web.malware.class
- ignore_missing: true
- - rename:
- field: json.reason
- target_field: event.reason
- ignore_missing: true
- - rename:
- field: json.recordid
- target_field: zscaler_zia.web.record.id
- ignore_missing: true
- - convert:
- field: json.totalsize
- target_field: zscaler_zia.web.total.size
- type: long
- ignore_failure: true
- - remove:
- field: json.totalsize
- ignore_missing: true
- - script:
- description: Drops null/empty values recursively
- lang: painless
- source: |
- boolean dropEmptyFields(Object object) {
- if (object == null || object == "") {
- return true;
- } else if (object instanceof Map) {
- ((Map) object).values().removeIf(value -> dropEmptyFields(value));
- return (((Map) object).size() == 0);
- } else if (object instanceof List) {
- ((List) object).removeIf(value -> dropEmptyFields(value));
- return (((List) object).length == 0);
- }
- return false;
- }
- dropEmptyFields(ctx);
- - script:
- description: Adds all the remaining fields in fields under zscaler_zia.web
- lang: painless
- if: ctx.json != null
- source: |
- for (Map.Entry m : ctx.json.entrySet()) {
- ctx.zscaler_zia.web[m.getKey()] = m.getValue();
- }
- - remove:
- field: json
- ignore_missing: true
- - remove:
- field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
- ignore_failure: true
- ignore_missing: true
-on_failure:
-- set:
- field: error.message
- value: "{{{ _ingest.on_failure_message }}}"
diff --git a/packages/zscaler_zia/2.1.0/data_stream/web/fields/agent.yml b/packages/zscaler_zia/2.1.0/data_stream/web/fields/agent.yml
deleted file mode 100755
index e313ec8287..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/web/fields/agent.yml
+++ /dev/null
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
-
-- name: input.type
- type: keyword
- description: Input type
-- name: log.offset
- type: long
- description: Log offset
diff --git a/packages/zscaler_zia/2.1.0/data_stream/web/fields/base-fields.yml b/packages/zscaler_zia/2.1.0/data_stream/web/fields/base-fields.yml
deleted file mode 100755
index 9a074d3470..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/web/fields/base-fields.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-- name: data_stream.type
- type: constant_keyword
- description: Data stream type.
-- name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
-- name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: zscaler_zia
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: zscaler_zia.web
diff --git a/packages/zscaler_zia/2.1.0/data_stream/web/fields/ecs.yml b/packages/zscaler_zia/2.1.0/data_stream/web/fields/ecs.yml
deleted file mode 100755
index 15b0e743eb..0000000000
--- a/packages/zscaler_zia/2.1.0/data_stream/web/fields/ecs.yml
+++ /dev/null
@@ -1,154 +0,0 @@ -- description: IP address of the destination (IPv4 or IPv6). - name: destination.ip - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - The action captured by the event. - This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - name: event.action - type: keyword -- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. - name: event.risk_score - type: float -- description: Total size in bytes of the request (body and headers). - name: http.request.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: |- - Mime type of the body of the request. - This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. - name: http.request.mime_type - type: keyword -- description: Referrer for this HTTP request. - name: http.request.referrer - type: keyword -- description: Total size in bytes of the response (body and headers). - name: http.response.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: |- - In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: The name of the rule or signature generating the event. - name: rule.name - type: keyword -- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - name: rule.ruleset - type: keyword -- description: IP address of the source (IPv4 or IPv6). - name: source.ip - type: ip -- description: |- - Translated ip of source based NAT sessions (e.g. internal client to internet) - Typically connections traversing load balancers, firewalls, or routers. - name: source.nat.ip - type: ip -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: source.user.name - type: keyword -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". 
- Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Portion of the url after the `#`, such as "top". - The `#` is not part of the fragment. - name: url.fragment - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Password of the request. - name: url.password - type: keyword -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: Port of the request, such as 443. - name: url.port - type: long -- description: |- - The query field describes the query string of the request, such as "q=elasticsearch". - The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. - name: url.query - type: keyword -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Username of the request. - name: url.username - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. 
- multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword -- description: User email address. - name: user.email - type: keyword diff --git a/packages/zscaler_zia/2.1.0/data_stream/web/fields/fields.yml b/packages/zscaler_zia/2.1.0/data_stream/web/fields/fields.yml deleted file mode 100755 index d85e5a570e..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/web/fields/fields.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -- name: zscaler_zia.web - type: group - fields: - - name: app - type: group - fields: - - name: class - type: keyword - description: | - The web application class of the application that was accessed. Equivalent to module. - - name: name - type: keyword - description: | - Cloud application name. - - name: bandwidth_throttle - type: keyword - description: | - Indicates whether the transaction was throttled due to a configured bandwidth policy. - - name: ctime - type: long - description: | - The time from when the first byte of the request hits the ZEN to the time in which the last byte of the response is sent from the ZEN back to the browser. - - name: department - type: keyword - description: | - Department of the user. - - name: device.hostname - type: keyword - description: | - The obfuscated version of the device owner. This field must be changed manually. - - name: dpl - type: group - fields: - - name: dictionaries - type: keyword - description: | - The DLP dictionaries that were matched, if any. - - name: engine - type: keyword - description: | - The DLP engine that was matched, if any. - - name: encoded_host - type: keyword - description: | - Encoded version of the destination host name. - - name: file - type: group - fields: - - name: class - type: keyword - description: | - Type of file associated with the transaction. - - name: type - type: keyword - description: | - Type of file associated with the transaction. - - name: location - type: keyword - description: | - Gateway location or sub-location of the source. - - name: malware - type: group - fields: - - name: category - type: keyword - description: | - The category of malware that was detected in the transaction, if any. Also indicates if a file was submitted to the Sandbox engine for analysis and the result of the analysis. - - name: class - type: keyword - description: | - The class of malware that was detected in the transaction, if any. 
- - name: record.id - type: keyword - description: | - N/A - - name: stime - type: long - description: | - The round trip time between the ZEN request and the server. - - name: threat.name - type: keyword - description: | - The name of the threat that was detected in the transaction, if any. - - name: total.size - type: long - description: | - Total size, in bytes, of the HTTP transaction; sum of the total request size and total response size. - - name: unscannable.type - type: keyword - description: | - Unscannable file type. - - name: url - type: group - fields: - - name: category - type: group - fields: - - name: sub - type: keyword - description: | - Category of the destination URL. - - name: super - type: keyword - description: | - Super category of the destination URL. - - name: class - type: keyword - description: |- - Class of the destination URL. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zia/2.1.0/data_stream/web/manifest.yml b/packages/zscaler_zia/2.1.0/data_stream/web/manifest.yml deleted file mode 100755 index c9137fface..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/web/manifest.yml +++ /dev/null 
@@ -1,79 +0,0 @@ -title: Web Logs -type: logs -streams: - - input: tcp - template_path: tcp.yml.hbs - title: Zscaler Internet Access Web Logs - description: Collect Zscaler Internet Access Web Logs using TCP input. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9014 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zscaler_zia-web - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: http_endpoint - template_path: http_endpoint.yml.hbs - title: Zscaler Internet Access Web Logs - description: Collect Zscaler Internet Access Web logs via HTTP Endpoint Input. - vars: - - name: listen_port - type: integer - title: Listen Port - description: The port number to listen on. - multi: false - required: true - show_user: true - default: 9559 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zscaler_zia-web - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original`. 
- type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zscaler_zia/2.1.0/data_stream/web/sample_event.json b/packages/zscaler_zia/2.1.0/data_stream/web/sample_event.json deleted file mode 100755 index 6c8fd65b27..0000000000 --- a/packages/zscaler_zia/2.1.0/data_stream/web/sample_event.json +++ /dev/null 
@@ -1,143 +0,0 @@
-{
- "@timestamp": "2021-12-17T07:04:57.000Z",
- "agent": {
- "ephemeral_id": "6f164483-9eb8-4219-bb09-cd2ff3532390",
- "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.1.2"
- },
- "data_stream": {
- "dataset": "zscaler_zia.web",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "81.2.69.145"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f",
- "snapshot": false,
- "version": "8.1.2"
- },
- "event": {
- "action": "blocked",
- "agent_id_status": "verified",
- "category": [
- "web"
- ],
- "dataset": "zscaler_zia.web",
- "ingested": "2021-12-31T05:06:07Z",
- "kind": "event",
- "risk_score": 0,
- "type": [
- "info"
- ]
- },
- "http": {
- "request": {
- "bytes": 600,
- "method": "CONNECT",
- "mime_type": "Other",
- "referrer": "None"
- },
- "response": {
- "bytes": 65,
- "status_code": 200
- }
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "source": {
- "address": "1.128.3.4:37608"
- }
- },
- "network": {
- "protocol": "http_proxy"
- },
- "related": {
- "hosts": [
- "TestMachine35"
- ],
- "ip": [
- "81.2.69.193",
- "81.2.69.145"
- ]
- },
- "rule": {
- "name": "Zscaler Proxy Traffic",
- "ruleset": "FwFilter"
- },
- "source": {
- "nat": {
- "ip": "81.2.69.193"
- },
- "user": {
- "name": "administrator1"
- }
- },
- "tags": [
- "forwarded",
- "zscaler_zia-web"
- ],
- "url": {
- "extension": "com",
- "original": "www.example.com",
- "path": "www.example.com"
- },
- "user": {
- "email": "test@example.com"
- },
- "user_agent": {
- "device": {
- "name": "Other"
- },
- "name": "Other",
- "original": "Windows Microsoft Windows 10 Pro ZTunnel/1.0",
- "os": {
- "full": "Windows 10",
- "name": "Windows",
- "version": "10"
- }
- },
- "zscaler_zia": {
- "web": {
- "app": {
- "class": "General Browsing",
- "name": "General Browsing"
- },
- "ctime": 0,
- "department": "Unknown",
- "device": {
- "hostname":
"TestMachine35"
- },
- "dpl": {
- "dictionaries": "None",
- "engine": "None"
- },
- "location": "Test DB",
- "malware": {
- "category": "None"
- },
- "stime": 0,
- "threat": {
- "name": "None"
- },
- "unscannable": {
- "type": "None"
- },
- "url": {
- "category": {
- "sub": "Web Search",
- "super": "Information Technology"
- },
- "class": "Business Use"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/packages/zscaler_zia/2.1.0/docs/README.md b/packages/zscaler_zia/2.1.0/docs/README.md
deleted file mode 100755
index acb933e22c..0000000000
--- a/packages/zscaler_zia/2.1.0/docs/README.md
+++ /dev/null
@@ -1,1211 +0,0 @@ -# Zscaler ZIA - -This integration is for Zscaler Internet Access logs. It can be used to receive logs sent by NSS feeds on TCP port or Cloud NSS on HTTP Endpoint input methods. - -The log message is expected to be in JSON format. The data is mapped to ECS fields where applicable and the remaining fields are written under `zscaler_zia..*`. - -## Steps for setting up NSS Feeds - -1. Enable the integration with the TCP input. -2. Configure the Zscaler NSS Server and NSS Feeds to send logs to the Elastic Agent that is running this integration. See [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) and [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds). Use the IP address hostname of the Elastic Agent as the 'NSS Feed SIEM IP Address/FQDN', and use the listening port of the Elastic Agent as the 'SIEM TCP Port' on the _Add NSS Feed_ configuration screen. To configure Zscaler NSS Server and NSS Feeds follow the following steps. - - In the ZIA Admin Portal, add an NSS Server. - - Log in to the ZIA Admin Portal using your admin account. - - Add an NSS server. Refer to Adding NSS Servers to set up an [_Add NSS Server_](https://help.zscaler.com/zia/adding-nss-servers) for Web and/or Firewall. - - Verify that the state of the NSS Server is healthy. - - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > NSS Servers. - - In the State column, confirm that the state of the NSS server is healthy. - ![NSS server setup image](../img/nss_server.png?raw=true) - - In the ZIA Admin Portal, add an NSS Feed. - - Refer to [_Add NSS Feeds_](https://help.zscaler.com/zia/adding-nss-feeds) and select the type of feed you want to configure. The following fields require specific inputs: - - **SIEM IP Address**: Enter the IP address of the [_Elastic agent_](https://www.elastic.co/guide/en/fleet/current/fleet-overview.html) you’ll be assigning the Zscaler integration to. 
- - **SIEM TCP Port**: Enter the port number, depending on the logs associated with the NSS Feed. You will need to create an NSS Feed for each log type. - - **Alerts**: 9010 - - **DNS**: 9011 - - **Firewall**: 9012 - - **Tunnel**: 9013 - - **Web**: 9014 - - **Feed Output Type**: Select Custom in Feed output type and paste the appropriate response format in Feed output format as follows: - ![NSS Feeds setup image](../img/nss_feeds.png?raw=true) - -## Steps for setting up Cloud NSS Feeds - -1. Enable the integration with the HTTP Endpoint input. -2. Configure the Zscaler Cloud NSS Feeds to send logs to the Elastic Agent that is running this integration. Provide API URL to send logs to the Elastic Agent. To configure Zscaler Cloud NSS Feeds follow the following steps. - - In the ZIA Admin Portal, add a Cloud NSS Feed. - - Log in to the ZIA Admin Portal using your admin account. - - Add a Cloud NSS Feed. Refer to [_Add Cloud NSS Feed_](https://help.zscaler.com/zia/adding-cloud-nss-feeds). - - In the ZIA Admin Portal, go to Administration > Nanolog Streaming Service > Cloud NSS Feeds. - - Give Feed Name, change status to Enabled. - - Select NSS Type. - - Change SIEM Type to other. - - Add an API URL. - - Default ports: - - **DNS**: 9556 - - **Firewall**: 9557 - - **Tunnel**: 9558 - - **Web**: 9559 - - Select JSON as feed output type. - - Add appropriate HTTP headers. - ![Cloud NSS Feeds setup image](../img/cloud_nss_feeds.png?raw=true) -3. Repeat step 2 for each log type. 
- -**Please make sure to use the given response formats for NSS and Cloud NSS Feeds.** - -## Compatibility - -This package has been tested against `Zscaler Internet Access version 6.1` - -## Documentation and configuration - -### Alerts - -- Default port (NSS Feed): _9010_ - -Vendor documentation: https://help.zscaler.com/zia/about-alerts - -Zscaler response format: -``` -<%d{syslogid}>%s{Monthname} %2d{Dayofmonth} %02d{Hour}:%02d{Minutes}:%02d{Seconds} [%s{Deviceip}] ZscalerNSS: %s{Eventinfo}\n -``` - -Sample Response: -``` -<114>Dec 10 14:04:28 [175.16.199.1] ZscalerNSS: Zscaler cloud configuration connection to 175.16.199.1:443 lost and unavailable for the past 2325.00 minutes -``` - -### DNS Log - -- Default port (NSS Feed): _9011_ -- Default port (Cloud NSS Feed): _9556_ - -Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-dns-logs - -Zscaler response format: -``` -\{ "sourcetype" : "zscalernss-dns", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","location":"%s{elocation}","reqaction":"%s{reqaction}","resaction":"%s{resaction}","reqrulelabel":"%s{reqrulelabel}","resrulelabel":"%s{resrulelabel}","dns_reqtype":"%s{reqtype}","dns_req":"%s{req}","dns_resp":"%s{res}","srv_dport":"%d{sport}","durationms":"%d{durationms}","clt_sip":"%s{cip}","srv_dip":"%s{sip}","category":"%s{domcat}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\} -``` - -Sample Response: -```json -{ "sourcetype" : "zscalernss-dns", "event" :{"datetime":"Fri Dec 17 07:27:54 2021","user":"some_user@example.com","department":"Unknown","location":"TestLoc%20DB","reqaction":"REQ_ALLOW","resaction":"Some Response Action","reqrulelabel":"Access%20Blocked","resrulelabel":"None","dns_reqtype":"Some type","dns_req":"example.com","dns_resp":"Some response string","srv_dport":"8080","durationms":"123456","clt_sip":"81.2.69.193","srv_dip":"81.2.69.144","category":"Professional 
Services","deviceowner":"Owner77","devicehostname":"Machine9000"}} -``` - -### Firewall Log - -- Default port (NSS Feed): _9012_ -- Default port (Cloud NSS Feed): _9557_ - -Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs - -Zscaler response format: -``` -\{ "sourcetype" : "zscalernss-fw", "event" :\{"datetime":"%s{time}","user":"%s{elogin}","department":"%s{edepartment}","locationname":"%s{elocation}","cdport":"%d{cdport}","csport":"%d{csport}","sdport":"%d{sdport}","ssport":"%d{ssport}","csip":"%s{csip}","cdip":"%s{cdip}","ssip":"%s{ssip}","sdip":"%s{sdip}","tsip":"%s{tsip}","tunsport":"%d{tsport}","tuntype":"%s{ttype}","action":"%s{action}","dnat":"%s{dnat}","stateful":"%s{stateful}","aggregate":"%s{aggregate}","nwsvc":"%s{nwsvc}","nwapp":"%s{nwapp}","proto":"%s{ipproto}","ipcat":"%s{ipcat}","destcountry":"%s{destcountry}","avgduration":"%d{avgduration}","rulelabel":"%s{erulelabel}","inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}","duration":"%d{duration}","durationms":"%d{durationms}","numsessions":"%d{numsessions}","ipsrulelabel":"%s{ipsrulelabel}","threatcat":"%s{threatcat}","threatname":"%s{ethreatname}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\} -``` - -Sample Response: -```json -{ "sourcetype" : "zscalernss-fw", "event" :{"datetime":"Fri Dec 17 07:27:54 2021","user":"some_user@example.com","department":"Unknown","locationname":"TestLoc%20DB","cdport":443,"csport":55018,"sdport":443,"ssport":0,"csip":"0.0.0.0","cdip":"0.0.0.0","ssip":"0.0.0.0","sdip":"0.0.0.0","tsip":"0.0.0.0","tunsport":0,"tuntype":"ZscalerClientConnector","action":"Drop","dnat":"No","stateful":"Yes","aggregate":"No","nwsvc":"HTTPS","nwapp":"http","proto":"TCP","ipcat":"Test 
Name","destcountry":"Ireland","avgduration":486,"rulelabel":"Access%20Blocked","inbytes":19052,"outbytes":1734,"duration":0,"durationms":486,"numsessions":1,"ipsrulelabel":"None","threatcat":"None","threatname":"None","deviceowner":"admin77","devicehostname":"Machine9000"}} -``` - -### Tunnel Log - -- Default port (NSS Feed): _9013_ -- Default port (Cloud NSS Feed): _9558_ - -Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-tunnel-logs - -Zscaler response format: -- Tunnel Event: - ``` - \{ "sourcetype" : "zscalernss-tunnel", "event" : \{"datetime":"%s{datetime}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","user":"%s{vpncredentialname}","location":"%s{elocationname}","sourceip":"%s{sourceip}","destinationip":"%s{destvip}","sourceport":"%d{srcport}","event":"%s{event}","eventreason":"%s{eventreason}","recordid":"%d{recordid}"\}\} - ``` -- Sample Event: - ``` - \{ "sourcetype" : "zscalernss-tunnel", "event" : \{"datetime":"%s{datetime}","Recordtype":"%s{tunnelactionname}","tunneltype":"%s{tunneltype}","user":"%s{vpncredentialname}","location":"%s{elocationname}","sourceip":"%s{sourceip}","destinationip":"%s{destvip}","sourceport":"%d{srcport}","txbytes":"%lu{txbytes}","rxbytes":"%lu{rxbytes}","dpdrec":"%d{dpdrec}","recordid":"%d{recordid}"\}\} - ``` -- IKE Phase 1 - ``` - \{ "sourcetype" : "zscalernss-tunnel", "event" : \{"datetime":"%s{datetime}","Recordtype":"%s{tunnelactionname}","tunneltype":"IPSEC IKEV %d{ikeversion}","user":"%s{vpncredentialname}","location":"%s{elocationname}","sourceip":"%s{sourceip}","destinationip":"%s{destvip}","sourceport":"%d{srcport}","destinationport":"%d{dstport}","lifetime":"%d{lifetime}","ikeversion":"%d{ikeversion}","spi_in":"%lu{spi_in}","spi_out":"%lu{spi_out}","algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","recordid":"%d{recordid}"\}\} - ``` -- IKE Phase 2 - ``` - \{ "sourcetype" : "zscalernss-tunnel", "event" : 
\{"datetime":"%s{datetime}","Recordtype":"%s{tunnelactionname}","tunneltype":"IPSEC IKEV %d{ikeversion}","user":"%s{vpncredentialname}","location":"%s{elocationname}","sourceip":"%s{sourceip}","destinationip":"%s{destvip}","sourceport":"%d{srcport}","sourceportstart":"%d{srcportstart}","destinationportstart":"%d{destportstart}","srcipstart":"%s{srcipstart}","srcipend":"%s{srcipend}","destinationipstart":"%s{destipstart}","destinationipend":"%s{destipend}","lifetime":"%d{lifetime}","ikeversion":"%d{ikeversion}","lifebytes":"%d{lifebytes}","spi":"%d{spi}","algo":"%s{algo}","authentication":"%s{authentication}","authtype":"%s{authtype}","protocol":"%s{protocol}","tunnelprotocol":"%s{tunnelprotocol}","policydirection":"%s{policydirection}","recordid":"%d{recordid}"\}\} - ``` - -Sample Response: -```json -{ "sourcetype" : "zscalernss-tunnel", "event" : {"datetime":"Thu Dec 30 11:40:27 2021","Recordtype":"IPSec Phase1","tunneltype":"IPSEC IKEV 2","user":"81.2.69.145","location":"some-location","sourceip":"81.2.69.145","destinationip":"81.2.69.143","sourceport":"500","destinationport":"500","lifetime":"0","ikeversion":"2","spi_in":"00000000000000000000","spi_out":"11111111111111111111","algo":"AES-CBS","authentication":"HMAC-SHA1-96","authtype":"PSK","recordid":"1111111111111111111"}} -``` - -### Web Log - -- Default port (NSS Feed): _9014_ -- Default port (Cloud NSS Feed): _9559_ -- Add characters **"** and **\\** in **feed escape character** while configuring Web Log. 
- -![Escape feed setup image](../img/escape_feed.png?raw=true) -Vendor documentation: https://help.zscaler.com/zia/nss-feed-output-format-web-logs - -Zscaler response format: -``` -\{ "sourcetype" : "zscalernss-web", "event" :\{"time":"%s{time}","login":"%s{login}","proto":"%s{proto}","eurl":"%s{eurl}","action":"%s{action}","appname":"%s{appname}","appclass":"%s{appclass}","reqsize":"%d{reqsize}","respsize":"%d{respsize}","stime":"%d{stime}","ctime":"%d{ctime}","urlclass":"%s{urlclass}","urlsupercat":"%s{urlsupercat}","urlcat":"%s{urlcat}","malwarecat":"%s{malwarecat}","threatname":"%s{threatname}","riskscore":"%d{riskscore}","dlpeng":"%s{dlpeng}","dlpdict":"%s{dlpdict}","location":"%s{location}","dept":"%s{dept}","cip":"%s{cip}","sip":"%s{sip}","reqmethod":"%s{reqmethod}","respcode":"%s{respcode}","ua":"%s{ua}","ereferer":"%s{ereferer}","ruletype":"%s{ruletype}","rulelabel":"%s{rulelabel}","contenttype":"%s{contenttype}","unscannabletype":"%s{unscannabletype}","deviceowner":"%s{deviceowner}","devicehostname":"%s{devicehostname}"\}\} -``` - -Sample Response: -```json -{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 17 07:04:57 2021","login":"test@example.com","proto":"HTTP_PROXY","eurl":"browser.events.data.msn.com:443","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"600","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.145","reqmethod":"CONNECT","respcode":"200","ua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Zscaler Proxy Traffic","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} -``` - -## Fields and Sample event - -### Alerts - -**Exported fields** - -| 
Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| related.ip | All of the IPs seen on your event. | ip | -| tags | List of keywords used to tag each event. | keyword | -| zscaler_zia.alerts.connection_lost_minutes | Amount of time after loosing connection to a server in Minutes. | double | -| zscaler_zia.alerts.log_feed_name | Name of the NSS log feed. 
| keyword |
-
-
-An example event for `alerts` looks as following:
-
-```json
-{
- "@timestamp": "2022-12-10T13:40:32.000Z",
- "agent": {
- "ephemeral_id": "b7f77db9-92fe-4935-8387-b2cb545bcfc6",
- "id": "638019f9-173e-4c24-9e28-64b128c92162",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.1.2"
- },
- "data_stream": {
- "dataset": "zscaler_zia.alerts",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "address": "81.2.69.193",
- "ip": "81.2.69.193",
- "port": 9012
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "638019f9-173e-4c24-9e28-64b128c92162",
- "snapshot": false,
- "version": "8.1.2"
- },
- "event": {
- "agent_id_status": "verified",
- "dataset": "zscaler_zia.alerts",
- "ingested": "2022-04-13T17:21:34Z"
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "source": {
- "address": "1.128.3.4:32902"
- },
- "syslog": {
- "priority": 114
- }
- },
- "message": "ZscalerNSS: SIEM Feed connection \"DNS Logs Feed\" to 81.2.69.193:9012 lost and unavailable for the past 2440.00 minutes",
- "related": {
- "ip": [
- "81.2.69.193"
- ]
- },
- "tags": [
- "forwarded",
- "zscaler_zia-alerts"
- ],
- "zscaler_zia": {
- "alerts": {
- "connection_lost_minutes": 2440,
- "log_feed_name": "DNS Logs Feed"
- }
- }
-}
-```
-
-## DNS Logs
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. 
| keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| destination.as.organization.name | Organization name. | keyword |
-| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
-| destination.geo.city_name | City name. | keyword |
-| destination.geo.continent_name | Name of the continent. | keyword |
-| destination.geo.country_iso_code | Country ISO code. | keyword |
-| destination.geo.country_name | Country name. | keyword |
-| destination.geo.location | Longitude and latitude. | geo_point |
-| destination.geo.region_iso_code | Region ISO code. | keyword |
-| destination.geo.region_name | Region name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
-| dns.question.type | The type of record being queried. | keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.module | Event module | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. 
| keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
-| source.as.organization.name | Organization name. | keyword |
-| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.geo.city_name | City name. | keyword |
-| source.geo.continent_name | Name of the continent. | keyword |
-| source.geo.country_iso_code | Country ISO code. | keyword |
-| source.geo.country_name | Country name. 
| keyword |
-| source.geo.location | Longitude and latitude. | geo_point |
-| source.geo.region_iso_code | Region ISO code. | keyword |
-| source.geo.region_name | Region name. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| zscaler_zia.dns.department | Department of the user. | keyword |
-| zscaler_zia.dns.dom.category | URL Category of the FQDN in the DNS request. | keyword |
-| zscaler_zia.dns.duration.milliseconds | Duration of the DNS request in milliseconds. | long |
-| zscaler_zia.dns.hostname | N/A | keyword |
-| zscaler_zia.dns.location | Gateway location or sub-location of the source. | keyword |
-| zscaler_zia.dns.request.action | Name of the action that was applied to the DNS request. | keyword |
-| zscaler_zia.dns.request.rule.label | Name of the rule that was applied to the DNS request. | keyword |
-| zscaler_zia.dns.response.action | Name of the action that was applied to the DNS response. | keyword |
-| zscaler_zia.dns.response.rule.label | Name of the rule that was applied to the DNS response. 
| keyword |
-
-
-An example event for `dns` looks as following:
-
-```json
-{
- "@timestamp": "2021-12-17T07:27:54.000Z",
- "agent": {
- "ephemeral_id": "88d27df6-beee-4299-bf35-56742db35e98",
- "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.1.2"
- },
- "data_stream": {
- "dataset": "zscaler_zia.dns",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.156",
- "port": 8080
- },
- "dns": {
- "answers": {
- "name": "Some response string"
- },
- "question": {
- "name": "example.com",
- "type": "Some type"
- }
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f",
- "snapshot": false,
- "version": "8.1.2"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "zscaler_zia.dns",
- "duration": 123456000000,
- "ingested": "2022-04-20T06:45:24Z",
- "kind": "event",
- "type": [
- "info"
- ]
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "source": {
- "address": "1.128.3.4:32902"
- }
- },
- "network": {
- "protocol": "dns"
- },
- "related": {
- "hosts": [
- "Machine9000"
- ],
- "ip": [
- "89.160.20.112",
- "89.160.20.156"
- ]
- },
- "source": {
- "as": {
- "number": 29518,
- "organization": {
- "name": "Bredband2 AB"
- }
- },
- "geo": {
- "city_name": "Linköping",
- "continent_name": "Europe",
- "country_iso_code": "SE",
- "country_name": "Sweden",
- "location": {
- "lat": 58.4167,
- "lon": 15.6167
- },
- "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
- },
- "ip": "89.160.20.112"
- },
- "tags": [
- "forwarded",
- 
"zscaler_zia-dns" - ], - "user": { - "email": "some_user@example.com", - "name": "Owner77" - }, - "zscaler_zia": { - "dns": { - "department": "Unknown", - "dom": { - "category": "Professional Services" - }, - "duration": { - "milliseconds": 123456 - }, - "hostname": "Machine9000", - "location": "TestLoc DB", - "request": { - "action": "REQ_ALLOW", - "rule": { - "label": "Access Blocked" - } - }, - "response": { - "action": "Some Response Action", - "rule": { - "label": "None" - } - } - } - } -} -``` - -## Firewall Logs - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. 
| long |
-| destination.geo.country_name | Country name. | keyword |
-| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
-| destination.port | Port of the destination. | long |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
-| event.module | Event module | constant_keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. 
| keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| rule.name | The name of the rule or signature generating the event. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.email | User email address. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| zscaler_zia.firewall.aggregate | | keyword |
-| zscaler_zia.firewall.client.destination.ip | Client destination IP address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate. | keyword |
-| zscaler_zia.firewall.client.destination.port | Client destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate. | long |
-| zscaler_zia.firewall.department | Department of the user. | keyword |
-| zscaler_zia.firewall.duration.avg | Average session duration, in milliseconds, if the sessions were aggregated. | long |
-| zscaler_zia.firewall.duration.milliseconds | Session or request duration in milliseconds. | long |
-| zscaler_zia.firewall.duration.seconds | Average session duration, in milliseconds, if the sessions were aggregated. | long |
-| zscaler_zia.firewall.ip_category | URL category that corresponds to the server IP address. | keyword |
-| zscaler_zia.firewall.location.name | Name of the location from which the session was initiated. | keyword |
-| zscaler_zia.firewall.nat | Indicates if the destination NAT policy was applied. 
| keyword |
-| zscaler_zia.firewall.server.source.ip | Server source IP address. For aggregated sessions, this is the server source IP address of the last session in the aggregate. | keyword |
-| zscaler_zia.firewall.server.source.port | Server source port. For aggregated sessions, this is the server source port of the last session in the aggregate. | long |
-| zscaler_zia.firewall.session.count | Number of sessions that were aggregated. | double |
-| zscaler_zia.firewall.stateful | | keyword |
-| zscaler_zia.firewall.threat.category | Category of the threat in the Firewall session by the IPS engine. | keyword |
-| zscaler_zia.firewall.threat.name | Name of the threat detected in the Firewall session by the IPS engine. | keyword |
-| zscaler_zia.firewall.tunnel.ip | Tunnel IP address of the client (source). For aggregated sessions, this is the client's tunnel IP address corresponding to the last session in the aggregate. | keyword |
-| zscaler_zia.firewall.tunnel.port | Tunnel port on the client side. For aggregated sessions, this is the client's tunnel port corresponding to the last session in the aggregate. | long |
-| zscaler_zia.firewall.tunnel.type | Traffic forwarding method used to send the traffic to the firewall. 
| keyword |
-
-
-An example event for `firewall` looks as following:
-
-```json
-{
- "@timestamp": "2021-12-31T07:08:09.000Z",
- "agent": {
- "ephemeral_id": "2c292e52-b6ea-4ca0-bfc7-692dadde1a7d",
- "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.1.2"
- },
- "data_stream": {
- "dataset": "zscaler_zia.firewall",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "bytes": 19052,
- "geo": {
- "country_name": "Ireland"
- },
- "ip": "0.0.0.0",
- "port": 443
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f",
- "snapshot": false,
- "version": "8.1.2"
- },
- "event": {
- "action": "drop",
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "zscaler_zia.firewall",
- "duration": 486000000,
- "ingested": "2021-12-31T05:06:07Z",
- "kind": "event",
- "type": [
- "info"
- ]
- },
- "host": {
- "hostname": "Machine9000"
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "source": {
- "address": "1.128.3.4:43634"
- }
- },
- "network": {
- "application": "http",
- "community_id": "1:hQwW1HWTOUYlk7y4+T2D+UPDU1c=",
- "protocol": "https",
- "transport": "tcp"
- },
- "related": {
- "ip": [
- "0.0.0.0"
- ]
- },
- "rule": {
- "name": [
- "Access Blocked",
- "None"
- ]
- },
- "source": {
- "bytes": 1734,
- "ip": "0.0.0.0",
- "port": 55018
- },
- "tags": [
- "forwarded",
- "zscaler_zia-firewall"
- ],
- "user": {
- "email": "some_user@example.com",
- "name": "admin77"
- },
- "zscaler_zia": {
- "firewall": {
- "aggregate": "No",
- "client": {
- "destination": {
- "ip": "0.0.0.0",
- "port": 443
- }
- },
- "department": "Unknown",
- "duration": {
- "avg": 486,
- "milliseconds": 486
- },
- "ip_category": "Test Name",
- "location": {
- "name": "TestLoc DB"
- },
- "nat": "No",
- "server": {
- "source": {
- "ip": "0.0.0.0",
- "port": 0
- }
- },
- "session": {
- "count": 1
- },
- "stateful": "Yes",
- "threat": {
- "category": 
"None", - "name": "None" - }, - "tunnel": { - "ip": "0.0.0.0", - "port": 0, - "type": "ZscalerClientConnector" - } - } - } -} -``` - -## Tunnel Logs - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.packets | Packets sent from the destination to the source. | long | -| destination.port | Port of the destination. | long | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.id | Unique ID to describe the event. | keyword |
-| event.module | Event module | constant_keyword |
-| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
-| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| related.user | All the user names or other user identifiers seen on the event. | keyword |
-| source.bytes | Bytes sent from the source to the destination. | long |
-| source.ip | IP address of the source (IPv4 or IPv6). 
| ip |
-| source.packets | Packets sent from the source to the destination. | long |
-| source.port | Port of the source. | long |
-| tags | List of keywords used to tag each event. | keyword |
-| user.name | Short name or login of the user. | keyword |
-| user.name.text | Multi-field of `user.name`. | match_only_text |
-| zscaler_zia.tunnel.action.type | Type of the record. Possible values [ WL_TUNNEL_IPSECPHASE1, WL_TUNNEL_IPSECPHASE2, WL_TUNNEL_EVENT, WL_TUNNEL_SAMPLES ]. | keyword |
-| zscaler_zia.tunnel.authentication.algorithm | Authentication algorithm. | keyword |
-| zscaler_zia.tunnel.authentication.type | Authentication type. | keyword |
-| zscaler_zia.tunnel.destination.end.ip | Phase 2 policy proposal - Destination IP end. | keyword |
-| zscaler_zia.tunnel.destination.start.ip | Phase 2 policy proposal - Destination IP start. | keyword |
-| zscaler_zia.tunnel.destination.start.port | Phase 2 policy proposal - Destination port end. | long |
-| zscaler_zia.tunnel.dpd_packets | Number of DPD packets received in 60-second sample window. | keyword |
-| zscaler_zia.tunnel.encryption.algorithm | Encryption algorithm. | keyword |
-| zscaler_zia.tunnel.ike.version | IKE version (1 or 2). | long |
-| zscaler_zia.tunnel.life.bytes | Life bytes (number of traffic to be transacted through tunnel before renegotiation). | long |
-| zscaler_zia.tunnel.life.time | Lifetime of IKE Phase 1/2 in seconds. | long |
-| zscaler_zia.tunnel.location.name | Location name. | keyword |
-| zscaler_zia.tunnel.policy.direction | N/A | keyword |
-| zscaler_zia.tunnel.policy.protocol | Phase 2 policy proposal - Protocol. | keyword |
-| zscaler_zia.tunnel.protocol | IPSec tunnel protocol type (Zscaler only supports ESP). | keyword |
-| zscaler_zia.tunnel.source.end.ip | Phase 2 policy proposal - Source IP end. | keyword |
-| zscaler_zia.tunnel.source.start.ip | Phase 2 policy proposal - Source IP start. 
| keyword |
-| zscaler_zia.tunnel.source.start.port | Phase 2 policy proposal - Source port start. | long |
-| zscaler_zia.tunnel.spi | Security Parameter Index. | keyword |
-| zscaler_zia.tunnel.spi_in | Initiator cookie. | keyword |
-| zscaler_zia.tunnel.spi_out | Responder cookie. | keyword |
-| zscaler_zia.tunnel.type | Tunnel type. | keyword |
-| zscaler_zia.tunnel.vendor.name | Vendor name of the edge device. | keyword |
-
-
-An example event for `tunnel` looks as following:
-
-```json
-{
- "@timestamp": "2021-12-31T11:12:13.000Z",
- "agent": {
- "ephemeral_id": "b187ac54-dab8-4e34-b72d-36772d818767",
- "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.1.2"
- },
- "data_stream": {
- "dataset": "zscaler_zia.tunnel",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "81.2.69.143"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f",
- "snapshot": false,
- "version": "8.1.2"
- },
- "event": {
- "agent_id_status": "verified",
- "category": [
- "network"
- ],
- "dataset": "zscaler_zia.tunnel",
- "id": "1111111111111111111",
- "ingested": "2021-12-31T05:06:07Z",
- "kind": "event",
- "type": [
- "info"
- ]
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "source": {
- "address": "1.128.3.4:58370"
- }
- },
- "network": {
- "transport": "ipsec ikev 1"
- },
- "related": {
- "ip": [
- "81.2.69.143",
- "81.2.69.145"
- ],
- "user": [
- "81.2.69.145"
- ]
- },
- "source": {
- "ip": "81.2.69.145",
- "port": 0
- },
- "tags": [
- "forwarded",
- "zscaler_zia-tunnel"
- ],
- "user": {
- "name": "81.2.69.145"
- },
- "zscaler_zia": {
- "tunnel": {
- "action": {
- "type": "IPSec Phase2"
- },
- "authentication": {
- "algorithm": "HMAC-SHA-1",
- "type": "None"
- },
- "destination": {
- "end": {
- "ip": "81.2.69.143"
- },
- "start": {
- "ip": "81.2.69.143",
- "port": 0
- }
- },
- "encryption": {
- "algorithm": "AES"
- },
- "ike": {
- 
"version": 1 - }, - "life": { - "bytes": 0, - "time": 3600 - }, - "location": { - "name": "some-location" - }, - "policy": { - "direction": "Inbound SA Policy", - "protocol": "Any" - }, - "protocol": "ESP", - "source": { - "end": { - "ip": "81.2.69.145" - }, - "start": { - "ip": "81.2.69.145", - "port": 0 - } - }, - "spi": "123456789", - "type": "IPSEC IKEV 1" - } - } -} -``` - -## Web Logs - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.module | Event module | constant_keyword |
-| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. 
| keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.bytes | Total size in bytes of the request (body and headers). | long |
-| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
-| http.request.mime_type | Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. | keyword |
-| http.request.referrer | Referrer for this HTTP request. | keyword |
-| http.response.bytes | Total size in bytes of the response (body and headers). | long |
-| http.response.status_code | HTTP response status code. | long |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
-| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
-| related.ip | All of the IPs seen on your event. | ip |
-| rule.name | The name of the rule or signature generating the event. 
| keyword |
-| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
-| source.ip | IP address of the source (IPv4 or IPv6). | ip |
-| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
-| source.user.name | Short name or login of the user. | keyword |
-| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
-| tags | List of keywords used to tag each event. | keyword |
-| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
-| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
-| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| url.password | Password of the request. 
| keyword |
-| url.path | Path of the request, such as "/search". | wildcard |
-| url.port | Port of the request, such as 443. | long |
-| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
-| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
-| url.username | Username of the request. | keyword |
-| user.email | User email address. | keyword |
-| user_agent.device.name | Name of the device. | keyword |
-| user_agent.name | Name of the user agent. | keyword |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
-| user_agent.os.full | Operating system name, including the version or code name. | keyword |
-| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
-| user_agent.os.name | Operating system name, without the version. | keyword |
-| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
-| user_agent.os.version | Operating system version as a raw string. | keyword |
-| user_agent.version | Version of the user agent. | keyword |
-| zscaler_zia.web.app.class | The web application class of the application that was accessed. Equivalent to module. | keyword |
-| zscaler_zia.web.app.name | Cloud application name. | keyword |
-| zscaler_zia.web.bandwidth_throttle | Indicates whether the transaction was throttled due to a configured bandwidth policy. | keyword |
-| zscaler_zia.web.ctime | The time from when the first byte of the request hits the ZEN to the time in which the last byte of the response is sent from the ZEN back to the browser. 
| long |
-| zscaler_zia.web.department | Department of the user. | keyword |
-| zscaler_zia.web.device.hostname | The obfuscated version of the device owner. This field must be changed manually. | keyword |
-| zscaler_zia.web.dpl.dictionaries | The DLP dictionaries that were matched, if any. | keyword |
-| zscaler_zia.web.dpl.engine | The DLP engine that was matched, if any. | keyword |
-| zscaler_zia.web.encoded_host | Encoded version of the destination host name. | keyword |
-| zscaler_zia.web.file.class | Type of file associated with the transaction. | keyword |
-| zscaler_zia.web.file.type | Type of file associated with the transaction. | keyword |
-| zscaler_zia.web.location | Gateway location or sub-location of the source. | keyword |
-| zscaler_zia.web.malware.category | The category of malware that was detected in the transaction, if any. Also indicates if a file was submitted to the Sandbox engine for analysis and the result of the analysis. | keyword |
-| zscaler_zia.web.malware.class | The class of malware that was detected in the transaction, if any. | keyword |
-| zscaler_zia.web.record.id | N/A | keyword |
-| zscaler_zia.web.stime | The round trip time between the ZEN request and the server. | long |
-| zscaler_zia.web.threat.name | The name of the threat that was detected in the transaction, if any. | keyword |
-| zscaler_zia.web.total.size | Total size, in bytes, of the HTTP transaction; sum of the total request size and total response size. | long |
-| zscaler_zia.web.unscannable.type | Unscannable file type. | keyword |
-| zscaler_zia.web.url.category.sub | Category of the destination URL. | keyword |
-| zscaler_zia.web.url.category.super | Super category of the destination URL. | keyword |
-| zscaler_zia.web.url.class | Class of the destination URL. 
| keyword |
-
-
-An example event for `web` looks as following:
-
-```json
-{
- "@timestamp": "2021-12-17T07:04:57.000Z",
- "agent": {
- "ephemeral_id": "6f164483-9eb8-4219-bb09-cd2ff3532390",
- "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "8.1.2"
- },
- "data_stream": {
- "dataset": "zscaler_zia.web",
- "namespace": "ep",
- "type": "logs"
- },
- "destination": {
- "ip": "81.2.69.145"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "f6f3ddbc-7ab7-4a74-aeeb-152405dea56f",
- "snapshot": false,
- "version": "8.1.2"
- },
- "event": {
- "action": "blocked",
- "agent_id_status": "verified",
- "category": [
- "web"
- ],
- "dataset": "zscaler_zia.web",
- "ingested": "2021-12-31T05:06:07Z",
- "kind": "event",
- "risk_score": 0,
- "type": [
- "info"
- ]
- },
- "http": {
- "request": {
- "bytes": 600,
- "method": "CONNECT",
- "mime_type": "Other",
- "referrer": "None"
- },
- "response": {
- "bytes": 65,
- "status_code": 200
- }
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "source": {
- "address": "1.128.3.4:37608"
- }
- },
- "network": {
- "protocol": "http_proxy"
- },
- "related": {
- "hosts": [
- "TestMachine35"
- ],
- "ip": [
- "81.2.69.193",
- "81.2.69.145"
- ]
- },
- "rule": {
- "name": "Zscaler Proxy Traffic",
- "ruleset": "FwFilter"
- },
- "source": {
- "nat": {
- "ip": "81.2.69.193"
- },
- "user": {
- "name": "administrator1"
- }
- },
- "tags": [
- "forwarded",
- "zscaler_zia-web"
- ],
- "url": {
- "extension": "com",
- "original": "www.example.com",
- "path": "www.example.com"
- },
- "user": {
- "email": "test@example.com"
- },
- "user_agent": {
- "device": {
- "name": "Other"
- },
- "name": "Other",
- "original": "Windows Microsoft Windows 10 Pro ZTunnel/1.0",
- "os": {
- "full": "Windows 10",
- "name": "Windows",
- "version": "10"
- }
- },
- "zscaler_zia": {
- "web": {
- "app": {
- "class": "General Browsing",
- "name": "General Browsing"
- },
- "ctime": 0,
- 
"department": "Unknown", - "device": { - "hostname": "TestMachine35" - }, - "dpl": { - "dictionaries": "None", - "engine": "None" - }, - "location": "Test DB", - "malware": { - "category": "None" - }, - "stime": 0, - "threat": { - "name": "None" - }, - "unscannable": { - "type": "None" - }, - "url": { - "category": { - "sub": "Web Search", - "super": "Information Technology" - }, - "class": "Business Use" - } - } - } -} -``` diff --git a/packages/zscaler_zia/2.1.0/img/cloud_nss_feeds.png b/packages/zscaler_zia/2.1.0/img/cloud_nss_feeds.png deleted file mode 100755 index 14a098f2c9..0000000000 Binary files a/packages/zscaler_zia/2.1.0/img/cloud_nss_feeds.png and /dev/null differ diff --git a/packages/zscaler_zia/2.1.0/img/escape_feed.png b/packages/zscaler_zia/2.1.0/img/escape_feed.png deleted file mode 100755 index 40a8b59ec5..0000000000 Binary files a/packages/zscaler_zia/2.1.0/img/escape_feed.png and /dev/null differ diff --git a/packages/zscaler_zia/2.1.0/img/nss_feeds.png b/packages/zscaler_zia/2.1.0/img/nss_feeds.png deleted file mode 100755 index 26c1c48c50..0000000000 Binary files a/packages/zscaler_zia/2.1.0/img/nss_feeds.png and /dev/null differ diff --git a/packages/zscaler_zia/2.1.0/img/nss_server.png b/packages/zscaler_zia/2.1.0/img/nss_server.png deleted file mode 100755 index d394408905..0000000000 Binary files a/packages/zscaler_zia/2.1.0/img/nss_server.png and /dev/null differ diff --git a/packages/zscaler_zia/2.1.0/img/zscaler-logo.svg b/packages/zscaler_zia/2.1.0/img/zscaler-logo.svg deleted file mode 100755 index b8a21a2fa6..0000000000 --- a/packages/zscaler_zia/2.1.0/img/zscaler-logo.svg +++ /dev/null @@ -1 +0,0 @@ -Zscaler-Logo-TM-Blue-RGB-May2019 \ No newline at end of file 
diff --git a/packages/zscaler_zia/2.1.0/img/zscaler-zia-screenshot.png b/packages/zscaler_zia/2.1.0/img/zscaler-zia-screenshot.png
deleted file mode 100755
index 6e10c51d84..0000000000
Binary files a/packages/zscaler_zia/2.1.0/img/zscaler-zia-screenshot.png and /dev/null differ
diff --git a/packages/zscaler_zia/2.1.0/kibana/dashboard/zscaler_zia-66597790-4ded-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/dashboard/zscaler_zia-66597790-4ded-11ec-ad09-d9f49962d407.json
deleted file mode 100755
index 332b403094..0000000000
--- a/packages/zscaler_zia/2.1.0/kibana/dashboard/zscaler_zia-66597790-4ded-11ec-ad09-d9f49962d407.json
+++ /dev/null
@@ -1,72 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"06eebe5f-c6d6-4bc3-910c-dfb31b4eed15\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"06eebe5f-c6d6-4bc3-910c-dfb31b4eed15\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bd3fd0c0-bb65-48d3-abe6-00fa3513cfeb\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bd3fd0c0-bb65-48d3-abe6-00fa3513cfeb\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3263f825-0d4b-4579-865a-29901566da89\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3263f825-0d4b-4579-865a-29901566da89\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fd1d5738-f049-4d39-8a9c-c99f00026abc\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"fd1d5738-f049-4d39-8a9c-c99f00026abc\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"14e74949-6df9-4178-bd6c-fb3f2af4e44f\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"14e74949-6df9-4178-bd6c-fb3f2af4e44f\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"f54d9f84-ff3e-4246-9d53-af54076bacf4\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"f54d9f84-ff3e-4246-9d53-af54076bacf4\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhanceme
nts\":{}},\"gridData\":{\"h\":21,\"i\":\"a2629365-4540-4700-abd5-299070e39233\",\"w\":16,\"x\":32,\"y\":48},\"panelIndex\":\"a2629365-4540-4700-abd5-299070e39233\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"90e1564e-ec66-4a1f-9416-53a3fef9b577\",\"w\":16,\"x\":0,\"y\":48},\"panelIndex\":\"90e1564e-ec66-4a1f-9416-53a3fef9b577\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":21,\"i\":\"ff526e93-a3f7-4155-b493-bb0427f87001\",\"w\":16,\"x\":16,\"y\":48},\"panelIndex\":\"ff526e93-a3f7-4155-b493-bb0427f87001\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":7,\"width\":123.44444444444446},{\"colIndex\":4,\"width\":230.56944444444446},{\"colIndex\":1,\"width\":150.56944444444443},{\"colIndex\":0,\"width\":164.40277777777774},{\"colIndex\":6,\"width\":109.0027777777778},{\"colIndex\":5,\"width\":110.75277777777777},{\"colIndex\":8,\"width\":90.08611111111111},{\"colIndex\":3,\"width\":176.5861111111111},{\"colIndex\":2,\"width\":222.58611111111122}]}}},\"gridData\":{\"h\":15,\"i\":\"89b6c2a3-3ae8-4bfc-9af0-0711f588ce30\",\"w\":48,\"x\":0,\"y\":69},\"panelIndex\":\"89b6c2a3-3ae8-4bfc-9af0-0711f588ce30\",\"panelRefName\":\"panel_9\",\"title\":\"[Zscaler] [ZIA] Distribution of Firewall Events by Threat Category, IP Category, Traffic Forwarding Method, Application, Destination NAT policy applied, Action, Department, Location, Used Protocol\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", - "timeRestore": false, - "title": "[Zscaler] [ZIA] Firewall Logs", - "version": 1 - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-66597790-4ded-11ec-ad09-d9f49962d407", - "migrationVersion": { - 
"dashboard": "8.1.0" - }, - "references": [ - { - "id": "zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407", - "name": "panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/dashboard/zscaler_zia-85380a00-4de3-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/dashboard/zscaler_zia-85380a00-4de3-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 03b0664038..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/dashboard/zscaler_zia-85380a00-4de3-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"677982f9-75a5-4420-a0e4-65778e28370f\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"677982f9-75a5-4420-a0e4-65778e28370f\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"329767e7-da25-44aa-ab86-b18b9f6e3a24\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"329767e7-da25-44aa-ab86-b18b9f6e3a24\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"dbf7121d-902c-4979-a56a-aeecb89dc781\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"dbf7121d-902c-4979-a56a-aeecb89dc781\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4421e7b7-c2b0-4463-8646-03616ddfe9cb\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"4421e7b7-c2b0-4463-8646-03616ddfe9cb\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ade94ac6-4269-4d88-9e63-5295cee65475\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"ade94ac6-4269-4d88-9e63-5295cee65475\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"95e9a752-3269-4679-b1a8-3826fc6fd463\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"95e9a752-3269-4679-b1a8-3826fc6fd463\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"
7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1c2c054a-b244-4f93-84b2-68e4228a2956\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"1c2c054a-b244-4f93-84b2-68e4228a2956\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"35acb8fb-304a-4651-88fa-6f080c7b258b\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"35acb8fb-304a-4651-88fa-6f080c7b258b\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":22,\"i\":\"1f29cb86-55d1-4caa-b012-3d8e674fb401\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"1f29cb86-55d1-4caa-b012-3d8e674fb401\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f2101d90-704b-46e5-b73a-567fb731bcda\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"f2101d90-704b-46e5-b73a-567fb731bcda\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Zscaler] [ZIA] Web Logs", - "version": 1 - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-85380a00-4de3-11ec-ad09-d9f49962d407", - "migrationVersion": { - "dashboard": "8.1.0" - }, - "references": [ - { - "id": "zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407", - "name": "panel_4", - "type": "visualization" - }, - { 
- "id": "zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53", - "name": "panel_9", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/dashboard/zscaler_zia-9447f5b0-4eaf-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/2.1.0/kibana/dashboard/zscaler_zia-9447f5b0-4eaf-11ec-9527-b704eaaa5c53.json deleted file mode 100755 index 46d778b62d..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/dashboard/zscaler_zia-9447f5b0-4eaf-11ec-9527-b704eaaa5c53.json +++ /dev/null 
@@ -1,57 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fa228027-f96f-4c6c-8ff2-ba35c24ab5f3\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"fa228027-f96f-4c6c-8ff2-ba35c24ab5f3\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"486db5cd-c4a8-4a4f-b794-3811989c9f2a\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"486db5cd-c4a8-4a4f-b794-3811989c9f2a\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"dedfb661-d4dc-4748-a286-8af6d668bd05\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"dedfb661-d4dc-4748-a286-8af6d668bd05\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6ab75387-2a14-4d5f-adef-2ab49ed51674\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"6ab75387-2a14-4d5f-adef-2ab49ed51674\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b757507b-409b-4695-b558-daff6d0382db\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"b757507b-409b-4695-b558-daff6d0382db\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"75e785d6-2c8f-4608-b204-4688a66ad14e\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"75e785d6-2c8f-4608-b204-4688a66ad14e\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\
"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"b92519fe-1070-4e1f-a38d-8796c26af893\",\"w\":48,\"x\":0,\"y\":45},\"panelIndex\":\"b92519fe-1070-4e1f-a38d-8796c26af893\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Zscaler] [ZIA] Tunnel Logs", - "version": 1 - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-9447f5b0-4eaf-11ec-9527-b704eaaa5c53", - "migrationVersion": { - "dashboard": "8.1.0" - }, - "references": [ - { - "id": "zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53", - "name": "panel_6", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/dashboard/zscaler_zia-d4977590-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/dashboard/zscaler_zia-d4977590-4de8-11ec-ad09-d9f49962d407.json deleted file mode 100755 index c1d1a759d9..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/dashboard/zscaler_zia-d4977590-4de8-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":180,\"minLat\":-66.51326,\"minLon\":-180},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":1.06},\"openTOCDetails\":[]},\"gridData\":{\"h\":17,\"i\":\"8b4eb1df-17aa-4d80-8b26-1920b5150cad\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"8b4eb1df-17aa-4d80-8b26-1920b5150cad\",\"panelRefName\":\"panel_0\",\"type\":\"map\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"db8f6083-5ad4-4a49-84a3-f89318befd32\",\"w\":24,\"x\":0,\"y\":17},\"panelIndex\":\"db8f6083-5ad4-4a49-84a3-f89318befd32\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"13fd9028-3dd5-4262-b7bb-3cba5d6c98cd\",\"w\":24,\"x\":24,\"y\":17},\"panelIndex\":\"13fd9028-3dd5-4262-b7bb-3cba5d6c98cd\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"47b652f2-0e00-4b5d-9e94-b5ade2b0c6e6\",\"w\":48,\"x\":0,\"y\":34},\"panelIndex\":\"47b652f2-0e00-4b5d-9e94-b5ade2b0c6e6\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Zscaler] [ZIA] DNS Logs", - "version": 1 - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-d4977590-4de8-11ec-ad09-d9f49962d407", - "migrationVersion": { - "dashboard": "8.1.0" - }, - "references": [ - { - "id": "zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407", - "name": "panel_0", - "type": "map" 
- }, - { - "id": "zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/map/zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/map/zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 8a0e1ee82a..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/map/zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "attributes": { - "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"9d6d7cae-7cff-491c-abc8-40d6d4f575b0\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"lightModeDefault\":\"road_map\",\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"EMS_VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"03c492fe-96d8-48ab-a5b4-3eec4ae2a230\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.dns\\\"\"},\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"636e2366-af59-41da-a0af-83b10b7a1b47\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", - "mapStateJSON": "{\"center\":{\"lat\":19.94277,\"lon\":0},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.dns\\\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-5y\",\"to\":\"now\"},\"zoom\":1.06}", - "title": "[Zscaler] [ZIA] DNS Events by Region", - 
"uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-48a188a0-4de8-11ec-ad09-d9f49962d407", - "migrationVersion": { - "map": "8.1.0" - }, - "references": [ - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "map" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 13dfb5c987..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"rule.ruleset\",\"negate\":true,\"params\":{\"query\":\"None\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"rule.ruleset\":\"None\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 Rule type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Rule Type\",\"field\":\"rule.ruleset\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[]
,\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Top 10 Rule type\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-0334d8c0-4de4-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53.json deleted file mode 100755 index 277bd10b47..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.tunnel\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 Destination IPs", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Destination IPs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-05cc16a0-4eae-11ec-9527-b704eaaa5c53", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 56ce15d3c7..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 Users", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Z
scaler] [ZIA] Top 10 Users\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-2958ae90-4de5-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53.json deleted file mode 100755 index ca372b0105..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.tunnel\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Distribution of Tunnel Events by Tunnel Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Tunnel Type\",\"field\":\"zscaler_zia.tunnel.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler] [ZIA] Distribution of Tunnel Events by Tunnel Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-2c8eb9f0-4eae-11ec-9527-b704eaaa5c53", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 7dff280703..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Distribution of Web Events by Action, Malware Category, App Class, Response Code, Department, Username, URL", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Username\",\"field\":\"source.user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Malware Category\",\"field\":\"zscaler_zia.web.malware.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Application Class\",\"field\":\"zscaler_zia.web.app.class\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Response 
Code\",\"field\":\"http.response.status_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Department\",\"field\":\"zscaler_zia.web.department\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"URL\",\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":true,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Distribution of Web Events by Action, Malware Category, App Class, Response Code, Department, Username, URL\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-35612ae0-4de6-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407.json deleted file mode 100755 index b5d9d164c0..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Distribution of Firewall Events by Threat Category, IP Category, Traffic Forwarding Method, network application that accessed web, Destination NAT policy applied, Action, Department, Location, Used Protocol", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Category\",\"field\":\"zscaler_zia.firewall.threat.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"IP Category\",\"field\":\"zscaler_zia.firewall.ip_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Traffic Forwarding Method\",\"field\":\"zscaler_zia.firewall.tunnel.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Application 
Name\",\"field\":\"network.application\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination NAT policy applied\",\"field\":\"zscaler_zia.firewall.nat\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Action\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"10\",\"params\":{\"customLabel\":\"Location\",\"field\":\"zscaler_zia.firewall.location.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Department\",\"field\":\"zscaler_zia.firewall.department\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"9\",\"params\":{\"customLabel\":\"Protocol 
Used\",\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Distribution of Firewall Events by Threat Category, IP Category, Traffic Forwarding Method, network application that accessed web, Destination NAT policy applied, Action, Department, Location, Used Protocol\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-3faec910-4ded-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53.json deleted file mode 100755 index e5dd1e13c9..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.tunnel\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Distribution of Tunnel Events by Location", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Location\",\"field\":\"zscaler_zia.tunnel.location.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler] [ZIA] Distribution of Tunnel Events by Location\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-4d4b4fa0-4eae-11ec-9527-b704eaaa5c53", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 6b73cb5fcc..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 Tunnel IPs", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Tunnel IPs\",\"field\":\"zscaler_zia.firewall.tunnel.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Tunnel IPs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-4e583660-4deb-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53.json deleted file mode 100755 index 2324547e12..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.tunnel\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Distribution of Tunnel Events by Encryption Algorithm, Authentication Algorithm, Authentication Type, Tunnel Action name, Protocol, Source IP, Destination IP", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Encryption Algorithm\",\"field\":\"zscaler_zia.tunnel.encryption.algorithm\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Authentication Algorithm\",\"field\":\"zscaler_zia.tunnel.authentication.algorithm\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Authentication Type\",\"field\":\"zscaler_zia.tunnel.authentication.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Tunnel Action 
Name\",\"field\":\"zscaler_zia.tunnel.action.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"zscaler_zia.tunnel.policy.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Distribution of Tunnel Events by Encryption algorithm, Authentication algorithm, Authentication Type, Action name, Protocol, Source IP, Destination IP\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-5b68c940-4eaf-11ec-9527-b704eaaa5c53", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 65b13ea6b9..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Protocol of Web Events Over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Protocol\",\"field\":\"network.protocol\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"sho
w\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Protocol of Web Events Over time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-5ebff250-4de5-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 9f37196311..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 rule", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Rules\",\"exclude\":\"None\",\"field\":\"rule.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":9},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{
},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Top 10 rule\",\"type\":\"histogram\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-63155460-4e82-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53.json deleted file mode 100755 index 262203f4ba..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\" and not http.response.status_code: \\\"200\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 failed URLs", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"URL\",\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 failed URLs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-652829d0-4eb9-11ec-9527-b704eaaa5c53", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 23bacc2635..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"rule.name\",\"negate\":true,\"params\":{\"query\":\"None\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"rule.name\":\"None\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 Rule Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Rule Name\",\"field\":\"rule.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"trunca
teLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Top 10 Rule Name\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-68d16b80-4de4-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 910997e21e..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.dns\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Distribution of DNS Events by Department", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Department\",\"field\":\"zscaler_zia.dns.department\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler] [ZIA] Distribution of DNS Events by Department\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-6d29cc50-4de8-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407.json deleted file mode 100755 index c14b13b108..0000000000 
--- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 Server Source IP", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Server Source IP\",\"field\":\"zscaler_zia.firewall.server.source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Server Source IP\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-72169a60-4deb-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 2df1b4b34e..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"zscaler_zia.web.threat.name\",\"negate\":true,\"params\":{\"query\":\"None\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"zscaler_zia.web.threat.name\":\"None\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Total Threats", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Threats\",\"field\":\"zscaler_zia.web.threat.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Zscaler] [ZIA] Total Threats\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-7a0a40d0-4de3-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53.json deleted file mode 100755 index 7043ed4603..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.tunnel\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Distribution of Tunnel Events by Vendor Name of Edge Device", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Vendor Name of Edge Device\",\"field\":\"zscaler_zia.tunnel.vendor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler] [ZIA] Distribution of Tunnel Events by Vendor Name of Edge Device\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-8058c4e0-4eae-11ec-9527-b704eaaa5c53", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 94a35cf2c3..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.dns\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Distribution of DNS Events by Request Action", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Request Action\",\"field\":\"zscaler_zia.dns.request.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler] [ZIA] Distribution of DNS Events by Request Action\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-91813c00-4de8-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407.json deleted file mode 100755 index ef1fff70f7..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 Server Destination IP", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Server Destination IP\",\"field\":\"destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Server Destination IP\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-9e6d2890-4deb-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 28379d5ae9..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"zscaler_zia.firewall.threat.name\",\"negate\":true,\"params\":{\"query\":\"None\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"zscaler_zia.firewall.threat.name\":\"None\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 Threats detected by Firewall", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Name\",\"field\":\"zscaler_zia.firewall.threat.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\
":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Top 10 Threats detected by Firewall\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-a536b890-4e80-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407.json deleted file mode 100755 index a194018c98..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"zscaler_zia.web.threat.name\",\"negate\":true,\"params\":{\"query\":\"None\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"zscaler_zia.web.threat.name\":\"None\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 Threats by name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Name\",\"field\":\"zscaler_zia.web.threat.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Threats by name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-a9ac0260-4de3-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53.json deleted file mode 100755 index 4c18d147be..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.tunnel\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 Tunnel Action Name", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Tunnel Action Name\",\"field\":\"zscaler_zia.tunnel.action.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Tunnel Action Name\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-bcddbd40-4ead-11ec-9527-b704eaaa5c53", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 349104b7d2..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.dns\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 DNS Rules", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Rules\",\"field\":\"zscaler_zia.dns.request.rule.label\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\
":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Top 10 DNS Rules\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-bd00f230-4de8-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407.json deleted file mode 100755 index d409762d24..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 App Name accessing Web", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"App Name\",\"field\":\"zscaler_zia.web.app.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 App Name accessing Web\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-c8b23580-4de3-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 0b78693f21..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 Client Source IP", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Client Source IP\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-da1734d0-4deb-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407.json deleted file mode 100755 index cc3a303366..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 Destination Country", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Country\",\"field\":\"destination.geo.country_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"horizontal_bar\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\
":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Top 10 Destination Country\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-db1241f0-4e80-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407.json deleted file mode 100755 index fc058e213d..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"zscaler_zia.firewall.threat.name\",\"negate\":true,\"params\":{\"query\":\"None\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"zscaler_zia.firewall.threat.name\":\"None\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Total Threats detected by Firewall", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Threats\",\"field\":\"zscaler_zia.firewall.threat.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Zscaler] [ZIA] Total Threats detected by Firewall\",\"type\":\"metric\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-dff0d0b0-4dea-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53.json deleted file mode 100755 index 1894bec95b..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.tunnel\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 Source IPs", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Source IPs\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-e4f2aa20-4ead-11ec-9527-b704eaaa5c53", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file 
diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 536e89fde8..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.web\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 URL Categories", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"zscaler_zia.web.url.category.sub\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"typ
e\":\"value\"}]},\"title\":\"[Zscaler] [ZIA] Top 10 URL Categories\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-e54e9f20-4de4-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407.json b/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407.json deleted file mode 100755 index cc992148c9..0000000000 --- a/packages/zscaler_zia/2.1.0/kibana/visualization/zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: \\\"zscaler_zia.firewall\\\"\"}}" - }, - "title": "[Zscaler] [ZIA] Top 10 Client Destination IP", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Destination IP\",\"field\":\"zscaler_zia.firewall.client.destination.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler] [ZIA] Top 10 Client Destination IP\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "8.1.2", - "id": "zscaler_zia-f5a2e730-4deb-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization" -} \ No newline at end of file diff --git a/packages/zscaler_zia/2.1.0/manifest.yml b/packages/zscaler_zia/2.1.0/manifest.yml deleted file mode 100755 index a75aff2377..0000000000 --- a/packages/zscaler_zia/2.1.0/manifest.yml +++ /dev/null 
@@ -1,111 +0,0 @@ -format_version: 1.0.0 -name: zscaler_zia -title: Zscaler Internet Access -version: 2.1.0 -license: basic -description: Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent. -type: integration -categories: - - security -release: ga -conditions: - kibana.version: ^8.3.0 -screenshots: - - src: /img/zscaler-zia-screenshot.png - title: Zscaler ZIA web log dashboard screenshot - size: 600x600 - type: image/png -icons: - - src: /img/zscaler-logo.svg - title: Zscaler logo - size: 32x32 - type: image/svg+xml -policy_templates: - - name: zscaler_zia - title: Zscaler Internet Access logs - description: Collect Zscaler Internet Access logs - inputs: - - type: tcp - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
- multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- - title: Collect Zscaler Internet Access logs via TCP input - description: Collecting Zscaler Internet Access logs via TCP input - - type: http_endpoint - title: Collect Zscaler Internet Access logs via HTTP Endpoint - description: Collecting Zscaler Internet Access logs via HTTP Endpoint - vars: - - name: listen_address - type: text - title: Listen Address - description: The bind address to listen for http endpoint connections. Set to `0.0.0.0` to bind to all available interfaces. - multi: false - required: true - show_user: true - default: localhost - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
- multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- -owner: - github: elastic/security-external-integrations diff --git a/packages/zscaler_zpa/1.0.0/changelog.yml b/packages/zscaler_zpa/1.0.0/changelog.yml deleted file mode 100755 index b9d3f3f006..0000000000 --- a/packages/zscaler_zpa/1.0.0/changelog.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -# newer versions go on top -- version: "1.0.0" - changes: - - description: Make GA - type: enhancement - link: https://github.com/elastic/integrations/pull/3428 -- version: "0.2.0" - changes: - - description: Update ECS to 8.2 - type: enhancement - link: https://github.com/elastic/integrations/pull/2781 -- version: "0.1.2" - changes: - - description: Add documentation for multi-fields - type: enhancement - link: https://github.com/elastic/integrations/pull/2916 -- version: "0.1.1" - changes: - - description: Updated the README to describe the Zscaler ZPA setup process. - type: enhancement - link: https://github.com/elastic/integrations/pull/2769 -- version: "0.1.0" - changes: - - description: Initial draft of the package - type: enhancement - link: https://github.com/elastic/integrations/pull/2458 diff --git a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/agent/stream/tcp.yml.hbs b/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/agent/stream/tcp.yml.hbs deleted file mode 100755 index 030459f258..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -tcp: -host: "{{listen_address}}:{{listen_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index ea84f5ecb9..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,287 +0,0 @@ ---- -description: Pipeline for Zscaler app connector status logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - ignore_failure: true - - set: - field: event.category - value: package - - set: - field: event.kind - value: event - - set: - field: event.type - value: info - - date: - field: json.LogTimestamp - target_field: "@timestamp" - ignore_failure: true - formats: - - E MMM dd HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - remove: - field: json.LogTimestamp - ignore_failure: true - - rename: - field: json.DefRouteGW - target_field: client.nat.ip - ignore_missing: true - - append: - field: related.ip - value: "{{{client.nat.ip}}}" - if: ctx?.client?.nat?.ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.CPUUtilization - target_field: host.cpu.usage - ignore_missing: true - - rename: - field: json.TotalBytesTx - target_field: host.network.egress.bytes - ignore_missing: true - - rename: - field: json.TotalBytesRx - target_field: host.network.ingress.bytes - ignore_missing: true - - rename: - field: json.CountryCode - target_field: observer.geo.country_iso_code - ignore_missing: true - - rename: - field: json.Latitude - target_field: observer.geo.location.lat - ignore_missing: true - - rename: - field: json.Longitude - target_field: observer.geo.location.lon - ignore_missing: true - - rename: - field: json.InterfaceDefRoute - target_field: zscaler_zpa.app_connector_status.interface.name - ignore_missing: true - - append: - field: observer.ip - value: "{{{json.PublicIP}}}" - if: ctx?.json?.PublicIP != null - ignore_failure: true - - append: - field: related.ip - value: "{{{json.PublicIP}}}" - if: ctx?.json?.PublicIP != null - allow_duplicates: false - ignore_failure: true - - remove: - field: json.PublicIP - ignore_missing: true - - rename: 
- field: json.Platform - target_field: observer.os.platform - ignore_missing: true - - rename: - field: json.Version - target_field: observer.version - ignore_missing: true - - set: - field: observer.type - value: forwarder - - rename: - field: json.Customer - target_field: organization.name - ignore_missing: true - - rename: - field: json.Customer - target_field: organization.name - ignore_missing: true - - rename: - field: json.SessionID - target_field: zscaler_zpa.app_connector_status.session.id - ignore_missing: true - - rename: - field: json.SessionType - target_field: zscaler_zpa.app_connector_status.session.type - ignore_missing: true - - rename: - field: json.SessionStatus - target_field: zscaler_zpa.app_connector_status.session.status - ignore_missing: true - - rename: - field: json.ZEN - target_field: zscaler_zpa.app_connector_status.zen - ignore_missing: true - - rename: - field: json.Connector - target_field: zscaler_zpa.app_connector_status.connector.name - ignore_missing: true - - rename: - field: json.ConnectorGroup - target_field: zscaler_zpa.app_connector_status.connector.group - ignore_missing: true - - convert: - field: json.PrivateIP - type: ip - target_field: zscaler_zpa.app_connector_status.private_ip - ignore_failure: true - - remove: - field: json.PrivateIP - ignore_missing: true - - append: - field: related.ip - value: "{{{zscaler_zpa.app_connector_status.private_ip}}}" - if: ctx?.zscaler_zpa?.app_connector_status?.private_ip != null - allow_duplicates: false - ignore_failure: true - - date: - field: json.TimestampAuthentication - target_field: zscaler_zpa.app_connector_status.timestamp.authentication - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampAuthentication - ignore_missing: true - - date: - field: json.TimestampUnAuthentication - target_field: zscaler_zpa.app_connector_status.timestamp.unauthentication - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampUnAuthentication - 
ignore_missing: true - - rename: - field: json.MemUtilization - target_field: zscaler_zpa.app_connector_status.memory.utilization - ignore_missing: true - - rename: - field: json.ServiceCount - target_field: zscaler_zpa.app_connector_status.service.count - ignore_missing: true - - rename: - field: json.PrimaryDNSResolver - target_field: zscaler_zpa.app_connector_status.primary_dns_resolver - ignore_missing: true - - append: - field: related.ip - value: "{{{zscaler_zpa.app_connector_status.primary_dns_resolver}}}" - if: ctx?.zscaler_zpa?.app_connector_status?.primary_dns_resolver != null - allow_duplicates: false - ignore_failure: true - - date: - field: json.HostStartTime - target_field: zscaler_zpa.app_connector_status.host_start_time - if: ctx?.json?.HostStartTime != "0" - ignore_failure: true - formats: - - UNIX - - remove: - field: json.HostStartTime - ignore_missing: true - - date: - field: json.HostUpTime - target_field: zscaler_zpa.app_connector_status.host_up_time - if: ctx?.json?.HostUpTime != "0" - ignore_failure: true - formats: - - UNIX - - remove: - field: json.HostUpTime - ignore_missing: true - - date: - field: json.ConnectorStartTime - target_field: zscaler_zpa.app_connector_status.connector_start_time - if: ctx?.json?.ConnectorStartTime != "0" - ignore_failure: true - formats: - - UNIX - - remove: - field: json.ConnectorStartTime - ignore_missing: true - - date: - field: json.ConnectorUpTime - target_field: zscaler_zpa.app_connector_status.connector_up_time - if: ctx?.json?.ConnectorUpTime != "0" - ignore_failure: true - formats: - - UNIX - - remove: - field: json.ConnectorUpTime - ignore_missing: true - - rename: - field: json.NumOfInterfaces - target_field: zscaler_zpa.app_connector_status.num_of_interfaces - ignore_missing: true - - rename: - field: json.BytesRxInterface - target_field: zscaler_zpa.app_connector_status.interface.received.bytes - ignore_missing: true - - rename: - field: json.PacketsRxInterface - target_field: 
zscaler_zpa.app_connector_status.interface.received.packets - ignore_missing: true - - rename: - field: json.ErrorsRxInterface - target_field: zscaler_zpa.app_connector_status.interface.received.errors - ignore_missing: true - - rename: - field: json.DiscardsRxInterface - target_field: zscaler_zpa.app_connector_status.interface.received.discards - ignore_missing: true - - rename: - field: json.BytesTxInterface - target_field: zscaler_zpa.app_connector_status.interface.transmitted.bytes - ignore_missing: true - - rename: - field: json.PacketsTxInterface - target_field: zscaler_zpa.app_connector_status.interface.transmitted.packets - ignore_missing: true - - rename: - field: json.ErrorsTxInterface - target_field: zscaler_zpa.app_connector_status.interface.transmitted.errors - ignore_missing: true - - rename: - field: json.DiscardsTxInterface - target_field: zscaler_zpa.app_connector_status.interface.transmitted.discards - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - script: - description: Adds all the remaining fields in fields under zscaler_zpa.app_connector_status - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.zscaler_zpa.app_connector_status[m.getKey()] = m.getValue(); - } - - remove: - field: json - ignore_missing: true -on_failure: - - set: - field: error.message - value: "{{{ _ingest.on_failure_message }}}" 
diff --git a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/fields/agent.yml b/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/fields/base-fields.yml b/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/fields/base-fields.yml deleted file mode 100755 index 35ed3b7e09..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: zscaler_zpa -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zscaler_zpa.app_connector_status diff --git a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/fields/ecs.yml b/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/fields/ecs.yml deleted file mode 100755 index 385496fa03..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/fields/ecs.yml +++ /dev/null 
@@ -1,72 +0,0 @@ -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - Translated IP of source based NAT sessions (e.g. internal client to internet). - Typically connections traversing load balancers, firewalls, or routers. - name: client.nat.ip - type: ip -- description: |- - This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. - `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. - This field is an array. This will allow proper categorization of some events that fall in multiple categories. - name: event.category - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. - `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. - The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. - name: event.kind - type: keyword -- description: |- - This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
- `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. - This field is an array. This will allow proper categorization of some events that fall in multiple event types. - name: event.type - type: keyword -- description: |- - Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. - Scaling factor: 1000. - For example: For a two core host, this value should be the average of the two cores, between 0 and 1. - name: host.cpu.usage - type: scaled_float -- description: Country ISO code. - name: observer.geo.country_iso_code - type: keyword -- description: Longitude and latitude - name: observer.geo.location - type: geo_point -- description: Interface name as reported by the system. - name: observer.egress.interface.name - type: keyword -- description: Interface name as reported by the system. - name: observer.ingress.interface.name - type: keyword -- description: IP addresses of the observer. - name: observer.ip - type: ip -- description: Operating system platform (such centos, ubuntu, windows). - name: observer.os.platform - type: keyword -- description: Observer version. - name: observer.version - type: keyword -- description: |- - The type of the observer the data is coming from. - There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - name: observer.type - type: keyword -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: organization.name - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - type: keyword 
diff --git a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/fields/fields.yml b/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/fields/fields.yml
deleted file mode 100755
index fbb36ef10e..0000000000
--- a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/fields/fields.yml
+++ /dev/null
@@ -1,125 +0,0 @@ -- name: zscaler_zpa.app_connector_status - type: group - fields: - - name: session - type: group - fields: - - name: id - type: keyword - description: | - The TLS session ID. - - name: type - type: keyword - description: | - The type of session. - - name: status - type: keyword - description: | - The status of the session. - - name: zen - type: keyword - description: | - The TLS session ID. - - name: connector - type: group - fields: - - name: name - type: keyword - description: | - The App Connector name. - - name: group - type: keyword - description: | - The App Connector group name. - - name: private_ip - type: ip - description: | - The private IP address of the App Connector. - - name: timestamp - type: group - fields: - - name: authentication - type: date - description: | - Timestamp in microseconds when the App Connector was authenticated. - - name: unauthentication - type: date - description: | - Timestamp in microseconds when the App Connector was unauthenticated. - - name: memory - type: group - fields: - - name: utilization - type: double - description: | - The memory utilization in %. - - name: service - type: group - fields: - - name: count - type: double - description: | - The number of services (combinations of domains/IP addresses and TCP/UDP ports) being monitored by the App Connector. - - name: primary_dns_resolver - type: ip - description: | - The IP address of the primary DNS resolver. - - name: host_start_time - type: date - description: | - Time in seconds at which host was started. - - name: host_up_time - type: date - description: | - Time in seconds at which host was started. - - name: connector_start_time - type: date - description: | - Time in seconds at which App Connector was started. - - name: connector_up_time - type: date - description: | - Time in seconds at which App Connector was started. - - name: num_of_interfaces - type: double - description: | - The number of interfaces on the App Connector host. 
- - name: interface - type: group - fields: - - name: name - type: keyword - description: The name of the interface to default route. - - name: received - type: group - fields: - - name: bytes - type: double - description: The bytes received on the interface. - - name: packets - type: double - description: The packets received on the interface. - - name: errors - type: double - description: The errors received on the interface. - - name: discards - type: double - description: The discards received on the interface. - - name: transmitted - type: group - fields: - - name: bytes - type: double - description: The bytes transmitted on the interface. - - name: packets - type: double - description: The packets transmitted on the interface. - - name: errors - type: double - description: The errors transmitted on the interface. - - name: discards - type: double - description: The discards transmitted on the interface. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/manifest.yml b/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/manifest.yml deleted file mode 100755 index befec42cb9..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/manifest.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -title: App Connector Status Logs -type: logs -streams: - - input: tcp - template_path: tcp.yml.hbs - title: Zscaler Private Access App Connector Status Logs - description: Collect Zscaler Private Access App Connector Status Logs using tcp input - vars: - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9015 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zscaler_zpa-app_connectors_status - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/sample_event.json b/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/sample_event.json deleted file mode 100755 index d54089c074..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/app_connector_status/sample_event.json +++ /dev/null 
@@ -1,135 +0,0 @@ -{ - "@timestamp": "2019-07-03T05:17:22.000Z", - "agent": { - "ephemeral_id": "5879b806-6298-48ab-89a6-19ddcf612162", - "hostname": "docker-fleet-agent", - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.2" - }, - "client": { - "nat": { - "ip": "10.0.0.1" - } - }, - "data_stream": { - "dataset": "zscaler_zpa.app_connector_status", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", - "snapshot": false, - "version": "7.16.2" - }, - "event": { - "agent_id_status": "verified", - "category": "package", - "dataset": "zscaler_zpa.app_connector_status", - "ingested": "2022-02-03T13:30:46Z", - "kind": "event", - "original": "{\"LogTimestamp\":\"Wed Jul 3 05:17:22 2019\",\"Customer\":\"Customer Name\",\"SessionID\":\"8A64Qwj9zCkfYDGJVoUZ\",\"SessionType\":\"ZPN_ASSISTANT_BROKER_CONTROL\",\"SessionStatus\":\"ZPN_STATUS_AUTHENTICATED\",\"Version\":\"19.20.3\",\"Platform\":\"el7\",\"ZEN\":\"US-NY-8179\",\"Connector\":\"Some App Connector\",\"ConnectorGroup\":\"Some App Connector Group\",\"PrivateIP\":\"10.0.0.4\",\"PublicIP\":\"0.0.0.0\",\"Latitude\":47,\"Longitude\":-122,\"CountryCode\":\"\",\"TimestampAuthentication\":\"2019-06-27T05:05:23.348Z\",\"TimestampUnAuthentication\":\"\",\"CPUUtilization\":1,\"MemUtilization\":20,\"ServiceCount\":2,\"InterfaceDefRoute\":\"eth0\",\"DefRouteGW\":\"10.0.0.1\",\"PrimaryDNSResolver\":\"168.63.129.16\",\"HostStartTime\":\"1513229995\",\"HostUpTime\":\"1513229995\",\"ConnectorUpTime\":\"1555920005\",\"ConnectorStartTime\":\"1555920005\",\"NumOfInterfaces\":2,\"BytesRxInterface\":319831966346,\"PacketsRxInterface\":1617569938,\"ErrorsRxInterface\":0,\"DiscardsRxInterface\":0,\"BytesTxInterface\":192958782635,\"PacketsTxInterface\":1797471190,\"ErrorsTxInterface\":0,\"DiscardsTxInterface\":0,\"TotalBytesRx\":10902554,\"TotalBytesTx\":48931771}", - "type": 
"info" - }, - "host": { - "cpu": { - "usage": 1 - }, - "network": { - "egress": { - "bytes": 48931771 - }, - "ingress": { - "bytes": 10902554 - } - } - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "172.21.0.7:33226" - } - }, - "observer": { - "geo": { - "location": { - "lat": 47, - "lon": -122 - } - }, - "ip": [ - "0.0.0.0" - ], - "os": { - "platform": "el7" - }, - "type": "forwarder", - "version": "19.20.3" - }, - "organization": { - "name": "Customer Name" - }, - "related": { - "ip": [ - "10.0.0.1", - "0.0.0.0", - "10.0.0.4", - "168.63.129.16" - ] - }, - "tags": [ - "forwarded", - "zscaler_zpa-app_connectors_status" - ], - "zscaler_zpa": { - "app_connector_status": { - "connector": { - "group": "Some App Connector Group", - "name": "Some App Connector" - }, - "connector_start_time": "2019-04-22T08:00:05.000Z", - "connector_up_time": "2019-04-22T08:00:05.000Z", - "host_start_time": "2017-12-14T05:39:55.000Z", - "host_up_time": "2017-12-14T05:39:55.000Z", - "interface": { - "name": "eth0", - "received": { - "bytes": 319831966346, - "discards": 0, - "errors": 0, - "packets": 1617569938 - }, - "transmitted": { - "bytes": 192958782635, - "discards": 0, - "errors": 0, - "packets": 1797471190 - } - }, - "memory": { - "utilization": 20 - }, - "num_of_interfaces": 2, - "primary_dns_resolver": "168.63.129.16", - "private_ip": "10.0.0.4", - "service": { - "count": 2 - }, - "session": { - "id": "8A64Qwj9zCkfYDGJVoUZ", - "status": "ZPN_STATUS_AUTHENTICATED", - "type": "ZPN_ASSISTANT_BROKER_CONTROL" - }, - "timestamp": { - "authentication": "2019-06-27T05:05:23.348Z" - }, - "zen": "US-NY-8179" - } - } -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/data_stream/audit/agent/stream/tcp.yml.hbs b/packages/zscaler_zpa/1.0.0/data_stream/audit/agent/stream/tcp.yml.hbs deleted file mode 100755 index 030459f258..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/audit/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,19 +0,0 @@ -tcp: -host: "{{listen_address}}:{{listen_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zscaler_zpa/1.0.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zpa/1.0.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index f013b24c63..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,276 +0,0 @@ ---- -description: Pipeline for Zscaler audit logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - date: - field: json.ModifiedTime - target_field: "@timestamp" - ignore_failure: true - formats: - - ISO8601 - - date: - field: json.CreationTime - target_field: "@timestamp" - if: ctx.json.ModifiedTime == "" - ignore_failure: true - formats: - - ISO8601 - - append: - field: event.category - value: iam - - set: - field: event.kind - value: event - - script: - if: ctx.json.AuditOperationType != null && ctx.json.AuditOperationType != "" - lang: painless - source: | - def eventType = ctx.json.AuditOperationType?.toLowerCase(); - ctx.event.type = new ArrayList(); - Map referenceTable = [ - "create": ["creation"], - "delete": ["deletion"], - "update": ["change"], - "sign in": ["access", "allowed"], - "sign in failure": ["access", "error"], - "download": ["info"], - "sign out": ["access"], - "client session revoked": ["end"] - ]; - - ctx.event.type = referenceTable[eventType]; - - rename: - field: json.RequestID - target_field: event.id - ignore_missing: true - - date: - field: json.CreationTime - target_field: event.created - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.CreationTime - ignore_missing: true - - rename: - field: json.CustomerID - target_field: organization.id - ignore_missing: true - - convert: - field: organization.id - type: string - ignore_missing: true - - rename: - field: json.ModifiedBy - target_field: user.id - ignore_missing: true - - convert: - field: user.id - type: string - ignore_missing: true - - rename: - field: json.User - target_field: user.name - ignore_missing: true - - rename: - field: json.SessionID - target_field: zscaler_zpa.audit.session.id - ignore_missing: true - - json: - field: json.AuditOldValue - target_field: json.AuditOldValue - 
ignore_failure: true - - json: - field: json.AuditNewValue - target_field: json.AuditNewValue - ignore_failure: true - - set: - field: zscaler_zpa.audit.value.old - copy_from: json.AuditOldValue - ignore_failure: true - - set: - field: zscaler_zpa.audit.value.new - copy_from: json.AuditNewValue - ignore_failure: true - - set: - field: zscaler_zpa.audit.object.type - copy_from: json.ObjectType - ignore_failure: true - - set: - field: zscaler_zpa.audit.object.name - copy_from: json.ObjectName - ignore_failure: true - - rename: - field: json.ClientAuditUpdate - target_field: zscaler_zpa.audit.client_audit_update - ignore_failure: true - - convert: - field: json.ObjectID - target_field: zscaler_zpa.audit.object.id - type: string - ignore_missing: true - - remove: - field: json.ObjectID - ignore_missing: true - - script: - lang: painless - description: Map the fields inside AuditNewValues and AuditOldValues to it's corresponding ECS Field-set. - if: ctx.json.ObjectType != null - source: | - def objectType = ctx.json.ObjectType?.toLowerCase(); - def operationType = ctx.json.AuditOperationType?.toLowerCase(); - def valuesMap; - - if (operationType == "delete" || operationType == "sign out") { - valuesMap = ctx.json.AuditOldValue; - } else if (operationType == "create" || operationType == "sign in" || operationType == "update") { - valuesMap = ctx.json.AuditNewValue; - } - - if (objectType == "administrator") { - ctx.user.target = new HashMap(); - ctx.user.target.roles = new ArrayList(); - def roles = (valuesMap?.roles == null) ? 
[] : new ArrayList(valuesMap?.roles); - ctx.user.target.email = valuesMap?.email; - for (int i = 0; i < roles.length; i++) { - ctx.user.target.roles.add(roles[i].name); - } - } else if (objectType == "app connector group") { - ctx.group = new HashMap(); - ctx.group.id = valuesMap?.id; - ctx.group.name = valuesMap?.name; - ctx.observer = new HashMap(); - ctx.observer.geo = new HashMap(); - ctx.observer.geo.location = new HashMap(); - ctx.observer.geo.location.lat = valuesMap?.latitude; - ctx.observer.geo.location.lon = valuesMap?.longitude; - ctx.observer.geo.city_name = valuesMap?.cityCountry; - ctx.observer.geo.country_name = valuesMap?.location; - } else if (objectType == "browser access") { - ctx.network = new HashMap(); - ctx.network.protocol = valuesMap?.applicationProtocol?.toLowerCase(); - } else if (objectType == "authentication") { - ctx.client = new HashMap(); - ctx.client.ip = valuesMap?.remoteIP; - } else if (objectType == "certificate") { - ctx.x509 = new HashMap(); - ctx.x509.issuer = new HashMap(); - ctx.x509.alternative_names = valuesMap?.subjectAlternateNames; - ctx.x509.issuer.common_name = valuesMap?.commonName; - ctx.x509.issuer.distinguished_name = valuesMap?.issuedTo; - } else if (objectType == "executive insights user") { - ctx.user = new HashMap(); - ctx.user.target = new HashMap(); - ctx.user.target.id = valuesMap?.id; - ctx.user.target.email = valuesMap?.email; - ctx.user.target.name = valuesMap?.name; - } else if (objectType == "idp certificate") { - ctx.x509 = new HashMap(); - ctx.x509.issuer = new HashMap(); - if (valuesMap?.creationTimeInSeconds != null) { - ctx.x509.not_before = Long.parseLong(valuesMap?.creationTimeInSeconds); - } - if (valuesMap?.expirationTimeInSeconds != null) { - ctx.x509.not_after = Long.parseLong(valuesMap?.expirationTimeInSeconds); - } - ctx.x509.issuer.common_name = valuesMap?.commonName; - } else if (objectType == "server") { - ctx.server = new HashMap(); - ctx.server.address = valuesMap?.domainOrIpAddress; 
- } - - append: - field: related.ip - value: "{{{client.ip}}}" - if: ctx?.client?.ip != null - allow_duplicates: false - ignore_failure: true - - convert: - field: server.address - target_field: server.ip - type: ip - ignore_failure: true - - append: - field: related.ip - value: "{{{server.ip}}}" - if: ctx?.server?.ip != null - allow_duplicates: false - ignore_failure: true - - date: - if: ctx?.x509?.not_after != null - field: x509.not_after - target_field: x509.not_after - ignore_failure: true - formats: - - UNIX - - date: - if: ctx?.x509?.not_before != null - field: x509.not_before - target_field: x509.not_before - ignore_failure: true - formats: - - UNIX - - rename: - field: json.AuditOperationType - target_field: zscaler_zpa.audit.operation_type - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - remove: - field: json.ObjectName - ignore_failure: true - - remove: - field: json.AuditNewValue - ignore_failure: true - - remove: - field: json.AuditOldValue - ignore_failure: true - - remove: - field: json.ModifiedTime - ignore_failure: true - - remove: - field: json.ObjectType - ignore_failure: true - - script: - description: Adds all the remaining fields in fields under zscaler_zpa.audit - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.zscaler_zpa?.audit[m.getKey()] = m.getValue(); - } - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || 
!(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/zscaler_zpa/1.0.0/data_stream/audit/fields/agent.yml b/packages/zscaler_zpa/1.0.0/data_stream/audit/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/audit/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/zscaler_zpa/1.0.0/data_stream/audit/fields/base-fields.yml b/packages/zscaler_zpa/1.0.0/data_stream/audit/fields/base-fields.yml deleted file mode 100755 index 05a4a1d0cc..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/audit/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: zscaler_zpa -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zscaler_zpa.audit diff --git a/packages/zscaler_zpa/1.0.0/data_stream/audit/fields/ecs.yml b/packages/zscaler_zpa/1.0.0/data_stream/audit/fields/ecs.yml deleted file mode 100755 index fa15a0792c..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/audit/fields/ecs.yml +++ /dev/null 
@@ -1,85 +0,0 @@ -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Unique identifier for the group on the system/platform. - name: group.id - type: keyword -- description: Name of the group. - name: group.name - type: keyword -- description: |- - In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. - The field value must be normalized to lowercase for querying. - name: network.protocol - type: keyword -- description: City name. - name: observer.geo.city_name - type: keyword -- description: Country name. - name: observer.geo.country_name - type: keyword -- description: Longitude and latitude. - level: core - name: observer.geo.location - type: geo_point -- description: Unique identifier for the organization. - name: organization.id - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Unique identifier of the user. - name: user.id - type: keyword -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: User email address. - name: user.target.email - type: keyword -- description: Unique identifier of the user. - name: user.target.id - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.target.name - type: keyword -- description: Array of user roles at the time of the event. - name: user.target.roles - type: keyword -- description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - name: x509.alternative_names - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: x509.issuer.common_name - type: keyword -- description: Distinguished name (DN) of issuing certificate authority. - name: x509.issuer.distinguished_name - type: keyword -- description: Time at which the certificate is no longer considered valid. - name: x509.not_after - type: date -- description: Time at which the certificate is first considered valid. - name: x509.not_before - type: date diff --git a/packages/zscaler_zpa/1.0.0/data_stream/audit/fields/fields.yml b/packages/zscaler_zpa/1.0.0/data_stream/audit/fields/fields.yml deleted file mode 100755 index 635cbfb9e0..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/audit/fields/fields.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -- name: zscaler_zpa.audit - type: group - fields: - - name: client_audit_update - type: long - description: | - The flag to represent if the event is a client Audit log. - - name: object - type: group - fields: - - name: id - type: keyword - description: | - The ID associated with the object name. - - name: name - type: keyword - description: | - The name of the object. This corresponds to the Resource Name in the Audit Log page. - - name: type - type: keyword - description: | - The location within the ZPA Admin Portal where the Action was performed. - - name: operation_type - type: keyword - description: | - The type of action performed. - - name: session.id - type: keyword - description: | - The ID for the administrator's session in the ZPA Admin Portal. This corresponds to a successful sign in action occurring. - - name: value - type: group - fields: - - name: new - type: flattened - description: | - The new value that was changed if the action type is create, sign in, or update. - - name: old - type: flattened - description: The previous value that was changed if the action type is delete, sign out, or update. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zpa/1.0.0/data_stream/audit/manifest.yml b/packages/zscaler_zpa/1.0.0/data_stream/audit/manifest.yml deleted file mode 100755 index 2d52b38a98..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/audit/manifest.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -title: Audit Logs -type: logs -streams: - - input: tcp - template_path: tcp.yml.hbs - title: Zscaler Private Access Audit Logs - description: Collect Zscaler Private Access audit logs using tcp input - vars: - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9016 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zscaler_zpa-audit - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zscaler_zpa/1.0.0/data_stream/audit/sample_event.json b/packages/zscaler_zpa/1.0.0/data_stream/audit/sample_event.json deleted file mode 100755 index d12e0465a8..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/audit/sample_event.json +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - "@timestamp": "2021-11-17T04:29:38.000Z", - "agent": { - "ephemeral_id": "75bcfb32-c04c-4455-88ed-41a659043c80", - "hostname": "docker-fleet-agent", - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.2" - }, - "data_stream": { - "dataset": "zscaler_zpa.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", - "snapshot": false, - "version": "7.16.2" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "iam" - ], - "created": "2021-11-17T04:29:38.000Z", - "dataset": "zscaler_zpa.audit", - "id": "11111111-1111-1111-1111-111111111111", - "ingested": "2022-02-03T13:32:04Z", - "kind": "event", - "type": [ - "creation" - ] - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "172.21.0.7:54030" - } - }, - "organization": { - "id": "98765432109876543" - }, - "related": { - "ip": [ - "1.0.0.1" - ] - }, - "server": { - "address": "1.0.0.1", - "ip": "1.0.0.1" - }, - "tags": [ - "forwarded", - "zscaler_zpa-audit" - ], - "user": { - "id": "12345678901234567", - "name": "zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com" - }, - "zscaler_zpa": { - "audit": { - "client_audit_update": 0, - "object": { - "id": "12345678901234567", - "name": "Some-Name", - "type": "Server" - }, - "operation_type": "Create", - "session": { - "id": "1idn23nlfm2q1txa5h3r4mep6" - }, - "value": { - "new": { - "description": "This is a description field", - "domainOrIpAddress": "1.0.0.1", - "enabled": "true", - "id": "72058340288495701", - "name": "Some-Name" - } - } - } - } -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/agent/stream/tcp.yml.hbs b/packages/zscaler_zpa/1.0.0/data_stream/browser_access/agent/stream/tcp.yml.hbs deleted file mode 100755 index 030459f258..0000000000 
--- a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -tcp: -host: "{{listen_address}}:{{listen_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zpa/1.0.0/data_stream/browser_access/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 2cedb9ec2f..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,306 +0,0 @@ ---- -description: Pipeline for Zscaler browser access logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - date: - field: json.LogTimestamp - target_field: "@timestamp" - ignore_failure: true - formats: - - E MMM dd HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - remove: - field: json.LogTimestamp - ignore_failure: true - - append: - field: event.category - value: network - - append: - field: event.category - value: session - - set: - field: event.kind - value: event - - set: - field: event.type - value: connection - - rename: - field: json.ConnectionReason - target_field: event.reason - ignore_missing: true - - rename: - field: json.ClientPublicIp - target_field: client.ip - ignore_missing: true - - geoip: - field: client.ip - target_field: client.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: client.ip - target_field: client.as - properties: - - asn - - organization_name - ignore_missing: true - - append: - field: related.ip - value: "{{{client.ip}}}" - if: ctx?.client?.ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.ClientPublicPort - target_field: client.port - ignore_missing: true - - rename: - field: json.RequestSize - target_field: http.request.body.bytes - ignore_missing: true - - rename: - field: json.Method - target_field: http.request.method - ignore_missing: true - - rename: - field: json.ResponseSize - target_field: http.response.body.bytes - ignore_missing: true - - rename: - field: json.StatusCode - target_field: http.response.status_code - ignore_missing: true - - rename: - field: json.Customer - target_field: organization.name - ignore_missing: true - - rename: - field: json.ApplicationPort - target_field: server.port - ignore_missing: true - - set: - field: server.address - copy_from: 
json.Host - ignore_failure: true - - script: - lang: painless - source: | - ctx.url = new HashMap(); - def protocol = ctx.json?.Protocol?.toLowerCase(); - def domain = ctx.json?.Host?.toLowerCase(); - def endpoint = ctx.json?.URL?.toLowerCase(); - if (protocol != null && domain != null && endpoint != null) { - ctx.url.full = protocol + "://" + domain + endpoint; - } - - uri_parts: - field: url.full - ignore_failure: true - - remove: - field: json.Host - ignore_missing: true - - remove: - field: json.URL - ignore_missing: true - - remove: - field: json.Protocol - ignore_missing: true - - user_agent: - field: json.UserAgent - ignore_missing: true - - remove: - field: json.UserAgent - ignore_missing: true - - rename: - field: json.NameID - target_field: user.name - ignore_missing: true - - rename: - field: json.ConnectionStatus - target_field: zscaler_zpa.browser_access.connection.status - ignore_missing: true - - rename: - field: json.ConnectionID - target_field: zscaler_zpa.browser_access.connection.id - ignore_missing: true - - rename: - field: json.Exporter - target_field: zscaler_zpa.browser_access.exporter - ignore_missing: true - - date: - field: json.TimestampRequestReceiveStart - target_field: zscaler_zpa.browser_access.timestamp.request.receive.start - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampRequestReceiveStart - ignore_failure: true - - date: - field: json.TimestampRequestReceiveHeaderFinish - target_field: zscaler_zpa.browser_access.timestamp.request.receive.header_finish - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampRequestReceiveHeaderFinish - ignore_failure: true - - date: - field: json.TimestampRequestReceiveFinish - target_field: zscaler_zpa.browser_access.timestamp.request.receive.finish - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampRequestReceiveFinish - ignore_failure: true - - date: - field: json.TimestampRequestTransmitStart - 
target_field: zscaler_zpa.browser_access.timestamp.request.transmit.start - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampRequestTransmitStart - ignore_failure: true - - date: - field: json.TimestampRequestTransmitFinish - target_field: zscaler_zpa.browser_access.timestamp.request.transmit.finish - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampRequestTransmitFinish - ignore_failure: true - - date: - field: json.TimestampResponseReceiveStart - target_field: zscaler_zpa.browser_access.timestamp.response.receive.start - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampResponseReceiveStart - ignore_failure: true - - date: - field: json.TimestampResponseReceiveFinish - target_field: zscaler_zpa.browser_access.timestamp.response.receive.finish - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampResponseReceiveFinish - ignore_failure: true - - date: - field: json.TimestampResponseTransmitStart - target_field: zscaler_zpa.browser_access.timestamp.response.transmit.start - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampResponseTransmitStart - ignore_failure: true - - date: - field: json.TimestampResponseTransmitFinish - target_field: zscaler_zpa.browser_access.timestamp.response.transmit.finish - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampResponseTransmitFinish - ignore_failure: true - - rename: - field: json.TotalTimeRequestReceive - target_field: zscaler_zpa.browser_access.total_time.request.receive - ignore_missing: true - - rename: - field: json.TotalTimeRequestTransmit - target_field: zscaler_zpa.browser_access.total_time.request.transmit - ignore_missing: true - - rename: - field: json.TotalTimeResponseReceive - target_field: zscaler_zpa.browser_access.total_time.response.receive - ignore_missing: true - - rename: - field: json.TotalTimeResponseTransmit - target_field: 
zscaler_zpa.browser_access.total_time.response.transmit - ignore_missing: true - - rename: - field: json.TotalTimeConnectionSetup - target_field: zscaler_zpa.browser_access.total_time.connection.setup - ignore_missing: true - - rename: - field: json.TotalTimeServerResponse - target_field: zscaler_zpa.browser_access.total_time.server.response - ignore_missing: true - - rename: - field: json.XFF - target_field: zscaler_zpa.browser_access.xff - ignore_missing: true - - convert: - field: json.ClientPrivateIp - target_field: zscaler_zpa.browser_access.client_private_ip - type: ip - ignore_failure: true - - append: - field: related.ip - value: "{{{zscaler_zpa.browser_access.client_private_ip}}}" - if: ctx?.zscaler_zpa?.browser_access?.client_private_ip != null - allow_duplicates: false - ignore_failure: true - - remove: - field: json.ClientPrivateIp - ignore_missing: true - - rename: - field: json.CorsToken - target_field: zscaler_zpa.browser_access.cors_token - ignore_missing: true - - rename: - field: json.Origin - target_field: zscaler_zpa.browser_access.origin - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - script: - description: Adds all the remaining fields in fields under zscaler_zpa.user_activity - lang: painless - if: ctx.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.zscaler_zpa.browser_access[m.getKey()] = m.getValue(); - } - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || 
!(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/fields/agent.yml b/packages/zscaler_zpa/1.0.0/data_stream/browser_access/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/fields/base-fields.yml b/packages/zscaler_zpa/1.0.0/data_stream/browser_access/fields/base-fields.yml deleted file mode 100755 index 26ea267ad3..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: zscaler_zpa -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zscaler_zpa.browser_access diff --git a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/fields/ecs.yml b/packages/zscaler_zpa/1.0.0/data_stream/browser_access/fields/ecs.yml deleted file mode 100755 index eca3b226a1..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/fields/ecs.yml +++ /dev/null 
@@ -1,135 +0,0 @@ -- description: City name. - name: client.geo.city_name - type: keyword -- description: Country name. - name: client.geo.country_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Name of the continent. - name: client.geo.continent_name - type: keyword -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Region ISO code. - name: client.geo.region_iso_code - type: keyword -- description: Longitude and latitude - name: client.geo.location - type: geo_point -- description: Region name. - name: client.geo.region_name - type: keyword -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: Port of the client. - name: client.port - type: long -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Size in bytes of the request body. - name: http.request.body.bytes - type: long -- description: |- - HTTP request method. - The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. - name: http.request.method - type: keyword -- description: Size in bytes of the response body. - name: http.response.body.bytes - type: long -- description: HTTP response status code. - name: http.response.status_code - type: long -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: organization.name - type: keyword -- description: |- - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. - Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - name: server.address - type: keyword -- description: Port of the server. - name: server.port - type: long -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: |- - Domain of the url, such as "www.elastic.co". - In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. - name: url.domain - type: keyword -- description: |- - The field contains the file extension from the original request url, excluding the leading dot. - The file extension is only set if it exists, as not every url has a file extension. - The leading period must not be included. For example, the value must be "png", not ".png". - Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). - name: url.extension - type: keyword -- description: |- - Unmodified original url as seen in the event source. - Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. - This field is meant to represent the URL as it was observed, complete or not. - multi_fields: - - name: text - type: match_only_text - name: url.original - type: wildcard -- description: Path of the request, such as "/search". - name: url.path - type: wildcard -- description: |- - Scheme of the request, such as "https". - Note: The `:` is not part of the scheme. - name: url.scheme - type: keyword -- description: Short name or login of the user. 
- multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: Name of the device. - name: user_agent.device.name - type: keyword -- description: Name of the user agent. - name: user_agent.name - type: keyword -- description: Unparsed user_agent string. - multi_fields: - - name: text - type: match_only_text - name: user_agent.original - type: keyword -- description: Operating system name, including the version or code name. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.full - type: keyword -- description: Operating system name, without the version. - multi_fields: - - name: text - type: match_only_text - name: user_agent.os.name - type: keyword -- description: Operating system version as a raw string. - name: user_agent.os.version - type: keyword -- description: Version of the user agent. - name: user_agent.version - type: keyword diff --git a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/fields/fields.yml b/packages/zscaler_zpa/1.0.0/data_stream/browser_access/fields/fields.yml deleted file mode 100755 index d29515193f..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/fields/fields.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -- name: zscaler_zpa.browser_access - type: group - fields: - - name: client_private_ip - type: ip - description: | - The private IP address of the user's device. - - name: connection - type: group - fields: - - name: id - type: keyword - description: | - The application connection ID. - - name: status - type: keyword - description: | - The status of the connection. - - name: cors_token - type: keyword - description: | - The token from the CORS request. - - name: exporter - type: keyword - description: | - The Browser Access Service instance to ZPA Public Service Edge or ZPA Private Service Edge instance. - - name: origin - type: keyword - description: | - The Browser Access domain that led to the origination of the CORS request. - - name: timestamp - type: group - fields: - - name: request - type: group - fields: - - name: receive - type: group - fields: - - name: finish - type: date - description: | - Timestamp in microseconds when Browser Access Service received the last byte of the HTTP request from web browser. - - name: header_finish - type: date - description: | - Timestamp in microseconds when Browser Access Service received the last byte of the HTTP header corresponding to the request from web browser. - - name: start - type: date - description: | - Timestamp in microseconds when Browser Access Service received the first byte of the HTTP request from web browser. - - name: transmit - type: group - fields: - - name: finish - type: date - description: | - Timestamp in microseconds when Browser Access Service sent the last byte of the HTTP request to the web server. - - name: start - type: date - description: | - Timestamp in microseconds when Browser Access Service sent the first byte of the HTTP request to the web server. 
- - name: response - type: group - fields: - - name: receive - type: group - fields: - - name: finish - type: date - description: | - Timestamp in microseconds when Browser Access Service received the last byte of the HTTP response from the web server. - - name: start - type: date - description: | - Timestamp in microseconds when Browser Access Service received the first byte of the HTTP response from the web server. - - name: transmit - type: group - fields: - - name: finish - type: date - description: | - Timestamp in microseconds when Browser Access Service sent the last byte of the HTTP response to the web browser. - - name: start - type: date - description: | - Timestamp in microseconds when Browser Access Service sent the first byte of the HTTP response to the web browser. - - name: total_time - type: group - fields: - - name: connection.setup - type: long - description: | - Time difference between reception of the first byte of the HTTP request from web browser and transmission of the first byte towards the web server, as seen by the Browser Access Service. - - name: request - type: group - fields: - - name: receive - type: long - description: | - Time difference between reception of the first and last byte of the HTTP request from the web browser as seen by the Browser Access Service. - - name: transmit - type: long - description: | - Time difference between transmission of the first and last byte of the HTTP request towards the web server as seen by the Browser Access Service. - - name: response - type: group - fields: - - name: receive - type: long - description: | - Time difference between reception of the first and last byte of the HTTP response from the web server as seen by the Browser Access Service. - - name: transmit - type: long - description: | - Time difference between transmission of the first and last byte of the HTTP request towards the web server as seen by the Browser Access Service. 
- - name: server.response - type: long - description: | - Time difference between transmission of the last byte of the HTTP request towards the web server and reception of the first byte of the HTTP response from web server, as seen by the Browser Access Service. - - name: xff - type: keyword - description: |- - The X-Forwarded-For (XFF) HTTP header. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/manifest.yml b/packages/zscaler_zpa/1.0.0/data_stream/browser_access/manifest.yml deleted file mode 100755 index 45508b1952..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/manifest.yml +++ /dev/null @@ -1,41 +0,0 @@ -title: Browser Access Logs -type: logs -streams: - - input: tcp - template_path: tcp.yml.hbs - title: Zscaler Private Access Browser Access Logs - description: Collect Zscaler Private Access Browser Access Logs using tcp input - vars: - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9017 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zscaler_zpa-browser_access - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
diff --git a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/sample_event.json b/packages/zscaler_zpa/1.0.0/data_stream/browser_access/sample_event.json deleted file mode 100755 index b01dbb2515..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/browser_access/sample_event.json +++ /dev/null 
@@ -1,158 +0,0 @@ -{ - "@timestamp": "2019-07-03T05:12:25.000Z", - "agent": { - "ephemeral_id": "10484a2f-b664-42ef-a849-7386c8257491", - "hostname": "docker-fleet-agent", - "id": "acf7dca8-817d-4681-bad3-1cc9bfefc49c", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.2" - }, - "client": { - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.144", - "port": 60006 - }, - "data_stream": { - "dataset": "zscaler_zpa.browser_access", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "acf7dca8-817d-4681-bad3-1cc9bfefc49c", - "snapshot": false, - "version": "7.16.2" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network", - "session" - ], - "dataset": "zscaler_zpa.browser_access", - "ingested": "2022-02-14T07:28:10Z", - "kind": "event", - "type": "connection" - }, - "http": { - "request": { - "body": { - "bytes": 615 - }, - "method": "GET" - }, - "response": { - "body": { - "bytes": 331 - }, - "status_code": 304 - } - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "172.26.0.7:47148" - } - }, - "organization": { - "name": "ANZ Team/zdemo in beta" - }, - "related": { - "ip": [ - "81.2.69.144", - "81.2.69.193" - ] - }, - "server": { - "address": "portal.beta.zdemo.net", - "port": 443 - }, - "tags": [ - "forwarded", - "zscaler_zpa-browser_access" - ], - "url": { - "domain": "portal.beta.zdemo.net", - "extension": "woff", - "original": "https://portal.beta.zdemo.net/media/regular.woff", - "path": "/media/regular.woff", - "scheme": "https" - }, - "user": { - "name": "admin@zdemo.net" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Safari", - "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) 
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15", - "os": { - "full": "Mac OS X 10.14.5", - "name": "Mac OS X", - "version": "10.14.5" - }, - "version": "12.1.1" - }, - "zscaler_zpa": { - "browser_access": { - "client_private_ip": "81.2.69.193", - "exporter": "unset", - "timestamp": { - "request": { - "receive": { - "finish": "2019-07-03T05:12:25.723Z", - "header_finish": "2019-07-03T05:12:25.723Z", - "start": "2019-07-03T05:12:25.723Z" - }, - "transmit": { - "finish": "2019-07-03T05:12:25.790Z", - "start": "2019-07-03T05:12:25.790Z" - } - }, - "response": { - "receive": { - "finish": "2019-07-03T05:12:25.791Z", - "start": "2019-07-03T05:12:25.791Z" - }, - "transmit": { - "finish": "2019-07-03T05:12:25.791Z", - "start": "2019-07-03T05:12:25.791Z" - } - } - }, - "total_time": { - "connection": { - "setup": 66995 - }, - "request": { - "receive": 127, - "transmit": 21 - }, - "response": { - "receive": 73, - "transmit": 13 - }, - "server": { - "response": 1349 - } - } - } - } -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/agent/stream/tcp.yml.hbs b/packages/zscaler_zpa/1.0.0/data_stream/user_activity/agent/stream/tcp.yml.hbs deleted file mode 100755 index 030459f258..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -tcp: -host: "{{listen_address}}:{{listen_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zpa/1.0.0/data_stream/user_activity/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 689b5a60ac..0000000000 
--- a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,444 +0,0 @@ ---- -description: Pipeline for Zscaler user activity logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - date: - field: json.LogTimestamp - target_field: "@timestamp" - ignore_failure: true - formats: - - E MMM dd HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - remove: - field: json.LogTimestamp - ignore_failure: true - - set: - field: event.category - value: iam - - set: - field: event.kind - value: event - - append: - field: event.type - value: info - - append: - field: event.type - value: user - - rename: - field: json.Username - target_field: user.name - ignore_missing: true - - rename: - field: json.ClientCountryCode - target_field: client.geo.country_iso_code - ignore_missing: true - - rename: - field: json.ClientLatitude - target_field: client.geo.location.lat - ignore_missing: true - - rename: - field: json.ClientLongitude - target_field: client.geo.location.lon - ignore_missing: true - - convert: - field: json.ClientPublicIP - target_field: client.ip - type: ip - ignore_failure: true - - remove: - field: json.ClientPublicIP - ignore_missing: true - - append: - field: related.ip - value: "{{{client.ip}}}" - if: ctx?.client?.ip != null - allow_duplicates: false - ignore_failure: true - - set: - field: host.domain - copy_from: json.Host - ignore_failure: true - - convert: - field: host.domain - target_field: host.ip - type: ip - ignore_missing: true - ignore_failure: true - - append: - field: related.hosts - value: "{{{host.domain}}}" - if: ctx?.host?.ip == null - allow_duplicates: false - ignore_failure: true - - remove: - field: host.domain - if: ctx?.host?.ip != null - - remove: - field: json.Host - ignore_missing: true - - append: - field: related.ip - value: "{{{host.ip}}}" - if: ctx?.host?.ip != null - allow_duplicates: false - ignore_failure: true - - script: 
- lang: painless - if: ctx?.json?.IPProtocol != null && ctx?.json?.IPProtocol != '' - source: | - ctx.network = new HashMap(); - ctx.network.type = (ctx.json.IPProtocol == 4 ? 'ipv4' : 'ipv6'); - - remove: - field: json.IPProtocol - ignore_failure: true - - rename: - field: json.Customer - target_field: organization.name - ignore_missing: true - - rename: - field: json.ServerIP - target_field: server.ip - ignore_missing: true - - append: - field: related.ip - value: "{{{server.ip}}}" - if: ctx?.server?.ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.ServerPort - target_field: server.port - ignore_missing: true - - rename: - field: json.ClientZEN - target_field: zscaler_zpa.user_activity.zen.client.domain - ignore_missing: true - - append: - field: related.hosts - value: "{{{zscaler_zpa.user_activity.zen.client.domain}}}" - if: ctx?.zscaler_zpa?.user_activity?.zen?.client?.domain != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.ConnectorZEN - target_field: zscaler_zpa.user_activity.zen.connector.domain - ignore_missing: true - - append: - field: related.hosts - value: "{{{zscaler_zpa.user_activity.zen.connector.domain}}}" - if: ctx?.zscaler_zpa?.user_activity?.zen?.connector?.domain != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.SessionID - target_field: zscaler_zpa.user_activity.session_id - ignore_missing: true - - rename: - field: json.ConnectionID - target_field: zscaler_zpa.user_activity.connection.id - ignore_missing: true - - rename: - field: json.InternalReason - target_field: zscaler_zpa.user_activity.internal_reason - ignore_missing: true - - rename: - field: json.ConnectionStatus - target_field: zscaler_zpa.user_activity.connection.status - ignore_missing: true - - rename: - field: json.DoubleEncryption - target_field: zscaler_zpa.user_activity.double_encryption - ignore_missing: true - - rename: - field: json.ServicePort - target_field: 
zscaler_zpa.user_activity.service_port - ignore_missing: true - - convert: - field: json.ClientPrivateIP - target_field: zscaler_zpa.user_activity.client_private_ip - type: ip - ignore_failure: true - - remove: - field: json.ClientPrivateIP - ignore_missing: true - - append: - field: related.ip - value: "{{{zscaler_zpa.user_activity.client_private_ip}}}" - if: ctx?.zscaler_zpa?.user_activity?.client_private_ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.Policy - target_field: zscaler_zpa.user_activity.policy.name - ignore_missing: true - - rename: - field: json.Connector - target_field: zscaler_zpa.user_activity.connector.name - ignore_missing: true - - convert: - field: json.ConnectorIP - target_field: zscaler_zpa.user_activity.connector.ip - type: ip - ignore_failure: true - - append: - field: related.ip - value: "{{{zscaler_zpa.user_activity.connector.ip}}}" - if: ctx?.zscaler_zpa?.user_activity?.connector?.ip != null - allow_duplicates: false - ignore_failure: true - - remove: - field: json.ConnectorIP - ignore_failure: true - - rename: - field: json.ConnectorPort - target_field: zscaler_zpa.user_activity.connector.port - ignore_missing: true - - rename: - field: json.Application - target_field: zscaler_zpa.user_activity.application - ignore_missing: true - - rename: - field: json.AppGroup - target_field: zscaler_zpa.user_activity.app_group - ignore_missing: true - - rename: - field: json.Server - target_field: zscaler_zpa.user_activity.server - ignore_missing: true - - rename: - field: json.PolicyProcessingTime - target_field: zscaler_zpa.user_activity.policy.processing_time - ignore_missing: true - - rename: - field: json.CAProcessingTime - target_field: zscaler_zpa.user_activity.ca_processing_time - ignore_missing: true - - rename: - field: json.ConnectorZENSetupTime - target_field: zscaler_zpa.user_activity.connector_zen_setup_time - ignore_missing: true - - rename: - field: json.ConnectionSetupTime - target_field: 
zscaler_zpa.user_activity.connection.setup_time - ignore_missing: true - - rename: - field: json.ServerSetupTime - target_field: zscaler_zpa.user_activity.server_setup_time - ignore_missing: true - - rename: - field: json.AppLearnTime - target_field: zscaler_zpa.user_activity.app_learn_time - ignore_missing: true - - date: - field: json.TimestampConnectionStart - target_field: zscaler_zpa.user_activity.timestamp.connection.start - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampConnectionStart - ignore_failure: true - - date: - field: json.TimestampConnectionEnd - target_field: zscaler_zpa.user_activity.timestamp.connection.end - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampConnectionEnd - ignore_failure: true - - date: - field: json.TimestampCATx - target_field: zscaler_zpa.user_activity.timestamp.ca.tx - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampCATx - ignore_failure: true - - date: - field: json.TimestampCARx - target_field: zscaler_zpa.user_activity.timestamp.ca.rx - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampCARx - ignore_failure: true - - date: - field: json.TimestampAppLearnStart - target_field: zscaler_zpa.user_activity.timestamp.app_learn_start - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampAppLearnStart - ignore_failure: true - - date: - field: json.TimestampZENFirstRxClient - target_field: zscaler_zpa.user_activity.timestamp.zen.client.rx.first - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampZENFirstRxClient - ignore_failure: true - - date: - field: json.TimestampZENFirstTxClient - target_field: zscaler_zpa.user_activity.timestamp.zen.client.tx.first - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampZENFirstTxClient - ignore_failure: true - - date: - field: json.TimestampZENLastRxClient - target_field: 
zscaler_zpa.user_activity.timestamp.zen.client.rx.last - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampZENLastRxClient - ignore_failure: true - - date: - field: json.TimestampZENLastTxClient - target_field: zscaler_zpa.user_activity.timestamp.zen.client.tx.last - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampZENLastTxClient - ignore_failure: true - - date: - field: json.TimestampConnectorZENSetupComplete - target_field: zscaler_zpa.user_activity.timestamp.connector_zen.setup_complete - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampConnectorZENSetupComplete - ignore_failure: true - - date: - field: json.TimestampZENFirstRxConnector - target_field: zscaler_zpa.user_activity.timestamp.zen.connector.rx.first - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampZENFirstRxConnector - ignore_failure: true - - date: - field: json.TimestampZENFirstTxConnector - target_field: zscaler_zpa.user_activity.timestamp.zen.connector.tx.first - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampZENFirstTxConnector - ignore_failure: true - - date: - field: json.TimestampZENLastRxConnector - target_field: zscaler_zpa.user_activity.timestamp.zen.connector.rx.last - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampZENLastRxConnector - ignore_failure: true - - date: - field: json.TimestampZENLastTxConnector - target_field: zscaler_zpa.user_activity.timestamp.zen.connector.tx.last - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampZENLastTxConnector - ignore_failure: true - - rename: - field: json.ZENTotalBytesRxClient - target_field: zscaler_zpa.user_activity.zen.client.total.bytes_rx - ignore_missing: true - - rename: - field: json.ZENBytesRxClient - target_field: zscaler_zpa.user_activity.zen.client.bytes_rx - ignore_missing: true - - rename: - field: 
json.ZENTotalBytesTxClient - target_field: zscaler_zpa.user_activity.zen.client.total.bytes_tx - ignore_missing: true - - rename: - field: json.ZENBytesTxClient - target_field: zscaler_zpa.user_activity.zen.client.bytes_tx - ignore_missing: true - - rename: - field: json.ZENTotalBytesRxConnector - target_field: zscaler_zpa.user_activity.zen.connector.total.bytes_rx - ignore_missing: true - - rename: - field: json.ZENBytesRxConnector - target_field: zscaler_zpa.user_activity.zen.connector.bytes_rx - ignore_missing: true - - rename: - field: json.ZENTotalBytesTxConnector - target_field: zscaler_zpa.user_activity.zen.connector.total.bytes_tx - ignore_missing: true - - rename: - field: json.ZENBytesTxConnector - target_field: zscaler_zpa.user_activity.zen.connector.bytes_tx - ignore_missing: true - - rename: - field: json.ClientToClient - target_field: zscaler_zpa.user_activity.client_to_client - ignore_missing: true - - rename: - field: json.Idp - target_field: zscaler_zpa.user_activity.idp - ignore_missing: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - script: - description: Adds all the remaining fields in fields under zscaler_zpa.user_activity - lang: painless - if: ctx.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.zscaler_zpa.user_activity[m.getKey()] = m.getValue(); - } - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - 
ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/fields/agent.yml b/packages/zscaler_zpa/1.0.0/data_stream/user_activity/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/fields/base-fields.yml b/packages/zscaler_zpa/1.0.0/data_stream/user_activity/fields/base-fields.yml deleted file mode 100755 index 31eec69bf4..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: zscaler_zpa -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zscaler_zpa.user_activity diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/fields/ecs.yml b/packages/zscaler_zpa/1.0.0/data_stream/user_activity/fields/ecs.yml deleted file mode 100755 index bbfd5ea92b..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/fields/ecs.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - level: core - name: client.geo.location - type: geo_point -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: |- - In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc - The field value must be normalized to lowercase for querying. - name: network.type - type: keyword -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: organization.name - type: keyword -- description: IP address of the server (IPv4 or IPv6). - name: server.ip - type: ip -- description: Port of the server. - name: server.port - type: long -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/fields/fields.yml b/packages/zscaler_zpa/1.0.0/data_stream/user_activity/fields/fields.yml deleted file mode 100755 index 8e0f0d6da7..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/fields/fields.yml +++ /dev/null 
@@ -1,244 +0,0 @@ -- name: zscaler_zpa.user_activity - type: group - fields: - - name: app_group - type: keyword - description: | - The application group name. - - name: app_learn_time - type: long - description: | - Time in microseconds taken for App Connectors to learn about the requested application and report the learned information to the central authority. - - name: application - type: keyword - description: | - The application name. - - name: ca_processing_time - type: long - description: | - Time in microseconds taken for processing in the central authority. - - name: client_to_client - type: keyword - description: | - The status of the client-to-client connection. - - name: client_private_ip - type: ip - description: | - The private IP address of the Zscaler Client Connector. - - name: connection - type: group - fields: - - name: id - type: keyword - description: | - The application connection ID. - - name: setup_time - type: long - description: | - Time taken by the App Connector to process a notification from the App Connector selection microservice and set up the connection to the application server. - - name: status - type: keyword - description: | - The status of the connection. The expected values for this field are: [ Open, Close, Active ]. - - name: connector - type: group - fields: - - name: ip - type: ip - description: | - The source IP address of the App Connector. - - name: name - type: keyword - description: | - The App Connector name. - - name: port - type: integer - description: | - The source port of the App Connector. - - name: connector_zen_setup_time - type: long - description: | - Time in microseconds taken for setting up connection between App Connector and ZPA Public Service Edge or ZPA Private Service Edge. - - name: double_encryption - type: integer - description: | - The double encryption status. - - name: idp - type: keyword - description: | - The name of the identity provider (IdP) as configured in the ZPA Admin Portal. 
- - name: internal_reason - type: keyword - description: | - The internal reason for the status of the transaction. - - name: policy - type: group - fields: - - name: name - type: keyword - description: | - The access policy or timeout policy rule name. - - name: processing_time - type: long - description: | - Time in microseconds taken for processing the access policy associated with the application. - - name: server - type: keyword - description: | - The server ID name. The server ID must be set to zero if dynamic server discovery is enabled. - - name: server_setup_time - type: long - description: | - Time in microseconds taken for setting up connection at server. - - name: service_port - type: integer - description: | - The destination port of the server. - - name: session_id - type: keyword - description: | - The TLS session ID. - - name: timestamp - type: group - fields: - - name: app_learn_start - type: keyword - description: | - Time in microseconds taken for App Connectors to learn about the requested application and report the learned information to the central authority. - - name: ca - type: group - fields: - - name: rx - type: date - description: | - Timestamp in microseconds when the central authority received request from ZPA Public Service Edge or ZPA Private Service Edge. - - name: tx - type: date - description: | - Timestamp in microseconds when the central authority sent request to ZPA Public Service Edge or ZPA Private Service Edge. - - name: connection - type: group - fields: - - name: end - type: date - description: | - Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge terminated the connection. - - name: start - type: date - description: | - Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the initial request from Zscaler Client Connector to start the connection. 
- - name: connector_zen.setup_complete - type: date - description: | - Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received request from App Connector to set up data connection. The request from the App Connector is triggered by the initial request for a specific application from the Zscaler Client Connector. - - name: zen - type: group - fields: - - name: client - type: group - fields: - - name: rx - type: group - fields: - - name: first - type: date - description: | - Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the first byte from the Zscaler Client Connector. - - name: last - type: date - description: | - Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the last byte from the Zscaler Client Connector. - - name: tx - type: group - fields: - - name: first - type: date - description: | - Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the first byte to the Zscaler Client Connector. - - name: last - type: date - description: | - Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the last byte to the Zscaler Client Connector. - - name: connector - type: group - fields: - - name: rx - type: group - fields: - - name: first - type: date - description: | - Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the first byte from the App Connector. - - name: last - type: date - description: | - Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the last byte from the App Connector. - - name: tx - type: group - fields: - - name: first - type: date - description: | - Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the first byte to the App Connector. 
- - name: last - type: date - description: | - Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the last byte to the App Connector. - - name: zen - type: group - fields: - - name: client - type: group - fields: - - name: domain - type: keyword - description: | - The ZPA Public Service Edge (formerly Zscaler Enforcement Node or ZEN) or ZPA Private Service Edge that received the request from the Zscaler Client Connector. - - name: bytes_rx - type: long - description: | - The additional bytes received from the Zscaler Client Connector since the last transaction log. - - name: bytes_tx - type: long - description: | - The additional bytes transmitted to the Zscaler Client Connector since the last transaction log. - - name: total - type: group - fields: - - name: bytes_rx - type: long - description: | - The total bytes received from the Zscaler Client Connector by the ZPA Public Service Edge or ZPA Private Service Edge. - - name: bytes_tx - type: long - description: | - The total bytes transmitted to the Zscaler Client Connector from the ZPA Public Service Edge or ZPA Private Service Edge. - - name: connector - type: group - fields: - - name: domain - type: keyword - description: | - The ZPA Public Service Edge or ZPA Private Service Edge that sent the request from the App Connector. - - name: bytes_rx - type: long - description: | - The additional bytes received from the App Connector since the last transaction log. - - name: bytes_tx - type: long - description: | - The additional bytes transmitted by the App Connector since the last transaction log. - - name: total - type: group - fields: - - name: bytes_rx - type: long - description: | - The total bytes received from the App Connector by the ZPA Public Service Edge or ZPA Private Service Edge. - - name: bytes_tx - type: long - description: |- - The total bytes transmitted to the App Connector from the ZPA Public Service Edge or ZPA Private Service Edge. 
-- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/manifest.yml b/packages/zscaler_zpa/1.0.0/data_stream/user_activity/manifest.yml deleted file mode 100755 index df6b66c514..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/manifest.yml +++ /dev/null @@ -1,41 +0,0 @@ -title: User Activity Logs -type: logs -streams: - - input: tcp - template_path: tcp.yml.hbs - title: Zscaler Private Access User Activity Logs - description: Collect Zscaler Private Access User Activity Logs using tcp input - vars: - - name: listen_port - type: integer - title: Listen Port - description: The TCP port number to listen on. - multi: false - required: true - show_user: true - default: 9018 - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: false - default: - - forwarded - - zscaler_zpa-user_activity - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/sample_event.json b/packages/zscaler_zpa/1.0.0/data_stream/user_activity/sample_event.json deleted file mode 100755 index bbe9478dc5..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/user_activity/sample_event.json +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "@timestamp": "2019-05-31T17:35:42.000Z", - "agent": { - "ephemeral_id": "2686f611-4bf3-4df9-8934-843cbd32d161", - "hostname": "docker-fleet-agent", - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.2" - }, - "client": { - "geo": { - "country_iso_code": "US", - "location": { - "lat": 45, - "lon": -119 - } - }, - "ip": "81.2.69.193" - }, - "data_stream": { - "dataset": "zscaler_zpa.user_activity", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", - "snapshot": false, - "version": "7.16.2" - }, - "event": { - "agent_id_status": "verified", - "category": "iam", - "dataset": "zscaler_zpa.user_activity", - "ingested": "2022-02-03T13:34:37Z", - "kind": "event", - "type": [ - "info", - "user" - ] - }, - "host": { - "ip": "175.16.199.1" - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "172.21.0.7:59296" - } - }, - "network": { - "type": "ipv6" - }, - "organization": { - "name": "Customer XYZ" - }, - "related": { - "hosts": [ - "broker2b.pdx" - ], - "ip": [ - "81.2.69.193", - "175.16.199.1", - "67.43.156.12" - ] - }, - "server": { - "ip": "175.16.199.1", - "port": 10011 - }, - "tags": [ - "forwarded", - "zscaler_zpa-user_activity" - ], - "user": { - "name": "ZPA LSS Client" - }, - "zscaler_zpa": { - "user_activity": { - "app_group": "ABC Lab Apps", - "app_learn_time": 0, - "application": "ABC Lab Apps", - "ca_processing_time": 1330, - "client_to_client": "0", - "connection": { - "id": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm", - "setup_time": 192397, - "status": "active" - }, - "connector": { - "ip": "67.43.156.12", - "name": "ZDEMO ABC", - "port": 60266 - }, - "connector_zen_setup_time": 191017, - "double_encryption": 0, - "idp": "Example IDP Config", - "policy": { - "name": "ABC Lab Apps", - "processing_time": 28 - }, - "server": "0", - 
"server_setup_time": 465, - "service_port": 10011, - "session_id": "LHJdkjmNDf12nclBsvwA", - "timestamp": { - "ca": { - "rx": "2019-05-30T08:20:42.231Z", - "tx": "2019-05-30T08:20:42.230Z" - }, - "connection": { - "start": "2019-05-30T08:20:42.230Z" - }, - "connector_zen": { - "setup_complete": "2019-05-30T08:20:42.422Z" - }, - "zen": { - "client": { - "rx": { - "first": "2019-05-30T08:20:42.424Z", - "last": "2019-05-31T17:34:27.348Z" - } - }, - "connector": { - "tx": { - "first": "2019-05-30T08:20:42.424Z", - "last": "2019-05-31T17:34:27.348Z" - } - } - } - }, - "zen": { - "client": { - "bytes_rx": 7115, - "bytes_tx": 0, - "domain": "broker2b.pdx", - "total": { - "bytes_rx": 2406926, - "bytes_tx": 0 - } - }, - "connector": { - "bytes_rx": 0, - "bytes_tx": 7115, - "domain": "broker2b.pdx", - "total": { - "bytes_rx": 0, - "bytes_tx": 2406926 - } - } - } - } - } -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_status/agent/stream/tcp.yml.hbs b/packages/zscaler_zpa/1.0.0/data_stream/user_status/agent/stream/tcp.yml.hbs deleted file mode 100755 index 030459f258..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/user_status/agent/stream/tcp.yml.hbs +++ /dev/null @@ -1,19 +0,0 @@ -tcp: -host: "{{listen_address}}:{{listen_port}}" -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -{{#if ssl}} -ssl: {{ssl}} -{{/if}} -{{#if processors}} -processors: -{{processors}} -{{/if}} diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_status/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zpa/1.0.0/data_stream/user_status/elasticsearch/ingest_pipeline/default.yml deleted file mode 100755 index 6412e4ae12..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/user_status/elasticsearch/ingest_pipeline/default.yml +++ /dev/null 
@@ -1,239 +0,0 @@ ---- -description: Pipeline for Zscaler user status logs -processors: - - set: - field: ecs.version - value: '8.2.0' - - rename: - field: message - target_field: event.original - ignore_missing: true - - json: - field: event.original - target_field: json - - date: - field: json.LogTimestamp - target_field: "@timestamp" - ignore_failure: true - formats: - - E MMM dd HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - E MMM d HH:mm:ss yyyy - - remove: - field: json.LogTimestamp - ignore_failure: true - - set: - field: event.category - value: iam - - set: - field: event.kind - value: state - - append: - field: event.type - value: info - - append: - field: event.type - value: user - - rename: - field: json.CountryCode - target_field: client.geo.country_iso_code - ignore_missing: true - - rename: - field: json.Latitude - target_field: client.geo.location.lat - ignore_missing: true - - rename: - field: json.Longitude - target_field: client.geo.location.lon - ignore_missing: true - - rename: - field: json.PublicIP - target_field: client.ip - ignore_missing: true - - append: - field: related.ip - value: "{{{client.ip}}}" - if: ctx?.client?.ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.Hostname - target_field: host.hostname - ignore_missing: true - - rename: - field: json.Platform - target_field: host.os.platform - ignore_missing: true - - rename: - field: json.Customer - target_field: organization.name - ignore_missing: true - - append: - field: related.hosts - value: "{{{server.domain}}}" - if: ctx?.server?.domain != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.ZENCountryCode - target_field: server.geo.country_iso_code - ignore_missing: true - - rename: - field: json.ZENLatitude - target_field: server.geo.location.lat - ignore_missing: true - - rename: - field: json.ZENLongitude - target_field: server.geo.location.lon - ignore_missing: true - - rename: - field: json.Username - 
target_field: user.name - ignore_missing: true - - rename: - field: json.CertificateCN - target_field: x509.issuer.common_name - ignore_missing: true - - rename: - field: json.SessionID - target_field: zscaler_zpa.user_status.session.id - ignore_missing: true - - rename: - field: json.SessionStatus - target_field: zscaler_zpa.user_status.session.status - ignore_missing: true - - rename: - field: json.Version - target_field: zscaler_zpa.user_status.version - ignore_missing: true - - rename: - field: json.ZEN - target_field: zscaler_zpa.user_status.zen.domain - ignore_missing: true - - convert: - field: json.PrivateIP - target_field: zscaler_zpa.user_status.private_ip - type: ip - ignore_failure: true - - append: - field: related.ip - value: "{{{zscaler_zpa.user_status.private_ip}}}" - if: ctx?.zscaler_zpa?.user_status?.private_ip != null - allow_duplicates: false - ignore_failure: true - - date: - field: json.TimestampAuthentication - target_field: zscaler_zpa.user_status.timestamp.authentication - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampAuthentication - ignore_missing: true - - date: - field: json.TimestampUnAuthentication - target_field: zscaler_zpa.user_status.timestamp.unauthentication - ignore_failure: true - formats: - - ISO8601 - - remove: - field: json.TimestampUnAuthentication - ignore_missing: true - - rename: - field: json.TotalBytesRx - target_field: zscaler_zpa.user_status.total.bytes_rx - ignore_missing: true - - rename: - field: json.TotalBytesTx - target_field: zscaler_zpa.user_status.total.bytes_tx - ignore_missing: true - - rename: - field: json.Idp - target_field: zscaler_zpa.user_status.idp - ignore_missing: true - - rename: - field: json.ClientType - target_field: zscaler_zpa.user_status.client.type - ignore_missing: true - - rename: - field: json.TrustedNetworks - target_field: zscaler_zpa.user_status.trusted_networks - ignore_missing: true - - rename: - field: json.TrustedNetworksNames - target_field: 
zscaler_zpa.user_status.trusted_networks_names - ignore_missing: true - - script: - source: | - ctx.zscaler_zpa.user_status.fqdn = new HashMap(); - ctx.zscaler_zpa.user_status.fqdn.registered = (ctx.json.FQDNRegistered != "0"); - if: ctx.json.FQDNRegistered != null - ignore_failure: true - - remove: - field: json.FQDNRegistered - ignore_missing: true - - rename: - field: json.FQDNRegisteredError - target_field: zscaler_zpa.user_status.fqdn.registered_error - ignore_missing: true - - split: - field: json.SAMLAttributes - target_field: zscaler_zpa.user_status.saml_attributes - separator: ',' - ignore_failure: true - - remove: - field: json.SAMLAttributes - ignore_failure: true - - split: - field: json.PosturesHit - target_field: zscaler_zpa.user_status.postures.hit - separator: ',' - ignore_failure: true - - remove: - field: json.PosturesHit - ignore_failure: true - - split: - field: json.PosturesMiss - target_field: zscaler_zpa.user_status.postures.miss - separator: ',' - ignore_failure: true - - remove: - field: json.PosturesMiss - ignore_failure: true - - script: - description: Drops null/empty values recursively - lang: painless - source: | - boolean dropEmptyFields(Object object) { - if (object == null || object == "") { - return true; - } else if (object instanceof Map) { - ((Map) object).values().removeIf(value -> dropEmptyFields(value)); - return (((Map) object).size() == 0); - } else if (object instanceof List) { - ((List) object).removeIf(value -> dropEmptyFields(value)); - return (((List) object).length == 0); - } - return false; - } - dropEmptyFields(ctx); - - script: - description: Adds all the remaining fields in fields under zscaler_zpa.user_status - lang: painless - if: ctx?.json != null - source: | - for (Map.Entry m : ctx.json.entrySet()) { - ctx.zscaler_zpa.user_status[m.getKey()] = m.getValue(); - } - - remove: - field: json - ignore_missing: true - - remove: - field: event.original - if: "ctx?.tags == null || 
!(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true -on_failure: -- set: - field: error.message - value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_status/fields/agent.yml b/packages/zscaler_zpa/1.0.0/data_stream/user_status/fields/agent.yml deleted file mode 100755 index e313ec8287..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/user_status/fields/agent.yml +++ /dev/null 
@@ -1,204 +0,0 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. 
-- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' 
- - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. 
- -- name: input.type - type: keyword - description: Input type -- name: log.offset - type: long - description: Log offset diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_status/fields/base-fields.yml b/packages/zscaler_zpa/1.0.0/data_stream/user_status/fields/base-fields.yml deleted file mode 100755 index 8e148e061f..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/user_status/fields/base-fields.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: data_stream.type - type: constant_keyword - description: Data stream type. -- name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. -- name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: zscaler_zpa -- name: event.dataset - type: constant_keyword - description: Event dataset - value: zscaler_zpa.user_status diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_status/fields/ecs.yml b/packages/zscaler_zpa/1.0.0/data_stream/user_status/fields/ecs.yml deleted file mode 100755 index e2d24b9a0d..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/user_status/fields/ecs.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -- description: Country ISO code. - name: client.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - level: core - name: client.geo.location - type: geo_point -- description: IP address of the client (IPv4 or IPv6). - name: client.ip - type: ip -- description: |- - ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. - When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - name: ecs.version - type: keyword -- description: Organization name. - multi_fields: - - name: text - type: match_only_text - name: organization.name - type: keyword -- description: Country ISO code. - name: server.geo.country_iso_code - type: keyword -- description: Longitude and latitude. - level: core - name: server.geo.location - type: geo_point -- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. - name: related.hosts - type: keyword -- description: All of the IPs seen on your event. - name: related.ip - type: ip -- description: List of keywords used to tag each event. - name: tags - type: keyword -- description: Short name or login of the user. - multi_fields: - - name: text - type: match_only_text - name: user.name - type: keyword -- description: List of common name (CN) of issuing certificate authority. - name: x509.issuer.common_name - type: keyword diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_status/fields/fields.yml b/packages/zscaler_zpa/1.0.0/data_stream/user_status/fields/fields.yml deleted file mode 100755 index 5a0ba28658..0000000000 --- a/packages/zscaler_zpa/1.0.0/data_stream/user_status/fields/fields.yml +++ /dev/null 
@@ -1,93 +0,0 @@
-- name: zscaler_zpa.user_status
- type: group
- fields:
- - name: client.type
- type: keyword
- description: |
- The client type for the request (i.e., Zscaler Client Connector, ZPA LSS, or Web Browser).
- - name: idp
- type: keyword
- description: |
- The name of the identity provider (IdP) as configured in the ZPA Admin Portal.
- - name: fqdn
- type: group
- fields:
- - name: registered
- type: boolean
- description: |
- The status of the hostname for the client-to-client connection. The expected values for this field are true or false.
- - name: registered_error
- type: keyword
- description: |
- The status of the registered hostname.
- - name: postures
- type: group
- fields:
- - name: hit
- type: keyword
- description: |
- The posture profiles that the Zscaler Client Connector verified for this device.
- - name: miss
- type: keyword
- description: |
- The posture profiles that the Zscaler Client Connector failed to verified for this device.
- - name: private_ip
- type: ip
- description: |
- The private IP address of the Zscaler Client Connector.
- - name: saml_attributes
- type: keyword
- description: |
- The list of SAML attributes reported by the IdP.
- - name: session
- type: group
- fields:
- - name: id
- type: keyword
- description: |
- The TLS session ID.
- - name: status
- type: keyword
- description: |
- The status of the session.
- - name: timestamp
- type: group
- fields:
- - name: authentication
- type: date
- description: |
- Timestamp in microseconds when the Zscaler Client Connector was authenticated.
- - name: unauthentication
- type: date
- description: |
- Timestamp in microseconds when the Zscaler Client Connector was unauthenticated.
- - name: total
- type: group
- fields:
- - name: bytes_rx
- type: long
- description: |
- The total bytes received.
- - name: bytes_tx
- type: long
- description: |
- The total bytes transmitted.
- - name: trusted_networks
- type: keyword
- description: |
- The unique IDs for the trusted networks that the Zscaler Client Connector has determined for this device.
- - name: trusted_networks_names
- type: keyword
- description: |
- The names for the trusted networks that the Zscaler Client Connector has determined for this device.
- - name: version
- type: keyword
- description: |
- The Zscaler Client Connector version.
- - name: zen.domain
- type: keyword
- description: |-
- The Public Service Edge (formerly Zscaler Enforcement Node or ZEN) or ZPA Private Service Edge that was selected for the connection
-- name: log.source.address
- type: keyword
- description: Source address from which the log event was read / sent from.
diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_status/manifest.yml b/packages/zscaler_zpa/1.0.0/data_stream/user_status/manifest.yml
deleted file mode 100755
index 68be6616e6..0000000000
--- a/packages/zscaler_zpa/1.0.0/data_stream/user_status/manifest.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: User Status Logs
-type: logs
-streams:
- - input: tcp
- template_path: tcp.yml.hbs
- title: Zscaler Private Access User Status Logs
- description: Collect Zscaler Private Access User Status Logs using tcp input
- vars:
- - name: listen_port
- type: integer
- title: Listen Port
- description: The TCP port number to listen on.
- multi: false
- required: true
- show_user: true
- default: 9019
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: false
- default:
- - forwarded
- - zscaler_zpa-user_status
- - name: preserve_original_event
- required: true
- show_user: true
- title: Preserve original event
- description: Preserves a raw copy of the original event, added to the field `event.original`
- type: bool
- multi: false
- default: false
- - name: processors
- type: yaml
- title: Processors
- multi: false
- required: false
- show_user: false
- description: >-
- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/zscaler_zpa/1.0.0/data_stream/user_status/sample_event.json b/packages/zscaler_zpa/1.0.0/data_stream/user_status/sample_event.json
deleted file mode 100755
index 10f701d32f..0000000000
--- a/packages/zscaler_zpa/1.0.0/data_stream/user_status/sample_event.json
+++ /dev/null
@@ -1,130 +0,0 @@
-{
- "@timestamp": "2019-05-31T17:34:48.000Z",
- "agent": {
- "ephemeral_id": "24dbe515-d3ac-4cb8-aa21-eeee2c2f9204",
- "hostname": "docker-fleet-agent",
- "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.16.2"
- },
- "client": {
- "geo": {
- "country_iso_code": "US",
- "location": {
- "lat": 45,
- "lon": -119
- }
- },
- "ip": "81.2.69.144"
- },
- "data_stream": {
- "dataset": "zscaler_zpa.user_status",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
- "snapshot": false,
- "version": "7.16.2"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "iam",
- "dataset": "zscaler_zpa.user_status",
- "ingested": "2022-02-03T13:36:02Z",
- "kind": "state",
- "type": [
- "info",
- "user"
- ]
- },
- "host": {
- "hostname": "DESKTOP-99HCSJ1",
- "os": {
- "platform": "windows"
- }
- },
- "input": {
- "type": "tcp"
- },
- "log": {
- "source": {
- "address": "172.21.0.7:57146"
- }
- },
- "organization": {
- "name": "Customer XYZ"
- },
- "related": {
- "ip": [
- "81.2.69.144"
- ]
- },
- "server": {
- "geo": {
- "location": {
- "lat": 47,
- "lon": -122
- }
- }
- },
- "tags": [
- "forwarded",
- "zscaler_zpa-user_status"
- ],
- "user": {
- "name": "ZPA LSS Client"
- },
- "x509": {
- "issuer": {
- "common_name": "loggerz2x.pde.zpabeta.net"
- }
- },
- "zscaler_zpa": {
- "user_status": {
- "client": {
- "type": "zpn_client_type_zapp"
- },
- "fqdn": {
- "registered": false,
- "registered_error": "CUSTOMER_NOT_ENABLED"
- },
- "idp": "IDP Config",
- "postures": {
- "hit": [
- "sm-posture1",
- "sm-posture2"
- ],
- "miss": [
- "sm-posture11",
- "sm-posture12"
- ]
- },
- "saml_attributes": [
- "myname:user",
- "myemail:user@zscaler.com"
- ],
- "session": {
- "id": "vkczUERSLl88Y+ytH8v5",
- "status": "ZPN_STATUS_AUTHENTICATED"
- },
- "timestamp": {
- "authentication": "2019-05-29T21:18:38.000Z"
- },
- "total": { - "bytes_rx": 31274866, - "bytes_tx": 25424152 - }, - "trusted_networks": "TN1_stc1", - "trusted_networks_names": "145248739466696953", - "version": "19.12.0-36-g87dad18", - "zen": { - "domain": "broker2b.pdx" - } - } - } -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/docs/README.md b/packages/zscaler_zpa/1.0.0/docs/README.md deleted file mode 100755 index a608135e53..0000000000 --- a/packages/zscaler_zpa/1.0.0/docs/README.md +++ /dev/null 
@@ -1,1275 +0,0 @@
-# Zscaler ZPA
-
-This integration is for Zscaler Private Access logs. It can be used
-to receive logs sent by LSS Log Receiver on respective TCP ports.
-
-The log message is expected to be in JSON format. The data is mapped to
-ECS fields where applicable and the remaining fields are written under
-`zscaler_zpa..*`.
-
-## Setup steps
-
-1. Enable the integration with the TCP input.
-2. Configure the Zscaler LSS Log Receiver to send logs to the Elastic Agent
-that is running this integration. See [_Setup Log Receiver_](https://help.zscaler.com/zpa/configuring-log-receiver). Use the IP address/hostname of the Elastic Agent as the 'Log Receiver Domain or IP Address', and use the listening port of the Elastic Agent as the 'TCP Port' on the _Add Log Receiver_ configuration screen.
-3. *Please make sure to use the given response formats.*
-
-## ZPA Log Receiver Setup
-
-For detailed docs on setting up the ZPA log receiver, refer to the Zscaler documentation at
-- [About the Log Streaming Service](https://help.zscaler.com/zpa/about-log-streaming-service)
-- [Configuring a Log Receiver](https://help.zscaler.com/zpa/configuring-log-receiver)
-
-**Domain or IP**: Use the IP address/hostname of the Elastic Agent
-**TCP port**: Use the listening port of the Elastic Agent
-
-## Compatibility
-
-This package has been tested against `Zscaler Private Access Client Connector version 3.7.1.44`
-
-## Documentation and configuration
-
-### App Connector Status Logs
-
-Default port: _9015_
-
-Vendor documentation: https://help.zscaler.com/zpa/about-connector-status-log-fields
-
-Zscaler response format:
-```
-{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"SessionType": %j{SessionType},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"Platform": %j{Platform},"ZEN": %j{ZEN},"Connector": %j{Connector},"ConnectorGroup": %j{ConnectorGroup},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": 
%f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"CPUUtilization": %d{CPUUtilization},"MemUtilization": %d{MemUtilization},"ServiceCount": %d{ServiceCount},"InterfaceDefRoute": %j{InterfaceDefRoute},"DefRouteGW": %j{DefRouteGW},"PrimaryDNSResolver": %j{PrimaryDNSResolver},"HostUpTime": %j{HostUpTime},"ConnectorUpTime": %j{ConnectorUpTime},"NumOfInterfaces": %d{NumOfInterfaces},"BytesRxInterface": %d{BytesRxInterface},"PacketsRxInterface": %d{PacketsRxInterface},"ErrorsRxInterface": %d{ErrorsRxInterface},"DiscardsRxInterface": %d{DiscardsRxInterface},"BytesTxInterface": %d{BytesTxInterface},"PacketsTxInterface": %d{PacketsTxInterface},"ErrorsTxInterface": %d{ErrorsTxInterface},"DiscardsTxInterface": %d{DiscardsTxInterface},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx}}\n
-```
-
-Sample Response:
-```json
-{"LogTimestamp":"Wed Jul 3 05:17:22 2019","Customer":"Safe March","SessionID":"8A64Qwj9zCkfYDGJVoUZ","SessionType":"ZPN_ASSISTANT_BROKER_CONTROL","SessionStatus":"ZPN_STATUS_AUTHENTICATED","Version":"19.20.3","Platform":"el7","ZEN":"US-NY-8179","Connector":"Seattle App Connector 1","ConnectorGroup":"Azure App Connectors","PrivateIP":"10.0.0.4","PublicIP":"0.0.0.0","Latitude":47,"Longitude":-122,"CountryCode":"","TimestampAuthentication":"2019-06-27T05:05:23.348Z","TimestampUnAuthentication":"","CPUUtilization":1,"MemUtilization":20,"ServiceCount":2,"InterfaceDefRoute":"eth0","DefRouteGW":"10.0.0.1","PrimaryDNSResolver":"168.63.129.16","HostStartTime":"1513229995","ConnectorStartTime":"1555920005","NumOfInterfaces":2,"BytesRxInterface":319831966346,"PacketsRxInterface":1617569938,"ErrorsRxInterface":0,"DiscardsRxInterface":0,"BytesTxInterface":192958782635,"PacketsTxInterface":1797471190,"ErrorsTxInterface":0,"DiscardsTxInterface":0,"TotalBytesRx":10902554,"TotalBytesTx":48931771}
-```
-
-### 
Audit Logs
-
-Default port: _9016_
-
-Vendor documentation: https://help.zscaler.com/zpa/about-audit-log-fields
-
-Zscaler response format:
-```
-{"ModifiedTime":%j{modifiedTime:iso8601},"CreationTime":%j{creationTime:iso8601},"ModifiedBy":%d{modifiedBy},"RequestID":%j{requestId},"SessionID":%j{sessionId},"AuditOldValue":%j{auditOldValue},"AuditNewValue":%j{auditNewValue},"AuditOperationType":%j{auditOperationType},"ObjectType":%j{objectType},"ObjectName":%j{objectName},"ObjectID":%d{objectId},"CustomerID":%d{customerId},"User":%j{modifiedByUser},"ClientAuditUpdate":%d{isClientAudit}}\n
-```
-
-Sample Response:
-```json
-{"ModifiedTime":"2021-11-17T04:29:38.000Z","CreationTime":"2021-11-17T04:29:38.000Z","ModifiedBy":12345678901234567,"RequestID":"11111111-1111-1111-1111-111111111111","SessionID":"1idn23nlfm2q1txa5h3r4mep6","AuditOldValue":"","AuditNewValue":"{\"id\":\"72058340288495701\",\"name\":\"Some-Name\",\"domainOrIpAddress\":\"1.0.0.1\",\"description\":\"This is a description field\",\"enabled\":\"true\"}","AuditOperationType":"Create","ObjectType":"Server","ObjectName":"Some-Name","ObjectID":12345678901234567,"CustomerID":98765432109876543,"User":"zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com","ClientAuditUpdate":0}
-```
-
-### Browser Access Logs
-
-Default port: _9017_
-
-Vendor documentation: https://help.zscaler.com/zpa/about-browser-access-log-fields
-
-Zscaler response format:
-```
-{"LogTimestamp":%j{LogTimestamp:time},"ConnectionID":%j{ConnectionID},"Exporter":%j{Exporter},"TimestampRequestReceiveStart":%j{TimestampRequestReceiveStart:iso8601},"TimestampRequestReceiveHeaderFinish":%j{TimestampRequestReceiveHeaderFinish:iso8601},"TimestampRequestReceiveFinish":%j{TimestampRequestReceiveFinish:iso8601},"TimestampRequestTransmitStart":%j{TimestampRequestTransmitStart:iso8601},"TimestampRequestTransmitFinish":%j{TimestampRequestTransmitFinish:iso8601},"TimestampResponseReceiveStart":%j{TimestampResponseReceiveStart:iso8601},"TimestampResponseReceiveFinish":%j{TimestampResponseReceiveFinish:iso8601},"TimestampResponseTransmitStart":%j{TimestampResponseTransmitStart:iso8601},"TimestampResponseTransmitFinish":%j{TimestampResponseTransmitFinish:iso8601},"TotalTimeRequestReceive":%d{TotalTimeRequestReceive},"TotalTimeRequestTransmit":%d{TotalTimeRequestTransmit},"TotalTimeResponseReceive":%d{TotalTimeResponseReceive},"TotalTimeResponseTransmit":%d{TotalTimeResponseTransmit},"TotalTimeConnectionSetup":%d{TotalTimeConnectionSetup},"TotalTimeServerResponse":%d{TotalTimeServerResponse},"Method":%j{Method},"Protocol":%j{Protocol},"Host":%j{Host},"URL":%j{URL},"UserAgent":%j{UserAgent},"XFF":%j{XFF},"NameID":%j{NameID},"StatusCode":%d{StatusCode},"RequestSize":%d{RequestSize},"ResponseSize":%d{ResponseSize},"ApplicationPort":%d{ApplicationPort},"ClientPublicIp":%j{ClientPublicIp},"ClientPublicPort":%d{ClientPublicPort},"ClientPrivateIp":%j{ClientPrivateIp},"Customer":%j{Customer},"ConnectionStatus":%j{ConnectionStatus},"ConnectionReason":%j{ConnectionReason},"Origin":%j{Origin},"CorsToken":%j{CorsToken}}\n -``` - -Sample Response: -```json -{"LogTimestamp":"Wed Jul 3 05:12:25 
2019","ConnectionID":"","Exporter":"unset","TimestampRequestReceiveStart":"2019-07-03T05:12:25.723Z","TimestampRequestReceiveHeaderFinish":"2019-07-03T05:12:25.723Z","TimestampRequestReceiveFinish":"2019-07-03T05:12:25.723Z","TimestampRequestTransmitStart":"2019-07-03T05:12:25.790Z","TimestampRequestTransmitFinish":"2019-07-03T05:12:25.790Z","TimestampResponseReceiveStart":"2019-07-03T05:12:25.791Z","TimestampResponseReceiveFinish":"2019-07-03T05:12:25.791Z","TimestampResponseTransmitStart":"2019-07-03T05:12:25.791Z","TimestampResponseTransmitFinish":"2019-07-03T05:12:25.791Z","TotalTimeRequestReceive":127,"TotalTimeRequestTransmit":21,"TotalTimeResponseReceive":73,"TotalTimeResponseTransmit":13,"TotalTimeConnectionSetup":66995,"TotalTimeServerResponse":1349,"Method":"GET","Protocol":"HTTPS","Host":"portal.beta.zdemo.net","URL":"/media/Regular.woff","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15","XFF":"","NameID":"admin@zdemo.net","StatusCode":304,"RequestSize":615,"ResponseSize":331,"ApplicationPort":443,"ClientPublicIp":"175.16.199.1","ClientPublicPort":60006,"ClientPrivateIp":"","Customer":"ANZ Team/zdemo in beta","ConnectionStatus":"","ConnectionReason":""}
-```
-
-### User Activity Logs
-
-Default port: _9018_
-
-Vendor documentation: https://help.zscaler.com/zpa/about-user-activity-log-fields
-
-Zscaler response format:
-```
-{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"ConnectionID": %j{ConnectionID},"InternalReason": %j{InternalReason},"ConnectionStatus": %j{ConnectionStatus},"IPProtocol": %d{IPProtocol},"DoubleEncryption": %d{DoubleEncryption},"Username": %j{Username},"ServicePort": %d{ServicePort},"ClientPublicIP": %j{ClientPublicIP},"ClientPrivateIP": %j{ClientPrivateIP},"ClientLatitude": %f{ClientLatitude},"ClientLongitude": %f{ClientLongitude},"ClientCountryCode": %j{ClientCountryCode},"ClientZEN": 
%j{ClientZEN},"Policy": %j{Policy},"Connector": %j{Connector},"ConnectorZEN": %j{ConnectorZEN},"ConnectorIP": %j{ConnectorIP},"ConnectorPort": %d{ConnectorPort},"Host": %j{Host},"Application": %j{Application},"AppGroup": %j{AppGroup},"Server": %j{Server},"ServerIP": %j{ServerIP},"ServerPort": %d{ServerPort},"PolicyProcessingTime": %d{PolicyProcessingTime},"ServerSetupTime": %d{ServerSetupTime},"TimestampConnectionStart": %j{TimestampConnectionStart:iso8601},"TimestampConnectionEnd": %j{TimestampConnectionEnd:iso8601},"TimestampCATx": %j{TimestampCATx:iso8601},"TimestampCARx": %j{TimestampCARx:iso8601},"TimestampAppLearnStart": %j{TimestampAppLearnStart:iso8601},"TimestampZENFirstRxClient": %j{TimestampZENFirstRxClient:iso8601},"TimestampZENFirstTxClient": %j{TimestampZENFirstTxClient:iso8601},"TimestampZENLastRxClient": %j{TimestampZENLastRxClient:iso8601},"TimestampZENLastTxClient": %j{TimestampZENLastTxClient:iso8601},"TimestampConnectorZENSetupComplete": %j{TimestampConnectorZENSetupComplete:iso8601},"TimestampZENFirstRxConnector": %j{TimestampZENFirstRxConnector:iso8601},"TimestampZENFirstTxConnector": %j{TimestampZENFirstTxConnector:iso8601},"TimestampZENLastRxConnector": %j{TimestampZENLastRxConnector:iso8601},"TimestampZENLastTxConnector": %j{TimestampZENLastTxConnector:iso8601},"ZENTotalBytesRxClient": %d{ZENTotalBytesRxClient},"ZENBytesRxClient": %d{ZENBytesRxClient},"ZENTotalBytesTxClient": %d{ZENTotalBytesTxClient},"ZENBytesTxClient": %d{ZENBytesTxClient},"ZENTotalBytesRxConnector": %d{ZENTotalBytesRxConnector},"ZENBytesRxConnector": %d{ZENBytesRxConnector},"ZENTotalBytesTxConnector": %d{ZENTotalBytesTxConnector},"ZENBytesTxConnector": %d{ZENBytesTxConnector},"Idp": %j{Idp},"ClientToClient": %j{c2c},"ConnectorZENSetupTime":%d{ConnectorZENSetupTime},"ConnectionSetupTime":%d{ConnectionSetupTime}}\n
-```
-
-Sample Response:
-```json
-{"LogTimestamp": "Fri May 31 17:35:42 2019","Customer": "Customer XYZ","SessionID": "LHJdkjmNDf12nclBsvwA","ConnectionID": 
"SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "ZPA LSS Client","ServicePort": 10011,"ClientPublicIP": "81.2.69.193","ClientPrivateIP": "","ClientLatitude": 45.000000,"ClientLongitude": -119.000000,"ClientCountryCode": "US","ClientZEN": "broker2b.pdx","Policy": "ANZ Lab Apps","Connector": "ZDEMO ANZ","ConnectorZEN": "broker2b.pdx","ConnectorIP": "67.43.156.12","ConnectorPort": 60266,"Host": "175.16.199.1","Application": "ANZ Lab Apps","AppGroup": "ANZ Lab Apps","Server": "0","ServerIP": "175.16.199.1","ServerPort": 10011,"PolicyProcessingTime": 28,"CAProcessingTime": 1330,"ServerSetupTime": 465,"AppLearnTime": 0,"TimestampConnectionStart": "2019-05-30T08:20:42.230Z","TimestampConnectionEnd": "","TimestampCATx": "2019-05-30T08:20:42.230Z","TimestampCARx": "2019-05-30T08:20:42.231Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "2019-05-30T08:20:42.424Z","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "2019-05-31T17:34:27.348Z","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2019-05-30T08:20:42.422Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "2019-05-30T08:20:42.424Z","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "2019-05-31T17:34:27.348Z","ZENTotalBytesRxClient": 2406926,"ZENBytesRxClient": 7115,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 2406926,"ZENBytesTxConnector": 7115,"Idp": "Example IDP Config","ConnectorZENSetupTime":1640674274,"ConnectionSetupTime":1640675274} -``` - -**Note: In order to populate _Slowest Applications_ (visualization); _"ConnectorZENSetupTime"_ and _"ConnectionSetupTime"_ fields are added into the default response format of Zscaler User Activity Log above.** - -### User Status Logs - -Default port: _9019_ - -Vendor documentation: 
https://help.zscaler.com/zpa/about-user-status-log-fields
-
-Zscaler response format:
-```
-{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"Username": %j{Username},"SessionID": %j{SessionID},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"ZEN": %j{ZEN},"CertificateCN": %j{CertificateCN},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"Idp": %j{Idp},"Hostname": %j{Hostname},"Platform": %j{Platform},"ClientType": %j{ClientType},"TrustedNetworks": [%j(,){TrustedNetworks}],"TrustedNetworksNames": [%j(,){TrustedNetworksNames}],"SAMLAttributes": %j{SAMLAttributes},"PosturesHit": [%j(,){PosturesHit}],"PosturesMiss": [%j(,){PosturesMiss}],"ZENLatitude": %f{ZENLatitude},"ZENLongitude": %f{ZENLongitude},"ZENCountryCode": %j{ZENCountryCode},"FQDNRegistered": %j{fqdn_registered},"FQDNRegisteredError": %j{fqdn_register_error}}\n
-```
-
-Sample Response:
-```json
-{"LogTimestamp":"Fri May 31 17:34:48 2019","Customer":"Customer XYZ","Username":"ZPA LSS Client","SessionID":"vkczUERSLl88Y+ytH8v5","SessionStatus":"ZPN_STATUS_AUTHENTICATED","Version":"19.12.0-36-g87dad18","ZEN":"broker2b.pdx","CertificateCN":"loggerz2x.pde.zpabeta.net","PrivateIP":"","PublicIP":"81.2.69.144","Latitude":45,"Longitude":-119,"CountryCode":"US","TimestampAuthentication":"2019-05-29T21:18:38.000Z","TimestampUnAuthentication":"","TotalBytesRx":31274866,"TotalBytesTx":25424152,"Idp":"IDP 
Config","Hostname":"DESKTOP-99HCSJ1","Platform":"windows","ClientType":"zpn_client_type_zapp","TrustedNetworks":"TN1_stc1","TrustedNetworksNames":"145248739466696953","SAMLAttributes":"myname:user,myemail:user@zscaler.com","PosturesHit":"sm-posture1,sm-posture2","PosturesMiss":"sm-posture11,sm-posture12","ZENLatitude":47,"ZENLongitude":-122,"ZENCountryCode":""}
-```
-
-## Fields and Sample Event
-
-### App Connector Status Logs
-
-**Exported fields**
-
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| client.nat.ip | Translated IP of source based NAT sessions (e.g. internal client to internet). Typically connections traversing load balancers, firewalls, or routers. | ip |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. 
| constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
-| event.dataset | Event dataset | constant_keyword |
-| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
-| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| input.type | Input type | keyword |
-| log.offset | Log offset | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.geo.country_iso_code | Country ISO code. | keyword |
-| observer.geo.location | Longitude and latitude | geo_point |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ip | IP addresses of the observer. | ip |
-| observer.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
-| observer.version | Observer version. | keyword |
-| organization.name | Organization name. | keyword |
-| organization.name.text | Multi-field of `organization.name`. | match_only_text |
-| related.ip | All of the IPs seen on your event. | ip |
-| tags | List of keywords used to tag each event. | keyword |
-| zscaler_zpa.app_connector_status.connector.group | The App Connector group name. | keyword |
-| zscaler_zpa.app_connector_status.connector.name | The App Connector name. | keyword |
-| zscaler_zpa.app_connector_status.connector_start_time | Time in seconds at which App Connector was started. | date |
-| zscaler_zpa.app_connector_status.connector_up_time | Time in seconds at which App Connector was started. | date |
-| zscaler_zpa.app_connector_status.host_start_time | Time in seconds at which host was started. | date |
-| zscaler_zpa.app_connector_status.host_up_time | Time in seconds at which host was started. 
| date |
-| zscaler_zpa.app_connector_status.interface.name | The name of the interface to default route. | keyword |
-| zscaler_zpa.app_connector_status.interface.received.bytes | The bytes received on the interface. | double |
-| zscaler_zpa.app_connector_status.interface.received.discards | The discards received on the interface. | double |
-| zscaler_zpa.app_connector_status.interface.received.errors | The errors received on the interface. | double |
-| zscaler_zpa.app_connector_status.interface.received.packets | The packets received on the interface. | double |
-| zscaler_zpa.app_connector_status.interface.transmitted.bytes | The bytes transmitted on the interface. | double |
-| zscaler_zpa.app_connector_status.interface.transmitted.discards | The discards transmitted on the interface. | double |
-| zscaler_zpa.app_connector_status.interface.transmitted.errors | The errors transmitted on the interface. | double |
-| zscaler_zpa.app_connector_status.interface.transmitted.packets | The packets transmitted on the interface. | double |
-| zscaler_zpa.app_connector_status.memory.utilization | The memory utilization in %. | double |
-| zscaler_zpa.app_connector_status.num_of_interfaces | The number of interfaces on the App Connector host. | double |
-| zscaler_zpa.app_connector_status.primary_dns_resolver | The IP address of the primary DNS resolver. | ip |
-| zscaler_zpa.app_connector_status.private_ip | The private IP address of the App Connector. | ip |
-| zscaler_zpa.app_connector_status.service.count | The number of services (combinations of domains/IP addresses and TCP/UDP ports) being monitored by the App Connector. | double |
-| zscaler_zpa.app_connector_status.session.id | The TLS session ID. | keyword |
-| zscaler_zpa.app_connector_status.session.status | The status of the session. | keyword |
-| zscaler_zpa.app_connector_status.session.type | The type of session. 
| keyword |
-| zscaler_zpa.app_connector_status.timestamp.authentication | Timestamp in microseconds when the App Connector was authenticated. | date |
-| zscaler_zpa.app_connector_status.timestamp.unauthentication | Timestamp in microseconds when the App Connector was unauthenticated. | date |
-| zscaler_zpa.app_connector_status.zen | The TLS session ID. | keyword |
-
-
-An example event for `app_connector_status` looks as following:
-
-```json
-{
- "@timestamp": "2019-07-03T05:17:22.000Z",
- "agent": {
- "ephemeral_id": "5879b806-6298-48ab-89a6-19ddcf612162",
- "hostname": "docker-fleet-agent",
- "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.16.2"
- },
- "client": {
- "nat": {
- "ip": "10.0.0.1"
- }
- },
- "data_stream": {
- "dataset": "zscaler_zpa.app_connector_status",
- "namespace": "ep",
- "type": "logs"
- },
- "ecs": {
- "version": "8.2.0"
- },
- "elastic_agent": {
- "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23",
- "snapshot": false,
- "version": "7.16.2"
- },
- "event": {
- "agent_id_status": "verified",
- "category": "package",
- "dataset": "zscaler_zpa.app_connector_status",
- "ingested": "2022-02-03T13:30:46Z",
- "kind": "event",
- "original": "{\"LogTimestamp\":\"Wed Jul 3 05:17:22 2019\",\"Customer\":\"Customer Name\",\"SessionID\":\"8A64Qwj9zCkfYDGJVoUZ\",\"SessionType\":\"ZPN_ASSISTANT_BROKER_CONTROL\",\"SessionStatus\":\"ZPN_STATUS_AUTHENTICATED\",\"Version\":\"19.20.3\",\"Platform\":\"el7\",\"ZEN\":\"US-NY-8179\",\"Connector\":\"Some App Connector\",\"ConnectorGroup\":\"Some App Connector 
Group\",\"PrivateIP\":\"10.0.0.4\",\"PublicIP\":\"0.0.0.0\",\"Latitude\":47,\"Longitude\":-122,\"CountryCode\":\"\",\"TimestampAuthentication\":\"2019-06-27T05:05:23.348Z\",\"TimestampUnAuthentication\":\"\",\"CPUUtilization\":1,\"MemUtilization\":20,\"ServiceCount\":2,\"InterfaceDefRoute\":\"eth0\",\"DefRouteGW\":\"10.0.0.1\",\"PrimaryDNSResolver\":\"168.63.129.16\",\"HostStartTime\":\"1513229995\",\"HostUpTime\":\"1513229995\",\"ConnectorUpTime\":\"1555920005\",\"ConnectorStartTime\":\"1555920005\",\"NumOfInterfaces\":2,\"BytesRxInterface\":319831966346,\"PacketsRxInterface\":1617569938,\"ErrorsRxInterface\":0,\"DiscardsRxInterface\":0,\"BytesTxInterface\":192958782635,\"PacketsTxInterface\":1797471190,\"ErrorsTxInterface\":0,\"DiscardsTxInterface\":0,\"TotalBytesRx\":10902554,\"TotalBytesTx\":48931771}", - "type": "info" - }, - "host": { - "cpu": { - "usage": 1 - }, - "network": { - "egress": { - "bytes": 48931771 - }, - "ingress": { - "bytes": 10902554 - } - } - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "172.21.0.7:33226" - } - }, - "observer": { - "geo": { - "location": { - "lat": 47, - "lon": -122 - } - }, - "ip": [ - "0.0.0.0" - ], - "os": { - "platform": "el7" - }, - "type": "forwarder", - "version": "19.20.3" - }, - "organization": { - "name": "Customer Name" - }, - "related": { - "ip": [ - "10.0.0.1", - "0.0.0.0", - "10.0.0.4", - "168.63.129.16" - ] - }, - "tags": [ - "forwarded", - "zscaler_zpa-app_connectors_status" - ], - "zscaler_zpa": { - "app_connector_status": { - "connector": { - "group": "Some App Connector Group", - "name": "Some App Connector" - }, - "connector_start_time": "2019-04-22T08:00:05.000Z", - "connector_up_time": "2019-04-22T08:00:05.000Z", - "host_start_time": "2017-12-14T05:39:55.000Z", - "host_up_time": "2017-12-14T05:39:55.000Z", - "interface": { - "name": "eth0", - "received": { - "bytes": 319831966346, - "discards": 0, - "errors": 0, - "packets": 1617569938 - }, - "transmitted": { - "bytes": 
192958782635, - "discards": 0, - "errors": 0, - "packets": 1797471190 - } - }, - "memory": { - "utilization": 20 - }, - "num_of_interfaces": 2, - "primary_dns_resolver": "168.63.129.16", - "private_ip": "10.0.0.4", - "service": { - "count": 2 - }, - "session": { - "id": "8A64Qwj9zCkfYDGJVoUZ", - "status": "ZPN_STATUS_AUTHENTICATED", - "type": "ZPN_ASSISTANT_BROKER_CONTROL" - }, - "timestamp": { - "authentication": "2019-06-27T05:05:23.348Z" - }, - "zen": "US-NY-8179" - } - } -} -``` - -## Audit Logs - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| group.id | Unique identifier for the group on the system/platform. | keyword | -| group.name | Name of the group. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | -| observer.geo.city_name | City name. | keyword | -| observer.geo.country_name | Country name. | keyword | -| observer.geo.location | Longitude and latitude. | geo_point | -| organization.id | Unique identifier for the organization. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| tags | List of keywords used to tag each event. | keyword | -| user.id | Unique identifier of the user. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user.target.email | User email address. | keyword | -| user.target.id | Unique identifier of the user. | keyword | -| user.target.name | Short name or login of the user. | keyword | -| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | -| user.target.roles | Array of user roles at the time of the event. | keyword | -| x509.alternative_names | List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | -| x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | -| x509.not_after | Time at which the certificate is no longer considered valid. | date | -| x509.not_before | Time at which the certificate is first considered valid. | date | -| zscaler_zpa.audit.client_audit_update | The flag to represent if the event is a client Audit log. | long | -| zscaler_zpa.audit.object.id | The ID associated with the object name. | keyword | -| zscaler_zpa.audit.object.name | The name of the object. This corresponds to the Resource Name in the Audit Log page. | keyword | -| zscaler_zpa.audit.object.type | The location within the ZPA Admin Portal where the Action was performed. | keyword | -| zscaler_zpa.audit.operation_type | The type of action performed. | keyword | -| zscaler_zpa.audit.session.id | The ID for the administrator's session in the ZPA Admin Portal. This corresponds to a successful sign in action occurring. | keyword | -| zscaler_zpa.audit.value.new | The new value that was changed if the action type is create, sign in, or update. | flattened | -| zscaler_zpa.audit.value.old | The previous value that was changed if the action type is delete, sign out, or update. 
| flattened | - - -An example event for `audit` looks as following: - -```json -{ - "@timestamp": "2021-11-17T04:29:38.000Z", - "agent": { - "ephemeral_id": "75bcfb32-c04c-4455-88ed-41a659043c80", - "hostname": "docker-fleet-agent", - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.2" - }, - "data_stream": { - "dataset": "zscaler_zpa.audit", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", - "snapshot": false, - "version": "7.16.2" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "iam" - ], - "created": "2021-11-17T04:29:38.000Z", - "dataset": "zscaler_zpa.audit", - "id": "11111111-1111-1111-1111-111111111111", - "ingested": "2022-02-03T13:32:04Z", - "kind": "event", - "type": [ - "creation" - ] - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "172.21.0.7:54030" - } - }, - "organization": { - "id": "98765432109876543" - }, - "related": { - "ip": [ - "1.0.0.1" - ] - }, - "server": { - "address": "1.0.0.1", - "ip": "1.0.0.1" - }, - "tags": [ - "forwarded", - "zscaler_zpa-audit" - ], - "user": { - "id": "12345678901234567", - "name": "zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com" - }, - "zscaler_zpa": { - "audit": { - "client_audit_update": 0, - "object": { - "id": "12345678901234567", - "name": "Some-Name", - "type": "Server" - }, - "operation_type": "Create", - "session": { - "id": "1idn23nlfm2q1txa5h3r4mep6" - }, - "value": { - "new": { - "description": "This is a description field", - "domainOrIpAddress": "1.0.0.1", - "enabled": "true", - "id": "72058340288495701", - "name": "Some-Name" - } - } - } - } -} -``` - -## Browser Access Logs - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.geo.city_name | City name. | keyword | -| client.geo.continent_name | Name of the continent. 
| keyword | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.country_name | Country name. | keyword | -| client.geo.location | Longitude and latitude | geo_point | -| client.geo.region_iso_code | Region ISO code. | keyword | -| client.geo.region_name | Region name. | keyword | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| client.port | Port of the client. | long | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.body.bytes | Size in bytes of the request body. | long | -| http.request.method | HTTP request method. 
The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.response.body.bytes | Size in bytes of the response body. | long | -| http.response.status_code | HTTP response status code. | long | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| related.ip | All of the IPs seen on your event. | ip | -| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | -| server.port | Port of the server. | long | -| tags | List of keywords used to tag each event. | keyword | -| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | -| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | -| url.original | Unmodified original url as seen in the event source. 
Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | -| url.original.text | Multi-field of `url.original`. | match_only_text | -| url.path | Path of the request, such as "/search". | wildcard | -| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| user_agent.device.name | Name of the device. | keyword | -| user_agent.name | Name of the user agent. | keyword | -| user_agent.original | Unparsed user_agent string. | keyword | -| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | -| user_agent.os.full | Operating system name, including the version or code name. | keyword | -| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | -| user_agent.os.name | Operating system name, without the version. | keyword | -| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | -| user_agent.os.version | Operating system version as a raw string. | keyword | -| user_agent.version | Version of the user agent. | keyword | -| zscaler_zpa.browser_access.client_private_ip | The private IP address of the user's device. | ip | -| zscaler_zpa.browser_access.connection.id | The application connection ID. | keyword | -| zscaler_zpa.browser_access.connection.status | The status of the connection. | keyword | -| zscaler_zpa.browser_access.cors_token | The token from the CORS request. | keyword | -| zscaler_zpa.browser_access.exporter | The Browser Access Service instance to ZPA Public Service Edge or ZPA Private Service Edge instance. 
| keyword | -| zscaler_zpa.browser_access.origin | The Browser Access domain that led to the origination of the CORS request. | keyword | -| zscaler_zpa.browser_access.timestamp.request.receive.finish | Timestamp in microseconds when Browser Access Service received the last byte of the HTTP request from web browser. | date | -| zscaler_zpa.browser_access.timestamp.request.receive.header_finish | Timestamp in microseconds when Browser Access Service received the last byte of the HTTP header corresponding to the request from web browser. | date | -| zscaler_zpa.browser_access.timestamp.request.receive.start | Timestamp in microseconds when Browser Access Service received the first byte of the HTTP request from web browser. | date | -| zscaler_zpa.browser_access.timestamp.request.transmit.finish | Timestamp in microseconds when Browser Access Service sent the last byte of the HTTP request to the web server. | date | -| zscaler_zpa.browser_access.timestamp.request.transmit.start | Timestamp in microseconds when Browser Access Service sent the first byte of the HTTP request to the web server. | date | -| zscaler_zpa.browser_access.timestamp.response.receive.finish | Timestamp in microseconds when Browser Access Service received the last byte of the HTTP response from the web server. | date | -| zscaler_zpa.browser_access.timestamp.response.receive.start | Timestamp in microseconds when Browser Access Service received the first byte of the HTTP response from the web server. | date | -| zscaler_zpa.browser_access.timestamp.response.transmit.finish | Timestamp in microseconds when Browser Access Service sent the last byte of the HTTP response to the web browser. | date | -| zscaler_zpa.browser_access.timestamp.response.transmit.start | Timestamp in microseconds when Browser Access Service sent the first byte of the HTTP response to the web browser. 
| date | -| zscaler_zpa.browser_access.total_time.connection.setup | Time difference between reception of the first byte of the HTTP request from web browser and transmission of the first byte towards the web server, as seen by the Browser Access Service. | long | -| zscaler_zpa.browser_access.total_time.request.receive | Time difference between reception of the first and last byte of the HTTP request from the web browser as seen by the Browser Access Service. | long | -| zscaler_zpa.browser_access.total_time.request.transmit | Time difference between transmission of the first and last byte of the HTTP request towards the web server as seen by the Browser Access Service. | long | -| zscaler_zpa.browser_access.total_time.response.receive | Time difference between reception of the first and last byte of the HTTP response from the web server as seen by the Browser Access Service. | long | -| zscaler_zpa.browser_access.total_time.response.transmit | Time difference between transmission of the first and last byte of the HTTP request towards the web server as seen by the Browser Access Service. | long | -| zscaler_zpa.browser_access.total_time.server.response | Time difference between transmission of the last byte of the HTTP request towards the web server and reception of the first byte of the HTTP response from web server, as seen by the Browser Access Service. | long | -| zscaler_zpa.browser_access.xff | The X-Forwarded-For (XFF) HTTP header. 
| keyword | - - -An example event for `browser_access` looks as following: - -```json -{ - "@timestamp": "2019-07-03T05:12:25.000Z", - "agent": { - "ephemeral_id": "10484a2f-b664-42ef-a849-7386c8257491", - "hostname": "docker-fleet-agent", - "id": "acf7dca8-817d-4681-bad3-1cc9bfefc49c", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.2" - }, - "client": { - "geo": { - "city_name": "London", - "continent_name": "Europe", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lat": 51.5142, - "lon": -0.0931 - }, - "region_iso_code": "GB-ENG", - "region_name": "England" - }, - "ip": "81.2.69.144", - "port": 60006 - }, - "data_stream": { - "dataset": "zscaler_zpa.browser_access", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "acf7dca8-817d-4681-bad3-1cc9bfefc49c", - "snapshot": false, - "version": "7.16.2" - }, - "event": { - "agent_id_status": "verified", - "category": [ - "network", - "session" - ], - "dataset": "zscaler_zpa.browser_access", - "ingested": "2022-02-14T07:28:10Z", - "kind": "event", - "type": "connection" - }, - "http": { - "request": { - "body": { - "bytes": 615 - }, - "method": "GET" - }, - "response": { - "body": { - "bytes": 331 - }, - "status_code": 304 - } - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "172.26.0.7:47148" - } - }, - "organization": { - "name": "ANZ Team/zdemo in beta" - }, - "related": { - "ip": [ - "81.2.69.144", - "81.2.69.193" - ] - }, - "server": { - "address": "portal.beta.zdemo.net", - "port": 443 - }, - "tags": [ - "forwarded", - "zscaler_zpa-browser_access" - ], - "url": { - "domain": "portal.beta.zdemo.net", - "extension": "woff", - "original": "https://portal.beta.zdemo.net/media/regular.woff", - "path": "/media/regular.woff", - "scheme": "https" - }, - "user": { - "name": "admin@zdemo.net" - }, - "user_agent": { - "device": { - "name": "Mac" - }, - "name": "Safari", - 
"original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15", - "os": { - "full": "Mac OS X 10.14.5", - "name": "Mac OS X", - "version": "10.14.5" - }, - "version": "12.1.1" - }, - "zscaler_zpa": { - "browser_access": { - "client_private_ip": "81.2.69.193", - "exporter": "unset", - "timestamp": { - "request": { - "receive": { - "finish": "2019-07-03T05:12:25.723Z", - "header_finish": "2019-07-03T05:12:25.723Z", - "start": "2019-07-03T05:12:25.723Z" - }, - "transmit": { - "finish": "2019-07-03T05:12:25.790Z", - "start": "2019-07-03T05:12:25.790Z" - } - }, - "response": { - "receive": { - "finish": "2019-07-03T05:12:25.791Z", - "start": "2019-07-03T05:12:25.791Z" - }, - "transmit": { - "finish": "2019-07-03T05:12:25.791Z", - "start": "2019-07-03T05:12:25.791Z" - } - } - }, - "total_time": { - "connection": { - "setup": 66995 - }, - "request": { - "receive": 127, - "transmit": 21 - }, - "response": { - "receive": 73, - "transmit": 13 - }, - "server": { - "response": 1349 - } - } - } - } -} -``` - -## User Activity Logs - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. 
| keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| server.ip | IP address of the server (IPv4 or IPv6). | ip | -| server.port | Port of the server. | long | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. 
| match_only_text | -| zscaler_zpa.user_activity.app_group | The application group name. | keyword | -| zscaler_zpa.user_activity.app_learn_time | Time in microseconds taken for App Connectors to learn about the requested application and report the learned information to the central authority. | long | -| zscaler_zpa.user_activity.application | The application name. | keyword | -| zscaler_zpa.user_activity.ca_processing_time | Time in microseconds taken for processing in the central authority. | long | -| zscaler_zpa.user_activity.client_private_ip | The private IP address of the Zscaler Client Connector. | ip | -| zscaler_zpa.user_activity.client_to_client | The status of the client-to-client connection. | keyword | -| zscaler_zpa.user_activity.connection.id | The application connection ID. | keyword | -| zscaler_zpa.user_activity.connection.setup_time | Time taken by the App Connector to process a notification from the App Connector selection microservice and set up the connection to the application server. | long | -| zscaler_zpa.user_activity.connection.status | The status of the connection. The expected values for this field are: [ Open, Close, Active ]. | keyword | -| zscaler_zpa.user_activity.connector.ip | The source IP address of the App Connector. | ip | -| zscaler_zpa.user_activity.connector.name | The App Connector name. | keyword | -| zscaler_zpa.user_activity.connector.port | The source port of the App Connector. | integer | -| zscaler_zpa.user_activity.connector_zen_setup_time | Time in microseconds taken for setting up connection between App Connector and ZPA Public Service Edge or ZPA Private Service Edge. | long | -| zscaler_zpa.user_activity.double_encryption | The double encryption status. | integer | -| zscaler_zpa.user_activity.idp | The name of the identity provider (IdP) as configured in the ZPA Admin Portal. | keyword | -| zscaler_zpa.user_activity.internal_reason | The internal reason for the status of the transaction. 
| keyword | -| zscaler_zpa.user_activity.policy.name | The access policy or timeout policy rule name. | keyword | -| zscaler_zpa.user_activity.policy.processing_time | Time in microseconds taken for processing the access policy associated with the application. | long | -| zscaler_zpa.user_activity.server | The server ID name. The server ID must be set to zero if dynamic server discovery is enabled. | keyword | -| zscaler_zpa.user_activity.server_setup_time | Time in microseconds taken for setting up connection at server. | long | -| zscaler_zpa.user_activity.service_port | The destination port of the server. | integer | -| zscaler_zpa.user_activity.session_id | The TLS session ID. | keyword | -| zscaler_zpa.user_activity.timestamp.app_learn_start | Time in microseconds taken for App Connectors to learn about the requested application and report the learned information to the central authority. | keyword | -| zscaler_zpa.user_activity.timestamp.ca.rx | Timestamp in microseconds when the central authority received request from ZPA Public Service Edge or ZPA Private Service Edge. | date | -| zscaler_zpa.user_activity.timestamp.ca.tx | Timestamp in microseconds when the central authority sent request to ZPA Public Service Edge or ZPA Private Service Edge. | date | -| zscaler_zpa.user_activity.timestamp.connection.end | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge terminated the connection. | date | -| zscaler_zpa.user_activity.timestamp.connection.start | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the initial request from Zscaler Client Connector to start the connection. | date | -| zscaler_zpa.user_activity.timestamp.connector_zen.setup_complete | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received request from App Connector to set up data connection. 
The request from the App Connector is triggered by the initial request for a specific application from the Zscaler Client Connector. | date | -| zscaler_zpa.user_activity.timestamp.zen.client.rx.first | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the first byte from the Zscaler Client Connector. | date | -| zscaler_zpa.user_activity.timestamp.zen.client.rx.last | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the last byte from the Zscaler Client Connector. | date | -| zscaler_zpa.user_activity.timestamp.zen.client.tx.first | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the first byte to the Zscaler Client Connector. | date | -| zscaler_zpa.user_activity.timestamp.zen.client.tx.last | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the last byte to the Zscaler Client Connector. | date | -| zscaler_zpa.user_activity.timestamp.zen.connector.rx.first | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the first byte from the App Connector. | date | -| zscaler_zpa.user_activity.timestamp.zen.connector.rx.last | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the last byte from the App Connector. | date | -| zscaler_zpa.user_activity.timestamp.zen.connector.tx.first | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the first byte to the App Connector. | date | -| zscaler_zpa.user_activity.timestamp.zen.connector.tx.last | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the last byte to the App Connector. | date | -| zscaler_zpa.user_activity.zen.client.bytes_rx | The additional bytes received from the Zscaler Client Connector since the last transaction log. 
| long | -| zscaler_zpa.user_activity.zen.client.bytes_tx | The additional bytes transmitted to the Zscaler Client Connector since the last transaction log. | long | -| zscaler_zpa.user_activity.zen.client.domain | The ZPA Public Service Edge (formerly Zscaler Enforcement Node or ZEN) or ZPA Private Service Edge that received the request from the Zscaler Client Connector. | keyword | -| zscaler_zpa.user_activity.zen.client.total.bytes_rx | The total bytes received from the Zscaler Client Connector by the ZPA Public Service Edge or ZPA Private Service Edge. | long | -| zscaler_zpa.user_activity.zen.client.total.bytes_tx | The total bytes transmitted to the Zscaler Client Connector from the ZPA Public Service Edge or ZPA Private Service Edge. | long | -| zscaler_zpa.user_activity.zen.connector.bytes_rx | The additional bytes received from the App Connector since the last transaction log. | long | -| zscaler_zpa.user_activity.zen.connector.bytes_tx | The additional bytes transmitted by the App Connector since the last transaction log. | long | -| zscaler_zpa.user_activity.zen.connector.domain | The ZPA Public Service Edge or ZPA Private Service Edge that sent the request from the App Connector. | keyword | -| zscaler_zpa.user_activity.zen.connector.total.bytes_rx | The total bytes received from the App Connector by the ZPA Public Service Edge or ZPA Private Service Edge. | long | -| zscaler_zpa.user_activity.zen.connector.total.bytes_tx | The total bytes transmitted to the App Connector from the ZPA Public Service Edge or ZPA Private Service Edge. 
| long | - - -An example event for `user_activity` looks as following: - -```json -{ - "@timestamp": "2019-05-31T17:35:42.000Z", - "agent": { - "ephemeral_id": "2686f611-4bf3-4df9-8934-843cbd32d161", - "hostname": "docker-fleet-agent", - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.2" - }, - "client": { - "geo": { - "country_iso_code": "US", - "location": { - "lat": 45, - "lon": -119 - } - }, - "ip": "81.2.69.193" - }, - "data_stream": { - "dataset": "zscaler_zpa.user_activity", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", - "snapshot": false, - "version": "7.16.2" - }, - "event": { - "agent_id_status": "verified", - "category": "iam", - "dataset": "zscaler_zpa.user_activity", - "ingested": "2022-02-03T13:34:37Z", - "kind": "event", - "type": [ - "info", - "user" - ] - }, - "host": { - "ip": "175.16.199.1" - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "172.21.0.7:59296" - } - }, - "network": { - "type": "ipv6" - }, - "organization": { - "name": "Customer XYZ" - }, - "related": { - "hosts": [ - "broker2b.pdx" - ], - "ip": [ - "81.2.69.193", - "175.16.199.1", - "67.43.156.12" - ] - }, - "server": { - "ip": "175.16.199.1", - "port": 10011 - }, - "tags": [ - "forwarded", - "zscaler_zpa-user_activity" - ], - "user": { - "name": "ZPA LSS Client" - }, - "zscaler_zpa": { - "user_activity": { - "app_group": "ABC Lab Apps", - "app_learn_time": 0, - "application": "ABC Lab Apps", - "ca_processing_time": 1330, - "client_to_client": "0", - "connection": { - "id": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm", - "setup_time": 192397, - "status": "active" - }, - "connector": { - "ip": "67.43.156.12", - "name": "ZDEMO ABC", - "port": 60266 - }, - "connector_zen_setup_time": 191017, - "double_encryption": 0, - "idp": "Example IDP Config", - "policy": { - "name": "ABC Lab Apps", 
- "processing_time": 28 - }, - "server": "0", - "server_setup_time": 465, - "service_port": 10011, - "session_id": "LHJdkjmNDf12nclBsvwA", - "timestamp": { - "ca": { - "rx": "2019-05-30T08:20:42.231Z", - "tx": "2019-05-30T08:20:42.230Z" - }, - "connection": { - "start": "2019-05-30T08:20:42.230Z" - }, - "connector_zen": { - "setup_complete": "2019-05-30T08:20:42.422Z" - }, - "zen": { - "client": { - "rx": { - "first": "2019-05-30T08:20:42.424Z", - "last": "2019-05-31T17:34:27.348Z" - } - }, - "connector": { - "tx": { - "first": "2019-05-30T08:20:42.424Z", - "last": "2019-05-31T17:34:27.348Z" - } - } - } - }, - "zen": { - "client": { - "bytes_rx": 7115, - "bytes_tx": 0, - "domain": "broker2b.pdx", - "total": { - "bytes_rx": 2406926, - "bytes_tx": 0 - } - }, - "connector": { - "bytes_rx": 0, - "bytes_tx": 7115, - "domain": "broker2b.pdx", - "total": { - "bytes_rx": 0, - "bytes_tx": 2406926 - } - } - } - } - } -} -``` - -## User Status Logs - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| client.geo.country_iso_code | Country ISO code. | keyword | -| client.geo.location | Longitude and latitude. | geo_point | -| client.ip | IP address of the client (IPv4 or IPv6). | ip | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.dataset | Event dataset | constant_keyword | -| event.module | Event module | constant_keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. 
| keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| input.type | Input type | keyword | -| log.offset | Log offset | long | -| log.source.address | Source address from which the log event was read / sent from. | keyword | -| organization.name | Organization name. | keyword | -| organization.name.text | Multi-field of `organization.name`. | match_only_text | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| server.geo.country_iso_code | Country ISO code. | keyword | -| server.geo.location | Longitude and latitude. | geo_point | -| tags | List of keywords used to tag each event. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | -| x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | -| zscaler_zpa.user_status.client.type | The client type for the request (i.e., Zscaler Client Connector, ZPA LSS, or Web Browser). | keyword | -| zscaler_zpa.user_status.fqdn.registered | The status of the hostname for the client-to-client connection. 
The expected values for this field are true or false. | boolean | -| zscaler_zpa.user_status.fqdn.registered_error | The status of the registered hostname. | keyword | -| zscaler_zpa.user_status.idp | The name of the identity provider (IdP) as configured in the ZPA Admin Portal. | keyword | -| zscaler_zpa.user_status.postures.hit | The posture profiles that the Zscaler Client Connector verified for this device. | keyword | -| zscaler_zpa.user_status.postures.miss | The posture profiles that the Zscaler Client Connector failed to verified for this device. | keyword | -| zscaler_zpa.user_status.private_ip | The private IP address of the Zscaler Client Connector. | ip | -| zscaler_zpa.user_status.saml_attributes | The list of SAML attributes reported by the IdP. | keyword | -| zscaler_zpa.user_status.session.id | The TLS session ID. | keyword | -| zscaler_zpa.user_status.session.status | The status of the session. | keyword | -| zscaler_zpa.user_status.timestamp.authentication | Timestamp in microseconds when the Zscaler Client Connector was authenticated. | date | -| zscaler_zpa.user_status.timestamp.unauthentication | Timestamp in microseconds when the Zscaler Client Connector was unauthenticated. | date | -| zscaler_zpa.user_status.total.bytes_rx | The total bytes received. | long | -| zscaler_zpa.user_status.total.bytes_tx | The total bytes transmitted. | long | -| zscaler_zpa.user_status.trusted_networks | The unique IDs for the trusted networks that the Zscaler Client Connector has determined for this device. | keyword | -| zscaler_zpa.user_status.trusted_networks_names | The names for the trusted networks that the Zscaler Client Connector has determined for this device. | keyword | -| zscaler_zpa.user_status.version | The Zscaler Client Connector version. 
| keyword | -| zscaler_zpa.user_status.zen.domain | The Public Service Edge (formerly Zscaler Enforcement Node or ZEN) or ZPA Private Service Edge that was selected for the connection | keyword | - - -An example event for `user_status` looks as following: - -```json -{ - "@timestamp": "2019-05-31T17:34:48.000Z", - "agent": { - "ephemeral_id": "24dbe515-d3ac-4cb8-aa21-eeee2c2f9204", - "hostname": "docker-fleet-agent", - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.2" - }, - "client": { - "geo": { - "country_iso_code": "US", - "location": { - "lat": 45, - "lon": -119 - } - }, - "ip": "81.2.69.144" - }, - "data_stream": { - "dataset": "zscaler_zpa.user_status", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "8.2.0" - }, - "elastic_agent": { - "id": "d03794ae-c5b7-46b2-8a63-42f00010ac23", - "snapshot": false, - "version": "7.16.2" - }, - "event": { - "agent_id_status": "verified", - "category": "iam", - "dataset": "zscaler_zpa.user_status", - "ingested": "2022-02-03T13:36:02Z", - "kind": "state", - "type": [ - "info", - "user" - ] - }, - "host": { - "hostname": "DESKTOP-99HCSJ1", - "os": { - "platform": "windows" - } - }, - "input": { - "type": "tcp" - }, - "log": { - "source": { - "address": "172.21.0.7:57146" - } - }, - "organization": { - "name": "Customer XYZ" - }, - "related": { - "ip": [ - "81.2.69.144" - ] - }, - "server": { - "geo": { - "location": { - "lat": 47, - "lon": -122 - } - } - }, - "tags": [ - "forwarded", - "zscaler_zpa-user_status" - ], - "user": { - "name": "ZPA LSS Client" - }, - "x509": { - "issuer": { - "common_name": "loggerz2x.pde.zpabeta.net" - } - }, - "zscaler_zpa": { - "user_status": { - "client": { - "type": "zpn_client_type_zapp" - }, - "fqdn": { - "registered": false, - "registered_error": "CUSTOMER_NOT_ENABLED" - }, - "idp": "IDP Config", - "postures": { - "hit": [ - "sm-posture1", - "sm-posture2" - ], - "miss": [ - "sm-posture11", - 
"sm-posture12" - ] - }, - "saml_attributes": [ - "myname:user", - "myemail:user@zscaler.com" - ], - "session": { - "id": "vkczUERSLl88Y+ytH8v5", - "status": "ZPN_STATUS_AUTHENTICATED" - }, - "timestamp": { - "authentication": "2019-05-29T21:18:38.000Z" - }, - "total": { - "bytes_rx": 31274866, - "bytes_tx": 25424152 - }, - "trusted_networks": "TN1_stc1", - "trusted_networks_names": "145248739466696953", - "version": "19.12.0-36-g87dad18", - "zen": { - "domain": "broker2b.pdx" - } - } - } -} -``` diff --git a/packages/zscaler_zpa/1.0.0/img/zscaler-logo.svg b/packages/zscaler_zpa/1.0.0/img/zscaler-logo.svg deleted file mode 100755 index b8a21a2fa6..0000000000 --- a/packages/zscaler_zpa/1.0.0/img/zscaler-logo.svg +++ /dev/null @@ -1 +0,0 @@ -Zscaler-Logo-TM-Blue-RGB-May2019 \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/img/zscaler-zpa-screenshot.png b/packages/zscaler_zpa/1.0.0/img/zscaler-zpa-screenshot.png deleted file mode 100755 index 45c90c9d1e..0000000000 Binary files a/packages/zscaler_zpa/1.0.0/img/zscaler-zpa-screenshot.png and /dev/null differ diff --git a/packages/zscaler_zpa/1.0.0/kibana/dashboard/zscaler_zpa-26cc19c0-4c44-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/dashboard/zscaler_zpa-26cc19c0-4c44-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index e4ae3b6c6f..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/dashboard/zscaler_zpa-26cc19c0-4c44-11ec-9023-a76a2cb41dcd.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.browser_access\\\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":180,\"minLat\":-66.51326,\"minLon\":-180},\"mapCenter\":{\"lat\":19.94277,\"lon\":0,\"zoom\":1.06},\"openTOCDetails\":[]},\"gridData\":{\"h\":18,\"i\":\"26f3b155-53ad-40e1-a01d-e469c7193d9d\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"26f3b155-53ad-40e1-a01d-e469c7193d9d\",\"panelRefName\":\"panel_0\",\"type\":\"map\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"2b16dc24-ff32-475b-8dd7-cb51f5d93954\",\"w\":16,\"x\":0,\"y\":18},\"panelIndex\":\"2b16dc24-ff32-475b-8dd7-cb51f5d93954\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ac107bfb-95e0-4f77-9aec-9674891d047b\",\"w\":16,\"x\":32,\"y\":18},\"panelIndex\":\"ac107bfb-95e0-4f77-9aec-9674891d047b\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"286696da-f87c-4872-b7c7-6a20f8584ea6\",\"w\":16,\"x\":16,\"y\":18},\"panelIndex\":\"286696da-f87c-4872-b7c7-6a20f8584ea6\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Zscaler][ZPA] Browser Access Logs", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-26cc19c0-4c44-11ec-9023-a76a2cb41dcd", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - 
{ - "id": "zscaler_zpa-5a0f9320-4c44-11ec-9023-a76a2cb41dcd", - "name": "panel_0", - "type": "map" - }, - { - "id": "zscaler_zpa-1b5846e0-4c44-11ec-9023-a76a2cb41dcd", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "zscaler_zpa-23d03780-4eb8-11ec-9527-b704eaaa5c53", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "zscaler_zpa-d8e44aa0-5992-11ec-b2d0-45019404f2e5", - "name": "panel_3", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-12-10T08:26:57.853Z", - "version": "WzEwNjcsMV0=" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/dashboard/zscaler_zpa-7511d7f0-4c49-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/dashboard/zscaler_zpa-7511d7f0-4c49-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index 6025d8dff3..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/dashboard/zscaler_zpa-7511d7f0-4c49-11ec-9023-a76a2cb41dcd.json +++ /dev/null 
@@ -1,79 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":270,\"minLat\":-85.05113,\"minLon\":-270},\"mapCenter\":{\"lat\":1.7677,\"lon\":0,\"zoom\":1.06},\"openTOCDetails\":[]},\"gridData\":{\"h\":22,\"i\":\"5d6fd558-dee7-432b-9374-8d1e7eb8dbc9\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"5d6fd558-dee7-432b-9374-8d1e7eb8dbc9\",\"panelRefName\":\"panel_0\",\"type\":\"map\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"2b19f9ee-4ba4-4f5b-bddb-8be10b5d085e\",\"w\":16,\"x\":0,\"y\":22},\"panelIndex\":\"2b19f9ee-4ba4-4f5b-bddb-8be10b5d085e\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"dc65087e-2242-4e8b-86a0-61e1c0da98f5\",\"w\":15,\"x\":16,\"y\":22},\"panelIndex\":\"dc65087e-2242-4e8b-86a0-61e1c0da98f5\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":14,\"i\":\"ac1bbf4b-b227-4d6a-812d-f6f682a86cb5\",\"w\":17,\"x\":31,\"y\":22},\"panelIndex\":\"ac1bbf4b-b227-4d6a-812d-f6f682a86cb5\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d8929019-59a4-4158-b1f1-b769f1b8ed3c\",\"w\":24,\"x\":0,\"y\":36},\"panelIndex\":\"d8929019-59a4-4158-b1f1-b769f1b8ed3c\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embe
ddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f582a11-a96d-42ab-a4af-8723737dedc0\",\"w\":24,\"x\":24,\"y\":36},\"panelIndex\":\"8f582a11-a96d-42ab-a4af-8723737dedc0\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f1106d4f-52b0-4837-bd41-a0ff1f3e13bb\",\"w\":16,\"x\":0,\"y\":51},\"panelIndex\":\"f1106d4f-52b0-4837-bd41-a0ff1f3e13bb\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"4b74af86-5ad3-4d2b-87e9-c98cb12c673a\",\"w\":16,\"x\":16,\"y\":51},\"panelIndex\":\"4b74af86-5ad3-4d2b-87e9-c98cb12c673a\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5fbfcc7f-07b1-4751-a569-04a0104a9806\",\"w\":16,\"x\":32,\"y\":51},\"panelIndex\":\"5fbfcc7f-07b1-4751-a569-04a0104a9806\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.user_activity\\\" \"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"4ac99360-4dd5-11ec-9c7f-599fe68d9667\"}],\"drop_last_bucket\":0,\"id\":\"81cebc93-9e11-4079-9241-baa103cd5db6\",\"index_pattern_ref_name\":\"metrics_429030c5-d674-4696-8aac-9385e886ce19_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"pivot_id\":\"client.ip\",\"pivot_label\":\"Client 
IP\",\"pivot_type\":\"string\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"hidden\":false,\"id\":\"a5e34d80-4dd6-11ec-9c7f-599fe68d9667\",\"label\":\"Application Setup Time (Time in microseconds)\",\"line_width\":1,\"metrics\":[{\"field\":\"json.ServerSetupTime\",\"id\":\"1c4724b0-4dfa-11ec-9c7f-599fe68d9667\",\"type\":\"avg\"},{\"field\":\"json.ConnectionSetupTime\",\"id\":\"5adf7740-4dfa-11ec-9c7f-599fe68d9667\",\"type\":\"avg\"},{\"field\":\"json.ConnectorZENSetupTime\",\"id\":\"6f1124c0-4dfa-11ec-9c7f-599fe68d9667\",\"type\":\"avg\"},{\"id\":\"7956fef0-4dfa-11ec-9c7f-599fe68d9667\",\"script\":\"params.a + params.b + params.c\",\"type\":\"math\",\"variables\":[{\"field\":\"1c4724b0-4dfa-11ec-9c7f-599fe68d9667\",\"id\":\"7ad8bcf0-4dfa-11ec-9c7f-599fe68d9667\",\"name\":\"a\"},{\"field\":\"5adf7740-4dfa-11ec-9c7f-599fe68d9667\",\"id\":\"80181f30-4dfa-11ec-9c7f-599fe68d9667\",\"name\":\"b\"},{\"field\":\"6f1124c0-4dfa-11ec-9c7f-599fe68d9667\",\"id\":\"81c5f640-4dfa-11ec-9c7f-599fe68d9667\",\"name\":\"c\"}]}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"table\",\"use_kibana_indexes\":true},\"title\":\"[Zscaler][ZPA] Slowest 
Applications\",\"type\":\"metrics\",\"uiState\":{}},\"table\":{\"sort\":{\"column\":\"_default_\",\"order\":\"desc\"}}},\"gridData\":{\"h\":15,\"i\":\"429030c5-d674-4696-8aac-9385e886ce19\",\"w\":24,\"x\":0,\"y\":66},\"panelIndex\":\"429030c5-d674-4696-8aac-9385e886ce19\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"911a577a-4b0e-44e2-80c8-3a70407f8a22\",\"w\":24,\"x\":24,\"y\":66},\"panelIndex\":\"911a577a-4b0e-44e2-80c8-3a70407f8a22\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Zscaler][ZPA] User Activity and Status Logs", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-7511d7f0-4c49-11ec-9023-a76a2cb41dcd", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "zscaler_zpa-1f09dc30-4c4f-11ec-9023-a76a2cb41dcd", - "name": "panel_0", - "type": "map" - }, - { - "id": "zscaler_zpa-c8d009c0-4c4e-11ec-9023-a76a2cb41dcd", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "zscaler_zpa-4ea78dd0-4c49-11ec-9023-a76a2cb41dcd", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "zscaler_zpa-9f334ef0-4c4f-11ec-9023-a76a2cb41dcd", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "zscaler_zpa-552331e0-4c4f-11ec-9023-a76a2cb41dcd", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "zscaler_zpa-76176ed0-4c4e-11ec-9023-a76a2cb41dcd", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "zscaler_zpa-e86c2d90-4c49-11ec-9023-a76a2cb41dcd", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "zscaler_zpa-ccbe7ed0-4c4a-11ec-9023-a76a2cb41dcd", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "zscaler_zpa-d124a2a0-4c4b-11ec-9023-a76a2cb41dcd", - "name": "panel_8", - "type": "visualization" - }, - { - "id": 
"zscaler_zpa-82076ba0-4e74-11ec-ad09-d9f49962d407", - "name": "panel_9", - "type": "visualization" - }, - { - "id": "zscaler_zpa-4cf30750-4d0a-11ec-ad09-d9f49962d407", - "name": "panel_10", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-11-26T12:58:31.486Z", - "version": "WzU4NjcsMV0=" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/dashboard/zscaler_zpa-fa3c3c00-4c57-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/dashboard/zscaler_zpa-fa3c3c00-4c57-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index 1cae7f82fd..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/dashboard/zscaler_zpa-fa3c3c00-4c57-11ec-9023-a76a2cb41dcd.json +++ /dev/null 
@@ -1,74 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":89.78601,\"maxLon\":540,\"minLat\":-89.78601,\"minLon\":-360},\"mapCenter\":{\"lat\":0,\"lon\":115.86278,\"zoom\":0.6},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"d65f21eb-eb68-4cbc-abd9-d8ff48776d1d\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"d65f21eb-eb68-4cbc-abd9-d8ff48776d1d\",\"panelRefName\":\"panel_0\",\"type\":\"map\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":180,\"minLat\":-85.05113,\"minLon\":-360},\"mapCenter\":{\"lat\":20.96631,\"lon\":-81.88323,\"zoom\":0.69},\"openTOCDetails\":[]},\"gridData\":{\"h\":18,\"i\":\"304163ec-bce7-4995-99cd-7892cf6e4277\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"304163ec-bce7-4995-99cd-7892cf6e4277\",\"panelRefName\":\"panel_1\",\"type\":\"map\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b32ccd6a-9edb-47f2-829d-d9e11ad3b850\",\"w\":16,\"x\":0,\"y\":33},\"panelIndex\":\"b32ccd6a-9edb-47f2-829d-d9e11ad3b850\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a6f8c118-5b3d-4339-8037-21651b658e0a\",\"w\":16,\"x\":16,\"y\":33},\"panelIndex\":\"a6f8c118-5b3d-4339-8037-21651b658e0a\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"99a58fff-e3ec-42df-9f37-f69008909dc1\",\"w\":16,\"x\":32,\"y\":33},\
"panelIndex\":\"99a58fff-e3ec-42df-9f37-f69008909dc1\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f2952e7e-2165-4908-a9a6-6ebf385438e2\",\"w\":24,\"x\":0,\"y\":48},\"panelIndex\":\"f2952e7e-2165-4908-a9a6-6ebf385438e2\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"efcf0961-81c8-4e07-9bea-b0db4d0a5ec1\",\"w\":24,\"x\":24,\"y\":48},\"panelIndex\":\"efcf0961-81c8-4e07-9bea-b0db4d0a5ec1\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"b1fccb13-65ac-413c-b600-674dfb9b42d5\",\"w\":24,\"x\":0,\"y\":63},\"panelIndex\":\"b1fccb13-65ac-413c-b600-674dfb9b42d5\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"1d384991-def5-4620-b55f-31e9a8b3218a\",\"w\":24,\"x\":24,\"y\":63},\"panelIndex\":\"1d384991-def5-4620-b55f-31e9a8b3218a\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cfd0d990-2314-4b7c-bad4-07b895bf4b55\",\"w\":48,\"x\":0,\"y\":79},\"panelIndex\":\"cfd0d990-2314-4b7c-bad4-07b895bf4b55\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Zscaler][ZPA] App Connector Status", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-fa3c3c00-4c57-11ec-9023-a76a2cb41dcd", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "zscaler_zpa-43836b20-4c55-11ec-9023-a76a2cb41dcd", - "name": "panel_0", - "type": "map" - }, - { - "id": 
"zscaler_zpa-dff56dd0-4ce8-11ec-9023-a76a2cb41dcd", - "name": "panel_1", - "type": "map" - }, - { - "id": "zscaler_zpa-b0fa5650-4c55-11ec-9023-a76a2cb41dcd", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "zscaler_zpa-860071f0-4c55-11ec-9023-a76a2cb41dcd", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "zscaler_zpa-89a91550-4c5a-11ec-9023-a76a2cb41dcd", - "name": "panel_4", - "type": "visualization" - }, - { - "id": "zscaler_zpa-d0c885a0-4c5b-11ec-9023-a76a2cb41dcd", - "name": "panel_5", - "type": "visualization" - }, - { - "id": "zscaler_zpa-f03d3c90-4c5c-11ec-9023-a76a2cb41dcd", - "name": "panel_6", - "type": "visualization" - }, - { - "id": "zscaler_zpa-1b2c06c0-4eb5-11ec-9527-b704eaaa5c53", - "name": "panel_7", - "type": "visualization" - }, - { - "id": "zscaler_zpa-17759700-4c5b-11ec-9023-a76a2cb41dcd", - "name": "panel_8", - "type": "visualization" - }, - { - "id": "zscaler_zpa-8ca8eb00-4c5e-11ec-9023-a76a2cb41dcd", - "name": "panel_9", - "type": "visualization" - } - ], - "type": "dashboard", - "updated_at": "2021-12-06T11:14:42.883Z", - "version": "WzQ4MTU1LDFd" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/dashboard/zscaler_zpa-fa5b1830-4c63-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/dashboard/zscaler_zpa-fa5b1830-4c63-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index 9da279c5ee..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/dashboard/zscaler_zpa-fa5b1830-4c63-11ec-9023-a76a2cb41dcd.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" - }, - "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", - "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c61f1028-287d-427a-80dd-7530fe1d407b\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"c61f1028-287d-427a-80dd-7530fe1d407b\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0c5e09b0-f4c9-41bf-9855-b6aedef7e49b\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"0c5e09b0-f4c9-41bf-9855-b6aedef7e49b\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"590bd39d-7ba8-475f-99a4-94d6fe3c7a66\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"590bd39d-7ba8-475f-99a4-94d6fe3c7a66\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c779f9f4-69c6-4e08-af7b-b79fed7e1b9c\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"c779f9f4-69c6-4e08-af7b-b79fed7e1b9c\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":21,\"i\":\"b4f9406f-ee08-487d-924a-1012fa15442c\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"b4f9406f-ee08-487d-924a-1012fa15442c\",\"panelRefName\":\"panel_4\",\"title\":\"[Zscaler][ZPA] Audit Operations Details\",\"type\":\"search\",\"version\":\"7.16.0-SNAPSHOT\"}]", - "timeRestore": false, - "title": "[Zscaler][ZPA] Audit Logs", - "version": 1 - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-fa5b1830-4c63-11ec-9023-a76a2cb41dcd", - 
"migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "zscaler_zpa-be0fc2e0-4c63-11ec-9023-a76a2cb41dcd", - "name": "panel_0", - "type": "visualization" - }, - { - "id": "zscaler_zpa-f2e526e0-4c63-11ec-9023-a76a2cb41dcd", - "name": "panel_1", - "type": "visualization" - }, - { - "id": "zscaler_zpa-2fffbd90-4d29-11ec-ad09-d9f49962d407", - "name": "panel_2", - "type": "visualization" - }, - { - "id": "zscaler_zpa-fc5f4ea0-4ebe-11ec-9527-b704eaaa5c53", - "name": "panel_3", - "type": "visualization" - }, - { - "id": "zscaler_zpa-d9d5e800-537b-11ec-9527-b704eaaa5c53", - "name": "panel_4", - "type": "search" - } - ], - "type": "dashboard", - "updated_at": "2021-12-03T05:25:34.232Z", - "version": "WzI0ODQyLDFd" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/map/zscaler_zpa-1f09dc30-4c4f-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/map/zscaler_zpa-1f09dc30-4c4f-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index fdf33c4522..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/map/zscaler_zpa-1f09dc30-4c4f-11ec-9023-a76a2cb41dcd.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "attributes": { - "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"31d17945-828a-4b1e-9d63-5ff628cae1b3\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"0a3d538b-2454-4860-aa46-46f706c738b1\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"client.geo.location\",\"id\":\"aab6b218-afd7-47cf-825f-a39f7b57b1fe\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", - "mapStateJSON": "{\"center\":{\"lat\":19.94277,\"lon\":0},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.user_status\\\" OR data_stream.dataset : \\\"zscaler_zpa.user_activity\\\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-15y\",\"to\":\"now\"},\"zoom\":1.06}", - "title": "[Zscaler][ZPA] Users by region", - "uiStateJSON": 
"{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-1f09dc30-4c4f-11ec-9023-a76a2cb41dcd", - "migrationVersion": { - "map": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "map", - "updated_at": "2021-12-02T08:37:35.859Z", - "version": "WzExMDE5LDFd" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/map/zscaler_zpa-43836b20-4c55-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/map/zscaler_zpa-43836b20-4c55-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index 574fd1b6f2..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/map/zscaler_zpa-43836b20-4c55-11ec-9023-a76a2cb41dcd.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "attributes": { - "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"3099042d-0154-49b6-8c0c-f492730c5835\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"0a3d538b-2454-4860-aa46-46f706c738b1\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"observer.geo.location\",\"id\":\"aab6b218-afd7-47cf-825f-a39f7b57b1fe\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", - "mapStateJSON": "{\"center\":{\"lat\":0,\"lon\":-130.09157},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.app_connector_status\\\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-50y\",\"to\":\"now\"},\"zoom\":0.15}", - "title": "[Zscaler][ZPA] App Connectors by region", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" - }, - "coreMigrationVersion": 
"7.16.0", - "id": "zscaler_zpa-43836b20-4c55-11ec-9023-a76a2cb41dcd", - "migrationVersion": { - "map": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "map", - "updated_at": "2021-12-02T08:29:02.976Z", - "version": "WzEwNjk0LDFd" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/map/zscaler_zpa-5a0f9320-4c44-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/map/zscaler_zpa-5a0f9320-4c44-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index 14a71b6d91..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/map/zscaler_zpa-5a0f9320-4c44-11ec-9023-a76a2cb41dcd.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "attributes": { - "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"44962ab1-9a18-493c-a7c4-4408f7df2ca7\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"0a3d538b-2454-4860-aa46-46f706c738b1\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"client.geo.location\",\"id\":\"aab6b218-afd7-47cf-825f-a39f7b57b1fe\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", - "mapStateJSON": "{\"center\":{\"lat\":-0.77104,\"lon\":35.52056},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.browser_access\\\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-5y\",\"to\":\"now\"},\"zoom\":0.77}", - "title": "[Zscaler][ZPA] Browser Access Events by Region", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" - }, - 
"coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-5a0f9320-4c44-11ec-9023-a76a2cb41dcd", - "migrationVersion": { - "map": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "map", - "updated_at": "2021-12-07T14:31:15.512Z", - "version": "WzE0ODIsMV0=" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/map/zscaler_zpa-dff56dd0-4ce8-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/map/zscaler_zpa-dff56dd0-4ce8-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index 544f3b41de..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/map/zscaler_zpa-dff56dd0-4ce8-11ec-9023-a76a2cb41dcd.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "attributes": { - "description": "", - "layerListJSON": "[{\"alpha\":1,\"id\":\"72f12276-ca0b-455c-a518-bf4493c7d673\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"0a3d538b-2454-4860-aa46-46f706c738b1\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"observer.geo.location\",\"id\":\"aab6b218-afd7-47cf-825f-a39f7b57b1fe\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"field\":\"zscaler_zpa.app_connector_status.connector.group\",\"type\":\"cardinality\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", - "mapStateJSON": "{\"center\":{\"lat\":20.96631,\"lon\":-81.88323},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.app_connector_status\\\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-15y\",\"to\":\"now\"},\"zoom\":0.69}", - "title": "[Zscaler][ZPA] Connector Groups by region", - "uiStateJSON": 
"{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-dff56dd0-4ce8-11ec-9023-a76a2cb41dcd", - "migrationVersion": { - "map": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "map", - "updated_at": "2021-12-16T06:12:52.253Z", - "version": "WzIwNDUsMV0=" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/search/zscaler_zpa-d9d5e800-537b-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zpa/1.0.0/kibana/search/zscaler_zpa-d9d5e800-537b-11ec-9527-b704eaaa5c53.json deleted file mode 100755 index 4b5fbadd6a..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/search/zscaler_zpa-d9d5e800-537b-11ec-9527-b704eaaa5c53.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "zscaler_zpa.audit.object.type", - "zscaler_zpa.audit.object.name", - "zscaler_zpa.audit.value.new", - "zscaler_zpa.audit.value.old" - ], - "description": "", - "grid": {}, - "hideChart": true, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.audit\\\"\"}}" - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "[Zscaler][ZPA] Audit Operations Details" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-d9d5e800-537b-11ec-9527-b704eaaa5c53", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search", - "updated_at": "2021-12-03T12:58:06.911Z", - "version": "WzM2NDQyLDFd" -} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-17759700-4c5b-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-17759700-4c5b-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index 4787d83dd0..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-17759700-4c5b-11ec-9023-a76a2cb41dcd.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"zscaler_zpa.app_connector_status.connector_up_time\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"zscaler_zpa.app_connector_status.connector_up_time\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.app_connector_status\\\"\"}}" - }, - "title": "[Zscaler][ZPA] Top 10 Connector with highest uptime", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"max\",\"customLabel\":\"Connector UpTime\",\"field\":\"zscaler_zpa.app_connector_status.connector_up_time\",\"size\":10,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Connector Name\",\"field\":\"zscaler_zpa.app_connector_status.connector.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler][ZPA] Top 10 Connector with highest uptime\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-17759700-4c5b-11ec-9023-a76a2cb41dcd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-12-16T06:17:25.442Z", - "version": "WzIxMjgsMV0=" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-1b2c06c0-4eb5-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-1b2c06c0-4eb5-11ec-9527-b704eaaa5c53.json deleted file mode 100755 index d41e800a8a..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-1b2c06c0-4eb5-11ec-9527-b704eaaa5c53.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.app_connector_status\\\"\"}}" - }, - "title": "[Zscaler][ZPA] Distribution of App Connector Status by Session Type", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Session Type\",\"field\":\"zscaler_zpa.app_connector_status.session.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":
{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Zscaler][ZPA] Distribution of App Connector Status by Session Type\",\"type\":\"horizontal_bar\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-1b2c06c0-4eb5-11ec-9527-b704eaaa5c53", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-12-02T08:15:40.723Z", - "version": "WzEwMzAzLDFd" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-1b5846e0-4c44-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-1b5846e0-4c44-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index 0ed80ca99f..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-1b5846e0-4c44-11ec-9023-a76a2cb41dcd.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.browser_access\\\"\"}}" - }, - "title": "[Zscaler][ZPA] Distribution of Browser Access by Exporter", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Exporter\",\"field\":\"zscaler_zpa.browser_access.exporter\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler][ZPA] Distribution of Browser Access by Exporter\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-1b5846e0-4c44-11ec-9023-a76a2cb41dcd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-12-06T10:33:40.004Z", - "version": "WzQ3NjY5LDFd" -} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-23d03780-4eb8-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-23d03780-4eb8-11ec-9527-b704eaaa5c53.json deleted file mode 100755 index 08b32acc4d..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-23d03780-4eb8-11ec-9527-b704eaaa5c53.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.browser_access\\\"\"}}" - }, - "title": "[Zscaler][ZPA] Distribution of Browser Access by Browser", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Browser\",\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler][ZPA] Distribution of Browser Access by Browser\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-23d03780-4eb8-11ec-9527-b704eaaa5c53", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-12-06T10:33:52.939Z", - "version": "WzQ3Njk2LDFd" -} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-2fffbd90-4d29-11ec-ad09-d9f49962d407.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-2fffbd90-4d29-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 79d7fdef22..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-2fffbd90-4d29-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.audit\\\"\"}}" - }, - "title": "[Zscaler][ZPA] Distribution of Audit Events by Object Type", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Object Type\",\"field\":\"zscaler_zpa.audit.object.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler][ZPA] Distribution of Audit Events by Object Type\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-2fffbd90-4d29-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-12-02T07:26:39.134Z", - "version": "Wzk0NDIsMV0=" -} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-4cf30750-4d0a-11ec-ad09-d9f49962d407.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-4cf30750-4d0a-11ec-ad09-d9f49962d407.json deleted file mode 100755 index 3b716c4832..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-4cf30750-4d0a-11ec-ad09-d9f49962d407.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"zscaler_zpa.user_activity.server_setup_time\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"zscaler_zpa.user_activity.server_setup_time\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.user_activity\\\"\"}}" - }, - "title": "[Zscaler][ZPA] Slowest Connector Server", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Server Setup Time (in microseconds)\",\"field\":\"zscaler_zpa.user_activity.server_setup_time\"},\"schema\":\"metric\",\"type\":\"avg\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Host\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler][ZPA] Slowest Connector Server\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-4cf30750-4d0a-11ec-ad09-d9f49962d407", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": 
"visualization", - "updated_at": "2021-12-03T10:15:04.677Z", - "version": "WzMxMzkyLDFd" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-4ea78dd0-4c49-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-4ea78dd0-4c49-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index e010a8e4d0..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-4ea78dd0-4c49-11ec-9023-a76a2cb41dcd.json +++ /dev/null 
@@ -1,27 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.user_activity\\\"\"}}"
- },
- "title": "[Zscaler][ZPA] Distribution of Users by Connection Status",
- "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Connection Status\",\"field\":\"zscaler_zpa.user_activity.connection.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler][ZPA] Distribution of Users by Connection Status\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "zscaler_zpa-4ea78dd0-4c49-11ec-9023-a76a2cb41dcd",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-12-03T09:46:37.308Z",
- "version": "WzI5OTg1LDFd"
-}
\ No newline at end of file
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-552331e0-4c4f-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-552331e0-4c4f-11ec-9023-a76a2cb41dcd.json
deleted file mode 100755
index 0538404258..0000000000
--- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-552331e0-4c4f-11ec-9023-a76a2cb41dcd.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.user_status\\\"\"}}"
- },
- "title": "[Zscaler][ZPA] Distribution of User by Client type",
- "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client Type\",\"field\":\"zscaler_zpa.user_status.client.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler][ZPA] Distribution of User by Client type\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "zscaler_zpa-552331e0-4c4f-11ec-9023-a76a2cb41dcd",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-11-26T12:58:31.486Z",
- "version": "WzU4NjAsMV0="
-}
\ No newline at end of file
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-76176ed0-4c4e-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-76176ed0-4c4e-11ec-9023-a76a2cb41dcd.json
deleted file mode 100755
index fe817b5960..0000000000
--- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-76176ed0-4c4e-11ec-9023-a76a2cb41dcd.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.user_status\\\"\"}}"
- },
- "title": "[Zscaler][ZPA] Top Countries with Users",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Country Code\",\"field\":\"client.geo.country_iso_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Zscaler][ZPA] Top Countries with Users\",\"type\":\"horizontal_bar\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "zscaler_zpa-76176ed0-4c4e-11ec-9023-a76a2cb41dcd",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-11-26T12:58:31.486Z",
- "version": "WzU4NjEsMV0="
-}
\ No newline at end of file
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-82076ba0-4e74-11ec-ad09-d9f49962d407.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-82076ba0-4e74-11ec-ad09-d9f49962d407.json
deleted file mode 100755
index 633846a8a1..0000000000
--- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-82076ba0-4e74-11ec-ad09-d9f49962d407.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"zscaler_zpa.user_activity.connector_zen_setup_time\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"zscaler_zpa.user_activity.connector_zen_setup_time\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"zscaler_zpa.user_activity.connection.setup_time\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"zscaler_zpa.user_activity.connection.setup_time\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"zscaler_zpa.user_activity.server_setup_time\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"zscaler_zpa.user_activity.server_setup_time\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.user_activity\\\"\"}}"
- },
- "title": "[Zscaler][ZPA] Slowest Applications",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[],\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"bar_color_rules\":[{\"id\":\"4ac99360-4dd5-11ec-9c7f-599fe68d9667\"}],\"drop_last_bucket\":0,\"id\":\"81cebc93-9e11-4079-9241-baa103cd5db6\",\"index_pattern_ref_name\":\"metrics_0_index_pattern\",\"interval\":\"\",\"isModelInvalid\":false,\"max_lines_legend\":1,\"pivot_id\":\"client.ip\",\"pivot_label\":\"Client IP\",\"pivot_type\":\"string\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"default\",\"hidden\":false,\"id\":\"a5e34d80-4dd6-11ec-9c7f-599fe68d9667\",\"label\":\"Application Setup Time (in microseconds)\",\"line_width\":1,\"metrics\":[{\"field\":\"zscaler_zpa.user_activity.server_setup_time\",\"id\":\"1c4724b0-4dfa-11ec-9c7f-599fe68d9667\",\"type\":\"avg\"},{\"field\":\"zscaler_zpa.user_activity.connection.setup_time\",\"id\":\"5adf7740-4dfa-11ec-9c7f-599fe68d9667\",\"type\":\"avg\"},{\"field\":\"zscaler_zpa.user_activity.connector_zen_setup_time\",\"id\":\"6f1124c0-4dfa-11ec-9c7f-599fe68d9667\",\"type\":\"avg\"},{\"id\":\"7956fef0-4dfa-11ec-9c7f-599fe68d9667\",\"script\":\"params.a + params.b + params.c\",\"type\":\"math\",\"variables\":[{\"field\":\"1c4724b0-4dfa-11ec-9c7f-599fe68d9667\",\"id\":\"7ad8bcf0-4dfa-11ec-9c7f-599fe68d9667\",\"name\":\"a\"},{\"field\":\"5adf7740-4dfa-11ec-9c7f-599fe68d9667\",\"id\":\"80181f30-4dfa-11ec-9c7f-599fe68d9667\",\"name\":\"b\"},{\"field\":\"6f1124c0-4dfa-11ec-9c7f-599fe68d9667\",\"id\":\"81c5f640-4dfa-11ec-9c7f-599fe68d9667\",\"name\":\"c\"}]}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"table\",\"use_kibana_indexes\":true},\"title\":\"[Zscaler][ZPA] Slowest Applications\",\"type\":\"metrics\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "zscaler_zpa-82076ba0-4e74-11ec-ad09-d9f49962d407",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index",
- "type": "index-pattern"
- },
- {
- "id": "logs-*",
- "name": "metrics_0_index_pattern",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-12-03T10:14:36.668Z",
- "version": "WzMxMzYxLDFd"
-}
\ No newline at end of file
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-860071f0-4c55-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-860071f0-4c55-11ec-9023-a76a2cb41dcd.json
deleted file mode 100755
index c5224befdc..0000000000
--- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-860071f0-4c55-11ec-9023-a76a2cb41dcd.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.app_connector_status\\\"\"}}"
- },
- "title": "[Zscaler][ZPA] Top 10 ZEN with frequent usage",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ZEN\",\"field\":\"zscaler_zpa.app_connector_status.zen\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler][ZPA] Top 10 ZEN with frequent usage\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "zscaler_zpa-860071f0-4c55-11ec-9023-a76a2cb41dcd",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-12-02T08:10:02.798Z",
- "version": "WzEwMDYxLDFd"
-}
\ No newline at end of file
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-89a91550-4c5a-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-89a91550-4c5a-11ec-9023-a76a2cb41dcd.json
deleted file mode 100755
index 7ea6fd33d0..0000000000
--- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-89a91550-4c5a-11ec-9023-a76a2cb41dcd.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.app_connector_status\\\"\"}}"
- },
- "title": "[Zscaler][ZPA] Top 10 Connectors by name",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Connector Name\",\"field\":\"zscaler_zpa.app_connector_status.connector.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler][ZPA] Top 10 Connectors by name\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "zscaler_zpa-89a91550-4c5a-11ec-9023-a76a2cb41dcd",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-12-02T08:10:44.274Z",
- "version": "WzEwMDk1LDFd"
-}
\ No newline at end of file
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-8ca8eb00-4c5e-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-8ca8eb00-4c5e-11ec-9023-a76a2cb41dcd.json
deleted file mode 100755
index 4c03bc8062..0000000000
--- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-8ca8eb00-4c5e-11ec-9023-a76a2cb41dcd.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.app_connector_status\\\"\"}}"
- },
- "title": "[Zscaler][ZPA] Distribution of App Connector by Session Type, Session Status, OS Platform",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Connector Name\",\"field\":\"zscaler_zpa.app_connector_status.connector.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Session Status\",\"field\":\"zscaler_zpa.app_connector_status.session.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Session Type\",\"field\":\"zscaler_zpa.app_connector_status.session.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"OS Platform\",\"field\":\"observer.os.platform\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"row\":false,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler][ZPA] Distribution of App Connector by Session Type, Session Status, OS Platform\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "zscaler_zpa-8ca8eb00-4c5e-11ec-9023-a76a2cb41dcd",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-12-02T08:23:25.330Z",
- "version": "WzEwNTIxLDFd"
-}
\ No newline at end of file
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-9f334ef0-4c4f-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-9f334ef0-4c4f-11ec-9023-a76a2cb41dcd.json
deleted file mode 100755
index c5360d5987..0000000000
--- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-9f334ef0-4c4f-11ec-9023-a76a2cb41dcd.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.user_status\\\"\"}}"
- },
- "title": "[Zscaler][ZPA] Distribution of User by Session Status",
- "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Session Status\",\"field\":\"zscaler_zpa.user_status.session.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler][ZPA] Distribution of User by Session Status\",\"type\":\"pie\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "zscaler_zpa-9f334ef0-4c4f-11ec-9023-a76a2cb41dcd",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-11-26T12:58:31.486Z",
- "version": "WzU4NTksMV0="
-}
\ No newline at end of file
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-b0fa5650-4c55-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-b0fa5650-4c55-11ec-9023-a76a2cb41dcd.json
deleted file mode 100755
index c3cb501590..0000000000
--- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-b0fa5650-4c55-11ec-9023-a76a2cb41dcd.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.app_connector_status\\\"\"}}"
- },
- "title": "[Zscaler][ZPA] Total App Connectors",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total App Connectors\",\"field\":\"zscaler_zpa.app_connector_status.connector.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Zscaler][ZPA] Total App Connectors\",\"type\":\"metric\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "zscaler_zpa-b0fa5650-4c55-11ec-9023-a76a2cb41dcd",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-12-02T07:57:25.973Z",
- "version": "Wzk4MjIsMV0="
-}
\ No newline at end of file
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-be0fc2e0-4c63-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-be0fc2e0-4c63-11ec-9023-a76a2cb41dcd.json
deleted file mode 100755
index 99d665a027..0000000000
--- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-be0fc2e0-4c63-11ec-9023-a76a2cb41dcd.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.audit\\\"\"}}"
- },
- "title": "[Zscaler][ZPA] Top Users with most activities",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler][ZPA] Top Users with most activities\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "zscaler_zpa-be0fc2e0-4c63-11ec-9023-a76a2cb41dcd",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-12-02T07:24:53.458Z",
- "version": "WzkzMjksMV0="
-}
\ No newline at end of file
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-c8d009c0-4c4e-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-c8d009c0-4c4e-11ec-9023-a76a2cb41dcd.json
deleted file mode 100755
index 1f2148e09c..0000000000
--- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-c8d009c0-4c4e-11ec-9023-a76a2cb41dcd.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.user_activity\\\"\"}}"
- },
- "title": "[Zscaler][ZPA] Total Users",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Users\",\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Zscaler][ZPA] Total Users\",\"type\":\"metric\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "zscaler_zpa-c8d009c0-4c4e-11ec-9023-a76a2cb41dcd",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-11-26T12:58:31.486Z",
- "version": "WzU4NTcsMV0="
-}
\ No newline at end of file
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-ccbe7ed0-4c4a-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-ccbe7ed0-4c4a-11ec-9023-a76a2cb41dcd.json
deleted file mode 100755
index c982d2f131..0000000000
--- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-ccbe7ed0-4c4a-11ec-9023-a76a2cb41dcd.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.user_activity\\\"\"}}"
- },
- "title": "[Zscaler][ZPA] Distribution of Users per Application (Top 10)",
- "uiStateJSON": "{}",
- "version": 1,
- "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Application Name\",\"field\":\"zscaler_zpa.user_activity.application\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler][ZPA] Distribution of Users per Application (Top 10)\",\"type\":\"table\"}"
- },
- "coreMigrationVersion": "7.16.0",
- "id": "zscaler_zpa-ccbe7ed0-4c4a-11ec-9023-a76a2cb41dcd",
- "migrationVersion": {
- "visualization": "7.14.0"
- },
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "visualization",
- "updated_at": "2021-11-26T12:58:31.486Z",
- "version": "WzU4NjMsMV0="
-}
\ No newline at end of file
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-d0c885a0-4c5b-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-d0c885a0-4c5b-11ec-9023-a76a2cb41dcd.json
deleted file mode 100755
index a07cf30e57..0000000000
--- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-d0c885a0-4c5b-11ec-9023-a76a2cb41dcd.json
+++ /dev/null
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.app_connector_status\\\"\"}}" - }, - "title": "[Zscaler][ZPA] CPU Utilization by Connector over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"CPU Utilization\",\"field\":\"host.cpu.usage\",\"size\":10,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"12h\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Connector 
Name\",\"field\":\"zscaler_zpa.app_connector_status.connector.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"CPU Utilization\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"CPU Utilization\"},\"type\":\"value\"}]},\"title\":\"[Zscaler][ZPA] CPU Utilization by Connector over time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-d0c885a0-4c5b-11ec-9023-a76a2cb41dcd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-12-02T08:13:27.959Z", - "version": 
"WzEwMjAzLDFd" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-d124a2a0-4c4b-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-d124a2a0-4c4b-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index 47b4a9e322..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-d124a2a0-4c4b-11ec-9023-a76a2cb41dcd.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.user_activity\\\"\"}}" - }, - "title": "[Zscaler][ZPA] Top 10 AppGroups", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"App Groups\",\"field\":\"zscaler_zpa.user_activity.app_group\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler][ZPA] Top 10 AppGroups\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-d124a2a0-4c4b-11ec-9023-a76a2cb41dcd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-11-26T12:58:31.486Z", - "version": "WzU4NjQsMV0=" -} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-d8e44aa0-5992-11ec-b2d0-45019404f2e5.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-d8e44aa0-5992-11ec-b2d0-45019404f2e5.json deleted file mode 100755 index dc8efb5fdc..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-d8e44aa0-5992-11ec-b2d0-45019404f2e5.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.browser_access\\\"\"}}" - }, - "title": "[Zscaler][ZPA] Distribution of OS across user.", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"field\":\"user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"user_agent.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":false,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler][ZPA] Distribution of OS across user.\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-d8e44aa0-5992-11ec-b2d0-45019404f2e5", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": 
"2021-12-10T08:26:18.069Z", - "version": "WzEwNTMsMV0=" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-e86c2d90-4c49-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-e86c2d90-4c49-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index 6fb7949307..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-e86c2d90-4c49-11ec-9023-a76a2cb41dcd.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.user_activity\\\" and zscaler_zpa.user_activity.connection.status : \\\"active\\\"\"}}" - }, - "title": "[Zscaler][ZPA] Top 10 Active Users", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User Name\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler][ZPA] Top 10 Active Users\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-e86c2d90-4c49-11ec-9023-a76a2cb41dcd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-12-03T09:50:43.417Z", - "version": "WzMwMjYwLDFd" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-f03d3c90-4c5c-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-f03d3c90-4c5c-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index 04ba639e45..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-f03d3c90-4c5c-11ec-9023-a76a2cb41dcd.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.app_connector_status\\\"\"}}" - }, - "title": "[Zscaler][ZPA] Memory Utilization by Connector over time", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Memory Utilization\",\"field\":\"zscaler_zpa.app_connector_status.memory.utilization\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"\",\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"12h\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Connector 
Name\",\"field\":\"zscaler_zpa.app_connector_status.connector.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"fittingFunction\":\"linear\",\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":9,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Memory Utilization\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Memory Utilization\"},\"type\":\"value\"}]},\"title\":\"[Zscaler][ZPA] Memory Utilization by Connector over time\",\"type\":\"line\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-f03d3c90-4c5c-11ec-9023-a76a2cb41dcd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-12-02T08:14:55.427Z", - 
"version": "WzEwMjU4LDFd" -} \ No newline at end of file diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-f2e526e0-4c63-11ec-9023-a76a2cb41dcd.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-f2e526e0-4c63-11ec-9023-a76a2cb41dcd.json deleted file mode 100755 index a23e6ac8fc..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-f2e526e0-4c63-11ec-9023-a76a2cb41dcd.json +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.audit\\\"\"}}" - }, - "title": "[Zscaler][ZPA] Distribution of Audit Events by type of Operation", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Audit Operation type\",\"field\":\"zscaler_zpa.audit.operation_type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Zscaler][ZPA] Distribution of Audit Events by type of Operation\",\"type\":\"pie\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-f2e526e0-4c63-11ec-9023-a76a2cb41dcd", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-12-02T07:25:49.816Z", - "version": "WzkzNjMsMV0=" -} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-fc5f4ea0-4ebe-11ec-9527-b704eaaa5c53.json b/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-fc5f4ea0-4ebe-11ec-9527-b704eaaa5c53.json deleted file mode 100755 index 1c607b57a9..0000000000 --- a/packages/zscaler_zpa/1.0.0/kibana/visualization/zscaler_zpa-fc5f4ea0-4ebe-11ec-9527-b704eaaa5c53.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"zscaler_zpa.audit\\\"\"}}" - }, - "title": "[Zscaler][ZPA] Top 10 Objects on which most operations are performed", - "uiStateJSON": "{}", - "version": 1, - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Object Name\",\"field\":\"zscaler_zpa.audit.object.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Zscaler][ZPA] Top 10 Objects on which most operations are performed\",\"type\":\"table\"}" - }, - "coreMigrationVersion": "7.16.0", - "id": "zscaler_zpa-fc5f4ea0-4ebe-11ec-9527-b704eaaa5c53", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "visualization", - "updated_at": "2021-12-02T07:27:29.190Z", - "version": "Wzk0NjYsMV0=" -} \ No newline at end of file 
diff --git a/packages/zscaler_zpa/1.0.0/manifest.yml b/packages/zscaler_zpa/1.0.0/manifest.yml
deleted file mode 100755
index 6413662ac9..0000000000
--- a/packages/zscaler_zpa/1.0.0/manifest.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-format_version: 1.0.0
-name: zscaler_zpa
-title: "Zscaler Private Access"
-version: 1.0.0
-license: basic
-description: Collect logs from Zscaler Private Access (ZPA) with Elastic Agent.
-type: integration
-categories:
- - security
-release: ga
-conditions:
- kibana.version: ^7.16.2 || ^8.0.0
-screenshots:
- - src: /img/zscaler-zpa-screenshot.png
- title: Zscaler ZPA app connector status dashboard screenshot
- size: 600x600
- type: image/png
-icons:
- - src: /img/zscaler-logo.svg
- title: Zscaler logo
- size: 32x32
- type: image/svg+xml
-policy_templates:
- - name: zscaler_zpa
- title: Zscaler Private Access logs
- description: Collect Zscaler Private Access logs
- inputs:
- - type: tcp
- vars:
- - name: listen_address
- type: text
- title: Listen Address
- description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
- multi: false
- required: true
- show_user: true
- default: localhost
- name: ssl
- type: yaml
- title: SSL Configuration
- description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
- multi: false
- required: false
- show_user: false
- default: |
- #certificate_authorities:
- # - |
- # -----BEGIN CERTIFICATE-----
- # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
- # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
- # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
- # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
- # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
- # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
- # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
- # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
- # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
- # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
- # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
- # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
- # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
- # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
- # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
- # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
- # sxSmbIUfc2SGJGCJD4I=
- # -----END CERTIFICATE-----
- title: Collect Zscaler Private Access logs via TCP input
- description: Collecting Zscaler Private Access logs via TCP input
-owner:
- github: elastic/security-external-integrations